fix: address review comments from PR #1979

Copilot · web-flow · commit 6ae99bc159eb · 2026-04-15T03:08:31.000Z
- types.ts: correct credential priority comment to reference user-configurable vars COPILOT_GITHUB_TOKEN/COPILOT_API_KEY instead of internal COPILOT_AUTH_TOKEN - smoke-opencode.md: add note that lock file compilation is pending until opencode engine support lands in gh-aw - server.js: add rate limiting to OpenCode (port 10004) HTTP handler using content-length-aware checkRateLimit() call - server.js: extract resolveOpenCodeRoute() helper for testability and refactor handler to use it - server.test.js: add 8 unit tests covering all OpenCode routing priority scenarios and header injection Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/a0621fda-d1a3-449b-a3da-a9d0331c4c76
diff --git a/.github/workflows/smoke-opencode.md b/.github/workflows/smoke-opencode.md
@@ -66,6 +66,11 @@ post-steps:
       echo "Safe output validation passed"
 ---
 
+> **Note:** This workflow has not yet been compiled to a `.lock.yml` file and is **not active** in GitHub Actions.
+> Compilation is pending `opencode` engine support in gh-aw. Once the engine is supported, run
+> `gh-aw compile .github/workflows/smoke-opencode.md` followed by
+> `npx tsx scripts/ci/postprocess-smoke-workflows.ts` to generate the lock file.
+
 # Smoke Test: OpenCode Engine Validation
 
 **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.**
diff --git a/containers/api-proxy/server.js b/containers/api-proxy/server.js
@@ -288,6 +288,33 @@ if (!proxyAgent) {
   logRequest('warn', 'startup', { message: 'No HTTPS_PROXY configured, requests will go direct' });
 }
 
+/**
+ * Resolves the OpenCode routing configuration based on available credentials.
+ * Priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > copilotToken (COPILOT_GITHUB_TOKEN / COPILOT_API_KEY)
+ *
+ * @param {string|undefined} openaiKey
+ * @param {string|undefined} anthropicKey
+ * @param {string|undefined} copilotToken
+ * @param {string} openaiTarget
+ * @param {string} anthropicTarget
+ * @param {string} copilotTarget
+ * @param {string} [openaiBasePath]
+ * @param {string} [anthropicBasePath]
+ * @returns {{ target: string, headers: Record<string,string>, basePath: string|undefined } | null}
+ */
+function resolveOpenCodeRoute(openaiKey, anthropicKey, copilotToken, openaiTarget, anthropicTarget, copilotTarget, openaiBasePath, anthropicBasePath) {
+  if (openaiKey) {
+    return { target: openaiTarget, headers: { 'Authorization': `Bearer ${openaiKey}` }, basePath: openaiBasePath };
+  }
+  if (anthropicKey) {
+    return { target: anthropicTarget, headers: { 'x-api-key': anthropicKey }, basePath: anthropicBasePath };
+  }
+  if (copilotToken) {
+    return { target: copilotTarget, headers: { 'Authorization': `Bearer ${copilotToken}` }, basePath: undefined };
+  }
+  return null;
+}
+
 /**
  * Check rate limit and send 429 if exceeded.
  * Returns true if request was rate-limited (caller should return early).
@@ -1052,52 +1079,44 @@ if (require.main === module) {
         url: logUrl,
       });
 
-      if (OPENAI_API_KEY) {
-        logRequest('info', 'opencode_proxy_header_injection', {
-          message: '[OpenCode Proxy] Routing to OpenAI/Copilot via OPENAI_API_KEY',
-          target: OPENAI_API_TARGET,
-        });
-        proxyRequest(req, res, OPENAI_API_TARGET, {
-          'Authorization': `Bearer ${OPENAI_API_KEY}`,
-        }, 'opencode', OPENAI_API_BASE_PATH);
-      } else if (ANTHROPIC_API_KEY) {
-        logRequest('info', 'opencode_proxy_header_injection', {
-          message: '[OpenCode Proxy] Routing to Anthropic via ANTHROPIC_API_KEY',
-          target: ANTHROPIC_API_TARGET,
-        });
-        const anthropicHeaders = { 'x-api-key': ANTHROPIC_API_KEY };
-        if (!req.headers['anthropic-version']) {
-          anthropicHeaders['anthropic-version'] = '2023-06-01';
-        }
-        proxyRequest(req, res, ANTHROPIC_API_TARGET, anthropicHeaders, 'opencode', ANTHROPIC_API_BASE_PATH);
-      } else {
-        // COPILOT_AUTH_TOKEN only — route to Copilot API target
-        logRequest('info', 'opencode_proxy_header_injection', {
-          message: '[OpenCode Proxy] Routing to Copilot via COPILOT_AUTH_TOKEN',
-          target: COPILOT_API_TARGET,
-        });
-        proxyRequest(req, res, COPILOT_API_TARGET, {
-          'Authorization': `Bearer ${COPILOT_AUTH_TOKEN}`,
-        }, 'opencode');
+      const parsedContentLength = Number(req.headers['content-length']);
+      const contentLength = Number.isFinite(parsedContentLength) && parsedContentLength > 0 ? parsedContentLength : 0;
+      if (checkRateLimit(req, res, 'opencode', contentLength)) {
+        return;
       }
+
+      const route = resolveOpenCodeRoute(
+        OPENAI_API_KEY, ANTHROPIC_API_KEY, COPILOT_AUTH_TOKEN,
+        OPENAI_API_TARGET, ANTHROPIC_API_TARGET, COPILOT_API_TARGET,
+        OPENAI_API_BASE_PATH, ANTHROPIC_API_BASE_PATH
+      );
+      if (!route) return;
+
+      logRequest('info', 'opencode_proxy_header_injection', {
+        message: `[OpenCode Proxy] Routing to ${route.target}`,
+        target: route.target,
+      });
+
+      const headers = Object.assign({}, route.headers);
+      if (ANTHROPIC_API_KEY && !OPENAI_API_KEY && !req.headers['anthropic-version']) {
+        headers['anthropic-version'] = '2023-06-01';
+      }
+      proxyRequest(req, res, route.target, headers, 'opencode', route.basePath);
     });
 
     opencodeServer.on('upgrade', (req, socket, head) => {
-      if (OPENAI_API_KEY) {
-        proxyWebSocket(req, socket, head, OPENAI_API_TARGET, {
-          'Authorization': `Bearer ${OPENAI_API_KEY}`,
-        }, 'opencode', OPENAI_API_BASE_PATH);
-      } else if (ANTHROPIC_API_KEY) {
-        const anthropicHeaders = { 'x-api-key': ANTHROPIC_API_KEY };
-        if (!req.headers['anthropic-version']) {
-          anthropicHeaders['anthropic-version'] = '2023-06-01';
-        }
-        proxyWebSocket(req, socket, head, ANTHROPIC_API_TARGET, anthropicHeaders, 'opencode', ANTHROPIC_API_BASE_PATH);
-      } else {
-        proxyWebSocket(req, socket, head, COPILOT_API_TARGET, {
-          'Authorization': `Bearer ${COPILOT_AUTH_TOKEN}`,
-        }, 'opencode');
+      const route = resolveOpenCodeRoute(
+        OPENAI_API_KEY, ANTHROPIC_API_KEY, COPILOT_AUTH_TOKEN,
+        OPENAI_API_TARGET, ANTHROPIC_API_TARGET, COPILOT_API_TARGET,
+        OPENAI_API_BASE_PATH, ANTHROPIC_API_BASE_PATH
+      );
+      if (!route) return;
+
+      const headers = Object.assign({}, route.headers);
+      if (ANTHROPIC_API_KEY && !OPENAI_API_KEY && !req.headers['anthropic-version']) {
+        headers['anthropic-version'] = '2023-06-01';
       }
+      proxyWebSocket(req, socket, head, route.target, headers, 'opencode', route.basePath);
     });
 
     opencodeServer.listen(10004, '0.0.0.0', () => {
@@ -1125,4 +1144,4 @@ if (require.main === module) {
 }
 
 // Export for testing
-module.exports = { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken };
+module.exports = { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute };
diff --git a/containers/api-proxy/server.test.js b/containers/api-proxy/server.test.js
@@ -5,7 +5,7 @@
 const http = require('http');
 const tls = require('tls');
 const { EventEmitter } = require('events');
-const { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken } = require('./server');
+const { normalizeApiTarget, deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath, normalizeBasePath, buildUpstreamPath, proxyWebSocket, resolveCopilotAuthToken, resolveOpenCodeRoute } = require('./server');
 
 describe('normalizeApiTarget', () => {
   it('should strip https:// prefix', () => {
@@ -781,3 +781,98 @@ describe('resolveCopilotAuthToken', () => {
   });
 });
 
+describe('resolveOpenCodeRoute', () => {
+  const OPENAI_TARGET = 'api.openai.com';
+  const ANTHROPIC_TARGET = 'api.anthropic.com';
+  const COPILOT_TARGET = 'api.githubcopilot.com';
+  const OPENAI_BASE = '/v1';
+  const ANTHROPIC_BASE = '';
+
+  it('should route to OpenAI when OPENAI_API_KEY is set (highest priority)', () => {
+    const route = resolveOpenCodeRoute(
+      'sk-openai-key', 'sk-anthropic-key', 'gho_copilot-token',
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.target).toBe(OPENAI_TARGET);
+    expect(route.headers['Authorization']).toBe('Bearer sk-openai-key');
+    expect(route.basePath).toBe(OPENAI_BASE);
+  });
+
+  it('should route to Anthropic when only ANTHROPIC_API_KEY is set', () => {
+    const route = resolveOpenCodeRoute(
+      undefined, 'sk-anthropic-key', undefined,
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.target).toBe(ANTHROPIC_TARGET);
+    expect(route.headers['x-api-key']).toBe('sk-anthropic-key');
+    expect(route.basePath).toBe(ANTHROPIC_BASE);
+  });
+
+  it('should prefer OpenAI over Anthropic when both are set', () => {
+    const route = resolveOpenCodeRoute(
+      'sk-openai-key', 'sk-anthropic-key', undefined,
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.target).toBe(OPENAI_TARGET);
+    expect(route.headers['Authorization']).toBe('Bearer sk-openai-key');
+  });
+
+  it('should route to Copilot when only copilotToken is set', () => {
+    const route = resolveOpenCodeRoute(
+      undefined, undefined, 'gho_copilot-token',
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.target).toBe(COPILOT_TARGET);
+    expect(route.headers['Authorization']).toBe('Bearer gho_copilot-token');
+    expect(route.basePath).toBeUndefined();
+  });
+
+  it('should prefer Anthropic over Copilot when both are set', () => {
+    const route = resolveOpenCodeRoute(
+      undefined, 'sk-anthropic-key', 'gho_copilot-token',
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.target).toBe(ANTHROPIC_TARGET);
+    expect(route.headers['x-api-key']).toBe('sk-anthropic-key');
+  });
+
+  it('should return null when no credentials are available', () => {
+    const route = resolveOpenCodeRoute(
+      undefined, undefined, undefined,
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).toBeNull();
+  });
+
+  it('should not set Authorization header for Anthropic route', () => {
+    const route = resolveOpenCodeRoute(
+      undefined, 'sk-anthropic-key', undefined,
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.headers['Authorization']).toBeUndefined();
+  });
+
+  it('should not set x-api-key header for OpenAI route', () => {
+    const route = resolveOpenCodeRoute(
+      'sk-openai-key', undefined, undefined,
+      OPENAI_TARGET, ANTHROPIC_TARGET, COPILOT_TARGET,
+      OPENAI_BASE, ANTHROPIC_BASE
+    );
+    expect(route).not.toBeNull();
+    expect(route.headers['x-api-key']).toBeUndefined();
+  });
+});
+
diff --git a/src/types.ts b/src/types.ts
@@ -41,7 +41,7 @@ export const API_PROXY_PORTS = {
 
   /**
    * OpenCode API proxy port (defaults to Copilot/OpenAI routing; falls back to Anthropic)
-   * OpenCode is BYOK — credential priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > COPILOT_AUTH_TOKEN
+   * OpenCode is BYOK — credential priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > COPILOT_GITHUB_TOKEN/COPILOT_API_KEY
    * @see containers/api-proxy/server.js
    */
   OPENCODE: 10004,
