refactor: split api-proxy-service.test.ts into focused test modules by Copilot · Pull Request #3299 · github/gh-aw-firewall

Copilot · 2026-05-17T15:58:42Z

src/services/api-proxy-service.test.ts had grown to 1,195 lines with 114 tests across 6+ distinct concern areas in a single flat describe block, making security-critical tests hard to locate and targeted CI runs noisy.

Changes

Deleted api-proxy-service.test.ts (1,195 lines)
Added api-proxy-service.test-utils.ts — exports shared mockNetworkConfigWithProxy constant
Added four focused test modules:

File	Concern
`api-proxy-service-config.test.ts`	Service existence, image selection, healthcheck, resource limits, agent env wiring
`api-proxy-service-key-isolation.test.ts`	Security: `ANTHROPIC_API_KEY` / `OPENAI_API_KEY` / `CODEX_API_KEY` / `GEMINI_API_KEY` non-leakage, with and without `envAll`
`api-proxy-service-rate-limit.test.ts`	Rate limiting, effective token guard, `maxRuns`, `agentTimeout`, OpenCode flag
`api-proxy-service-env-forwarding.test.ts`	OIDC, `AWF_ANTHROPIC_*`, OpenAI/Anthropic/Copilot/Gemini API target & base-path forwarding

Notes

jest.mock('execa', ...) and let mockConfig are intentionally kept per-file — Jest hoists jest.mock() before imports so the factory cannot reference variables from an imported module.
All 114 tests pass across the 4 new files, matching the original count exactly.
Jest discovers test files via glob (**/*.test.ts); no config changes needed.

Split 1,195-line monolithic test into four focused files + shared test-utils: - api-proxy-service-config.test.ts service config, image, healthcheck, limits - api-proxy-service-key-isolation.test.ts security: key non-leakage (ANTHROPIC/OPENAI/GEMINI) - api-proxy-service-rate-limit.test.ts rate limiting, token guard, max-runs, timeout - api-proxy-service-env-forwarding.test.ts OIDC, Anthropic, Copilot, Gemini env forwarding - api-proxy-service.test-utils.ts shared mockNetworkConfigWithProxy All 114 tests pass across 4 new files (same count as original).

github-actions · 2026-05-17T17:16:43Z

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ 401 (sandbox credential isolation)
GitHub.com HTTP	⚠️ template unresolved (pre-step data unavailable)
File write/read (`smoke-test-copilot-byok-25995852645.txt`)	✅
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PARTIAL — BYOK inference path works; GitHub MCP blocked by sandbox credential isolation (expected in this environment).

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-17T17:16:53Z

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ 401 Bad credentials
GitHub.com HTTP connectivity	❌ Template vars not expanded
File write/read	❌ Template vars not expanded

Overall: FAIL — Workflow template variables (${{ steps.smoke-data.outputs.* }}) were not substituted before agent execution. GitHub MCP tools returned 401 (unauthenticated).

cc @Copilot

📰 BREAKING: Report filed by Smoke Copilot

Copilot

Pull request overview

Refactors the api-proxy-service test suite by splitting an oversized monolithic test file into smaller, concern-focused Jest modules so that security-critical behaviors (like API key non-leakage) are easier to find and maintain.

Changes:

Adds a shared test fixture module exporting mockNetworkConfigWithProxy.
Splits tests into focused modules for service configuration, API key isolation (security), rate limiting/token-guard behavior, and env var forwarding.
Updates the remaining env-forwarding test module to use the shared network fixture and a clearer top-level describe label.

Show a summary per file

File	Description
src/services/api-proxy-service.test-utils.ts	Adds shared `mockNetworkConfigWithProxy` fixture used by the new test modules.
src/services/api-proxy-service-config.test.ts	Contains service existence/image/healthcheck/security limits and agent env wiring tests.
src/services/api-proxy-service-key-isolation.test.ts	Contains security-focused tests ensuring provider API keys don’t leak to the agent env (incl. `envAll`).
src/services/api-proxy-service-rate-limit.test.ts	Contains rate limiting + effective token guard/maxRuns/agentTimeout/OpenCode env wiring tests.
src/services/api-proxy-service-env-forwarding.test.ts	Removes unrelated tests from this module and re-centers it on env var forwarding, using shared proxy network config.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 5/5 changed files
Comments generated: 0

github-actions · 2026-05-17T17:17:11Z

Smoke Test Results

Test	Status
GitHub API (list PRs)	❌ FAIL — HTTP 401: Bad credentials
Playwright (github.com navigation)	✅ PASS — Title contains "GitHub"
File verify (smoke-test file)	✅ PASS — File exists and readable

Overall: FAIL (2/3 tests passed)

Note: GitHub API authentication issue detected in test environment. Playwright and file verification tests passed successfully.

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-17T17:18:23Z

Smoke Test

PRs: chore: recompile test-coverage-improver lock file; chore: run test coverage improver twice daily
❌ GitHub MCP / safeinputs-gh
✅ Playwright, file write/read, discussion lookup, build
❌ Tavily search
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-17T17:18:27Z

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.15.0	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

github-actions · 2026-05-17T17:18:43Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): The default ~/.m2 directory was owned by root (permissions issue in this runner environment). Maven was run with -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo to work around this; both projects compiled and tested successfully.

Generated by Build Test Suite for issue #3299 · ● 5.3M · ◷

github-actions · 2026-05-17T17:18:47Z

Smoke Test Results

Check	Result
Redis PING	❌ Timeout / no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Not attempted (pg_isready failed)

Overall: FAIL — host.docker.internal is not reachable from this runner environment. Service containers may not be configured or the host alias is unavailable.

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-05-17T17:19:05Z

Smoke Test Results

GitHub MCP Testing: ✅ (PRs chore: recompile test-coverage-improver lock file #3287, chore: run test coverage improver twice daily #3280)
GitHub.com Connectivity: ✅ (HTTP 200)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

Initial plan

98dc715

Copilot AI assigned Copilot and lpcox May 17, 2026

Copilot started work on behalf of lpcox May 17, 2026 15:58 View session

Copilot AI linked an issue May 17, 2026 that may be closed by this pull request

[Refactoring] Split api-proxy-service.test.ts into focused test modules #3297

Closed

Copilot AI changed the title ~~[WIP] Refactor api-proxy-service.test.ts into focused test modules~~ refactor: split api-proxy-service.test.ts into focused test modules May 17, 2026

Copilot finished work on behalf of lpcox May 17, 2026 16:06

Copilot AI requested a review from lpcox May 17, 2026 16:06

lpcox marked this pull request as ready for review May 17, 2026 17:14

lpcox requested a review from Mossaka as a code owner May 17, 2026 17:14

Copilot AI review requested due to automatic review settings May 17, 2026 17:14

Copilot started reviewing on behalf of lpcox May 17, 2026 17:15 View session

Copilot AI reviewed May 17, 2026

View reviewed changes

github-actions Bot added the build-test label May 17, 2026

github-actions Bot added the smoke-gemini label May 17, 2026

lpcox merged commit 7c9791a into main May 17, 2026
69 of 73 checks passed

lpcox deleted the copilot/refactor-split-api-proxy-service-tests branch May 17, 2026 18:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor: split api-proxy-service.test.ts into focused test modules#3299

refactor: split api-proxy-service.test.ts into focused test modules#3299
lpcox merged 2 commits into
mainfrom
copilot/refactor-split-api-proxy-service-tests

Copilot AI commented May 17, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

github-actions Bot commented May 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Notes

Uh oh!

github-actions Bot commented May 17, 2026

Smoke Test: Copilot BYOK (Offline) Mode

Uh oh!

github-actions Bot commented May 17, 2026

🔬 Smoke Test Results

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

github-actions Bot commented May 17, 2026

Smoke Test Results

Uh oh!

github-actions Bot commented May 17, 2026

Smoke Test

Uh oh!

github-actions Bot commented May 17, 2026

Chroot Version Comparison Results

Uh oh!

github-actions Bot commented May 17, 2026

🏗️ Build Test Suite Results

Uh oh!

github-actions Bot commented May 17, 2026

Smoke Test Results

Uh oh!

github-actions Bot commented May 17, 2026

Smoke Test Results

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented May 17, 2026 •

edited

Loading