[WIP] Refactor API proxy secret-isolation tests to reduce duplicate code

[Copilot]

• Inspect duplicate env-mutation scaffolding in src/services/api-proxy-service-key-isolation.test.ts
• Run baseline checks (lint, build, test) before code changes
• Extract minimal local test helpers to centralize env var mutation/restoration and agent env lookup
• Refactor only duplicated API-proxy key-isolation cases to use the helper(s)
• Run targeted tests for the changed test file
• Run final verification (lint, build, test) and security scan
• Push updated progress and close issue [Duplicate Code] API proxy secret-isolation tests repeat env mutation scaffolding #5300

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	97.62%	97.66%	📈 +0.04%
Statements	97.56%	97.60%	📈 +0.04%
Functions	98.85%	98.85%	➡️ +0.00%
Branches	93.24%	93.27%	📈 +0.03%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/workdir-setup.ts	92.7% → 94.5% (+1.82%)	92.7% → 94.5% (+1.82%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Refactors the API-proxy secret-isolation Jest tests to reduce repeated process.env mutation/restoration and repeated Docker Compose env extraction, making it easier to add/maintain additional key-isolation cases consistently.

Changes:

• Added a local withEnvVar() helper to centralize env var mutation + restoration via try/finally.
• Added a local getAgentEnvironment() helper to centralize compose generation + agent env retrieval.
• Updated multiple API key isolation test cases (Anthropic/OpenAI/Codex, with/without envAll) to use the helpers.

Show a summary per file

File	Description
src/services/api-proxy-service-key-isolation.test.ts	Introduces local test helpers and refactors key-isolation cases to use them, reducing duplicated scaffolding.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 1

[lpcox]

@copilot address the review feedback and fix the pr title and summary

[Copilot]

@copilot address the review feedback and fix the pr title and summary

Addressed in 9c42a5f. The helper now returns NodeJS.ProcessEnv, and the remaining GITHUB_API_URL cases also use the shared helpers so missing env keys are typed correctly in the whole file.

[lpcox]

@copilot address the review feedback and fix the pr title and summary

[github-actions]

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

[github-actions]

🔌 Smoke Services — All services reachable! ✅

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

❌ Smoke Claude failed

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

[github-actions]

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

[github-actions]

✅ Build Test Suite completed successfully!

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

[github-actions]

🚀 Security Guard has started processing this pull request

[github-actions]

✅ Smoke Gemini completed. All facets verified. 💎

[github-actions]

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

[github-actions]

✅ Contribution Check completed successfully!

[github-actions]

🔥 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
github.com HTTP (200)	✅
File write/read	✅

PR: [WIP] Refactor API proxy secret-isolation tests to reduce duplicate code
Author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PASS ✅

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Direct) ✅

• ✅ MCP connectivity verified
• ✅ GitHub.com HTTP 200
• ✅ File write/read confirmed
• ✅ BYOK inference (api-proxy → api.githubcopilot.com) working

Status: PASS
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY via api-proxy sidecar)

@lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔥 Smoke Test: Copilot PAT — PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	✅ 200
File write/read	✅

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

CC @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

[WIP] Refactor API proxy secret-isolation tests to reduce duplicate code
chore: upgrade gh-aw to v0.80.6 and recompile workflows
[WIP] Refactor entrypoint.sh by extracting initialization phases into functions
✅ GitHub PR review/query
✅ GitHub CLI query
✅ GitHub.com title check
✅ File write/read
✅ Discussion comment
✅ Build
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

@Copilot @lpcox

• GitHub MCP Testing: ✅
• GitHub.com connectivity: ✅
• File Write/Read Test: ✅
• BYOK Inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

🔬 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Detail
Module Loading	✅	otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled (+ test internals)
Test Suite	✅	otel.test.js 39/39 passed · otel-fanout.test.js 20/20 passed — 59 total, 0 failures
Env Var Forwarding	✅	api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration	✅	onUsage callback present in token-tracker-http.js (line 324); onSpanEnd callback also wired as span completion hook
OTEL Diagnostics	✅	No span file at /var/log/api-proxy/otel.jsonl — expected (not running inside container); fallback FileSpanExporter activates when no OTLP endpoint is configured

All 5 scenarios pass. OTEL tracing integration is fully wired: module loads, tests pass, env vars are forwarded, token-tracker hooks exist, and graceful degradation is confirmed.

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Gemini Smoke Test Results

• PR Optimize security-guard token usage with pre-run relevance gating, lower turn cap, and leaner prompt context #2113: security-guard pre-run relevance gating
• PR Optimize security-guard Claude token usage via prompt cache alignment and smaller diff payloads #2085: security-guard prompt cache alignment

Test	Status
GitHub MCP Testing	✅
GitHub.com Connectivity	✅
File Writing Testing	✅
Bash Tool Testing	✅

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.16.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions matched.

Go versions are in sync, but Python and Node.js differ between the host and chroot environments. The chroot is running older versions (Python 3.12.3 vs 3.12.13, Node v22 vs v24).

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5305 · 150.5 AIC · ⊞ 7.7K · ◷

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Connection timed out / port closed
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Connection timed out

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 are unreachable. Service containers may not be running or are not bound to the Docker bridge interface.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

@Copilot @lpcox

• Refactor extract functions in token-parsers file: ✅
• Refactor to extract rule-setup phases into named bash functions: ✅
• GitHub.com connectivity: ✅
• File write/read: ✅
• BYOK inference: ✅
  Running in direct BYOK mode via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
  Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)