Skip to content

refactor(api-proxy): extract createProviderAuthScaffold to deduplicate provider adapter boilerplate#5760

Merged
lpcox merged 3 commits into
mainfrom
copilot/duplicate-auth-header-scaffolding
Jul 1, 2026
Merged

refactor(api-proxy): extract createProviderAuthScaffold to deduplicate provider adapter boilerplate#5760
lpcox merged 3 commits into
mainfrom
copilot/duplicate-auth-header-scaffolding

Conversation

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

All non-Copilot provider adapters (OpenAI, Anthropic, Gemini) independently repeated the same two-step security-sensitive boilerplate: reading credentials via createBaseAdapterConfig and extracting deps.bodyTransform || null. Consolidating this into a single helper reduces the number of places where credential env-var names are referenced directly.

Changes

  • adapter-factory.js — New createProviderAuthScaffold(env, deps, envVars) bundles createBaseAdapterConfig + bodyTransform extraction, returning { apiKey, rawTarget, basePath, bodyTransform }. Exported alongside existing helpers.

  • providers/gemini.js — Direct replacement; createBaseAdapterConfig import swapped for createProviderAuthScaffold.

  • providers/anthropic.js — Same replacement; bodyTransform destructured as depsBodyTransform since it's subsequently composed with optimisationsTransform.

  • providers/openai.js — Same replacement with renamed destructuring (apiKey: openaiApiKey etc.) to preserve the existing BYOK target/key override logic.

  • adapter-factory.test.js — 9 new unit tests covering env-var reading, default fallbacks, bodyTransform passthrough, null/undefined/omitted deps, whitespace trimming, and protocol prefix stripping.

// Before (repeated in every provider):
const { apiKey, rawTarget, basePath } = createBaseAdapterConfig(env, {
  keyEnvVar: GEMINI_ENV.KEY,
  targetEnvVar: GEMINI_ENV.TARGET,
  basePathEnvVar: GEMINI_ENV.BASE_PATH,
  defaultTarget: 'generativelanguage.googleapis.com',
});
const bodyTransform = deps.bodyTransform || null;

// After:
const { apiKey, rawTarget, basePath, bodyTransform } = createProviderAuthScaffold(env, deps, {
  keyEnvVar: GEMINI_ENV.KEY,
  targetEnvVar: GEMINI_ENV.TARGET,
  basePathEnvVar: GEMINI_ENV.BASE_PATH,
  defaultTarget: 'generativelanguage.googleapis.com',
});

Copilot AI changed the title [WIP] Refactor duplicated provider adapter auth-header scaffolding refactor(api-proxy): extract createProviderAuthScaffold to deduplicate provider adapter boilerplate Jul 1, 2026
Copilot AI requested a review from lpcox July 1, 2026 18:44
Copilot finished work on behalf of lpcox July 1, 2026 18:44
@lpcox lpcox requested a review from Copilot July 1, 2026 18:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the api-proxy provider adapters to reduce duplicated, security-sensitive credential boilerplate by introducing a shared helper (createProviderAuthScaffold) in adapter-factory.js. The change centralizes env-var credential/target/basePath reading (via existing createBaseAdapterConfig) and standardizes bodyTransform extraction across non-Copilot providers.

Changes:

  • Added createProviderAuthScaffold(env, deps, envVars) and exported it from adapter-factory.js.
  • Updated OpenAI, Anthropic, and Gemini provider adapters to use createProviderAuthScaffold instead of duplicating the same setup logic.
  • Added unit tests for createProviderAuthScaffold to cover env reading, defaults, normalization, and bodyTransform behavior.
Show a summary per file
File Description
containers/api-proxy/adapter-factory.js Adds createProviderAuthScaffold helper and exports it to dedupe adapter setup logic.
containers/api-proxy/providers/openai.js Switches OpenAI adapter to use the new helper while preserving BYOK/OIDC logic.
containers/api-proxy/providers/anthropic.js Switches Anthropic adapter to use the new helper and composes transforms using the returned value.
containers/api-proxy/providers/gemini.js Switches Gemini adapter to use the new helper and passes through bodyTransform.
containers/api-proxy/adapter-factory.test.js Adds unit tests for the new helper (env/defaults/normalization/bodyTransform).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +154 to +160
/**
* Bundle the repeated env-reading and deps-extraction boilerplate common to
* all non-Copilot provider adapters:
*
* createBaseAdapterConfig(env, envVars) → { apiKey, rawTarget, basePath }
* deps.bodyTransform || null → bodyTransform
*
Comment on lines +166 to +175
* @param {Record<string, string|undefined>} env - Environment variables
* @param {{ bodyTransform?: ((body: Buffer) => Buffer|null)|null }} [deps={}] - Injected dependencies
* @param {object} envVars
* @param {string} envVars.keyEnvVar - e.g. 'GEMINI_API_KEY'
* @param {string} envVars.targetEnvVar - e.g. 'GEMINI_API_TARGET'
* @param {string} envVars.basePathEnvVar - e.g. 'GEMINI_API_BASE_PATH'
* @param {string} envVars.defaultTarget - e.g. 'generativelanguage.googleapis.com'
* @returns {{ apiKey: string|undefined, rawTarget: string, basePath: string,
* bodyTransform: ((body: Buffer) => Buffer|null)|null }}
*/
@lpcox lpcox marked this pull request as ready for review July 1, 2026 19:19
@lpcox

lpcox commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Connectivity to github.com failed (SSL error 35). File test passed. PR listing pending.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

Contribution guidelines check complete for PR #5760: no important missing items found in the pre-fetched PR metadata, diffs, and CONTRIBUTING.md content. No comment needed.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@copilot address review feedback

Both JSDoc issues addressed in the latest commit:

  1. Inline example updated from deps.bodyTransform || nulldeps.bodyTransform ?? null to match the nullish-check implementation.
  2. bodyTransform type widened to ((body: Buffer) => (Buffer | null | Promise<Buffer | null>)) | null in both @param and @returns, aligning with body-handler.js:154 and proxy-request.js:332.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.65% 98.68% 📈 +0.03%
Statements 98.53% 98.57% 📈 +0.04%
Functions 99.55% 99.55% ➡️ +0.00%
Branches 94.46% 94.46% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot finished work on behalf of lpcox July 1, 2026 19:22
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test: Copilot PAT Auth — PR #5760

Test Result
GitHub MCP (list PRs) ✅ Connected — returned PR #5739
GitHub.com HTTP ❓ Template var unresolved
File write/read ❓ Template var unresolved

Overall: PARTIAL — MCP connectivity confirmed; pre-step outputs not interpolated.

Auth mode: PAT (COPILOT_GITHUB_TOKEN) | PR by @Copilot, assigned to @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
GH check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5760 · 30.1 AIC · ⊞ 6.1K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

Test Result
1. GitHub MCP connectivity
2. GitHub.com HTTP (200)
3. File write/read
4. BYOK inference path

Status: PASS
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) → api-proxy → api.githubcopilot.com

@lpcox

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

Test Result
GitHub MCP connectivity ✅ PASS
GitHub.com HTTP connectivity ⚠️ N/A (pre-step data not substituted)
File write/read ⚠️ N/A (pre-step data not substituted)

Overall: ⚠️ PARTIAL — MCP test passed; HTTP and file test data was not injected (template vars unresolved).

PR: refactor(api-proxy): extract createProviderAuthScaffold to deduplicate provider adapter boilerplate
Author: @Copilot · Assignees: @lpcox @Copilot

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ fix: sysroot filter should not drop workspace custom mounts
✅ fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind)
✅ GitHub title check
✅ File write/read check
✅ Build check
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.17.0 v22.23.0 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing — Results

Scenario Status Detail
Module Loading ✅ Pass otel.js loads successfully; exports 7 public functions: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
Test Suite ✅ Pass ~44 test cases across otel.test.js + otel-fanout.test.js covering spans, attributes, parent context propagation, exporters, and serialization
Env Var Forwarding ✅ Pass api-proxy-env-config.tsbuildApiProxyBaseEnv forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to the api-proxy container
Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js; setTokenAttributes + setBudgetAttributes are wired as the OTEL hook points
OTEL Diagnostics ✅ Pass (fallback) No OTLP endpoint configured in this run → FileSpanExporter gracefully writes spans to /var/log/api-proxy/otel.jsonl (expected degradation behavior)

Overall: All scenarios pass. OTEL tracing integration is complete and functioning correctly on PR #5760.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke test summary: FAIL. Connectivity error 35.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@lpcox @Copilot

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

GitHub MCP: fix: sysroot filter should not drop workspace custom mounts; fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind) ✅

GitHub.com connectivity: HTTP 200 ✅

File I/O: smoke-test ✅

BYOK inference: ✅

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File write/read test: ✅
  • BYOK inference test: ✅
    Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
    Overall status: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: GitHub Actions Services Connectivity

Check Result
Redis PING ❌ Timeout/no response
PostgreSQL pg_isready ❌ No response
PostgreSQL SELECT 1 ❌ Timeout/no response

Overall: FAILhost.docker.internal is not reachable from this environment. Service containers (Redis on :6379, PostgreSQL on :5432) did not respond.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Notes
  • Bun: Tests use bun:test built-in (no external deps needed)
  • C++: CMake build only (no test executables in these projects)
  • Deno: Downloaded std@0.208.0 assert module for tests
  • Java: Used -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo to work around runner's read-only ~/.m2 directory (owned by root)
  • Node.js: All projects use custom node test.js scripts (no external test framework)
  • Rust: No external crate dependencies; tests are pure unit tests

Generated by Build Test Suite for #5760 · 81.1 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit c8e990c into main Jul 1, 2026
23 checks passed
@lpcox lpcox deleted the copilot/duplicate-auth-header-scaffolding branch July 1, 2026 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] Provider adapter auth-header scaffolding repeated across API proxy providers

3 participants