refactor: reduce pid-tracker API surface and harden api-proxy startup retry handling

[Copilot]

Bug Fix

What was the bug?

• src/pid-tracker.ts exposed internal helper functions and an unused async entrypoint, creating unnecessary API surface in a security-critical module.
• Integration CI could fail when Docker Compose reported API proxy startup as container awf-api-proxy exited (1), which was not treated as a retryable transient startup failure.

How did you fix it?

• Reduced the public API to production-facing exports:
  • trackPidForPortSync
  • isPidTrackingAvailable
  • PidTrackResult type re-export
• Internalized helper parsing and /proc lookup functions.
• Removed the unused async trackPidForPort export/path.
• Updated pid-tracker tests to validate behavior via the public API only.
• Updated stale JSDoc for trackPidForPortSync to describe it as the public PID lookup entrypoint.
• Merged latest main into this branch and resolved conflicts while preserving this PR’s intended pid-tracker API-surface changes.
• Hardened container startup retry logic in src/container-lifecycle.ts to retry when API proxy startup failures are reported as either:
  • is unhealthy
  • exited (1)
• Updated lifecycle tests in src/docker-manager-lifecycle.test.ts to cover the exited (1) retry path and adjusted expected startup error messaging.

Testing

• npm run lint
• npm run build
• npm test
• Targeted pid-tracker test validation after feedback updates.
• Targeted lifecycle test validation (npm test -- src/docker-manager-lifecycle.test.ts) for retry behavior updates.

[Copilot]

Pull request overview

This PR tightens the security-critical pid-tracker module by reducing its exported API to only production-facing entrypoints, and updates tests to validate behavior strictly through that public surface.

Changes:

• Removed exports for internal /proc parsing and lookup helpers, and removed the unused async PID tracking entrypoint.
• Updated the module’s usage example to the sync-only API.
• Refactored pid-tracker unit tests to be black-box tests against trackPidForPortSync / isPidTrackingAvailable.

Show a summary per file

File	Description
src/pid-tracker.ts	Removes internal/helper exports and the unused async entrypoint; updates module example to the sync API.
src/pid-tracker.test.ts	Reworks tests to validate outcomes via the public API only, instead of importing internal helpers.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 1

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in commit 1d57cf3. Updated the trackPidForPortSync JSDoc in src/pid-tracker.ts to describe it as the public PID lookup entrypoint and removed the stale reference to the deleted async API.

[lpcox]

@copilot merge main

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	87.88%	87.91%	📈 +0.03%
Statements	87.83%	87.84%	📈 +0.01%
Functions	83.11%	83.08%	📉 -0.03%
Branches	79.88%	79.91%	📈 +0.03%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/pid-tracker.ts	97.6% → 96.1% (-1.51%)	96.6% → 93.9% (-2.72%)
src/container-lifecycle.ts	87.1% → 88.2% (+1.14%)	87.5% → 88.6% (+1.11%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	87.88%	87.92%	📈 +0.04%
Statements	87.83%	87.84%	📈 +0.01%
Functions	83.11%	83.08%	📉 -0.03%
Branches	79.88%	79.93%	📈 +0.05%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/pid-tracker.ts	97.6% → 96.1% (-1.51%)	96.6% → 93.9% (-2.72%)
src/container-lifecycle.ts	87.1% → 88.3% (+1.23%)	87.5% → 88.6% (+1.19%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	87.88%	87.94%	📈 +0.06%
Statements	87.83%	87.89%	📈 +0.06%
Functions	83.11%	83.08%	📉 -0.03%
Branches	79.88%	79.97%	📈 +0.09%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/pid-tracker.ts	97.6% → 97.4% (-0.21%)	96.6% → 96.3% (-0.28%)
src/container-lifecycle.ts	87.1% → 88.3% (+1.23%)	87.5% → 88.6% (+1.19%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

✅ Playwright: GitHub page loads, title contains "GitHub"
✅ File Operations: Test file created and verified
✅ Bash Verification: Content matches expected output
✅ Git History: Recent commits accessible

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ (401 - credential limitation in sandbox)
GitHub.com HTTP connectivity	⚠️ (pre-step data not injected)
File write/read (smoke-test-copilot-25703182436.txt)	✅

Overall: PARTIAL — File I/O test passed; MCP auth not available in this sandbox environment.

cc @lpcox

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK — by @lpcox

Test	Result
GitHub MCP connectivity	✅ (MCP configured)
GitHub.com connectivity	✅ (smoke pre-step passed)
File write/read	✅ (smoke-test-copilot-byok-25703182427.txt verified)
BYOK inference (api-proxy → api.githubcopilot.com)	✅ (responding now)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test

• GitHub PR review: ✅ fix(api-proxy): add missing JS modules to Dockerfile COPY; refactor: remove duplicate HTTP helpers from OidcTokenProvider
• safeinputs-gh PR query: ❌ tool unavailable
• Playwright GitHub title: ✅
• Tavily web search: ❌ no search tool exposed
• File/Bash/Build: ✅
• Discussion interaction: ❌ github-discussion-query unavailable
• Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2895 · ● 765.2K · ◷

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Timeout/no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Not attempted (pg_isready failed)

host.docker.internal is not reachable on ports 6379 or 5432 from this environment. Service containers may not be running or host.docker.internal DNS is not resolving.

🔌 Service connectivity validated by Smoke Services