Skip to content

[Refactoring] Split containers/api-proxy/proxy-request.js into focused modules #5973

Description

@github-actions

Refactoring Opportunity

Summary

  • File: containers/api-proxy/proxy-request.js
  • Current size: 431 lines
  • Responsibilities identified: 5 distinct concerns

Evidence

The file's own JSDoc flags its security sensitivity: "Security note: proxyRequest is the credential injection path. Any change here should be reviewed carefully for header-injection and SSRF risks." Yet this credential-injection path currently bundles unrelated responsibilities together, making security audits harder.

Identified concern zones (confirmed via grep -n inspection):

Lines Concern
1-90 Imports + WebSocket proxy wiring (17 require calls)
97-122 Optional OTel tracing bootstrap (graceful no-op shim)
126-130 Retry/backoff constants (MODEL_NOT_SUPPORTED_RETRY_DELAYS_MS)
205-270 buildRequestHeaders() - header strip, inject, content-length fixup
271-333 sendUpstreamRequest() - raw HTTPS request dispatch
334-400 proxyRequest() - orchestration: guards, rate-limit, body transform, OTel span, retry, metrics

proxyRequest() is 65 lines with 7 parameters, making it difficult to test any single concern in isolation. Neighbouring files confirm the refactoring intent: proxy-error-handler.js notes it was "Extracted from proxy-request.js to isolate error handling" and proxy-guards.js notes it was "Separated from proxy-request.js so the guard decision path can be audited" - the same pattern should continue.

Proposed Split

containers/api-proxy/proxy-request.js (431 lines) could become:

  • containers/api-proxy/request-headers.js - buildRequestHeaders(), isValidRequestId(), header-strip logic (~80 lines)
  • containers/api-proxy/upstream-http.js - sendUpstreamRequest(), retry loop, backoff constants (~100 lines)
  • containers/api-proxy/proxy-request.js - proxyRequest() orchestrator using the above (~150 lines)

Affected Callers

grep -rn "require.*proxy-request" containers/

Current callers:

  • containers/api-proxy/server.js (production entry point)
  • containers/api-proxy/server.token-steering.test.js
  • containers/api-proxy/server.model-not-supported.test.js
  • containers/api-proxy/server.token-guards.test.js
  • containers/api-proxy/server.anthropic-beta.test.js

Effort Estimate

Medium

Benefits

  • Credential injection path becomes auditable in isolation
  • Header manipulation logic unit-testable independently from HTTP dispatch
  • Continues the extraction pattern established by proxy-error-handler.js and proxy-guards.js

Detected by Refactoring Scanner workflow. Run date: 2026-07-07

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Refactoring Opportunity Scanner · 151.9 AIC · ⊞ 6.7K ·

  • expires on Sep 5, 2026, 5:40 AM UTC

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions