feat: add github copilot api proxy support

[Copilot]

Add Copilot API Proxy Support

Adding support for proxying GitHub Copilot API requests through the existing api-proxy sidecar, using the same credential isolation pattern as OpenAI and Anthropic.

Implementation Complete ✅

All requirements from the problem statement have been implemented:

1. ✅ Modified existing api-proxy to accept Copilot requests on port 10002
2. ✅ Forward requests to https://api.githubcopilot.com with Authorization header
3. ✅ Set COPILOT_API_URL environment variable in agent container
4. ✅ Include placeholder credential (COPILOT_TOKEN) in agent container
5. ✅ Treat Copilot the same as Codex and Claude for credential isolation
6. ✅ Use COPILOT_GITHUB_TOKEN directly (no separate API key)

Changes Made

Type Definitions (src/types.ts)

• Added copilotGithubToken field to WrapperConfig
• Updated documentation

CLI (src/cli.ts)

• Read COPILOT_GITHUB_TOKEN from environment (not COPILOT_API_KEY)
• Added validation and info-level logging
• Excluded from logs for security

API Proxy Server (containers/api-proxy/server.js)

• Added Copilot proxy endpoint on port 10002
• Reads COPILOT_GITHUB_TOKEN from environment
• Forwards to api.githubcopilot.com with Authorization: Bearer ${COPILOT_GITHUB_TOKEN}
• Updated health endpoints to report copilot provider

Docker Manager (src/docker-manager.ts)

• Pass COPILOT_GITHUB_TOKEN to api-proxy container
• Set COPILOT_API_URL=http://172.30.0.30:10002 in agent
• Set COPILOT_TOKEN=placeholder-token-for-credential-isolation in agent
• Set COPILOT_GITHUB_TOKEN=placeholder-token-for-credential-isolation in agent (EARLY, before --env-all)
• Configure AWF_ONE_SHOT_TOKENS to protect sensitive tokens (includes COPILOT_GITHUB_TOKEN)

One-Shot-Token Libraries (containers/agent/one-shot-token/)

• C implementation: COPILOT_GITHUB_TOKEN in hard-coded defaults
• Rust implementation: COPILOT_GITHUB_TOKEN in hard-coded defaults
• Both implementations cache and unset the token on first access

Agent Health Check (containers/agent/api-proxy-health-check.sh)

• Added Copilot API proxy health check section
• Logs COPILOT_API_URL value at container startup
• Validates COPILOT_GITHUB_TOKEN is placeholder value (one-shot protected)
• Validates COPILOT_TOKEN placeholder
• Tests connectivity to proxy endpoint

Tests (tests/integration/api-proxy.test.ts)

• Updated to use COPILOT_GITHUB_TOKEN instead of COPILOT_API_KEY
• Health check, environment variables, provider reporting

Example (examples/github-copilot.sh)

• Updated to check for COPILOT_GITHUB_TOKEN (not COPILOT_API_KEY)
• Enabled --enable-api-proxy flag for Copilot API proxying
• Set AWF_ONE_SHOT_TOKEN_DEBUG=1 for debug output

Smoke Test Workflow (.github/workflows/smoke-copilot.lock.yml)

• Removed COPILOT_API_KEY references
• Only requires COPILOT_GITHUB_TOKEN secret
• Uses --enable-api-proxy flag
• Enables AWF_ONE_SHOT_TOKEN_DEBUG=1 for debug logging
• Fixed artifact upload to include api-proxy logs directory

Usage

export COPILOT_GITHUB_TOKEN="ghp_..."
awf --enable-api-proxy --allow-domains api.githubcopilot.com -- command

How It Works

Credential Flow:

1. User provides COPILOT_GITHUB_TOKEN in host environment
2. CLI reads it and starts api-proxy sidecar with the real token
3. Agent receives COPILOT_GITHUB_TOKEN=placeholder-token-for-credential-isolation (set BEFORE --env-all)
4. Agent receives COPILOT_API_URL=http://172.30.0.30:10002
5. Agent receives COPILOT_TOKEN=placeholder-token-for-credential-isolation
6. One-shot-token library caches the placeholder and clears it from /proc/self/environ
7. Copilot CLI uses COPILOT_API_URL to send requests to api-proxy
8. Api-proxy injects Authorization: Bearer ${COPILOT_GITHUB_TOKEN} and forwards to api.githubcopilot.com

Container Startup Logging

When the agent container starts with Copilot API proxy enabled:

[health-check] Checking GitHub Copilot API proxy configuration...
[health-check] COPILOT_API_URL=http://172.30.0.30:10002
[health-check] ✓ COPILOT_GITHUB_TOKEN is placeholder value (correct)
[health-check] ✓ COPILOT_TOKEN is placeholder value (correct)
[health-check] ✓ GitHub Copilot API proxy is reachable

Debugging

The CLI logs API key detection:

[INFO] API proxy enabled: OpenAI=false, Anthropic=false, Copilot=true

Credential Isolation

When --enable-api-proxy is enabled:

Excluded from agent:

• OPENAI_API_KEY, CODEX_API_KEY - OpenAI/Codex API keys
• ANTHROPIC_API_KEY, CLAUDE_API_KEY - Anthropic/Claude API keys

Set to placeholder (protected by one-shot-token):

• COPILOT_GITHUB_TOKEN - Real token in api-proxy, placeholder in agent
• COPILOT_TOKEN - Placeholder for Copilot CLI compatibility

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	82.69%	82.67%	📉 -0.02%
Statements	82.61%	82.55%	📉 -0.06%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.78%	74.60%	📉 -0.18%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.1% → 84.1% (+0.02%)	83.3% → 83.2% (-0.12%)
src/cli.ts	44.0% → 44.0% (+0.04%)	44.0% → 44.0% (+0.03%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

To fix the problem in general, user-controlled values should only be written to logs after being passed through a clear, robust sanitization step that (a) strips or encodes control characters (especially \r and \n), (b) limits length, and (c) makes it obvious in the log line where user input begins and ends. The logger call should never insert raw, unsanitized request data.

In this specific file, most of that is already done via sanitizeForLog. The minimal, non‑functional change that addresses the concern is to: (1) ensure sanitizeForLog behaves safely even for non‑string inputs (e.g., undefined, objects) by converting them to strings before sanitizing, and (2) slightly adjust the log message on line 250 so that user-supplied fields are clearly marked (e.g., method="..." url="...") and continue to go through sanitizeForLog. This keeps all existing behavior (still logs method and URL, same truncation/character stripping) while making the sanitization more robust and explicit.

Concretely:

• In containers/api-proxy/server.js, update sanitizeForLog so it stringifies non‑string inputs instead of returning an empty string, then strips control characters and truncates as before.
• In the Copilot proxy server request handler, keep using sanitizeForLog(req.method) and sanitizeForLog(req.url) but change the template string on line 250 to clearly delineate user content, e.g., [Copilot Proxy] method="${...}" url="${...}". This preserves functionality while clarifying intent and improving readability/security posture.

No new imports or external methods are required; we reuse built‑in string manipulation.

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS ✅
hono	✅	1/1	PASS ✅

Overall: PASS ✅

All Bun projects built and tested successfully!

AI generated by Build Test Bun

[github-actions]

✅ Node.js Build Test Results

All Node.js projects built and tested successfully!

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

AI generated by Build Test Node.js

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Smoke Test Results - Claude Engine

Last 2 merged PRs:

• chore(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 #893: chore(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0
• chore(deps): bump docker/build-push-action from 5.4.0 to 6.19.2 #892: chore(deps): bump docker/build-push-action from 5.4.0 to 6.19.2

✅ GitHub MCP
✅ Playwright (GitHub page title verified)
✅ File writing (/tmp/gh-aw/agent/smoke-test-claude-22114595787.txt)
✅ Bash tool

Status: PASS

AI generated by Smoke Claude

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects successfully downloaded dependencies and passed their test suites.

AI generated by Build Test Go

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• docs: convert API proxy docs to Starlight format #941: docs: convert API proxy docs to Starlight format
• chore: reduce dependabot PR volume to ~5/week #937: chore: reduce dependabot PR volume to ~5/week

Tests:

• ✅ GitHub MCP: Fetched recent PRs
• ✅ Playwright: Page title contains "GitHub"
• ✅ File Write: Created test file successfully
• ✅ Bash: Verified file contents

Overall Status: PASS

cc: @Copilot @lpcox

AI generated by Smoke Copilot

[github-actions]

Build Test: Deno Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Results 🎯

✅ GitHub MCP: #941 "docs: convert API proxy docs to Starlight format", #937 "chore: reduce dependabot PR volume to ~5/week"
✅ Playwright: Page title verified "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-copilot-22119567815.txt created
✅ Bash Tool: File verified successfully

Status: PASS ✅

cc @Copilot @lpcox

AI generated by Smoke Copilot

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	82.69%	82.50%	📉 -0.19%
Statements	82.61%	82.42%	📉 -0.19%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.78%	74.55%	📉 -0.23%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.1% → 83.8% (-0.33%)	83.3% → 83.0% (-0.30%)
src/cli.ts	44.0% → 43.8% (-0.22%)	44.0% → 43.8% (-0.22%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	✅	PASS
execa	✅	✅	PASS
p-limit	✅	✅	PASS

Overall: PASS ✅

All Node.js test projects built and tested successfully.

AI generated by Build Test Node.js

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

All .NET projects successfully restored, built, and ran.

AI generated by Build Test .NET

[github-actions]

Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

All Java projects successfully compiled and passed their tests through the AWF firewall with Maven proxy configuration.

AI generated by Build Test Java

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built and tested successfully.

AI generated by Build Test Rust

[github-actions]

Security Review Complete ✅

I've completed a thorough security review of this PR. The credential isolation architecture and firewall configuration appear secure, but I found one issue in the example script.

Issue Found: Example Script Environment Variable Mismatch

File: examples/github-copilot.sh (lines 19-23)

Issue: The example script checks for the wrong environment variable name:

# Check for COPILOT_API_KEY
if [ -z "$COPILOT_API_KEY" ]; then
  echo "Error: COPILOT_API_KEY environment variable is not set"
  echo "Set it with: export COPILOT_API_KEY='your_copilot_api_key'"
  exit 1
fi

Problem: The actual implementation uses COPILOT_GITHUB_TOKEN (as defined in src/cli.ts:995), not COPILOT_API_KEY. This mismatch will cause the example script to fail even when the correct environment variable is set.

Suggested Fix: Update the example script to check for COPILOT_GITHUB_TOKEN:

# Check for COPILOT_GITHUB_TOKEN
if [ -z "$COPILOT_GITHUB_TOKEN" ]; then
  echo "Error: COPILOT_GITHUB_TOKEN environment variable is not set"
  echo "Set it with: export COPILOT_GITHUB_TOKEN='ghp_...'"
  exit 1
fi

---

Security Validation ✅

I verified the following security-critical aspects of the implementation:

1. Credential Isolation ✅

   • Real COPILOT_GITHUB_TOKEN is held securely in api-proxy container (src/docker-manager.ts:965)
   • Agent receives placeholder value (placeholder-token-for-credential-isolation) set early at line 358
   • Early placeholder setting prevents --env-all from overriding it (line 421 checks hasOwnProperty)

2. Network Isolation ✅

   • Api-proxy ports (10000, 10001, 10002) are NOT exposed to host
   • Only accessible within Docker internal network (172.30.0.0/24)
   • Agent container explicitly allowed to reach api-proxy via iptables rules (setup-iptables.sh:132-135)

3. Domain Whitelisting ✅

   • Api-proxy routes through Squid proxy (src/docker-manager.ts:967-968)
   • Squid enforces domain allowlist before forwarding to api.githubcopilot.com
   • New port 10002 follows same pattern as existing ports 10000/10001

4. Token Protection ✅

   • AWF_ONE_SHOT_TOKENS configured to protect COPILOT_GITHUB_TOKEN (src/docker-manager.ts:352)
   • One-shot-token C and Rust libraries updated with COPILOT_GITHUB_TOKEN in hard-coded defaults
   • Health check validates placeholder value in agent (containers/agent/api-proxy-health-check.sh:101-116)

5. Container Security ✅

   • Api-proxy has cap_drop: ['ALL'] and no-new-privileges:true (src/docker-manager.ts:978-980)
   • Resource limits applied (memory, PIDs, CPU)
   • Consistent with existing security hardening

Recommendation

Fix the environment variable name in examples/github-copilot.sh, then this PR is good to merge from a security perspective. The credential isolation implementation follows the established pattern used for OpenAI and Anthropic, and all security controls are properly maintained.

AI generated by Security Guard

[github-actions]

Claude Smoke Test Results (Run #22119567763)

✅ GitHub MCP: Fetched last 2 merged PRs (#941, #937)
✅ Playwright: Navigated to GitHub, verified page title
✅ File Write: Created /tmp/gh-aw/agent/smoke-test-claude-22119567763.txt
✅ Bash Tool: Verified file contents

Status: PASS

AI generated by Smoke Claude

[github-actions]

Chroot Version Comparison Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ Tests Failed

The chroot binaries successfully executed, but version mismatches indicate the chroot environment is using container binaries instead of host binaries. This suggests the bind mounts may need adjustment.

AI generated by Smoke Chroot

[github-actions]

Build Test: Go - Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects successfully downloaded dependencies and passed tests.

AI generated by Build Test Go

[github-actions]

PR titles:
feat(api-proxy): add github copilot api proxy support
chore(deps): bump the all-github-actions group with 7 updates
Tests: GitHub MCP merged ✅ | safeinputs-gh ✅ | Playwright ✅ | Tavily ❌
Tests: File write ✅ | Bash cat ✅ | Discussion comment ✅ | Build ✅
Overall: FAIL

AI generated by Smoke Codex

[Copilot]

Pull request overview

This PR adds GitHub Copilot API proxy support to the AWF firewall, enabling credential isolation for Copilot API requests through the existing api-proxy sidecar container. The implementation follows the same pattern as OpenAI and Anthropic, with one key difference: Copilot uses a placeholder token protected by the one-shot-token library rather than complete exclusion from the agent environment.

Changes:

• Added Copilot API proxy endpoint (port 10002) to api-proxy sidecar with automatic credential injection
• Implemented credential isolation using placeholder tokens (COPILOT_GITHUB_TOKEN, COPILOT_TOKEN) protected by one-shot-token library
• Added integration tests, health checks, and workflow updates for Copilot support

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/types.ts	Added copilotGithubToken field to WrapperConfig with documentation
src/cli.ts	Added COPILOT_GITHUB_TOKEN reading, validation logging, and redaction
src/docker-manager.ts	Configured placeholder tokens early (before --env-all), set COPILOT_API_URL and COPILOT_TOKEN in agent, pass real token to api-proxy
containers/api-proxy/server.js	Added Copilot proxy endpoint on port 10002 with Authorization header injection
containers/agent/api-proxy-health-check.sh	Added health checks for Copilot configuration and connectivity
tests/integration/api-proxy.test.ts	Added integration tests for Copilot health checks, environment variables, and provider reporting
examples/github-copilot.sh	Updated example to use --enable-api-proxy (but contains critical bug: checks wrong variable name)
.github/workflows/smoke-copilot.lock.yml	Added --enable-api-proxy flag, AWF_ONE_SHOT_TOKEN_DEBUG, and api-proxy-logs artifact upload

Comments suppressed due to low confidence (2)

examples/github-copilot.sh:24

• The check should validate COPILOT_GITHUB_TOKEN (not COPILOT_API_KEY) to match the implementation. The actual environment variable used throughout the codebase is COPILOT_GITHUB_TOKEN (see src/cli.ts:995, src/docker-manager.ts:965).

# Check for COPILOT_API_KEY
if [ -z "$COPILOT_API_KEY" ]; then
  echo "Error: COPILOT_API_KEY environment variable is not set"
  echo "Set it with: export COPILOT_API_KEY='your_copilot_api_key'"
  exit 1
fi

examples/github-copilot.sh:40

• The comment correctly mentions COPILOT_GITHUB_TOKEN but the earlier checks in lines 19-24 incorrectly check for COPILOT_API_KEY. This inconsistency should be resolved by updating lines 9 and 19-24 to use COPILOT_GITHUB_TOKEN throughout.

# Use sudo -E to preserve environment variables (COPILOT_GITHUB_TOKEN, GITHUB_TOKEN, AWF_ONE_SHOT_TOKEN_DEBUG)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation states COPILOT_API_KEY should be set, but the actual environment variable used throughout the codebase is COPILOT_GITHUB_TOKEN. This should be changed to COPILOT_GITHUB_TOKEN to match the implementation in src/cli.ts:995, src/docker-manager.ts:965, and the test files.

This issue also appears in the following locations of the same file:

• line 19
• line 40

[Copilot]

Missing unit tests for Copilot API proxy functionality. Consider adding tests similar to those for OpenAI and Anthropic: 1) Test that api-proxy service is created with Copilot token, 2) Test that COPILOT_GITHUB_TOKEN is passed to api-proxy sidecar environment, 3) Test that COPILOT_API_URL is set in agent when Copilot token is provided, 4) Test that COPILOT_TOKEN placeholder is set in agent, 5) Test that COPILOT_GITHUB_TOKEN placeholder is set in agent early (before --env-all). See lines 1444-1487 for similar tests for OpenAI and Anthropic.

Suggested change

	}, 180000);
	}, 180000);
	test('should set COPILOT_GITHUB_TOKEN to placeholder in agent when Copilot token is provided', async () => {
	const result = await runner.runWithSudo(
	'bash -c "echo COPILOT_GITHUB_TOKEN=$COPILOT_GITHUB_TOKEN"',
	{
	allowDomains: ['api.githubcopilot.com'],
	enableApiProxy: true,
	buildLocal: true,
	logLevel: 'debug',
	timeout: 120000,
	env: {
	// Provide a fake real token; the agent should only see a placeholder value.
	COPILOT_GITHUB_TOKEN: 'ghp_fake-test-token-12345',
	},
	}
	);
	expect(result).toSucceed();
	expect(result.stdout).toContain(
	'COPILOT_GITHUB_TOKEN=placeholder-token-for-credential-isolation'
	);
	}, 180000);
	test('should set COPILOT_GITHUB_TOKEN placeholder in agent early (before --env-all)', async () => {
	// This test ensures that the placeholder for COPILOT_GITHUB_TOKEN is established
	// as part of the agent startup sequence, not injected later via a bulk env export.
	const result = await runner.runWithSudo(
	'bash -c "echo COPILOT_GITHUB_TOKEN=$COPILOT_GITHUB_TOKEN"',
	{
	allowDomains: ['api.githubcopilot.com'],
	enableApiProxy: true,
	buildLocal: true,
	logLevel: 'debug',
	timeout: 120000,
	env: {
	COPILOT_GITHUB_TOKEN: 'ghp_fake-test-token-12345',
	},
	}
	);
	expect(result).toSucceed();
	expect(result.stdout).toContain(
	'COPILOT_GITHUB_TOKEN=placeholder-token-for-credential-isolation'
	);
	}, 180000);

[Copilot]

The documentation is slightly misleading. Unlike openaiApiKey and anthropicApiKey (which are completely excluded from the agent), copilotGithubToken IS passed to the agent container as a placeholder value protected by the one-shot-token library. Consider rewording to: "The real token is held securely in the api-proxy sidecar. The agent receives a placeholder value that is protected by the one-shot-token library." This would be more accurate and consistent with the implementation in docker-manager.ts:357-360.

Suggested change

	* The token is NOT exposed to the agent container - only the proxy URL is provided.
	* The real token is held securely in the api-proxy sidecar.