Skip to content

[awf] api-proxy: COPILOT_API_KEY dummy-byok-key causes 10-100x premium request over-billing in v0.71 #2585

Description

@lpcox

Problem

In gh-aw v0.71+, the compiler injects COPILOT_API_KEY: dummy-byok-key-for-offline-mode into the lock file. This activates the BYOK detection path in the Copilot CLI, causing GitHub to bill every API call (both user-initiated and agent response turns) as a premium request — a 10-100x cost increase vs v0.68 where only user-initiated turns were billed.

Context

Original report: github/gh-aw#30324

Billing ratio shifted from ~0.07 (v0.68: only user turns billed) to ~1.0 (v0.71: all API calls billed). A related PR is in progress: #2571

Root Cause

The dummy BYOK key is required so the Copilot CLI allows custom MCP servers (standard mode blocks them via org policy). However, the key activates BYOK billing semantics where every API call counts as a premium request rather than only user-initiated turns.

Proposed Solution

In containers/api-proxy/, intercept or strip the COPILOT_API_KEY environment variable before it reaches the Copilot CLI billing path, while preserving MCP server permissioning. Alternatively, change the compiler to use a different mechanism (e.g., a dedicated env var) to unlock MCP server policy without triggering BYOK billing semantics.

Generated by Firewall Issue Dispatcher · ● 926.3K ·

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions