
fix: propagate apiProxy.auth OIDC config fields to all layers#5559

Merged
lpcox merged 2 commits into
mainfrom
fix/propagate-auth-config-fields-6d286002669bbfb4
Jun 26, 2026

Conversation

@github-actions

Contributor

Config Consistency Fixes

Automated audit of PRs merged in the last 7 days (first run, no prior state; audited through PR #5549).

Gap Found: apiProxy.auth OIDC fields not wired end-to-end

The JSON schema (src/awf-config-schema.json / docs/awf-config.schema.json) and spec §5 CLI mapping define 18 apiProxy.auth.* fields. Only anthropicTokenUrl was fully wired through the config-file → TypeScript types → build-config → env-var pipeline. The other 17 fields were accepted by schema validation but silently ignored at runtime when set in a config file.

| Field | Fix Applied |
| --- | --- |
| apiProxy.auth.type | Added to AwfFileConfig interface, mapped to authType option, wired to AWF_AUTH_TYPE |
| apiProxy.auth.provider | Added to AwfFileConfig, mapped to authProvider, wired to AWF_AUTH_PROVIDER |
| apiProxy.auth.oidcAudience | Added to AwfFileConfig, mapped to authOidcAudience, wired to AWF_AUTH_OIDC_AUDIENCE |
| apiProxy.auth.azureTenantId | Added to AwfFileConfig, mapped to authAzureTenantId, wired to AWF_AUTH_AZURE_TENANT_ID |
| apiProxy.auth.azureClientId | Added to AwfFileConfig, mapped to authAzureClientId, wired to AWF_AUTH_AZURE_CLIENT_ID |
| apiProxy.auth.azureScope | Added to AwfFileConfig, mapped to authAzureScope, wired to AWF_AUTH_AZURE_SCOPE |
| apiProxy.auth.azureCloud | Added to AwfFileConfig, mapped to authAzureCloud, wired to AWF_AUTH_AZURE_CLOUD |
| apiProxy.auth.awsRoleArn | Added to AwfFileConfig, mapped to authAwsRoleArn, wired to AWF_AUTH_AWS_ROLE_ARN |
| apiProxy.auth.awsRegion | Added to AwfFileConfig, mapped to authAwsRegion, wired to AWF_AUTH_AWS_REGION |
| apiProxy.auth.awsRoleSessionName | Added to AwfFileConfig, mapped to authAwsRoleSessionName, wired to AWF_AUTH_AWS_ROLE_SESSION_NAME |
| apiProxy.auth.gcpWorkloadIdentityProvider | Added to AwfFileConfig, mapped to authGcpWorkloadIdentityProvider, wired to AWF_AUTH_GCP_WORKLOAD_IDENTITY_PROVIDER |
| apiProxy.auth.gcpServiceAccount | Added to AwfFileConfig, mapped to authGcpServiceAccount, wired to AWF_AUTH_GCP_SERVICE_ACCOUNT |
| apiProxy.auth.gcpScope | Added to AwfFileConfig, mapped to authGcpScope, wired to AWF_AUTH_GCP_SCOPE |
| apiProxy.auth.anthropicFederationRuleId | Added to AwfFileConfig, mapped to authAnthropicFederationRuleId, wired to AWF_AUTH_ANTHROPIC_FEDERATION_RULE_ID |
| apiProxy.auth.anthropicOrganizationId | Added to AwfFileConfig, mapped to authAnthropicOrganizationId, wired to AWF_AUTH_ANTHROPIC_ORGANIZATION_ID |
| apiProxy.auth.anthropicServiceAccountId | Added to AwfFileConfig, mapped to authAnthropicServiceAccountId, wired to AWF_AUTH_ANTHROPIC_SERVICE_ACCOUNT_ID |
| apiProxy.auth.anthropicWorkspaceId | Added to AwfFileConfig, mapped to authAnthropicWorkspaceId, wired to AWF_AUTH_ANTHROPIC_WORKSPACE_ID |

Bonus fix: normalizedAuthType now checks config.authType

api-proxy-env-config.ts computed normalizedAuthType exclusively from process.env.AWF_AUTH_TYPE. When apiProxy.auth.type is set via config file, the ACTIONS_ID_TOKEN_REQUEST_* GitHub OIDC tokens were not forwarded to the api-proxy container. This is now fixed: config.authType is checked first, falling back to the host env var.

Layers Verified

| Layer | Status |
| --- | --- |
| src/awf-config-schema.json | ✅ All 18 auth fields present (unchanged) |
| docs/awf-config.schema.json | ✅ Identical to src (unchanged, diff confirmed empty) |
| docs/awf-config-spec.md §5 CLI mapping | ✅ All 18 auth fields documented (unchanged) |
| src/config-file.ts AwfFileConfig | ✅ Fixed — added 17 missing fields |
| src/config-file.ts mapAwfFileConfigToCliOptions | ✅ Fixed — added 17 missing mappings |
| src/types/api-proxy-credential-options.ts | ✅ Fixed — added 17 new option fields |
| src/commands/build-config.ts | ✅ Fixed — wired 17 new options with AWF_AUTH_* env fallbacks |
| src/services/api-proxy-env-config.ts | ✅ Fixed — normalizedAuthType uses config.authType; 17 new AWF_AUTH_* env entries |

Security Classification

All 17 new fields are non-sensitive configuration identifiers (auth type strings, tenant IDs used in keyless OIDC federation, provider URLs, service account emails). They contain no secrets or credentials. This is consistent with the spec's existing classification of them as config-only fields.

Verification

  • TypeScript compiles (tsc --noEmit — clean)
  • Config-file-mapping tests pass (39 tests, 3 new)
  • OIDC forwarding tests pass (4 tests, 3 new)
  • Broader api-proxy and config-file tests pass (184 tests)

Generated by Config Consistency Auditor · 306.8 AIC · ⊞ 6.7K ·

The 17 apiProxy.auth.* fields defined in the JSON schema and documented
in the spec §5 CLI mapping (type, provider, oidcAudience, azureTenantId,
azureClientId, azureScope, azureCloud, awsRoleArn, awsRegion,
awsRoleSessionName, gcpWorkloadIdentityProvider, gcpServiceAccount,
gcpScope, anthropicFederationRuleId, anthropicOrganizationId,
anthropicServiceAccountId, anthropicWorkspaceId) were documented as
config-file fields mapping to AWF_AUTH_* env vars, but were missing
from all four wiring layers:

1. AwfFileConfig interface in config-file.ts
2. mapAwfFileConfigToCliOptions() mapping
3. ApiProxyCredentialOptions TypeScript type
4. buildApiProxyBaseEnv() env-var generation in api-proxy-env-config.ts

Only anthropicTokenUrl was previously wired end-to-end.

Changes:
- config-file.ts: expand AwfFileConfig.apiProxy.auth with all 17 fields;
  add corresponding mappings in mapAwfFileConfigToCliOptions()
- api-proxy-credential-options.ts: add 17 new option key fields with JSDoc
- build-config.ts: wire each new option with process.env fallback
  (options.authXxx || process.env.AWF_AUTH_XXX), matching the
  existing anthropicTokenUrl pattern
- api-proxy-env-config.ts: update normalizedAuthType to prefer
  config.authType over process.env (config-file > env precedence);
  add explicit AWF_AUTH_* env-var generation from config fields so
  config-file values override host env vars (spread after pickEnvVars)
- Tests: add config-file-mapping tests for all new auth fields; add
  OIDC tests verifying config.authType path triggers ACTIONS_ID_TOKEN_*
  forwarding and that Azure/provider fields flow through correctly

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
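The precedence rules that the "Bonus fix" paragraph and the commit message's Changes list describe (config-file value over host env var in build-config, config-derived AWF_AUTH_* spread after the picked host vars, and ACTIONS_ID_TOKEN_REQUEST_* forwarded only when the resolved auth type is github-oidc), modelled as an added TypeScript illustration that is not the project's code. The type names, the three functions and the four auth fields modelled are assumptions chosen for the example; the env-var names are the ones the PR lists.

```typescript
// Added illustration, not the project's code: a model of the wiring layers the PR
// describes, using hypothetical names and only four of the apiProxy.auth fields.
type Env = Record<string, string | undefined>;
type AuthFileConfig = { type?: string; provider?: string; oidcAudience?: string; azureTenantId?: string };
type CliOptions = { authType?: string; authProvider?: string; authOidcAudience?: string; authAzureTenantId?: string };

// Layers 1 and 2: config-file field -> CLI option key. A schema field with no entry
// here is exactly the gap the PR closes: validated by the schema, then silently dropped.
const FILE_TO_OPTION: Record<keyof AuthFileConfig, keyof CliOptions> = {
  type: "authType",
  provider: "authProvider",
  oidcAudience: "authOidcAudience",
  azureTenantId: "authAzureTenantId",
};
// Layers 3 and 4: CLI option key -> AWF_AUTH_* variable handed to the api-proxy container.
const OPTION_TO_ENV: Record<keyof CliOptions, string> = {
  authType: "AWF_AUTH_TYPE",
  authProvider: "AWF_AUTH_PROVIDER",
  authOidcAudience: "AWF_AUTH_OIDC_AUDIENCE",
  authAzureTenantId: "AWF_AUTH_AZURE_TENANT_ID",
};

function mapFileConfigToOptions(auth: AuthFileConfig): CliOptions {
  const out: CliOptions = {};
  for (const fileKey of Object.keys(FILE_TO_OPTION) as (keyof AuthFileConfig)[]) {
    const v = auth[fileKey];
    if (v !== undefined) out[FILE_TO_OPTION[fileKey]] = v;
  }
  return out;
}

// build-config precedence: an explicit option wins; the host env var is only a fallback.
function resolveOptions(options: CliOptions, hostEnv: Env): CliOptions {
  const out: CliOptions = {};
  for (const optKey of Object.keys(OPTION_TO_ENV) as (keyof CliOptions)[]) {
    const v = options[optKey] || hostEnv[OPTION_TO_ENV[optKey]];
    if (v) out[optKey] = v;
  }
  return out;
}

// Container env: host AWF_AUTH_* vars are picked first and config-derived values are
// written after them, so a config-file value overrides the host. The GitHub OIDC runtime
// token variables are forwarded only when the resolved auth type is github-oidc.
function buildProxyEnv(config: CliOptions, hostEnv: Env): Record<string, string> {
  const env: Record<string, string> = {};
  for (const optKey of Object.keys(OPTION_TO_ENV) as (keyof CliOptions)[]) {
    const name = OPTION_TO_ENV[optKey];
    if (hostEnv[name]) env[name] = hostEnv[name] as string; // pickEnvVars step
    if (config[optKey]) env[name] = config[optKey] as string; // config spread after it
  }
  const normalizedAuthType = (config.authType ?? hostEnv["AWF_AUTH_TYPE"] ?? "").toLowerCase();
  if (normalizedAuthType === "github-oidc") {
    for (const name of ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"]) {
      if (hostEnv[name]) env[name] = hostEnv[name] as string;
    }
  }
  return env;
}
```

Before the fix, a config file setting only apiProxy.auth.type would leave normalizedAuthType empty and the OIDC token variables unforwarded; the last function shows the config-first check that closes that path.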
@lpcox lpcox marked this pull request as ready for review June 26, 2026 14:34
Copilot AI review requested due to automatic review settings June 26, 2026 14:34

Copilot AI left a comment

Contributor


Pull request overview

This PR fixes an end-to-end configuration wiring gap where many apiProxy.auth.* OIDC fields were accepted by the JSON schema but were not propagated through the config-file → CLI options → WrapperConfig → api-proxy container environment pipeline, resulting in silent runtime ignores. It also corrects OIDC runtime token forwarding so config-file–provided authType enables forwarding of ACTIONS_ID_TOKEN_REQUEST_*.

Changes:

  • Extend config-file parsing/mapping to include the previously-unwired apiProxy.auth.* OIDC fields.
  • Add the corresponding ApiProxyCredentialOptions fields and wire them into buildConfig() with AWF_AUTH_* env fallbacks.
  • Update api-proxy env generation to (a) use config.authType when deciding to forward GitHub OIDC runtime tokens and (b) pass through the new AWF_AUTH_* variables; add tests covering these paths.
Summary per file

| File | Description |
| --- | --- |
| src/types/api-proxy-credential-options.ts | Adds new typed option fields for OIDC auth configuration (mapped to AWF_AUTH_*). |
| src/services/api-proxy-service-oidc.test.ts | Adds tests for OIDC runtime token forwarding and config-driven AWF_AUTH_* env wiring. |
| src/services/api-proxy-env-config.ts | Ensures normalizedAuthType checks config.authType first; forwards OIDC config fields to api-proxy env. |
| src/config-file.ts | Extends AwfFileConfig and mapAwfFileConfigToCliOptions() to include OIDC auth fields from config file. |
| src/config-file-mapping.test.ts | Adds tests verifying config-file → CLI-option mapping for the new OIDC auth fields. |
| src/commands/build-config.ts | Wires new auth* fields into the resulting WrapperConfig, with AWF_AUTH_* env fallbacks. |

Review details


  • Files reviewed: 6/6 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread src/types/api-proxy-credential-options.ts Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-actions

Contributor Author

✅ Copilot review passed with no inline comments.

@github-actions[bot] Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

Contributor Author

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 98.24% | 98.28% | 📈 +0.04% |
| Statements | 98.17% | 98.21% | 📈 +0.04% |
| Functions | 99.53% | 99.53% | ➡️ +0.00% |
| Branches | 94.29% | 94.00% | 📉 -0.29% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/workdir-setup.ts | 92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

Smoke test comment posted and label added for PR #5559

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Smoke Claude passed

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Smoke Gemini completed. All facets verified. 💎

Smoke test completed with partial failures. Summary posted to PR #5559.

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

Contributor Author

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Contribution Check completed successfully!

Contribution guidelines review complete for PR #5559. The PR includes relevant tests, uses appropriate src/ test file organization, has a clear description, and does not appear to require additional documentation because the affected fields were already documented.

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 26, 2026

Contributor Author

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

Contributor Author

Smoke Test: Claude Engine

  • API check: ✅ PASS
  • gh check: ✅ PASS
  • File check: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for issue #5559 · 37.2 AIC · ⊞ 3.3K ·

@github-actions

Contributor Author

🔬 Smoke Test Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | |
| HTTP github.com | ⚠️ pre-step data unavailable (template vars not resolved) |
| File write/read | ⚠️ pre-step data unavailable (template vars not resolved) |

PR: fix: propagate apiProxy.auth OIDC config fields to all layers
Author: @github-actions[bot]

Overall: FAIL — pre-computed test data was not passed (workflow template variables unresolved)

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Contributor Author

🔐 Smoke Test: Copilot PAT — PASS

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | |
| GitHub.com HTTP | ✅ 200 |
| File write/read | |

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR by @github-actions[bot]

🔑 PAT report filed by Smoke Copilot PAT

@github-actions

Contributor Author

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

| Scenario | Result / Notes |
| --- | --- |
| Module Loading | otel.js loads; exports 14 symbols (startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled, + 7 internals); isEnabled() → true (file-fallback mode) |
| Test Suite | 39/39 tests pass (otel.test.js) — covers span creation, token attributes, parent context propagation, OTLP export, and graceful degradation |
| Env Var Forwarding | src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to the api-proxy container |
| Token Tracker Integration | onUsage callback present in token-tracker-http.js (lines 283/324); proxy-request.js wires startRequestSpan/setTokenAttributes/endSpan |
| OTEL Diagnostics | No live proxy run; module gracefully degrades to FileSpanExporter (/var/log/api-proxy/otel.jsonl) when no OTLP endpoint is configured |

All 5 scenarios pass. OTEL tracing integration is complete and functional.

📡 OTel tracing validated by Smoke OTel Tracing

@github-actions

Contributor Author

Smoke Test: Copilot BYOK ✅ PASS

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Test Results:

  • ✅ GitHub MCP connectivity
  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ File write/read
  • ✅ BYOK inference path

Mode: Direct BYOK
PR: #5559 - fix: propagate apiProxy.auth OIDC config fields

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Contributor Author

Smoke Test: Gemini Engine Validation

  • GitHub MCP Testing: ❌ (Tools not found)
  • GitHub.com Connectivity: ❌ (Connection failed)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

Contributor Author

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.17.0 | v22.23.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ALL_TESTS_PASSED=false — Python and Node.js versions differ between host and chroot environments. Label smoke-chroot was not applied.

Tested by Smoke Chroot

@github-actions

Contributor Author

@github-actions[bot] Smoke test results:

  • GitHub MCP: ✅
  • GitHub.com connectivity: ✅
  • File write/read test: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@github-actions

Contributor Author

Smoke test: PASS

Merged PRs:

  • test: fix stale assertions breaking npm test on main
  • Fix rootless firewall artifact permissions to prevent EACCES on upload

Queried PRs:

  • [WIP] Refactor run_chroot_command into sub-functions
  • fix: propagate apiProxy.auth OIDC config fields to all layers

Checks:

  • GitHub page title contains GitHub
  • Smoke-test file write/read ✅
  • npm ci && npm run build

Overall: PASS

🔮 The oracle has spoken through Smoke Codex

@github-actions

Contributor Author

🏗️ Build Test Suite Results

| Ecosystem | Project | Build/Install | Tests | Status |
| --- | --- | --- | --- | --- |
| Bun | elysia | | 1/1 passed | ✅ PASS |
| Bun | hono | | 1/1 passed | ✅ PASS |
| C++ | fmt | | N/A | ✅ PASS |
| C++ | json | | N/A | ✅ PASS |
| Deno | oak | N/A | 1/1 passed | ✅ PASS |
| Deno | std | N/A | 1/1 passed | ✅ PASS |
| .NET | hello-world | | N/A | ✅ PASS |
| .NET | json-parse | | N/A | ✅ PASS |
| Go | color | | 1/1 passed | ✅ PASS |
| Go | env | | 1/1 passed | ✅ PASS |
| Go | uuid | | 1/1 passed | ✅ PASS |
| Java | gson | | 1/1 passed | ✅ PASS |
| Java | caffeine | | 1/1 passed | ✅ PASS |
| Node.js | clsx | | All passed | ✅ PASS |
| Node.js | execa | | All passed | ✅ PASS |
| Node.js | p-limit | | All passed | ✅ PASS |
| Rust | fd | | 1/1 passed | ✅ PASS |
| Rust | zoxide | | 1/1 passed | ✅ PASS |

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5559 · 42.3 AIC · ⊞ 7.8K ·

@github-actions

Contributor Author

fix: propagate apiProxy.auth OIDC config fields to all layers

✅ MCP connectivity
✅ GitHub.com HTTP (200)
✅ File I/O
✅ BYOK inference

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

cc: @github-actions[bot]

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@github-actions

Contributor Author

Smoke Test Results

  • Redis (host.docker.internal:6379 → 172.17.0.1): ❌ no response (timeout)
  • PostgreSQL pg_isready (host.docker.internal:5432): ❌ no response
  • PostgreSQL SELECT 1: ❌ no response

host.docker.internal resolved to 172.17.0.1 but no services responded on ports 6379 or 5432.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit 989f8cd into main Jun 26, 2026
87 of 88 checks passed
@lpcox lpcox deleted the fix/propagate-auth-config-fields-6d286002669bbfb4 branch June 26, 2026 15:38
