Skip to content

[Refactoring] Split buildApiProxyBaseEnv() into focused env-var builders #6010

Description

@github-actions

Refactoring Opportunity

Summary

  • File: src/services/api-proxy-env-config.ts
  • Current size: 226 lines
  • Function in question: buildApiProxyBaseEnv() at lines 70–226 (157 lines)
  • Responsibilities identified: 10+ distinct concern groups in one function

Evidence

buildApiProxyBaseEnv() is a single 157-line function that builds a flat environment-variable record by concatenating 10+ named concern groups:

Line  74: API credentials (OpenAI, Anthropic, Copilot, Gemini, Vertex)
Line  80: Provider targets / GHES endpoint config
Line  85: GitHub enterprise context (GITHUB_SERVER_URL, GITHUB_API_URL, AWF_PLATFORM_TYPE)
Line  92: Integration identity (COPILOT_INTEGRATION_ID)
Line 107: Squid proxy routing (HTTP_PROXY, HTTPS_PROXY, NO_PROXY)
Line 114: OpenTelemetry / distributed tracing config
Line 127: Rate limiting config
Line 164: Model alias and policy config
Line 178: Anthropic prompt-cache optimizations
Line 196: OIDC authentication (Azure, AWS, GCP, Anthropic)
Line 210: Custom auth headers for internal AI gateways

This function is security-critical: it controls which API credentials flow to the api-proxy sidecar. A 157-line monolith makes credential flow harder to audit and test in isolation.

Proposed Split

src/services/api-proxy-env-config.ts could be refactored by extracting focused builders:

  • buildCredentialEnv(config) — API keys for OpenAI, Anthropic, Copilot, Gemini, Vertex
  • buildProviderRoutingEnv(config) — provider targets, GitHub enterprise URLs, platform type
  • buildProxyRoutingEnv(networkConfig) — Squid HTTP_PROXY / HTTPS_PROXY / NO_PROXY
  • buildOtelEnv() — OTEL endpoint, headers, service name, trace context forwarding
  • buildRateLimitEnv(config) — AWF_RATE_LIMIT_* vars
  • buildModelPolicyEnv(config) — model aliases, allowed/disallowed models, multipliers
  • buildOidcEnv(config) — OIDC provider vars, GitHub Actions OIDC tokens, Anthropic auth
  • buildApiProxyBaseEnv(config, networkConfig) — thin orchestrator calling the above

Affected Callers

grep -rn "buildApiProxyBaseEnv\|buildProviderTargetEnv" src/ --include="*.ts"

Current callers:

  • src/services/api-proxy-service-config.ts:38 — only external caller of buildApiProxyBaseEnv

The public API surface stays the same; only internal structure changes.

Effort Estimate

Low — extract sub-functions within the same file; no external callers to update.

Benefits

  • Each credential/config category is auditable in isolation
  • Easier to add new providers without reading 157 lines
  • Enables focused unit tests per env group (OIDC vars, OTEL vars, etc.)
  • Reduces risk of accidentally forwarding a secret to the wrong env group

Detected by Refactoring Scanner workflow. Run date: 2026-07-08

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Refactoring Opportunity Scanner · 186.6 AIC · ⊞ 6.7K ·

  • expires on Sep 6, 2026, 5:32 AM UTC

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions