You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The file's own JSDoc flags its security sensitivity: "Security note: proxyRequest is the credential injection path. Any change here should be reviewed carefully for header-injection and SSRF risks." Yet this credential-injection path currently bundles unrelated responsibilities together, making security audits harder.
Identified concern zones (confirmed via grep -n inspection):
proxyRequest() is 65 lines with 7 parameters, making it difficult to test any single concern in isolation. Neighbouring files confirm the refactoring intent: proxy-error-handler.js notes it was "Extracted from proxy-request.js to isolate error handling" and proxy-guards.js notes it was "Separated from proxy-request.js so the guard decision path can be audited" - the same pattern should continue.
Proposed Split
containers/api-proxy/proxy-request.js (431 lines) could become:
Refactoring Opportunity
Summary
containers/api-proxy/proxy-request.jsEvidence
The file's own JSDoc flags its security sensitivity: "Security note: proxyRequest is the credential injection path. Any change here should be reviewed carefully for header-injection and SSRF risks." Yet this credential-injection path currently bundles unrelated responsibilities together, making security audits harder.
Identified concern zones (confirmed via
grep -ninspection):requirecalls)MODEL_NOT_SUPPORTED_RETRY_DELAYS_MS)buildRequestHeaders()- header strip, inject, content-length fixupsendUpstreamRequest()- raw HTTPS request dispatchproxyRequest()- orchestration: guards, rate-limit, body transform, OTel span, retry, metricsproxyRequest()is 65 lines with 7 parameters, making it difficult to test any single concern in isolation. Neighbouring files confirm the refactoring intent:proxy-error-handler.jsnotes it was "Extracted from proxy-request.js to isolate error handling" andproxy-guards.jsnotes it was "Separated from proxy-request.js so the guard decision path can be audited" - the same pattern should continue.Proposed Split
containers/api-proxy/proxy-request.js(431 lines) could become:containers/api-proxy/request-headers.js-buildRequestHeaders(),isValidRequestId(), header-strip logic (~80 lines)containers/api-proxy/upstream-http.js-sendUpstreamRequest(), retry loop, backoff constants (~100 lines)containers/api-proxy/proxy-request.js-proxyRequest()orchestrator using the above (~150 lines)Affected Callers
grep -rn "require.*proxy-request" containers/Current callers:
containers/api-proxy/server.js(production entry point)containers/api-proxy/server.token-steering.test.jscontainers/api-proxy/server.model-not-supported.test.jscontainers/api-proxy/server.token-guards.test.jscontainers/api-proxy/server.anthropic-beta.test.jsEffort Estimate
Medium
Benefits
proxy-error-handler.jsandproxy-guards.jsDetected by Refactoring Scanner workflow. Run date: 2026-07-07
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.