Refactor api-proxy upstream response factory into focused modules

[Copilot]

createUpstreamResponseHandlers() in containers/api-proxy/upstream-response.js had grown into a large multi-responsibility factory (logging, auth diagnostics, retry routing, token tracking, and response dispatch). This change decomposes those concerns into focused modules while preserving the existing factory contract used by proxy-request.js.

• Decomposition of upstream-response.js

  • Extracted logging concerns to containers/api-proxy/upstream-log.js
    • createLogRequestCompletion
    • createLogUpstreamAuthError
    • buildCopilotAuthErrorMessage
  • Extracted 400 retry flow to containers/api-proxy/upstream-retry.js
    • handle400WithRetry
  • Extracted token-tracking wiring to containers/api-proxy/upstream-token.js
    • setupTokenTracking

• Factory remains the integration point

  • createUpstreamResponseHandlers() now wires extracted helpers with shared context.
  • Export surface remains stable (createUpstreamResponseHandlers, parseModelNotSupportedFromBody, MAX_MODEL_NOT_SUPPORTED_RETRIES), so caller behavior remains unchanged.

• Runtime packaging alignment

  • Updated containers/api-proxy/Dockerfile COPY list to include:
    • upstream-log.js
    • upstream-retry.js
    • upstream-token.js

• Focused module-level coverage

  • Added:
    • upstream-log.test.js
    • upstream-retry.test.js
    • upstream-token.test.js

// upstream-response.js (now primarily wiring)
const { createLogRequestCompletion, createLogUpstreamAuthError } = require('./upstream-log');
const { handle400WithRetry } = require('./upstream-retry');
const { setupTokenTracking } = require('./upstream-token');

[Copilot]

Pull request overview

This PR refactors the api-proxy’s upstream response handling by splitting the previously multi-responsibility createUpstreamResponseHandlers() factory into smaller focused modules (logging, retry-on-400 logic, and token-tracking wiring) while preserving the factory’s public contract used by proxy-request.js.

Changes:

• Extracted request completion + upstream auth error logging into upstream-log.js.
• Extracted 400-response retry/forwarding flow into upstream-retry.js.
• Extracted token tracking / OTEL wiring into upstream-token.js, and updated upstream-response.js to primarily wire these modules together.
• Updated the api-proxy image Dockerfile COPY list to include the new runtime modules, and added focused Jest unit tests for each module.

Show a summary per file

File	Description
containers/api-proxy/upstream-response.js	Refactors the factory to wire together extracted logging/retry/token helpers while keeping the external interface stable.
containers/api-proxy/upstream-log.js	New module encapsulating request completion metrics/logging and upstream auth error logging logic (incl. Copilot auth diagnostics).
containers/api-proxy/upstream-log.test.js	Unit tests for the extracted logging helpers.
containers/api-proxy/upstream-retry.js	New module encapsulating buffered-400 retry/forward logic (deprecated header retry + Copilot model-not-supported retry/diagnostic).
containers/api-proxy/upstream-retry.test.js	Unit tests for the extracted retry/forwarding logic.
containers/api-proxy/upstream-token.js	New module encapsulating request-model fallback extraction and token tracking/OTEL callback wiring.
containers/api-proxy/upstream-token.test.js	Unit tests for request-model extraction and OTEL/token callback wiring.
containers/api-proxy/Dockerfile	Adds the new upstream modules to the explicit COPY list to keep the runtime image aligned with the refactor.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 0

[github-actions]

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

[github-actions]

✅ Smoke Claude passed

[github-actions]

✅ Build Test Suite completed successfully!

[github-actions]

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

[github-actions]

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

❌ Security Guard failed. Please review the logs for details.

[github-actions]

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

[github-actions]

✅ Smoke Gemini completed. All facets verified. 💎

[github-actions]

🔌 Smoke Services — All services reachable! ✅

[github-actions]

✅ Contribution Check completed successfully!

Contribution guidelines review complete for PR #5445: no important missing items found based only on the provided PR metadata, diff, and CONTRIBUTING.md context.

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

Smoke Test: Claude Engine

• API status: ✅ PASS
• gh check: ✅ PASS
• File status: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for issue #5445 · 37.7 AIC · ⊞ 3.1K · ◷

[github-actions]

🔬 Smoke Test Results

PR: Refactor api-proxy upstream response factory into focused modules
Author: @Copilot | Assignees: @lpcox @Copilot

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	❌ (pre-step data unavailable)
File write/read	❌ (pre-step data unavailable)

Overall: FAIL — pre-computed step outputs were not substituted (template variables unresolved).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test: Copilot PAT Auth — PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	✅ 200
File write/read	✅

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Smoke Test Results: Direct BYOK Mode ✅ PASS

Tests:

• ✅ GitHub MCP connectivity (PR retrieval successful)
• ✅ GitHub.com connectivity (HTTP 200)
• ✅ File write/read (test file created and verified)
• ✅ BYOK inference path active (reading this prompt confirms api-proxy → api.githubcopilot.com working)

Mode: Direct BYOK via COPILOT_PROVIDER_API_KEY → api-proxy sidecar → api.githubcopilot.com

CC: @lpcox @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔭 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Status	Detail
Module Loading	✅	otel.js loads; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
Test Suite	✅	59 passed / 0 failed across 2 suites (otel.test.js, otel-fanout.test.js)
Env Var Forwarding	✅	api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration	✅	onUsage callback exists in token-tracker-http.js (line 283, invoked line 324)
OTEL Diagnostics	✅	No live container run; graceful degradation confirmed — falls back to /var/log/api-proxy/otel.jsonl when no OTLP endpoint configured

All scenarios pass. ✅

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Gemini Engine Smoke Test Results

• PR Titles:
  • Fix gVisor workflow: Add proper health checks for Squid and Envoy (Fix gVisor workflow: Add proper health checks for Squid and Envoy #5237)
  • [Error: Could not fetch second PR title]
• GitHub MCP Testing: ❌
• GitHub.com Connectivity: ❌ (Status 000)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

@lpcox

• GitHub MCP Test: ✅
• GitHub.com connectivity: ✅
• File write/read test: ✅
• Direct BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

Merged PRs: chore: upgrade gh-aw to v0.81.0 and recompile workflows; refactor: extract buildAgentSecurityConfig from buildAgentService
PR query: test: fix failing npm test after gh-aw v0.81.0 recompile; Refactor generatePolicyManifest into composable policy section builders
GitHub title check: ✅
File write/readback: ✅
Discussion comment: ✅
Build: ✅
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.16.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environment.

Tested by Smoke Chroot

[github-actions]

Smoke Test: Services Connectivity

Check	Result
Redis PING	❌ timeout (no PONG)
PostgreSQL pg_isready	❌ no response
PostgreSQL SELECT 1	❌ timeout

Overall: FAIL — host.docker.internal service containers are unreachable from this runner.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5445 · 84.2 AIC · ⊞ 7.7K · ◷

[github-actions]

@lpcox @Copilot

Smoke Test: Copilot BYOK (Azure Foundry)

• List PRs (merged): ✅
• HTTP github.com: ✅
• File I/O: ✅
• BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)