refactor(api-proxy): extract guard enforcement into proxy-guards.js#5520

Merged
lpcox merged 2 commits into main from copilot/refactor-guard-enforcement-logic
Jun 25, 2026
Copilot AI commented Jun 25, 2026

proxy-request.js mixed quota/token guard enforcement with proxy orchestration, making the guard decision path harder to audit and test in isolation.

Changes

  • New containers/api-proxy/proxy-guards.js: Extracts sendGuardBlockedResponse and enforceGuards from proxy-request.js, along with the extractModelFromBody helper they depend on. Imports directly from the existing ./guards/ sub-modules. Includes graceful-degradation stub for optional otel, matching the pattern in the rest of the proxy.

  • proxy-request.js (−~100 lines): Removes the extracted functions and their exclusive imports (buildCommonGuardChecks, writeBlockedRequestDiag). Guard state getters/builders shared with proxyWebSocket remain. Adds require('./proxy-guards') for enforceGuards.

  • Dockerfile: Adds proxy-guards.js to the COPY list — required since the image copies source files individually; omitting it would trigger the graceful-degradation stubs and silently break guard enforcement at runtime.

// proxy-request.js — before
const { buildCommonGuardChecks } = require('./guards/common-guard-checks');
const { writeBlockedRequestDiag } = require('./blocked-request-diagnostics');
// ... enforceGuards + sendGuardBlockedResponse defined here (~100 lines)

// proxy-request.js — after
const { enforceGuards } = require('./proxy-guards');
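
The Dockerfile point above can be enforced mechanically. The following is an added example, not code from this PR or the project: it lists local modules that are `require()`'d but never named in a shell-form `COPY`. The module names come from the PR text; the Dockerfile body, base image and function names are assumptions constructed for illustration.

```javascript
'use strict';
// Added example (not project code): list local modules that are require()'d
// but never copied by a Dockerfile that copies source files one by one.

// Relative require('./x') targets; sub-directory imports map to their top directory.
function localRequires(source) {
  const deps = new Set();
  for (const m of source.matchAll(/require\(\s*['"]\.\/([^'"]+)['"]\s*\)/g)) {
    const [head, ...rest] = m[1].split('/');
    deps.add(rest.length ? head : head.endsWith('.js') ? head : `${head}.js`);
  }
  return deps;
}

// Sources named by shell-form COPY lines (JSON-form COPY is not handled here).
function copiedSources(dockerfile) {
  const copied = new Set();
  for (const line of dockerfile.replace(/\\\r?\n/g, ' ').split(/\r?\n/)) {
    const [instr, ...args] = line.trim().split(/\s+/);
    if (instr.toUpperCase() !== 'COPY') continue;
    if (args.some((a) => a.startsWith('--from='))) continue; // copied from another stage
    const paths = args.filter((a) => !a.startsWith('--')).slice(0, -1); // drop destination
    for (const p of paths) copied.add(p.replace(/^\.\//, '').replace(/\/$/, ''));
  }
  return copied;
}

function missingFromImage(sources, dockerfile) {
  const copied = copiedSources(dockerfile);
  const missing = new Set();
  for (const text of Object.values(sources)) {
    for (const dep of localRequires(text)) if (!copied.has(dep)) missing.add(dep);
  }
  return [...missing].sort();
}

// Constructed inputs: module names come from the PR text, the Dockerfile body is invented.
const SAMPLE_SOURCES = {
  'proxy-request.js': "const { enforceGuards } = require('./proxy-guards');",
  'proxy-guards.js': "const { buildCommonGuardChecks } = require('./guards/common-guard-checks');\n" +
    "const { writeBlockedRequestDiag } = require('./blocked-request-diagnostics');",
};
const DOCKERFILE_BEFORE = ['FROM node:22-alpine', 'COPY package.json ./',
  'COPY proxy-request.js blocked-request-diagnostics.js \\', '     otel.js ./',
  'COPY guards/ ./guards/'].join('\n');
const DOCKERFILE_AFTER = `${DOCKERFILE_BEFORE}\nCOPY proxy-guards.js ./`;

console.log(missingFromImage(SAMPLE_SOURCES, DOCKERFILE_BEFORE));
console.log(missingFromImage(SAMPLE_SOURCES, DOCKERFILE_AFTER));
```

Run as a CI step, a non-empty result fails the build before an image ships with a guard module missing.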

Copilot AI changed the title [WIP] Refactor extract guard-enforcement logic into proxy-guards.js refactor(api-proxy): extract guard enforcement into proxy-guards.js Jun 25, 2026
Copilot finished work on behalf of lpcox June 25, 2026 14:51
Copilot AI requested a review from lpcox June 25, 2026 14:51
@lpcox lpcox marked this pull request as ready for review June 25, 2026 14:55
Copilot AI review requested due to automatic review settings June 25, 2026 14:55

Copilot AI left a comment

Pull request overview

This PR refactors the API proxy’s HTTP guard enforcement by moving the guard decision and blocked-response logic out of proxy-request.js into a dedicated proxy-guards.js module, making the enforcement path easier to audit and independently test without changing behavior.

Changes:

  • Extracted enforceGuards, sendGuardBlockedResponse, and extractModelFromBody into new containers/api-proxy/proxy-guards.js.
  • Updated proxy-request.js to call the extracted enforceGuards() during the HTTP request flow.
  • Added proxy-guards.js to the api-proxy Docker image COPY list to ensure it’s bundled at runtime.
| File | Description |
| --- | --- |
| containers/api-proxy/proxy-request.js | Replaces in-file guard enforcement with enforceGuards() imported from proxy-guards.js. |
| containers/api-proxy/proxy-guards.js | New module encapsulating HTTP guard evaluation and blocked-response/diagnostic emission. |
| containers/api-proxy/Dockerfile | Ensures proxy-guards.js is copied into the image alongside other individually-copied modules. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 0

@github-actions

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jun 25, 2026

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jun 25, 2026

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jun 25, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 25, 2026

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 25, 2026

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 25, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 25, 2026

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 25, 2026

Smoke Claude passed

@github-actions

github-actions Bot commented Jun 25, 2026

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 25, 2026

Contribution Check completed successfully!

Contribution guidelines review complete: PR #5520 follows the applicable CONTRIBUTING.md guidelines, so no PR comment was needed.

@github-actions

github-actions Bot commented Jun 25, 2026

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 25, 2026

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jun 25, 2026

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 25, 2026

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

Smoke Test: Claude Engine Validation

  • API check: ✅ PASS
  • gh check: ✅ PASS
  • File check: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for issue #5520 · 61.4 AIC · ⊞ 3.3K ·

@github-actions

🔍 Smoke Test: Copilot PAT Auth — PR #5520

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read ⚠️ template vars unresolved

Overall: PASS (MCP + HTTP confirmed; file test skipped due to unresolved workflow template variables)

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR: "refactor(api-proxy): extract guard enforcement into proxy-guards.js" — author @Copilot, assignees @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT

@github-actions

🔬 Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

PR: refactor(api-proxy): extract guard enforcement into proxy-guards.js
Author: @Copilot | Assignees: @lpcox @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Smoke Test: Copilot BYOK (Direct) Mode ✅

Direct BYOK Mode: COPILOT_PROVIDER_API_KEY → api-proxy sidecar → api.githubcopilot.com

Test Result
GitHub MCP Connectivity
GitHub.com HTTP (200)
File Write/Read
BYOK Inference Path

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Detail
1. Module Loading otel.js loads cleanly; exports 7 public functions: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite 39 passed, 0 failed (otel.test.js)
3. Env Var Forwarding api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration onUsage callback present in finalizeHttpTracking() (token-tracker-http.js:324); invoked as the OTEL hook point before span end
5. OTEL Diagnostics ℹ️ No OTLP endpoint configured in sandbox — graceful degradation active; spans written to FileSpanExporter fallback (/var/log/api-proxy/otel.jsonl)

Overall: All scenarios pass. The proxy-guards.js refactor in this PR does not affect OTEL tracing paths.

📡 OTel tracing validated by Smoke OTel Tracing

@github-actions

🧪 Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python 3.12.13 3.12.3
Node.js v24.17.0 v22.23.0
Go go1.22.12 go1.22.12

Overall: ❌ Tests did not pass — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

Smoke test summary for #5520:

  • Merged PRs reviewed: #5523 refactor(api-proxy): extract sliding-window data structure into rate-limiter-window.js
  • Merged PRs reviewed: #5522 refactor: split agent-volumes-mounts.test.ts by feature area
  • GitHub query ✅
  • GitHub Discussions query ✅
  • Playwright GitHub title check ✅
  • Smoke file write/read ✅
  • npm ci && npm run build

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5520 · 48.6 AIC · ⊞ 7.8K ·

@github-actions

Smoke Test Results

  • GitHub MCP Testing: ❌ (Failed to fetch PR titles; mcpscripts not found)
  • GitHub.com Connectivity: ❌ (Failed with exit code 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

Smoke Test Results

  • Redis PING (host.docker.internal:6379): ❌ timeout — port unreachable
  • PostgreSQL pg_isready (host.docker.internal:5432): ❌ no response
  • PostgreSQL SELECT 1: ❌ no response (pg_isready failed)

host.docker.internal resolves to 172.17.0.1 but both ports timed out. GitHub Actions service containers appear not to be running or not reachable from this sandbox.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

@github-actions

@Copilot @lpcox

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry)

  • refactor(api-proxy): extract guard enforcement into proxy-guards.js ✅
  • test: shared port-spec fixture to keep TypeScript and shell validators in sync ✅
  • HTTP github.com connectivity ✅
  • File I/O in agent container ✅
  • Running in direct BYOK mode via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) ✅

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@github-actions

cc @lpcox @Copilot

GitHub MCP Testing: ✅
github.com Connectivity: ✅
File Write/Read Test: ✅
BYOK Inference Test: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Status: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@lpcox lpcox merged commit 1e3b8dd into main Jun 25, 2026
89 of 91 checks passed
@lpcox lpcox deleted the copilot/refactor-guard-enforcement-logic branch June 25, 2026 17:23