You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Function in question: buildApiProxyBaseEnv() at lines 70–226 (157 lines)
Responsibilities identified: 10+ distinct concern groups in one function
Evidence
buildApiProxyBaseEnv() is a single 157-line function that builds a flat environment-variable record by concatenating 10+ named concern groups:
Line 74: API credentials (OpenAI, Anthropic, Copilot, Gemini, Vertex)
Line 80: Provider targets / GHES endpoint config
Line 85: GitHub enterprise context (GITHUB_SERVER_URL, GITHUB_API_URL, AWF_PLATFORM_TYPE)
Line 92: Integration identity (COPILOT_INTEGRATION_ID)
Line 107: Squid proxy routing (HTTP_PROXY, HTTPS_PROXY, NO_PROXY)
Line 114: OpenTelemetry / distributed tracing config
Line 127: Rate limiting config
Line 164: Model alias and policy config
Line 178: Anthropic prompt-cache optimizations
Line 196: OIDC authentication (Azure, AWS, GCP, Anthropic)
Line 210: Custom auth headers for internal AI gateways
This function is security-critical: it controls which API credentials flow to the api-proxy sidecar. A 157-line monolith makes credential flow harder to audit and test in isolation.
Proposed Split
src/services/api-proxy-env-config.ts could be refactored by extracting focused builders:
buildCredentialEnv(config) — API keys for OpenAI, Anthropic, Copilot, Gemini, Vertex
buildProviderRoutingEnv(config) — provider targets, GitHub enterprise URLs, platform type
Refactoring Opportunity
Summary
src/services/api-proxy-env-config.tsbuildApiProxyBaseEnv()at lines 70–226 (157 lines)Evidence
buildApiProxyBaseEnv()is a single 157-line function that builds a flat environment-variable record by concatenating 10+ named concern groups:This function is security-critical: it controls which API credentials flow to the api-proxy sidecar. A 157-line monolith makes credential flow harder to audit and test in isolation.
Proposed Split
src/services/api-proxy-env-config.tscould be refactored by extracting focused builders:buildCredentialEnv(config)— API keys for OpenAI, Anthropic, Copilot, Gemini, VertexbuildProviderRoutingEnv(config)— provider targets, GitHub enterprise URLs, platform typebuildProxyRoutingEnv(networkConfig)— Squid HTTP_PROXY / HTTPS_PROXY / NO_PROXYbuildOtelEnv()— OTEL endpoint, headers, service name, trace context forwardingbuildRateLimitEnv(config)— AWF_RATE_LIMIT_* varsbuildModelPolicyEnv(config)— model aliases, allowed/disallowed models, multipliersbuildOidcEnv(config)— OIDC provider vars, GitHub Actions OIDC tokens, Anthropic authbuildApiProxyBaseEnv(config, networkConfig)— thin orchestrator calling the aboveAffected Callers
Current callers:
src/services/api-proxy-service-config.ts:38— only external caller ofbuildApiProxyBaseEnvThe public API surface stays the same; only internal structure changes.
Effort Estimate
Low — extract sub-functions within the same file; no external callers to update.
Benefits
Detected by Refactoring Scanner workflow. Run date: 2026-07-08
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.