refactor: extract provider env var constants to a shared module

[Copilot]

The API proxy provider env var matrix (*_API_KEY, *_API_TARGET, *_API_BASE_PATH, auth-header overrides) was duplicated as string literals in both the TypeScript host wrapper and the JS container provider adapters — creating drift risk when adding or renaming provider settings.

Changes

• containers/api-proxy/provider-env-constants.js (new) — CommonJS source of truth for the container side; exports OPENAI_ENV, ANTHROPIC_ENV, GEMINI_ENV, COPILOT_ENV objects
• src/api-proxy-env-constants.ts (new) — TypeScript mirror (as const) for the host wrapper side
• providers/{openai,anthropic,gemini,copilot}.js — import and use constants instead of inline string literals in createBaseAdapterConfig calls and direct env.* accesses
• src/commands/build-config.ts — replace process.env.OPENAI_API_KEY etc. with process.env[OPENAI_ENV.KEY]
• src/services/api-proxy-service-config.ts — use constants for both key-forwarding and target/base-path env var names

Before:

// openai.js
createBaseAdapterConfig(env, {
  keyEnvVar: 'OPENAI_API_KEY',
  targetEnvVar: 'OPENAI_API_TARGET',
  basePathEnvVar: 'OPENAI_API_BASE_PATH',
});
validateAuthHeaderEnv('AWF_OPENAI_AUTH_HEADER', env.AWF_OPENAI_AUTH_HEADER);

After:

const { OPENAI_ENV } = require('../provider-env-constants');
createBaseAdapterConfig(env, {
  keyEnvVar: OPENAI_ENV.KEY,
  targetEnvVar: OPENAI_ENV.TARGET,
  basePathEnvVar: OPENAI_ENV.BASE_PATH,
});
validateAuthHeaderEnv(OPENAI_ENV.AUTH_HEADER, env[OPENAI_ENV.AUTH_HEADER]);

The two constants files (JS and TS) need to be kept in sync — both carry a comment pointing to their counterpart.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	97.57%	97.61%	📈 +0.04%
Statements	97.50%	97.54%	📈 +0.04%
Functions	98.84%	98.84%	➡️ +0.00%
Branches	92.95%	92.98%	📈 +0.03%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/commands/build-config.ts	92.8% → 93.3% (+0.48%)	92.8% → 93.3% (+0.48%)
src/workdir-setup.ts	92.7% → 94.5% (+1.82%)	92.7% → 94.5% (+1.82%)

✨ New Files (1 files)

• src/api-proxy-env-constants.ts: 100.0% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

⚠️ Not ready to approve

The OpenAI provider adapter still reads several provider env vars via literal env.* properties, undermining the refactor’s goal of eliminating drift risk.

Pull request overview

Refactors the API proxy provider environment-variable “matrix” into shared constants modules to reduce duplicated string literals and drift risk between the TypeScript host wrapper and the api-proxy container adapters.

Changes:

• Added shared env var constant modules for host-side TypeScript (src/api-proxy-env-constants.ts) and container-side CommonJS (containers/api-proxy/provider-env-constants.js).
• Updated host-side config assembly and api-proxy service env forwarding to reference env vars via constants.
• Updated provider adapters (OpenAI/Anthropic/Gemini/Copilot) to use constants instead of inline env var string literals (with one remaining gap noted in comments).

File summaries

File	Description
src/services/api-proxy-service-config.ts	Uses shared env var constants when building api-proxy container environment.
src/commands/build-config.ts	Resolves provider-related config values from process.env[...] using shared constants.
src/api-proxy-env-constants.ts	New TypeScript constants for provider env var names used on the host side.
containers/api-proxy/provider-env-constants.js	New CommonJS constants for provider env var names used in container adapters.
containers/api-proxy/providers/openai.js	Uses constants for base adapter config and auth header env var (but still has some literal env reads that should be migrated).
containers/api-proxy/providers/anthropic.js	Uses constants for key/target/base-path and auth-header env var names.
containers/api-proxy/providers/gemini.js	Uses constants for key/target/base-path env var names.
containers/api-proxy/providers/copilot.js	Uses constants for Copilot env var names when reading token/base-path.

Copilot's findings

• Files reviewed: 8/8 changed files
• Comments generated: 2

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lpcox]

@copilot address review feedback

[github-actions]

⏳ Copilot review left inline comments.

@copilot To proceed:

1. Ask @copilot to address the review feedback (reply to this comment or the review thread)
2. Once the fix is pushed, add the ready-for-aw label to trigger agentic CI smoke tests

[Copilot]

@copilot address review feedback

Addressed in commit 2402468.

I updated containers/api-proxy/providers/openai.js to consistently read provider env vars via shared constants (OPENAI_ENV/COPILOT_ENV) using env[CONST] for the remaining OpenAI/Copilot accesses flagged in review.

[github-actions]

✅ Contribution Check completed successfully!

[github-actions]

❌ Smoke Claude failed

[github-actions]

🔑 Smoke Copilot PAT reports failed. PAT auth path may have issues...

[github-actions]

🔌 Smoke Services — Service connectivity failed ⚠️

[github-actions]

📡 Smoke OTel Tracing reports failed. OTel tracing regression detected. ⚠️

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

❌ Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

[github-actions]

🔌 Smoke Services — All services reachable! ✅

[github-actions]

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

✅ Smoke Gemini completed. All facets verified. 💎

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Build Test Suite completed successfully!

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🔬 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	❓ pre-step data unavailable (template not substituted)
File write/read	❓ pre-step data unavailable (template not substituted)

Overall: FAIL (incomplete pre-step data)

CC @lpcox

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS

• ✅ GitHub MCP connectivity (2 merged PRs verified)
• ✅ GitHub.com HTTP 200
• ✅ File write/read test
• ✅ BYOK inference (COPILOT_PROVIDER_API_KEY → api-proxy → api.githubcopilot.com)

Running in direct BYOK mode. Agent sees placeholder credential only; sidecar holds real key.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

@Copilot @lpcox

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

• MCP PR data: ✅
• GitHub.com connectivity: ✅
• File write/read: ❌
• BYOK inference: ✅

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

🔭 Smoke Test: API Proxy OTEL Tracing

Scenario	Result	Notes
1. Module Loading	✅	otel.js loads; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internals
2. Test Suite	✅	59 tests passed, 0 failed (2 suites: otel.test.js, otel-fanout.test.js)
3. Env Var Forwarding	✅	api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration	✅	onUsage callback present in token-tracker-http.js (lines 283, 324) as OTEL hook point
5. OTEL Diagnostics	✅	No live containers (static analysis); graceful degradation confirmed — file fallback to /var/log/api-proxy/otel.jsonl when no endpoint configured

All scenarios pass. ✅

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

@Copilot @lpcox Smoke Test Results:

• refactor: extract provider env var constants to a shared module ✅
• fix: allow node preflight to use explicit binary ✅
• GitHub.com connectivity ✅
• File I/O in sandbox ✅
• Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) ✅

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP	✅ 200
File write/read	✅

PR: refactor: extract provider env var constants to a shared module
Author: @Copilot | Assignees: @lpcox @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Refactor: extract createProviderOidcAuth to unify OIDC setup across provider adapters
Centralize provider adapter assembly with buildProviderAdapter and enforce isEnabled contract
GitHub reads: ✅
Playwright title: ✅
File write: ✅
Discussion note: ✅
Build: ❌
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: Services Connectivity

Check	Result	Detail
Redis PING	❌	Timeout (no response)
PostgreSQL pg_isready	❌	no response
PostgreSQL SELECT 1	❌	Timeout (no response)

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 are unreachable (connection timeout).

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

🧪 Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌
Node.js	v24.16.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all runtimes matched — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results: PASS

• GitHub MCP Testing: ✅
  • PR Refactor: extract createProviderOidcAuth to unify OIDC setup across provider adapters #5206: Refactor: extract createProviderOidcAuth to unify OIDC setup across provider adapters
  • PR refactor(agent-service): extract resolveAgentImageConfig from buildAgentService #5129: refactor(agent-service): extract resolveAgentImageConfig from buildAgentService
• GitHub.com Connectivity: ✅ (HTTP 200 via Squid)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5207 · ◷