refactor: split buildApiProxyBaseEnv into focused env-var builders#6033
Conversation
Extract seven focused sub-functions from the 157-line buildApiProxyBaseEnv monolith in
src/services/api-proxy-env-config.ts, each covering one distinct concern group:
- buildCredentialEnv(config) — API keys (OpenAI, Anthropic, Copilot, Gemini, Vertex)
- buildProviderRoutingEnv(config) — provider targets, GitHub enterprise URLs, platform type,
integration identity
- buildProxyRoutingEnv(networkConfig) — Squid HTTP_PROXY/HTTPS_PROXY/NO_PROXY
- buildOtelEnv() — OTEL endpoint, headers, service name, trace context
- buildRateLimitEnv(config) — AWF_RATE_LIMIT_* vars, token guards, run limits
- buildModelPolicyEnv(config) — model aliases, allowed/disallowed models, Anthropic cache,
token steering, diagnostic logging
- buildOidcEnv(config) — OIDC provider vars, GitHub Actions OIDC tokens,
custom auth headers
buildApiProxyBaseEnv is now a thin orchestrator that composes all seven builders.
All sub-functions are exported with @internal JSDoc and ts-prune-ignore-next for unit testing.
Add api-proxy-env-config.test.ts with 49 unit tests covering each sub-function in isolation.
Closes #6010
There was a problem hiding this comment.
Pull request overview
This PR refactors buildApiProxyBaseEnv() (a security-sensitive env assembly path for the api-proxy sidecar) by splitting it into smaller, concern-focused env-var builder functions and adds a new Jest test suite to validate each builder in isolation.
Changes:
- Split the previous monolithic env assembly into multiple focused builders (credentials, provider routing, proxy routing, OTEL, rate-limits, model policy, OIDC) and made
buildApiProxyBaseEnv()a thin orchestrator. - Added a new unit test file covering the new builders and the orchestrator composition.
Show a summary per file
| File | Description |
|---|---|
| src/services/api-proxy-env-config.ts | Refactors env construction into multiple smaller builder functions and composes them via a thin orchestrator. |
| src/services/api-proxy-env-config.test.ts | Adds new unit tests covering each builder and the orchestrator output. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 3
- Review effort level: Low
| * Builds API credential environment variables for the api-proxy sidecar. | ||
| * These keys are passed securely to the sidecar and are NOT visible to the agent container. | ||
| * @internal Exported for testing | ||
| */ | ||
| export function buildCredentialEnv(config: WrapperConfig): Record<string, string> { |
| export function buildOidcEnv(config: WrapperConfig): Record<string, string> { | ||
| const normalizedAuthType = (config.authType?.toLowerCase().trim()) || getLowerCaseProcessEnvValue('AWF_AUTH_TYPE') || ''; | ||
|
|
| it('sets AWF_AUTH_ANTHROPIC_TOKEN_URL when anthropicTokenUrl is configured', () => { | ||
| const env = buildOidcEnv({ ...baseConfig, workDir: '/tmp/awf-test', anthropicTokenUrl: 'https://auth.anthropic.com/token' }); | ||
| expect(env.AWF_AUTH_ANTHROPIC_TOKEN_URL).toBe('https://auth.anthropic.com/token'); | ||
| }); | ||
| }); |
|
@copilot address review feedback |
Addressed all three review points in commit
|
|
❌ Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed... |
|
✅ Smoke Claude passed |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
✅ Build Test Suite completed successfully! |
|
🔌 Smoke Services — All services reachable! ✅ |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
🚀 Security Guard has started processing this pull request |
|
✅ Contribution Check completed successfully! PR #6033 follows the applicable CONTRIBUTING.md guidelines: it has a clear description, adds focused tests for the refactor, keeps changes in src/services, and no documentation update appears necessary for the internal API-preserving change. |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
✅ Coverage Check PassedOverall Coverage
Coverage comparison generated by |
Smoke Test: Claude Engine Validation
Overall Result: PASS ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Gemini Engine Validation
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Smoke Test Results
Overall: cc Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔬 Smoke Test: Copilot PAT Auth
Overall: PASS 🎉 Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
GitHub MCP tool: ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔄 Smoke Test Results: Copilot BYOK (Direct) Mode
Status: PASS Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is fully functional — fan-out export via Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
buildApiProxyBaseEnv()insrc/services/api-proxy-env-config.tswas a 157-line function handling 10+ unrelated concern groups — a security-critical path where credential flow should be auditable in isolation.Changes
src/services/api-proxy-env-config.ts— extracted seven focused sub-functions, all@internal-exported for testability:buildCredentialEnv(config)— API keys for OpenAI, Anthropic, Copilot, Gemini, VertexbuildProviderRoutingEnv(config)— provider targets, GitHub enterprise URLs, platform type, integration identitybuildProxyRoutingEnv(networkConfig)— SquidHTTP_PROXY/HTTPS_PROXY/NO_PROXYbuildOtelEnv()— OTLP endpoint, headers, service name, trace context forwardingbuildRateLimitEnv(config)—AWF_RATE_LIMIT_*, token guards, run limits, agent timeoutbuildModelPolicyEnv(config)— model aliases, allowed/disallowed models, Anthropic cache, token steering, diagnosticsbuildOidcEnv(config)— OIDC provider vars, GitHub Actions runtime tokens, custom auth headersbuildApiProxyBaseEnvis now a thin orchestrator:Public API surface is unchanged — the sole external caller (
api-proxy-service-config.ts) required no modification.src/services/api-proxy-env-config.test.ts(new) — 49 unit tests covering each sub-function in isolation (credential isolation, proxy routing, OIDC conditional forwarding, rate limit omission, etc.).