Skip to content

refactor: split workdir-setup.ts into focused single-responsibility modules#6034

Merged
lpcox merged 3 commits into
mainfrom
copilot/refactor-extract-responsibility-zones
Jul 9, 2026
Merged

refactor: split workdir-setup.ts into focused single-responsibility modules#6034
lpcox merged 3 commits into
mainfrom
copilot/refactor-extract-responsibility-zones

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

src/workdir-setup.ts (397 lines) conflated five distinct concerns — low-level FS utilities, chroot mount helpers, log directory setup, chroot home mounts, and work-directory orchestration — making it difficult to navigate and reason about independently.

Changes

  • src/fs-utils.ts (new, ~100 lines) — General-purpose filesystem primitives: ensureDirectory (with EACCES diagnostics), assertRealDirectory, createMissingOwnedDirectorySegments

  • src/log-directory-setup.ts (new, ~140 lines) — Log and session-state directory creation: prepareLogDirectories, pruneStaleMcpLogDirs, MCP_LOGS_MAX_AGE_MS

  • src/chroot-home-setup.ts (new, ~110 lines) — Chroot home bind-mount preparation: prepareChrootHomeMountpoint, prepareChrootHomeMounts

  • src/workdir-setup.ts (trimmed to ~50 lines) — Thin orchestrator delegating to the above; retains ensureInitSignalDir, prepareWorkDirectories, and the existing workdirSetupTestHelpers shape so no callers or tests required changes

// Before: one 397-line file handling everything
// After:
src/fs-utils.ts           ~100 lines  (reusable FS primitives)
src/log-directory-setup.ts ~140 lines  (log/state dirs + MCP pruning)
src/chroot-home-setup.ts   ~110 lines  (chroot home bind-mount prep)
src/workdir-setup.ts        ~50 lines  (orchestrator)

The public API (prepareWorkDirectories, ensureInitSignalDir, workdirSetupTestHelpers) is unchanged — workdir-setup.ts re-exports sub-module internals into the existing test-helper object for backward compatibility.

Split 397-line workdir-setup.ts into four focused modules:

- src/fs-utils.ts (~100 lines): ensureDirectory, assertRealDirectory,
  createMissingOwnedDirectorySegments — general-purpose, reusable
- src/log-directory-setup.ts (~140 lines): prepareLogDirectories,
  pruneStaleMcpLogDirs, MCP_LOGS_MAX_AGE_MS — log/session-state setup
- src/chroot-home-setup.ts (~110 lines): prepareChrootHomeMountpoint,
  prepareChrootHomeMounts — chroot bind-mount preparation
- src/workdir-setup.ts (~50 lines): thin orchestrator with
  ensureInitSignalDir, prepareWorkDirectories, and backward-compat
  workdirSetupTestHelpers re-exporting from sub-modules

All existing public API (prepareWorkDirectories, ensureInitSignalDir,
workdirSetupTestHelpers) remains unchanged — no test updates required.

Closes #6012
Copilot AI changed the title [WIP] Refactor workdir-setup.ts to extract distinct responsibility zones refactor: split workdir-setup.ts into focused single-responsibility modules Jul 9, 2026
Copilot finished work on behalf of lpcox July 9, 2026 02:49
Copilot AI requested a review from lpcox July 9, 2026 02:49
@lpcox lpcox marked this pull request as ready for review July 9, 2026 02:55
Copilot AI review requested due to automatic review settings July 9, 2026 02:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors src/workdir-setup.ts into smaller single-responsibility modules to make filesystem, log-directory, and chroot-home setup logic easier to navigate and test, while keeping the existing public API surface (prepareWorkDirectories, ensureInitSignalDir, workdirSetupTestHelpers) stable.

Changes:

  • Extracted reusable filesystem primitives into src/fs-utils.ts.
  • Moved log + session-state directory creation (including MCP log pruning) into src/log-directory-setup.ts.
  • Moved chroot-home bind-mount placeholder preparation into src/chroot-home-setup.ts, leaving src/workdir-setup.ts as an orchestrator.
Show a summary per file
File Description
src/workdir-setup.ts Reduced to a thin orchestrator and keeps test-helper re-exports for backward compatibility.
src/fs-utils.ts New module for directory creation/validation helpers used across setup.
src/log-directory-setup.ts New module encapsulating log/session directory creation and MCP log pruning.
src/chroot-home-setup.ts New module encapsulating chroot home and runner tool-cache mountpoint preparation.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread src/fs-utils.ts
Comment on lines +21 to +33
// Identify the blocking ancestor for actionable diagnostics.
// Default to the nearest existing ancestor (more actionable than a path that
// does not exist), and confirm with a W_OK|X_OK access check.
let blocker: string | null = null;
let current = path.resolve(dirPath);
while (current !== path.dirname(current)) {
if (fs.existsSync(current)) {
blocker = current;
try { fs.accessSync(current, fs.constants.W_OK | fs.constants.X_OK); } catch { /* confirmed blocker */ }
break;
}
current = path.dirname(current);
}
@lpcox

lpcox commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot address review feedback

Fixed in 14db06e.

ensureDirectory now walks up all existing ancestors and picks the first one that fails W_OK|X_OK as the blocker, only falling back to the nearest existing ancestor when every ancestor passes. The existing test that was asserting the old (incorrect) behaviour has been updated to reflect the new fallback semantics, and a new test covers the key scenario where the nearest existing ancestor is traversable but a higher-up ancestor is the real permission boundary.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Contribution Check failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Testing safeoutputs connectivity

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.98% 98.98% ➡️ +0.00%
Statements 98.94% 98.95% 📈 +0.01%
Functions 99.44% 99.44% ➡️ +0.00%
Branches 95.64% 95.61% 📉 -0.03%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 98.0% → 100.0% (+2.00%) 98.0% → 100.0% (+1.98%)
✨ New Files (3 files)
  • src/chroot-home-setup.ts: 100.0% lines
  • src/fs-utils.ts: 98.3% lines
  • src/log-directory-setup.ts: 96.2% lines

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot BYOK (Direct) Mode — PASS ✅

Test Result
1. File Write/Read
2. GitHub.com Connectivity ✅ (HTTP 200)
3. BYOK Inference Path
4. Direct BYOK Mode ✅ (api-proxy → api.githubcopilot.com)

Status: All tests passed. Running in direct BYOK mode with COPILOT_PROVIDER_API_KEY via api-proxy sidecar.

cc: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP connectivity ✅ (MCP reachable)
GitHub.com HTTP ⚠️ pre-step template unresolved
File write/read ⚠️ pre-step template unresolved

Overall: PARTIAL — workflow template variables were not substituted; pre-step outputs unavailable.

Auth mode: PAT (COPILOT_GITHUB_TOKEN) | /cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Gemini Engine Validation

  • GitHub MCP: ❌ (No tools available for read)
  • GitHub.com Connectivity: ❌ (HTTP 000)
  • File Writing: ✅
  • Bash Tool: ✅

PR Titles (from git log):

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test: Copilot Engine — PASS

Test Result
GitHub MCP Connectivity
GitHub.com HTTP
File Write/Read ✅ (smoke-test-copilot-28991364642.txt)

Overall: PASS 🟢

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke test: FAIL

  • Merged PRs: fix: use tag-only image ref in rootless permission repair; chore: upgrade gh-aw extension to v0.82.5 pre-release
  • GitHub title: ✅
  • Smoke file: ✅
  • Build: ✅
  • Discussion comment: ❌ (discussion writes unavailable here)
  • Overall: FAIL

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • ✅ Pre-fetched PR data validated
  • ✅ github.com connectivity (HTTP 200)
  • ✅ File write/read in sandbox
  • ✅ Direct BYOK inference path

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

/cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + helpers
2. Test Suite ✅ Pass 59/59 tests passed across otel.test.js + otel-fanout.test.js (2 test suites)
3. Env Var Forwarding ✅ Pass api-proxy-service.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration ✅ Pass onUsage callback present in token-tracker-http.js (lines 285, 343) as OTEL hook point
5. OTEL Diagnostics ✅ Pass Span export verified via InMemorySpanExporter in tests; graceful fallback to FileSpanExporter (/var/log/api-proxy/otel.jsonl) when no endpoint configured

All 5 scenarios pass. OTEL tracing integration is fully functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this sandbox. Services may not be running or network routing is not configured.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6034 · 35 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6034 · 69.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • MCP connectivity (pre-fetched PR data): ✅
  • GitHub.com connectivity: ✅
  • File write/read: ✅
  • Direct BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@lpcox lpcox merged commit 6c4a1ef into main Jul 9, 2026
86 of 88 checks passed
@lpcox lpcox deleted the copilot/refactor-extract-responsibility-zones branch July 9, 2026 03:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactoring] Extract distinct responsibility zones from workdir-setup.ts

3 participants