Refactor Copilot provider into focused BYOK and auth modules

[Copilot]

containers/api-proxy/providers/copilot.js had accumulated multiple unrelated concerns: BYOK parsing/injection, credential resolution, endpoint derivation, fallback policy, and adapter wiring. This change extracts the reusable helper logic into focused modules so the provider entrypoint stays centered on adapter assembly.

• Module split

  • Added containers/api-proxy/providers/copilot-byok.js for:
    • BYOK extra header parsing
    • BYOK extra body field parsing
    • body field injection
    • Copilot placeholder token sentinel
  • Added containers/api-proxy/providers/copilot-auth.js for:
    • bearer/token normalization
    • BYOK vs GitHub token resolution
    • Copilot/GitHub target derivation
    • GitHub API base-path derivation
    • Copilot model fallback policy

• Copilot adapter stays focused

  • Reduced containers/api-proxy/providers/copilot.js to adapter composition and request behavior
  • Kept existing adapter semantics intact:
    • BYOK header/body injection
    • session ID propagation
    • /models OAuth handling
    • validation/model-fetch wiring

• Caller updates

  • containers/api-proxy/model-config.js now imports getCopilotModelFallbackPolicy from copilot-auth.js
  • tests that accessed Copilot internals now import from the focused helper modules rather than the adapter file

• Example

  const { getCopilotModelFallbackPolicy } = require('./providers/copilot-auth');
  const { createCopilotAdapter } = require('./providers/copilot');

This keeps the public adapter entrypoint unchanged for provider construction while making the BYOK and auth/target logic independently consumable and easier to review.

[github-actions]

Smoke Test: Copilot BYOK (Direct) — Run #27028423285

Test	Result
GitHub MCP connectivity	✅ PR list fetched
GitHub.com connectivity	✅
File write/read	✅ /tmp/gh-aw/agent/smoke-test-copilot-byok-27028423285.txt verified
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

PR: Refactor Copilot provider into focused BYOK and auth modules by @Copilot, assignees: @lpcox @Copilot

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test: Claude

• ✅ GitHub API: 2 PR entries found
• ✅ GitHub check: playwright_check PASS
• ✅ File verify: smoke-test file present

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke test results:

• [awf] Close ARC/DinD zero-config gaps for chroot identity, DinD staging, and MCP Docker host propagation ✅
• Refactor Copilot provider into focused BYOK and auth modules ✅
  Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅ (smoke-test-copilot-27028423287.txt)

Overall: PASS

PR: Refactor Copilot provider into focused BYOK and auth modules — authored by @Copilot, assigned to @lpcox and @Copilot.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Gemini Engine Smoke Test Results

• GitHub MCP Testing: ❌ (mcpscripts command not found)
• GitHub.com Connectivity: ❌ (HTTP 400/SSL error via Squid)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🔭 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Notes
1. Module Loading	✅ Pass	otel.js loads; isEnabled()=true; exports startRequestSpan, setTokenAttributes, endSpan, endSpanError, shutdown, isEnabled + internal test helpers
2. Test Suite	✅ Pass	33/33 tests passed in otel.test.js (0 failures)
3. Env Var Forwarding	✅ Pass	api-proxy-service-config.ts forwards OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to api-proxy container
4. Token Tracker Integration	✅ Pass	onUsage callback exists in token-tracker-http.js (line 268); onSpanEnd also present — both serve as OTEL hook points
5. OTEL Diagnostics	✅ Pass (expected)	No OTLP endpoint in test env → FileSpanExporter active (writes to /var/log/api-proxy/otel.jsonl); graceful degradation confirmed

All 5 scenarios passed. The OTEL tracing integration is healthy on this PR.

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.16.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions matched. Go matches but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4394 · sonnet46 1.1M · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING (host.docker.internal:6379)	❌ timeout / no response
PostgreSQL pg_isready (host.docker.internal:5432)	❌ no response
PostgreSQL SELECT 1	❌ no response

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 are unreachable. Services also not present on 127.0.0.1.

Overall: ❌ FAIL

🔌 Service connectivity validated by Smoke Services

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[lpcox]

@copilot review pr and then implemented the recomended fixes

[Copilot]

@copilot review pr and then implemented the recomended fixes

Reviewed the PR changes in commit 794e0e7 and reran the API-proxy test suite (906 tests). I didn’t find any actionable bugs or security regressions to fix, so no additional code changes were needed.