Skip to content

Add host/sidecar parity guard for API proxy provider env constants#5837

Merged
lpcox merged 2 commits into
mainfrom
copilot/duplicate-code-api-proxy-env-vars
Jul 3, 2026
Merged

Add host/sidecar parity guard for API proxy provider env constants#5837
lpcox merged 2 commits into
mainfrom
copilot/duplicate-code-api-proxy-env-vars

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Provider env-var names for API proxy adapters were maintained in parallel in TypeScript and CommonJS, creating a drift risk in credential forwarding and target routing. This change introduces an explicit parity guard so mismatches fail fast in CI rather than surfacing as runtime auth/routing regressions.

  • Parity enforcement across TS and sidecar JS

    • Added src/api-proxy-env-constants-sync.test.ts to assert exact equality of OPENAI_ENV, ANTHROPIC_ENV, GEMINI_ENV, and COPILOT_ENV between:
      • src/api-proxy-env-constants.ts
      • containers/api-proxy/provider-env-constants.js
  • Source-of-truth wording cleanup

    • Updated file headers in both constants files to remove conflicting “single source of truth” language and point to the parity test as the synchronization mechanism.
expect(providerEnvConstants.OPENAI_ENV).toEqual(OPENAI_ENV);
expect(providerEnvConstants.ANTHROPIC_ENV).toEqual(ANTHROPIC_ENV);
expect(providerEnvConstants.GEMINI_ENV).toEqual(GEMINI_ENV);
expect(providerEnvConstants.COPILOT_ENV).toEqual(COPILOT_ENV);

Copilot AI changed the title [WIP] Refactor duplicate API proxy provider env-var constants Add host/sidecar parity guard for API proxy provider env constants Jul 2, 2026
Copilot finished work on behalf of lpcox July 2, 2026 23:45
Copilot AI requested a review from lpcox July 2, 2026 23:45
@lpcox lpcox marked this pull request as ready for review July 3, 2026 01:41
Copilot AI review requested due to automatic review settings July 3, 2026 01:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces drift risk between host TypeScript and API-proxy sidecar CommonJS provider environment-variable constants by adding a Jest parity test that fails CI when the two constant sets diverge, and by updating file headers to point at that enforcement mechanism.

Changes:

  • Added a Jest test to assert OPENAI_ENV, ANTHROPIC_ENV, GEMINI_ENV, and COPILOT_ENV match exactly between host TS and sidecar JS.
  • Updated header comments in both constants files to remove conflicting “source of truth” wording and reference the new parity test.
Show a summary per file
File Description
src/api-proxy-env-constants.ts Updates header comment to clarify synchronization is enforced via parity test.
src/api-proxy-env-constants-sync.test.ts Adds Jest test that asserts exact equality of provider env-constant objects across TS/JS.
containers/api-proxy/provider-env-constants.js Updates header comment to align with parity-test enforcement approach.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Gemini Engine Validation complete. Status: FAIL. Connectivity failed (000). MCP tools missing. File creation and verification passed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR follows the applicable CONTRIBUTING.md guidelines; no contribution-guidelines comment needed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.62% 98.66% 📈 +0.04%
Statements 98.51% 98.55% 📈 +0.04%
Functions 99.56% 99.56% ➡️ +0.00%
Branches 94.42% 94.42% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.0% → 94.8% (+1.74%) 93.0% → 94.8% (+1.74%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP
File write/read

Overall: PASS 🎉

Author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode — PASS

  • MCP connectivity: ✅
  • GitHub.com HTTP 200: ✅
  • File write/read: ✅
  • BYOK inference path: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5837 · 35.6 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) unreachable from this runner environment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke test results:\n- Add host/sidecar parity guard for API proxy provider env constants: ✅\n- Deduplicate provider auth header construction across runtime, validation, and model fetch paths: ✅\n- GitHub PR query: ✅\n- Playwright title check: ✅\n- Smoke file write/read: ✅\n- Build: ✅\nOverall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke test result: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5837 · 39.1 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

# Scenario Result Detail
1 Module Loading ✅ Pass otel.js loads cleanly; isEnabled: true; exports 14 symbols (startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled, plus internal helpers)
2 Test Suite ✅ Pass 59/59 tests pass across 2 suites (otel.test.js, otel-fanout.test.js)
3 Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts (lines 114–124) forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID to the container
4 Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js (line 283); invoked at line 324 as OTEL hook point
5 OTEL Diagnostics i️ Expected No spans exported (no live LLM calls in this run); FileSpanExporter fallback configured at /var/log/api-proxy/otel.jsonl

All scenarios pass or are expected-pending. OTEL tracing integration is fully implemented and tested.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

  • PR Titles: ${{ steps.smoke-data.outputs.SMOKE_PR_DATA }}
  • GitHub MCP Testing: ✅
  • GitHub.com Connectivity: ✅
  • File Write/Read Test: ✅
  • BYOK Inference Test: ✅

Overall: PASS

@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@lpcox
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Merged PR titles: ${{ steps.smoke-data.outputs.SMOKE_PR_DATA }}

  1. GitHub MCP: ✅
  2. GitHub.com: ✅
  3. File I/O: ✅
  4. BYOK inference: ✅
    Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@lpcox lpcox merged commit 055ece5 into main Jul 3, 2026
86 of 90 checks passed
@lpcox lpcox deleted the copilot/duplicate-code-api-proxy-env-vars branch July 3, 2026 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment