Skip to content

refactor: eliminate duplicate provider env-var constants via JSON single source of truth#5869

Merged
lpcox merged 3 commits into
mainfrom
copilot/duplicate-env-var-constants
Jul 3, 2026
Merged

refactor: eliminate duplicate provider env-var constants via JSON single source of truth#5869
lpcox merged 3 commits into
mainfrom
copilot/duplicate-env-var-constants

Conversation

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

The 30 API proxy provider env-var constants (OPENAI_ENV, ANTHROPIC_ENV, GEMINI_ENV, COPILOT_ENV) were manually duplicated between src/api-proxy-env-constants.ts and containers/api-proxy/provider-env-constants.js. Drift between the two could silently break credential routing in the security-critical API proxy sidecar.

Changes

  • containers/api-proxy/provider-env-constants.json (new) — single authoritative definition of all four provider constant objects
  • containers/api-proxy/provider-env-constants.js — reduced to module.exports = require('./provider-env-constants.json')
  • src/api-proxy-env-constants.ts — replaces duplicated as const objects with a require() of the JSON; TypeScript infers literal string types from JSON, preserving the same type guarantees; OIDC mapping is unchanged
  • containers/api-proxy/Dockerfile — adds provider-env-constants.json to the explicit COPY list (the dockerfile-copy-coverage guard test enforces this)
  • src/api-proxy-env-constants-sync.test.ts — test description updated to reflect that parity is now structurally guaranteed rather than a checked invariant
// Before: 30+ lines of duplicated literals in both files
export const OPENAI_ENV = { KEY: 'OPENAI_API_KEY', ... } as const;

// After: single JSON load; JS sidecar does the same require('./provider-env-constants.json')
const _providerEnvConstants = require('../containers/api-proxy/provider-env-constants.json');
export const OPENAI_ENV = _providerEnvConstants.OPENAI_ENV;

Copilot AI changed the title [WIP] Fix duplicated environment variable constants in API proxy refactor: eliminate duplicate provider env-var constants via JSON single source of truth Jul 3, 2026
Copilot finished work on behalf of lpcox July 3, 2026 12:32
Copilot AI requested a review from lpcox July 3, 2026 12:32
@lpcox lpcox marked this pull request as ready for review July 3, 2026 12:35
Copilot AI review requested due to automatic review settings July 3, 2026 12:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors the API-proxy provider env-var constants to remove duplicated definitions between the TypeScript host code and the CommonJS API-proxy sidecar by introducing a single JSON source of truth, reducing drift risk in credential routing.

Changes:

  • Add containers/api-proxy/provider-env-constants.json as the authoritative mapping for provider env-var constant objects.
  • Simplify the sidecar’s provider-env-constants.js to re-export the JSON, and update the api-proxy Dockerfile to copy the new JSON into the image.
  • Update the host’s src/api-proxy-env-constants.ts to load the same JSON and re-export the constants; adjust the sync test description accordingly.
Show a summary per file
File Description
src/api-proxy-env-constants.ts Switches host constants to load/re-export from the shared JSON definition.
src/api-proxy-env-constants-sync.test.ts Updates the test description to reflect the new “shared JSON source” approach.
containers/api-proxy/provider-env-constants.json Introduces the shared provider env-var constants definition.
containers/api-proxy/provider-env-constants.js Reduces sidecar constants module to a JSON re-export.
containers/api-proxy/Dockerfile Ensures the new JSON file is included in the api-proxy image build context via explicit COPY.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread src/api-proxy-env-constants.ts Outdated
Comment on lines +7 to +20
// eslint-disable-next-line @typescript-eslint/no-require-imports
const _providerEnvConstants = require('../containers/api-proxy/provider-env-constants.json') as {
OPENAI_ENV: { KEY: string; TARGET: string; BASE_PATH: string; AUTH_HEADER: string };
ANTHROPIC_ENV: { KEY: string; TARGET: string; BASE_PATH: string; AUTH_HEADER: string };
GEMINI_ENV: { KEY: string; TARGET: string; BASE_PATH: string };
COPILOT_ENV: {
GITHUB_TOKEN: string;
PROVIDER_API_KEY: string;
PROVIDER_TYPE: string;
PROVIDER_BASE_URL: string;
API_TARGET: string;
API_BASE_PATH: string;
};
};
@lpcox

lpcox commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@copilot address review feedback

Addressed in a4691a2.

Copilot finished work on behalf of lpcox July 3, 2026 13:21
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5869 follows the applicable CONTRIBUTING.md guidelines based on the provided context; no comment needed.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.59% 98.63% 📈 +0.04%
Statements 98.52% 98.55% 📈 +0.03%
Functions 99.43% 99.43% ➡️ +0.00%
Branches 94.33% 94.33% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.0% → 94.8% (+1.74%) 93.0% → 94.8% (+1.74%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5869 · 55.7 AIC · ⊞ 5.8K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test (Direct BYOK → Azure OpenAI Foundry, o4-mini-aw)\n\n- MCP PR list: ✅\n- github.com connectivity: ✅\n- File I/O: ✅\n- BYOK inference: ✅\n\nOverall: PASS\n\ncc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is not reachable from this runner. Services are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK Mode ✅

  • ✅ BYOK inference working (direct mode via api-proxy → api.githubcopilot.com)
  • ✅ File I/O functional
  • ✅ Network connectivity (github.com HTTP 200)

Status: PASS

Running in direct BYOK mode with placeholder credentials. Inference requests routed through sidecar.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

refactor: eliminate duplicate provider env-var constants via JSON single source of truth
fix: drop workDir-adjacent chroot-home mount on split-fs sysroot
chore: fix 3 moderate CVEs via dep updates (2026-07-03)
✅ GitHub title check
✅ Build
Overall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔍 Smoke Test Results

Test Status
GitHub MCP connectivity ❌ (pre-step data unavailable)
GitHub.com HTTP ❌ (pre-step data unavailable)
File write/read ❌ (pre-step data unavailable)

Overall: FAILsmoke-data step outputs were not resolved (template vars unevaluated). The pre-agent step likely failed before this agent ran.

@lpcox — triggered on PR #5869

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth — PASS ✅

Test Result
GitHub MCP connectivity
GitHub.com HTTP connectivity
File write/read

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Overall: PASS

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Gemini Smoke Test Results

  • GitHub MCP Testing: ❌
  • GitHub.com Connectivity: ❌
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Details
  • Bun: elysia (add test) and hono (mul test) passed.
  • C++: fmt and json libraries built successfully with CMake + make.
  • Deno: oak and std tests passed (1 test each).
  • .NET: hello-world printed Hello, World!; json-parse parsed and printed JSON correctly.
  • Go: color, env, and uuid packages all passed with go test ./....
  • Java: gson and caffeine compiled and tested successfully with Maven (1 test each, BUILD SUCCESS).
  • Node.js: clsx, execa, and p-limit all reported All tests passed!.
  • Rust: fd and zoxide built and tested (1 test each, test result: ok).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5869 · 42.3 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔭 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Details
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite ✅ Pass 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration ✅ Pass onUsage callback present in token-tracker-http.js (line 324) as OTEL hook; onSpanEnd callback also wired for span completion
5. OTEL Diagnostics ⚠️ N/A CI logs inaccessible (403); when no OTLP endpoint is configured, FileSpanExporter writes spans to /var/log/api-proxy/otel.jsonl as local fallback

All verifiable scenarios passed. OTEL integration is functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Recent merged PRs: chore: fix 3 moderate CVEs via dep updates (2026-07-03); fix: drop workDir-adjacent chroot-home mount on split-fs sysroot. Tests: MCP ✅, GitHub.com ✅, file I/O ✅, BYOK inference ✅. Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra. Status: PASS. @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@lpcox lpcox merged commit 97309fb into main Jul 3, 2026
86 of 88 checks passed
@lpcox lpcox deleted the copilot/duplicate-env-var-constants branch July 3, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] API proxy env-var constants still duplicated across TypeScript and CommonJS modules

3 participants