refactor(copilot): extract buildCopilotModelsRequest to deduplicate /models auth headers

[Copilot]

getValidationProbe and getModelsFetchConfig in copilot.js each independently constructed the same /models GET request object — identical URL, Authorization, and Copilot-Integration-Id headers — with no shared source of truth. Any drift (token prefix change, new header, auth mode change) would require matching edits in both places.

Changes

• Extracted buildCopilotModelsRequest(extra = {}) — a closure-scoped helper inside createCopilotAdapter that builds the standard /models GET request using githubToken and integrationId.
• Both call-sites replaced: getValidationProbe calls it with no args; getModelsFetchConfig passes { cacheKey: 'copilot' } as the extra spread.
• The BYOK branch in getModelsFetchConfig (uses apiKey, custom modelsPath) is left intentionally separate — it is a distinct auth mode, not a duplicate.

function buildCopilotModelsRequest(extra = {}) {
  return {
    url: `https://${rawTarget}/models`,
    opts: {
      method: 'GET',
      headers: {
        'Authorization': ['Bearer', githubToken].join(' '),
        'Copilot-Integration-Id': integrationId,
      },
    },
    ...extra,
  };
}

// getValidationProbe
return buildCopilotModelsRequest();

// getModelsFetchConfig (standard target)
return buildCopilotModelsRequest({ cacheKey: 'copilot' });

[Copilot]

Pull request overview

This PR refactors the Copilot API proxy provider to avoid duplicated construction of the Copilot /models request, reducing the risk of header/auth drift between validation and startup model-fetch behavior.

Changes:

• Extracted buildCopilotModelsRequest(extra = {}) inside createCopilotAdapter to build the standard /models GET request object.
• Updated getValidationProbe and the standard-target branch of getModelsFetchConfig to use the shared helper.
• Left the BYOK/custom provider branch intentionally separate.

Show a summary per file

File	Description
containers/api-proxy/providers/copilot.js	Deduplicates /models request construction by extracting a helper used by both validation probing and startup model-fetch config.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 1

[github-actions]

❌ Smoke Gemini reports failed. Facets need polishing...

[github-actions]

🔌 Smoke Services — Service connectivity failed ⚠️

[github-actions]

❌ Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed...

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

🔑 Smoke Copilot PAT reports failed. PAT auth path may have issues...

[github-actions]

❌ Contribution Check failed. Please review the logs for details.

[github-actions]

Chroot tests failed Smoke Chroot failed - See logs for details.

[github-actions]

Build Test Failed Build Test Suite - See logs for details

[github-actions]

📡 Smoke OTel Tracing reports failed. OTel tracing regression detected. ⚠️

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

❌ Smoke Copilot BYOK reports failed. BYOK mode investigation needed...

[github-actions]

❌ Smoke Claude failed

[github-actions]

❌ Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

[github-actions]

❌ Security Guard failed. Please review the logs for details.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

❌ Security Guard failed. Please review the logs for details.

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

✅ Smoke Claude passed

[github-actions]

🔥 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅ PASS
GitHub.com HTTP connectivity	⚠️ N/A (template vars not expanded)
File write/read	⚠️ N/A (template vars not expanded)

PR: refactor(copilot): extract buildCopilotModelsRequest to deduplicate /models auth headers
Author: @Copilot | Assignees: @lpcox @Copilot

Overall: PARTIAL PASS — MCP verified ✅; pre-step outputs unavailable (pipeline variable expansion issue).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔬 Smoke Test: Copilot PAT Auth — PR #5518

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP status	✅ 200
File write/read	⚠️ template vars unexpanded

Overall: PASS (2/2 verifiable tests passed; file test skipped due to unexpanded workflow variables)

PR: refactor(copilot): extract buildCopilotModelsRequest to deduplicate /models auth headers
Author: @Copilot · Assignees: @lpcox @Copilot
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Smoke Test: Claude Engine Validation

Check	Result
API Status	✅ PASS
GH Check	✅ PASS
File Status	✅ PASS

Overall Result: PASS

Generated by Smoke Claude for issue #5518 · 61.8 AIC · ⊞ 3.3K · ◷

[github-actions]

Smoke Test: Copilot BYOK
✅ GitHub MCP connectivity
✅ GitHub.com HTTP 200
✅ File write/read verified
✅ BYOK inference (api-proxy → api.githubcopilot.com)

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar.

Status: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

@lpcox @Copilot
refactor(api-proxy): extract guard enforcement into proxy-guards.js ✅
refactor(copilot): extract buildCopilotModelsRequest to deduplicate /models auth headers ✅
GitHub.com connectivity ✅
File write/read ✅
BYOK inference ✅
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5518 · 42.8 AIC · ⊞ 7.8K · ◷

[github-actions]

Merged PRs:

• refactor(api-proxy): extract sliding-window data structure into rate-limiter-window.js
• refactor: split agent-volumes-mounts.test.ts by feature area

✅ GitHub PR list
✅ GitHub title check
✅ temp file write/read
✅ discussion comment
✅ npm ci && npm run build

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Timeout (port 6379 unreachable)
PostgreSQL pg_isready	❌ No response (port 5432 unreachable)
PostgreSQL SELECT 1	❌ Not attempted (pg_isready failed)

host.docker.internal resolves to 172.17.0.1 but both service ports timed out. Service containers do not appear to be reachable from this runner environment.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

🔬 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Notes
1. Module Loading	✅ Pass	otel.js loads; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + test helpers
2. Test Suite	✅ Pass	59/59 tests passed across 2 suites (otel.test.js, otel-fanout.test.js)
3. Env Var Forwarding	✅ Pass	api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration	✅ Pass	onUsage callback present in token-tracker-http.js (line 324) as the OTEL hook point
5. OTEL Diagnostics	✅ Pass	No OTLP endpoint configured → graceful degradation to FileSpanExporter writing /var/log/api-proxy/otel.jsonl; isEnabled() returns true

All 5 scenarios pass. ✅

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Smoke test PASS for:

• refactor(api-proxy): extract guard enforcement into proxy-guards.js
• refactor(copilot): extract buildCopilotModelsRequest to deduplicate /models auth headers
  ✅ MCP connectivity
  ✅ github.com connectivity
  ✅ File I/O
  ✅ BYOK inference
  Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
  cc @lpcox @Copilot

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.17.0	v22.23.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results: Gemini\n- PR #5523: refactor(api-proxy): extract sliding-window data structure into rate-limiter-window.js ✅\n- PR #5522: refactor: split agent-volumes-mounts.test.ts by feature area ✅\n- GitHub.com Connectivity: 200 ✅\n- File Writing & Bash Tooling: Verified ✅\n\nOverall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini