Internalize unused provider session ID helper

[Copilot]

resolveProviderSessionId was exported from the API proxy env config module but had no external consumers. In a credential-handling path, keeping the helper public widened the module surface without adding value.

• What changed

  • Removed the public export from src/services/api-proxy-env-config.ts
  • Kept session ID resolution behavior unchanged for the existing internal call path in buildProviderTargetEnv

• Behavior coverage

  • Added a focused regression test on the public builder path to preserve coverage for normalized AWF_PROVIDER_SESSION_ID handling from process.env
  • This keeps the contract validated through the supported API instead of a helper-level export

• Before / after

  // before
  export function resolveProviderSessionId(config: WrapperConfig): string | undefined
  
  // after
  function resolveProviderSessionId(config: WrapperConfig): string | undefined

[Copilot]

Pull request overview

This PR reduces the public surface area of the API proxy env config module by making the resolveProviderSessionId helper internal, while preserving behavior via the supported buildProviderTargetEnv API and adding a regression test to lock in env normalization.

Changes:

• Removed the export from resolveProviderSessionId in src/services/api-proxy-env-config.ts (now module-private).
• Added a regression test ensuring AWF_PROVIDER_SESSION_ID read from process.env is trimmed when surfaced through buildProviderTargetEnv.

Show a summary per file

File	Description
src/services/api-proxy-env-config.ts	Internalizes resolveProviderSessionId while keeping buildProviderTargetEnv behavior unchanged.
src/services/api-proxy-service-split.test.ts	Adds regression coverage for trimming AWF_PROVIDER_SESSION_ID sourced from process.env.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0
• Review effort level: Low

[github-actions]

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

[github-actions]

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

[github-actions]

✅ Smoke Gemini completed. All facets verified. 💎

Smoke test completed with FAIL status due to connectivity issues.

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Contribution Check completed successfully!

Contribution guidelines review complete for PR #5680: changes are scoped, TypeScript style appears appropriate, tests cover the behavior, documentation updates are not needed for this internal-only change, the PR description is clear, and file organization is consistent.

[github-actions]

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

[github-actions]

🚀 Security Guard has started processing this pull request

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

[github-actions]

✅ Build Test Suite completed successfully!

[github-actions]

✅ Smoke Claude passed

[github-actions]

🔌 Smoke Services — All services reachable! ✅

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	98.16%	98.20%	📈 +0.04%
Statements	98.10%	98.13%	📈 +0.03%
Functions	99.54%	99.54%	➡️ +0.00%
Branches	94.14%	94.14%	➡️ +0.00%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/workdir-setup.ts	92.7% → 94.5% (+1.82%)	92.7% → 94.5% (+1.82%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🔥 Smoke Test: Copilot PAT — PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read	✅

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR: "Internalize unused provider session ID helper" — @Copilot (author), @lpcox (assignee)

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

✅ Smoke Test: Copilot BYOK (Direct) Mode — PASS

Test	Result
GitHub MCP	✅
GitHub.com Connectivity	✅
File Write/Read	✅
BYOK Inference	✅

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) → api-proxy sidecar → api.githubcopilot.com

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	⚠️ pre-step data not substituted
File write/read	⚠️ pre-step data not substituted

PR: Internalize unused provider session ID helper
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: ⚠️ PARTIAL — MCP connectivity confirmed; pre-step outputs were not injected into the workflow prompt, so HTTP and file tests could not be evaluated.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Claude Engine Validation

• API status: ✅ PASS
• gh check: ✅ PASS
• File status: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5680 · 36.1 AIC · ⊞ 6.1K · ◷

[github-actions]

@lpcox
PR titles: validated
MCP connectivity: ✅
github.com connectivity: ✅
file write/read: ✅
BYOK inference: ✅
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

• chore: upgrade gh-aw to v0.81.6 pre-release ✅
• [Test Coverage] add branch coverage for ssl-key-storage and config-writer ✅
• GitHub title check ✅
• File write/read ✅
• Build ❌ (npm not found)
• Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Runtime Version Comparison

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.17.0	v22.23.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments. Go matches. The chroot environment is using Ubuntu 22.04 system packages (Python 3.12.3, Node.js v22.x) while the host has newer versions installed.

Tested by Smoke Chroot

[github-actions]

@lpcox @Copilot
Remove unused buildProviderTargetEnv export from API proxy env config: ✅
Stop keyword leakage in api-proxy-env-constants export surface: ✅
GitHub.com connectivity: ✅
File I/O: ✅
BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

🔭 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Notes
1. Module Loading	✅ Pass	otel.js loads cleanly; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
2. Test Suite	✅ Pass	39/39 tests passed in otel.test.js — spans, attributes, parent context, export, serialization
3. Env Var Forwarding	✅ Pass	src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to api-proxy container
4. Token Tracker Integration	✅ Pass	onUsage callback exists in token-tracker-http.js (line 283); invoked after normalized usage extraction as OTEL hook point
5. OTEL Diagnostics	✅ Pass	No endpoint configured → falls back to FileSpanExporter (/var/log/api-proxy/otel.jsonl); graceful degradation confirmed — _enabled=false path returns no-op INVALID_SPAN_CONTEXT, no errors

All 5 scenarios pass. OTEL integration is healthy for this PR.

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5680 · 45.8 AIC · ⊞ 7.8K · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ Timeout (no connection to host.docker.internal:6379)
PostgreSQL pg_isready	❌ No response on host.docker.internal:5432
PostgreSQL SELECT 1	❌ Cannot connect

Overall: FAIL — Service containers are not reachable via host.docker.internal from this environment.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test: Gemini Engine Validation

GitHub MCP Testing: ✅

• chore: upgrade gh-aw to v0.81.6 pre-release (chore: upgrade gh-aw to v0.81.6 pre-release #5668)
• [Test Coverage] add branch coverage for ssl-key-storage and config-writer ([Test Coverage] add branch coverage for ssl-key-storage and config-writer #5667)

GitHub.com Connectivity: ❌ (Status: 400/SSL Error)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini