fix(api-proxy): OpenCode port 10004 defaults to Copilot/OpenAI routing instead of Anthropic#1979
fix(api-proxy): OpenCode port 10004 defaults to Copilot/OpenAI routing instead of Anthropic#1979
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the api-proxy sidecar’s OpenCode port (10004) so it activates and routes based on the same credential priority OpenCode uses upstream, avoiding “connection refused” when only Copilot/OpenAI-style credentials are available.
Changes:
- Adjust OpenCode (10004) proxy activation guard and add credential-priority routing across OpenAI/Copilot-compatible, Anthropic, and Copilot targets.
- Update
API_PROXY_PORTS.OPENCODEdocumentation to reflect the new default routing behavior. - Add a new (source) smoke workflow definition for the OpenCode engine.
Show a summary per file
| File | Description |
|---|---|
containers/api-proxy/server.js |
Changes OpenCode (10004) proxy to start with broader credentials and dynamically route based on credential availability. |
src/types.ts |
Updates JSDoc/comments to reflect OpenCode routing defaults and priority. |
.github/workflows/smoke-opencode.md |
Adds an OpenCode smoke workflow source definition (not compiled to a .lock.yml in this PR). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 4
| * OpenCode API proxy port (routes to Anthropic by default) | ||
| * OpenCode is BYOK — defaults to Anthropic as the primary provider | ||
| * OpenCode API proxy port (defaults to Copilot/OpenAI routing; falls back to Anthropic) | ||
| * OpenCode is BYOK — credential priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > COPILOT_AUTH_TOKEN |
There was a problem hiding this comment.
The API proxy docs mention COPILOT_AUTH_TOKEN in the OpenCode credential priority, but COPILOT_AUTH_TOKEN is an internal server.js-derived value (resolved from COPILOT_GITHUB_TOKEN/COPILOT_API_KEY) and isn't something users configure directly. Consider updating this comment to reference the actual env vars/config fields users can set, so the docs remain actionable.
| * OpenCode is BYOK — credential priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > COPILOT_AUTH_TOKEN | |
| * OpenCode is BYOK — credential priority: OPENAI_API_KEY > ANTHROPIC_API_KEY > COPILOT_GITHUB_TOKEN/COPILOT_API_KEY |
| --- | ||
| description: Smoke test workflow that validates OpenCode engine functionality by testing AWF firewall capabilities | ||
| on: | ||
| roles: all | ||
| schedule: every 12h | ||
| workflow_dispatch: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| reaction: "rocket" | ||
| permissions: | ||
| contents: read | ||
| issues: read | ||
| pull-requests: read | ||
| discussions: read | ||
| name: Smoke OpenCode | ||
| engine: opencode | ||
| strict: true |
There was a problem hiding this comment.
This adds a new agentic workflow source file under .github/workflows/, but there is no corresponding compiled .lock.yml workflow checked in (unlike the other smoke workflows, e.g. smoke-copilot.md → smoke-copilot.lock.yml). As-is, this won't run in GitHub Actions and may be easy to overlook; consider either including the compiled lock file once supported, or adding an explicit note in the frontmatter/body that compilation is pending and the workflow is not yet active.
| const anthropicHeaders = { 'x-api-key': ANTHROPIC_API_KEY }; | ||
| if (!req.headers['anthropic-version']) { | ||
| anthropicHeaders['anthropic-version'] = '2023-06-01'; | ||
|
|
There was a problem hiding this comment.
The OpenCode (10004) HTTP handler doesn't apply rate limiting (unlike the other HTTP proxies that call checkRateLimit() before proxyRequest()). This makes the "per-engine rate limiting" comment inaccurate and allows unlimited HTTP traffic on 10004 even when AWF rate limiting is enabled. Consider computing content-length and calling checkRateLimit(req, res, 'opencode', contentLength) before routing/proxyRequest().
| const parsedContentLength = Number(req.headers['content-length']); | |
| const contentLength = Number.isFinite(parsedContentLength) && parsedContentLength > 0 ? parsedContentLength : 0; | |
| if (!checkRateLimit(req, res, 'opencode', contentLength)) { | |
| return; | |
| } |
| if (OPENAI_API_KEY) { | ||
| logRequest('info', 'opencode_proxy_header_injection', { | ||
| message: '[OpenCode Proxy] Routing to OpenAI/Copilot via OPENAI_API_KEY', | ||
| target: OPENAI_API_TARGET, | ||
| }); | ||
| proxyRequest(req, res, OPENAI_API_TARGET, { | ||
| 'Authorization': `Bearer ${OPENAI_API_KEY}`, | ||
| }, 'opencode', OPENAI_API_BASE_PATH); | ||
| } else if (ANTHROPIC_API_KEY) { | ||
| logRequest('info', 'opencode_proxy_header_injection', { | ||
| message: '[OpenCode Proxy] Routing to Anthropic via ANTHROPIC_API_KEY', | ||
| target: ANTHROPIC_API_TARGET, | ||
| }); | ||
| const anthropicHeaders = { 'x-api-key': ANTHROPIC_API_KEY }; | ||
| if (!req.headers['anthropic-version']) { | ||
| anthropicHeaders['anthropic-version'] = '2023-06-01'; | ||
| } | ||
| proxyRequest(req, res, ANTHROPIC_API_TARGET, anthropicHeaders, 'opencode', ANTHROPIC_API_BASE_PATH); | ||
| } else { | ||
| // COPILOT_AUTH_TOKEN only — route to Copilot API target | ||
| logRequest('info', 'opencode_proxy_header_injection', { | ||
| message: '[OpenCode Proxy] Routing to Copilot via COPILOT_AUTH_TOKEN', | ||
| target: COPILOT_API_TARGET, | ||
| }); | ||
| proxyRequest(req, res, COPILOT_API_TARGET, { | ||
| 'Authorization': `Bearer ${COPILOT_AUTH_TOKEN}`, | ||
| }, 'opencode'); | ||
| } |
There was a problem hiding this comment.
New provider-routing behavior for the OpenCode proxy (OPENAI_API_KEY vs ANTHROPIC_API_KEY vs COPILOT_AUTH_TOKEN) isn't covered by tests. Since this repo already has containers/api-proxy/server.test.js, please add unit/integration coverage for the 10004 routing priority and header injection for each credential scenario (and WebSocket upgrade routing if applicable).
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
- types.ts: correct credential priority comment to reference user-configurable vars COPILOT_GITHUB_TOKEN/COPILOT_API_KEY instead of internal COPILOT_AUTH_TOKEN - smoke-opencode.md: add note that lock file compilation is pending until opencode engine support lands in gh-aw - server.js: add rate limiting to OpenCode (port 10004) HTTP handler using content-length-aware checkRateLimit() call - server.js: extract resolveOpenCodeRoute() helper for testability and refactor handler to use it - server.test.js: add 8 unit tests covering all OpenCode routing priority scenarios and header injection Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/a0621fda-d1a3-449b-a3da-a9d0331c4c76
🔥 Smoke Test Results
Overall: PASS 🎉 PR by
|
Smoke Test Results✅ GitHub MCP: "fix: add size-based filtering to --env-all to prevent E2BIG" / "fix: recover toolchain env vars from $GITHUB_ENV file" Overall: PASS
|
Smoke Test: GitHub Actions Services Connectivity ✅All checks passed:
|
Smoke Test Status
|
Chroot Version Comparison Results
Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Port 10004 was gated on
ANTHROPIC_API_KEYand hardwired to Anthropic, causing silent connection-refused failures when OpenCode runs with Copilot credentials (OPENAI_API_KEYfrom token exchange). This aligns port 10004 with the upstream engine's actual credential hierarchy.Changes
containers/api-proxy/server.js— OpenCode proxy (port 10004)if (ANTHROPIC_API_KEY)→if (OPENAI_API_KEY || ANTHROPIC_API_KEY || COPILOT_AUTH_TOKEN)OPENAI_API_KEY→OPENAI_API_TARGETwithAuthorization: Bearer(Copilot/OpenAI default)ANTHROPIC_API_KEY→ANTHROPIC_API_TARGETwithx-api-key(Anthropic BYOK fallback)COPILOT_AUTH_TOKEN→COPILOT_API_TARGETwithAuthorization: Bearersrc/types.ts— corrected JSDoc andgenerateDockerCompose()comment forOPENCODE: 10004to reflect Copilot/OpenAI as the default, Anthropic as fallback.github/workflows/smoke-opencode.md— new smoke test workflow (GitHub MCP, file write, bash, AWF build); compilation to.lock.ymlis pendingopencodeengine support in gh-aw (currently not a valid engine in v0.68.1)