Skip to content

Refactor api-proxy request path into auditable header and upstream modules#5996

Merged
lpcox merged 2 commits into
mainfrom
copilot/refactor-split-proxy-request-module
Jul 8, 2026
Merged

Refactor api-proxy request path into auditable header and upstream modules#5996
lpcox merged 2 commits into
mainfrom
copilot/refactor-split-proxy-request-module

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

containers/api-proxy/proxy-request.js had accumulated multiple security-sensitive concerns (header mutation, upstream dispatch, retry/backoff, orchestration) in one file, making review and targeted auditing harder. This PR continues the existing extraction pattern by isolating request-header and upstream transport logic into focused modules while preserving caller-facing behavior.

  • What changed

    • Header construction extractedcontainers/api-proxy/request-headers.js
      • Moved isValidRequestId() and buildRequestHeaders().
      • Keeps header strip/inject flow centralized (including x-request-id, Copilot x-initiator, content-length/transfer-encoding fixup, learned-header stripping).
    • Upstream HTTPS dispatch extractedcontainers/api-proxy/upstream-http.js
      • Moved upstream request execution and retry scheduling into createSendUpstreamRequest(...).
      • Retains MODEL_NOT_SUPPORTED_RETRY_DELAYS_MS and recursive retry behavior via injected dependencies.
    • Orchestrator simplifiedcontainers/api-proxy/proxy-request.js
      • proxyRequest() now coordinates body collection/transform, guard enforcement, header builder, and upstream sender using the new modules.
      • Existing exports/callers remain compatible.
    • Container packaging updated
      • Added request-headers.js and upstream-http.js to containers/api-proxy/Dockerfile COPY list.
  • Code shape after refactor (example)

// proxy-request.js
const { isValidRequestId, buildRequestHeaders } = require('./request-headers');
const { createSendUpstreamRequest } = require('./upstream-http');

const sendUpstreamRequest = createSendUpstreamRequest({
  https, proxyAgent, handleUpstreamResponse, sleep, otel, handleRequestError, metrics,
});

Copilot AI changed the title [WIP] Refactor proxy-request.js into focused modules Refactor api-proxy request path into auditable header and upstream modules Jul 7, 2026
Copilot finished work on behalf of lpcox July 7, 2026 22:27
Copilot AI requested a review from lpcox July 7, 2026 22:27
@lpcox lpcox marked this pull request as ready for review July 7, 2026 22:43
@lpcox lpcox requested a review from Copilot July 7, 2026 22:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the api-proxy’s HTTP request pipeline by extracting security-sensitive header construction and upstream HTTPS dispatch into dedicated modules, aiming to make auditing and future changes safer and more localized while preserving existing behavior.

Changes:

  • Extracted request header validation/building into request-headers.js (including strip/inject and content-length fixups).
  • Extracted upstream HTTPS request dispatch + model-not-supported backoff scheduling into upstream-http.js.
  • Updated the api-proxy Docker image packaging to include the newly introduced modules, and added focused unit tests for both extracted modules.
Show a summary per file
File Description
containers/api-proxy/upstream-http.js New module for upstream HTTPS request execution and retry scheduling.
containers/api-proxy/upstream-http.test.js Adds unit tests covering upstream dispatch and model-not-supported backoff path.
containers/api-proxy/request-headers.js New module centralizing request-id validation and upstream header construction/stripping.
containers/api-proxy/request-headers.test.js Adds unit tests covering request-id validation and header strip/inject behaviors.
containers/api-proxy/proxy-request.js Simplifies orchestrator by delegating header building and upstream sending to new modules.
containers/api-proxy/Dockerfile Extends COPY list to ensure the new runtime modules are included in the built image.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 6/6 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5996 follows the applicable CONTRIBUTING.md guidelines based on the provided metadata, diff, and contribution guide. No GitHub comment needed.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 99.00% ➡️ +0.00%
Statements 98.95% 98.95% ➡️ +0.00%
Functions 99.72% 99.72% ➡️ +0.00%
Branches 95.44% 95.41% 📉 -0.03%

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions github-actions Bot mentioned this pull request Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode ✅

Test Result
GitHub MCP Connectivity
GitHub.com HTTP Connectivity
File Write/Read
BYOK Inference (api-proxy → api.githubcopilot.com)

Overall Status: PASS

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar. Inference authenticated with real credential held by sidecar; agent only sees placeholder.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5996 · 35.1 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Result
GitHub MCP Connectivity
GitHub.com HTTP ✅ (200)
File Write/Read ⚠️ (template vars unresolved in workflow)

Overall: PASS — core connectivity verified.

@lpcox — smoke test complete on PR #5996.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAILhost.docker.internal (172.17.0.1) unreachable from this runner.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Gemini Engine Smoke Test Results

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Status
GitHub.com connectivity (HTTP 200)
GitHub MCP connectivity
File write/read ⚠️ (template vars unresolved in workflow)

Overall: PASS
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Refactor api-proxy request path into auditable header and upstream modules
feat: add build-tools to SHA digest pinning infrastructure
fix: add diagnostic EACCES guard to workdir setup

GitHub reads: ✅
Playwright title: ✅
File write: ✅
Build: ✅
Overall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Notes
Module Loading otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled (+ internal helpers). isEnabled() returns true when endpoint is configured, false otherwise.
Test Suite 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js — span creation, token attributes, parent context propagation, exporters (OTLP, File, FanOut), serialization, and shutdown all green.
Env Var Forwarding src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, and OTEL_SERVICE_NAME to the api-proxy container. Tests in agent-environment-credentials.test.ts verify this.
Token Tracker Integration onUsage callback exists in token-tracker-http.js as the OTEL hook point; proxy-request.js wires startRequestSpan/setTokenAttributes into the tracker.
OTEL Diagnostics No live spans exported (no OTLP endpoint in this run), but graceful degradation confirmed — module falls back to FileSpanExporter writing to /var/log/api-proxy/otel.jsonl when unconfigured.

All 5 scenarios pass. OTEL tracing integration is functional with 59 passing tests.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.18.0 v22.23.1
Go go1.22.12 go1.22.12

Overall: ❌ Not all versions matched — Python and Node.js versions differ between host and chroot environment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File write/read test: ✅
  • BYOK inference test: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5996 · 42.1 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit 5c20a1b into main Jul 8, 2026
85 of 91 checks passed
@lpcox lpcox deleted the copilot/refactor-split-proxy-request-module branch July 8, 2026 01:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactoring] Split containers/api-proxy/proxy-request.js into focused modules

3 participants