refactor: extract shared credential-isolation scaffold for API proxy providers #5870

Merged: lpcox merged 3 commits into main from copilot/duplicate-code-api-proxy-credential-isolation, Jul 3, 2026

Copilot AI commented Jul 3, 2026

Contributor

The four per-provider credential-env builders (openai, anthropic, copilot, gemini) each repeated the same security-critical flow: enabled guard → proxy URL construction → base-URL env injection → debug logging → placeholder credential merge. Drift here risks real API keys leaking into the agent environment or bypassing the sidecar.

Changes

  • New provider-credential-isolation.ts — exports buildProviderCredentialIsolationEnv(opts), a typed helper that owns the shared scaffold:

    • Enabled guard (returns {} when provider should not be proxied)
    • Proxy URL construction (http://<proxyIp>:<port>)
    • Base-URL env vars (one or more names → proxy URL, e.g. Gemini's dual GOOGLE_GEMINI_BASE_URL + GEMINI_API_BASE_URL)
    • Debug logging for proxy URL, optional target override, optional base-path override
    • Placeholder and extra-env merges
  • openai-credential-env.ts / anthropic-credential-env.ts / gemini-credential-env.ts — reduced to a single declarative buildProviderCredentialIsolationEnv call each; provider-specific comments preserved in place

  • copilot-credential-env.ts — calls the helper for the common scaffold; conditional BYOK placeholders (COPILOT_GITHUB_TOKEN, COPILOT_PROVIDER_API_KEY) and COPILOT_PROVIDER_WIRE_API remain as explicit post-processing on the returned object

Example

Before (repeated in each provider):

const proxyUrl = `http://${proxyIp}:${API_PROXY_PORTS.OPENAI}`;
const env: Record<string, string> = { OPENAI_BASE_URL: proxyUrl };
logger.debug(`OpenAI API will be proxied through sidecar at ${proxyUrl}`);
if (config.openaiApiTarget) logger.debug(`OpenAI API target overridden to: ${config.openaiApiTarget}`);
// ... repeat for every provider

After:

return buildProviderCredentialIsolationEnv({
  providerName: 'OpenAI',
  proxyIp,
  port: API_PROXY_PORTS.OPENAI,
  enabled: !!config.openaiApiKey,
  baseUrlVarNames: ['OPENAI_BASE_URL'],
  target: config.openaiApiTarget,
  basePath: config.openaiApiBasePath,
  placeholders: {
    OPENAI_API_KEY: 'sk-placeholder-for-api-proxy',
    CODEX_API_KEY: 'sk-placeholder-for-api-proxy',
  },
});
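
A sketch of the scaffold this description lists (enabled guard, proxy URL, base-URL variables, debug logging, merges), paired with an audit of the property the refactor protects: no real key in the agent environment and no base URL that skips the sidecar. This is an added example, not the project's code; `buildIsolationEnvSketch`, `auditAgentEnv`, `extraEnv`, `debug`, the merge order, and the sample key, address and port are assumptions.

```typescript
// Added sketch, not the project's code; extraEnv and debug are assumed names.
interface IsolationOpts {
  providerName: string;
  proxyIp: string;
  port: number;
  enabled: boolean;
  baseUrlVarNames: string[];
  target?: string;
  basePath?: string;
  placeholders?: Record<string, string>;
  extraEnv?: Record<string, string>;
  debug?: (msg: string) => void; // stands in for logger.debug
}

function buildIsolationEnvSketch(o: IsolationOpts): Record<string, string> {
  // Enabled guard: an unproxied provider contributes nothing to the agent env.
  if (!o.enabled) return {};
  const proxyUrl = `http://${o.proxyIp}:${o.port}`;
  const log = o.debug ?? ((_msg: string) => {});
  log(`${o.providerName} API will be proxied through sidecar at ${proxyUrl}`);
  if (o.target) log(`${o.providerName} API target overridden to: ${o.target}`);
  if (o.basePath) log(`${o.providerName} API base path overridden to: ${o.basePath}`);
  // Every base-URL variable the client may read points at the sidecar.
  const routing: Record<string, string> = {};
  for (const name of o.baseUrlVarNames) routing[name] = proxyUrl;
  // Assumed merge order: extras first, so they cannot redirect a base URL or replace a placeholder.
  return { ...(o.extraEnv ?? {}), ...routing, ...(o.placeholders ?? {}) };
}

// Audit of a finished agent env: no real secret value, every base URL equals the sidecar URL.
function auditAgentEnv(env: Record<string, string>, realSecrets: string[], baseUrlVarNames: string[], proxyUrl: string): string[] {
  const problems: string[] = [];
  for (const key of Object.keys(env)) {
    for (const secret of realSecrets) {
      if (secret !== '' && (env[key] ?? '').indexOf(secret) !== -1) problems.push(`secret value in ${key}`);
    }
  }
  for (const name of baseUrlVarNames) {
    if (env[name] !== proxyUrl) problems.push(`${name} bypasses sidecar`);
  }
  return problems;
}

// Constructed sample values: fake key, made-up sidecar address and port.
const REAL_KEY = 'sk-constructed-real-key-000';
const SIDECAR_URL = 'http://172.30.0.30:10000';
const isolatedEnv = buildIsolationEnvSketch({
  providerName: 'OpenAI', proxyIp: '172.30.0.30', port: 10000, enabled: true,
  baseUrlVarNames: ['OPENAI_BASE_URL'],
  placeholders: { OPENAI_API_KEY: 'sk-placeholder-for-api-proxy' },
  extraEnv: { OPENAI_BASE_URL: 'https://api.openai.com' }, // must not win the merge
});
// A drifted, hand-rolled env that forwards the real key and skips the sidecar.
const driftedEnv: Record<string, string> = { OPENAI_BASE_URL: 'https://api.openai.com', OPENAI_API_KEY: REAL_KEY };
```

Running `auditAgentEnv` over every provider's output in a unit test turns the leak and bypass risks named above into a failing assertion rather than a review-time catch.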

Copilot AI changed the title from "[WIP] Refactor repeated provider routing in credential builders" to "refactor: extract shared credential-isolation scaffold for API proxy providers" Jul 3, 2026
Copilot finished work on behalf of lpcox July 3, 2026 12:33
Copilot AI requested a review from lpcox July 3, 2026 12:33
@lpcox lpcox marked this pull request as ready for review July 3, 2026 12:35
Copilot AI review requested due to automatic review settings July 3, 2026 12:35

Copilot AI left a comment

Contributor

Pull request overview

This PR refactors the API-proxy “credential isolation” environment construction by extracting a shared helper (buildProviderCredentialIsolationEnv) and updating each provider-specific env builder to use the common scaffold. This reduces duplication in a security-sensitive area where drift could otherwise cause real credentials to leak into the agent container.

Changes:

  • Added buildProviderCredentialIsolationEnv(opts) to centralize: enabled guard, sidecar URL construction, base-url env injection, debug logging, and placeholder/extra-env merges.
  • Refactored OpenAI, Anthropic, and Gemini credential env builders into declarative calls to the shared helper.
  • Refactored Copilot to use the helper for the common scaffold while preserving BYOK-specific conditional masking and wire-API selection logic.

| File | Description |
| --- | --- |
| src/services/credentials/provider-credential-isolation.ts | New shared helper that builds sidecar-routing env + credential placeholders. |
| src/services/credentials/openai-credential-env.ts | Switched to helper-based scaffold for OpenAI proxy routing + placeholders. |
| src/services/credentials/anthropic-credential-env.ts | Switched to helper-based scaffold for Anthropic proxy routing + helper-script env. |
| src/services/credentials/gemini-credential-env.ts | Switched to helper-based scaffold for Gemini dual base-url vars + placeholder key. |
| src/services/credentials/copilot-credential-env.ts | Uses helper for common proxy routing; keeps BYOK masking + wire-API env logic as post-processing. |

Review details

  • Files reviewed: 5/5 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +47 to +49
const hasCopilotProviderApiKey = !!config.copilotProviderApiKey;
const hasCopilotProviderBaseUrl = !!config.copilotProviderBaseUrl || !!getConfigEnvValue(config, 'COPILOT_PROVIDER_BASE_URL');
if (!config.copilotGithubToken && !hasCopilotProviderApiKey && !hasCopilotProviderBaseUrl) {
return {};
}
const enabled = !!(config.copilotGithubToken || hasCopilotProviderApiKey || hasCopilotProviderBaseUrl);
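
Review bot: hasCopilotProviderApiKey on the first line reads only config.copilotProviderApiKey, while hasCopilotProviderBaseUrl on the next line also falls back to getConfigEnvValue(config, 'COPILOT_PROVIDER_BASE_URL'). If the key can arrive by the same route as the base URL, a key-only configuration hits the return {} guard and gets neither sidecar routing nor a placeholder; give the key the same getConfigEnvValue fallback for 'COPILOT_PROVIDER_API_KEY'. Separately, the guard and enabled evaluate the same predicate twice: compute enabled once and return {} when it is false, so the two conditions cannot drift apart.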
lpcox commented Jul 3, 2026

Collaborator

@copilot address review feedback

Copilot AI commented Jul 3, 2026

Contributor Author

@copilot address review feedback

Fixed in 9a41b25. hasCopilotProviderApiKey now uses getConfigEnvValue to detect COPILOT_PROVIDER_API_KEY from all input paths (--env, --env-file, --env-all), mirroring the existing pattern for hasCopilotProviderBaseUrl. Added a regression test covering the additionalEnv case.

Copilot finished work on behalf of lpcox July 3, 2026 13:08
github-actions Bot commented Jul 3, 2026

Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

github-actions Bot commented Jul 3, 2026

Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

github-actions Bot commented Jul 3, 2026

Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

github-actions Bot commented Jul 3, 2026

Contributor

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

github-actions Bot commented Jul 3, 2026

Contributor

🔌 Smoke Services — All services reachable! ✅

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Gemini completed. All facets verified. 💎

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Claude passed

github-actions Bot commented Jul 3, 2026

Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

github-actions Bot commented Jul 3, 2026

Contributor

Contribution Check completed successfully!

PR #5870 follows the applicable CONTRIBUTING.md guidelines; no contribution-guidelines comment needed.

github-actions Bot commented Jul 3, 2026

Contributor

🚀 Security Guard has started processing this pull request

github-actions Bot commented Jul 3, 2026

Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

github-actions Bot commented Jul 3, 2026

Contributor

Build Test Suite completed successfully!

github-actions Bot commented Jul 3, 2026

Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 98.59% | 98.62% | 📈 +0.03% |
| Statements | 98.52% | 98.55% | 📈 +0.03% |
| Functions | 99.43% | 99.43% | ➡️ +0.00% |
| Branches | 94.33% | 94.31% | 📉 -0.02% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/workdir-setup.ts | 93.0% → 94.8% (+1.74%) | 93.0% → 94.8% (+1.74%) |

✨ New Files (1 files)

  • src/services/credentials/provider-credential-isolation.ts: 100.0% lines

Coverage comparison generated by scripts/ci/compare-coverage.ts

github-actions Bot commented Jul 3, 2026

Contributor

🧪 Smoke Test: PAT Auth — PASS

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | |
| GitHub.com HTTP | ✅ 200 |
| File write/read | |

Overall: PASS — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test: Claude Engine Validation

| Check | Result |
| --- | --- |
| API Status | ✅ PASS |
| GH Check | ✅ PASS |
| File Status | ✅ PASS |

Overall Result: PASS

Generated by Smoke Claude for #5870 · 35.6 AIC · ⊞ 5.8K ·
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test: Copilot BYOK (Direct) — Azure OpenAI (Foundry)

  • MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File write/read: ✅
  • BYOK inference: ✅

Running in direct BYOK mode via API proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

cc @lpcox

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test: Copilot BYOK (Direct) Mode

✅ GitHub MCP testing
✅ github.com connectivity (HTTP 200)
✅ File write/read test
✅ BYOK inference path (api-proxy → api.githubcopilot.com)

Status: PASS

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

🔥 Smoke Test Results

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | |
| GitHub.com HTTP | ✅ 200 |
| File write/read | ⚠️ pre-step template vars unexpanded |

Overall: PASS (core connectivity verified)

Author: @lpcox

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test Results

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAIL

host.docker.internal (172.17.0.1) is unreachable from this runner. Services are not accessible.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

Smoke Test Results

  • GitHub MCP Testing: ❌
  • GitHub.com Connectivity: ❌ (HTTP 000)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

📡 Smoke Test: API Proxy OpenTelemetry Tracing

| Scenario | Result | Notes |
| --- | --- | --- |
| 1. Module Loading | | otel.js loaded; isEnabled: true; exports: startRequestSpan, setTokenAttributes, endSpan, etc. |
| 2. Test Suite | | 59/59 tests passed across 2 suites |
| 3. Env Var Forwarding | ⚠️ | OTEL_EXPORTER_OTLP_ENDPOINT not yet in api-proxy-service.ts (expected during development) |
| 4. Token Tracker Integration | | token-tracker-http.js has onUsage callback |
| 5. OTEL Diagnostics | ⚠️ | No span file found at runtime path (api-proxy OTEL not yet active in sandbox) |

All scenarios pass or are expected-pending during development. ✅

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 3, 2026
github-actions Bot commented Jul 3, 2026

Contributor

🏗️ Build Test Suite Results

| Ecosystem | Project | Build/Install | Tests | Status |
| --- | --- | --- | --- | --- |
| Bun | elysia | | 1/1 passed | ✅ PASS |
| Bun | hono | | 1/1 passed | ✅ PASS |
| C++ | fmt | | N/A | ✅ PASS |
| C++ | json | | N/A | ✅ PASS |
| Deno | oak | N/A | 1/1 passed | ✅ PASS |
| Deno | std | N/A | 1/1 passed | ✅ PASS |
| .NET | hello-world | | N/A | ✅ PASS |
| .NET | json-parse | | N/A | ✅ PASS |
| Go | color | | 1/1 passed | ✅ PASS |
| Go | env | | 1/1 passed | ✅ PASS |
| Go | uuid | | 1/1 passed | ✅ PASS |
| Java | gson | | 1/1 passed | ✅ PASS |
| Java | caffeine | | 1/1 passed | ✅ PASS |
| Node.js | clsx | | All passed | ✅ PASS |
| Node.js | execa | | All passed | ✅ PASS |
| Node.js | p-limit | | All passed | ✅ PASS |
| Rust | fd | | 1/1 passed | ✅ PASS |
| Rust | zoxide | | 1/1 passed | ✅ PASS |

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5870 · 34.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Contributor

@lpcox

${{ steps.smoke-data.outputs.SMOKE_PR_DATA }}

  • GitHub MCP Testing: ✅
  • GitHub.com Connectivity: ✅
  • File Write/Read Test: ✅
  • BYOK Inference Test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall status: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@lpcox lpcox merged commit dccd45c into main Jul 3, 2026
85 of 88 checks passed
@lpcox lpcox deleted the copilot/duplicate-code-api-proxy-credential-isolation branch July 3, 2026 14:51

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] API proxy credential-isolation env builders repeat provider routing scaffolding