fix(api-proxy): address code review feedback

- proxy-utils.js: sanitize raw target in warn logs (log injection)
- copilot.js: fallback to default when COPILOT_API_TARGET is malformed
- openai/anthropic/gemini: getModelsFetchConfig respects *_API_BASE_PATH
- anthropic.js: cache composedBodyTransform at startup (not per-request)
- ADDING-A-PROVIDER.md: fix Dockerfile COPY snippet path
- server.test.js: add createProviderServer() tests (health, stubs, transforms, auth)

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/5fe25196-13b3-4865-b327-6d74594f980d

Author: Copilot

containers/api-proxy/providers/ADDING-A-PROVIDER.md

@@ -177,8 +177,8 @@ Add the new adapter file to the explicit `COPY` list in `containers/api-proxy/Do
 
 ```dockerfile
 COPY server.js logging.js metrics.js rate-limiter.js token-tracker.js \
-     model-resolver.js proxy-utils.js anthropic-cache.js anthropic-transforms.js \
-     providers/ ./
+     model-resolver.js proxy-utils.js anthropic-cache.js anthropic-transforms.js ./
+COPY providers/ ./providers/
 ```
 
 Also update the `EXPOSE` directive to include the new port:

containers/api-proxy/providers/anthropic.js

@@ -62,6 +62,10 @@ function createAnthropicAdapter(env, deps = {}) {
 
   const bodyTransform = deps.bodyTransform || null;
 
+  // Build the composed transform once at construction time to avoid
+  // re-allocating the wrapper function on every request.
+  const composedBodyTransform = composeBodyTransforms(bodyTransform, optimisationsTransform);
+
   return {
     name: 'anthropic',
     port: 10001,
@@ -104,9 +108,7 @@ function createAnthropicAdapter(env, deps = {}) {
       return headers;
     },
 
-    getBodyTransform() {
-      return composeBodyTransforms(bodyTransform, optimisationsTransform);
-    },
+    getBodyTransform() { return composedBodyTransform; },
 
     getValidationProbe() {
       if (!apiKey) return null;
@@ -130,8 +132,11 @@ function createAnthropicAdapter(env, deps = {}) {
 
     getModelsFetchConfig() {
       if (!apiKey) return null;
+      // Use the configured base path so Anthropic-compatible endpoints with a
+      // path prefix populate /reflect and models.json correctly.
+      const modelsPath = basePath ? `${basePath}/models` : '/v1/models';
       return {
-        url: `https://${rawTarget}/v1/models`,
+        url: `https://${rawTarget}${modelsPath}`,
         opts: {
           method: 'GET',
           headers: { 'x-api-key': apiKey, 'anthropic-version': '2023-06-01' },

containers/api-proxy/providers/copilot.js

@@ -45,7 +45,10 @@ function resolveCopilotAuthToken(env = process.env) {
  */
 function deriveCopilotApiTarget(env = process.env) {
   if (env.COPILOT_API_TARGET) {
-    return normalizeApiTarget(env.COPILOT_API_TARGET);
+    const target = normalizeApiTarget(env.COPILOT_API_TARGET);
+    // Only use the explicit value if it parsed into a valid hostname;
+    // fall through to auto-derivation when the value is malformed.
+    if (target) return target;
   }
   const serverUrl = env.GITHUB_SERVER_URL;
   if (serverUrl) {

containers/api-proxy/providers/gemini.js

@@ -81,8 +81,11 @@ function createGeminiAdapter(env, deps = {}) {
 
     getModelsFetchConfig() {
       if (!apiKey) return null;
+      // Use the configured base path so Gemini-compatible endpoints with a
+      // path prefix populate /reflect and models.json correctly.
+      const modelsPath = basePath ? `${basePath}/models` : '/v1beta/models';
       return {
-        url: `https://${rawTarget}/v1beta/models`,
+        url: `https://${rawTarget}${modelsPath}`,
         opts: { method: 'GET', headers: { 'x-goog-api-key': apiKey } },
         cacheKey: 'gemini',
       };

containers/api-proxy/providers/openai.js

@@ -76,13 +76,16 @@ function createOpenAIAdapter(env, deps = {}) {
 
     /**
      * Returns the model-list fetch config for /reflect model population, or null.
+     * Uses the configured base path so prefixed OpenAI-compatible deployments
+     * (e.g. Databricks, Azure) populate /reflect and models.json correctly.
      *
      * @returns {{ url: string, opts: object, cacheKey: string }|null}
      */
     getModelsFetchConfig() {
       if (!apiKey) return null;
+      const modelsPath = basePath ? `${basePath}/models` : '/v1/models';
       return {
-        url: `https://${rawTarget}/v1/models`,
+        url: `https://${rawTarget}${modelsPath}`,
         opts: { method: 'GET', headers: { 'Authorization': `Bearer ${apiKey}` } },
         cacheKey: 'openai',
       };

containers/api-proxy/proxy-utils.js

@@ -31,15 +31,17 @@ function normalizeApiTarget(value) {
     const parsed = new URL(candidate);
 
     if (parsed.pathname !== '/' || parsed.search || parsed.hash || parsed.username || parsed.password || parsed.port) {
+      const safe = trimmed.replace(/[\x00-\x1f\x7f]/g, '?');
       console.warn(
-        `Ignoring unsupported API target URL components in ${trimmed}; ` +
+        `Ignoring unsupported API target URL components in ${safe}; ` +
         'configure path prefixes via the corresponding *_API_BASE_PATH environment variable.'
       );
     }
 
     return parsed.hostname || undefined;
   } catch (err) {
-    console.warn(`Invalid API target ${trimmed}; expected a hostname (e.g. 'api.example.com') or URL`);
+    const safe = trimmed.replace(/[\x00-\x1f\x7f]/g, '?');
+    console.warn(`Invalid API target ${safe}; expected a hostname (e.g. 'api.example.com') or URL`);
     return undefined;
   }
 }

containers/api-proxy/server.test.js

@@ -15,7 +15,7 @@ const { deriveCopilotApiTarget, deriveGitHubApiTarget, deriveGitHubApiBasePath,
 const { resolveOpenCodeRoute } = require('./providers/opencode');
 
 // Core proxy functions that remain in server.js
-const { proxyWebSocket, httpProbe, validateApiKeys, keyValidationResults, resetKeyValidationState, fetchJson, extractModelIds, fetchStartupModels, reflectEndpoints, healthResponse, cachedModels, resetModelCacheState, makeModelBodyTransform, MODEL_ALIASES, buildModelsJson, writeModelsJson } = require('./server');
+const { proxyWebSocket, httpProbe, validateApiKeys, keyValidationResults, resetKeyValidationState, fetchJson, extractModelIds, fetchStartupModels, reflectEndpoints, healthResponse, cachedModels, resetModelCacheState, makeModelBodyTransform, MODEL_ALIASES, buildModelsJson, writeModelsJson, createProviderServer } = require('./server');
 
 describe('normalizeApiTarget', () => {
   it('should strip https:// prefix', () => {
@@ -2125,3 +2125,241 @@ describe('composeBodyTransforms', () => {
     expect(composed(Buffer.from('hello'))).toBeNull();
   });
 });
+
+// ── createProviderServer tests ────────────────────────────────────────────────
+//
+// Tests that verify the generic proxy server factory honours the ProviderAdapter
+// interface: health routing, unconfigured-stub responses, URL transforms, and
+// adapter-specific auth selection.
+//
+describe('createProviderServer', () => {
+  const servers = [];
+
+  /** Small helper: start a createProviderServer instance and return its port. */
+  function startAdapter(adapter) {
+    return new Promise((resolve) => {
+      const srv = createProviderServer(adapter);
+      srv.listen(0, '127.0.0.1', () => {
+        servers.push(srv);
+        resolve(srv.address().port);
+      });
+    });
+  }
+
+  /** Fetch a path from a server running on localhost and return { status, body }. */
+  function fetch(port, path, opts = {}) {
+    return new Promise((resolve, reject) => {
+      const req = http.request(
+        { hostname: '127.0.0.1', port, path, method: opts.method || 'GET', headers: opts.headers || {} },
+        (res) => {
+          let data = '';
+          res.on('data', (c) => { data += c; });
+          res.on('end', () => {
+            let parsed;
+            try { parsed = JSON.parse(data); } catch { parsed = data; }
+            resolve({ status: res.statusCode, body: parsed, headers: res.headers });
+          });
+        }
+      );
+      req.on('error', reject);
+      if (opts.body) req.write(opts.body);
+      req.end();
+    });
+  }
+
+  afterEach((done) => {
+    let remaining = servers.length;
+    if (!remaining) { done(); return; }
+    servers.splice(0).forEach((s) => s.close(() => { if (!--remaining) done(); }));
+  });
+
+  // ── /health endpoint — enabled adapter ──────────────────────────────────────
+
+  it('returns 200 /health when adapter is enabled', async () => {
+    const adapter = {
+      name: 'test-enabled', port: 0, isManagementPort: false, alwaysBind: false,
+      participatesInValidation: false,
+      isEnabled: () => true,
+      getTargetHost: () => 'api.example.com',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+    };
+    const port = await startAdapter(adapter);
+    const { status, body } = await fetch(port, '/health');
+    expect(status).toBe(200);
+    expect(body.status).toBe('healthy');
+    expect(body.service).toBe('awf-api-proxy-test-enabled');
+  });
+
+  // ── /health endpoint — disabled adapter (default 503) ───────────────────────
+
+  it('returns default 503 /health when adapter is disabled and has no getUnconfiguredHealthResponse', async () => {
+    const adapter = {
+      name: 'test-disabled', port: 0, isManagementPort: false, alwaysBind: true,
+      participatesInValidation: false,
+      isEnabled: () => false,
+      getTargetHost: () => '',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+      getUnconfiguredResponse: () => ({ statusCode: 503, body: { error: 'not configured' } }),
+    };
+    const port = await startAdapter(adapter);
+    const { status, body } = await fetch(port, '/health');
+    expect(status).toBe(503);
+    expect(body.status).toBe('not_configured');
+    expect(body.service).toBe('awf-api-proxy-test-disabled');
+  });
+
+  // ── /health endpoint — custom unconfigured health response ──────────────────
+
+  it('returns custom getUnconfiguredHealthResponse when adapter is disabled', async () => {
+    const adapter = {
+      name: 'test-custom-health', port: 0, isManagementPort: false, alwaysBind: true,
+      participatesInValidation: false,
+      isEnabled: () => false,
+      getTargetHost: () => '',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+      getUnconfiguredResponse: () => ({ statusCode: 503, body: { error: 'not configured' } }),
+      getUnconfiguredHealthResponse: () => ({
+        statusCode: 503,
+        body: { status: 'not_configured', service: 'awf-api-proxy-gemini', error: 'GEMINI_API_KEY not configured' },
+      }),
+    };
+    const port = await startAdapter(adapter);
+    const { status, body } = await fetch(port, '/health');
+    expect(status).toBe(503);
+    expect(body.service).toBe('awf-api-proxy-gemini');
+    expect(body.error).toMatch(/GEMINI_API_KEY/);
+  });
+
+  // ── Unconfigured stub — non-health request ────────────────────────────────
+
+  it('returns getUnconfiguredResponse body for proxy requests when disabled', async () => {
+    const adapter = {
+      name: 'test-unconfigured', port: 0, isManagementPort: false, alwaysBind: true,
+      participatesInValidation: false,
+      isEnabled: () => false,
+      getTargetHost: () => '',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+      getUnconfiguredResponse: () => ({
+        statusCode: 503,
+        body: { error: 'proxy not configured (no API key)' },
+      }),
+    };
+    const port = await startAdapter(adapter);
+    const { status, body } = await fetch(port, '/v1/chat/completions', { method: 'POST', body: '{}' });
+    expect(status).toBe(503);
+    expect(body.error).toMatch(/proxy not configured/);
+  });
+
+  it('returns default 503 for proxy requests when disabled and no getUnconfiguredResponse', async () => {
+    const adapter = {
+      name: 'test-no-stub', port: 0, isManagementPort: false, alwaysBind: false,
+      participatesInValidation: false,
+      isEnabled: () => false,
+      getTargetHost: () => '',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+    };
+    const port = await startAdapter(adapter);
+    const { status, body } = await fetch(port, '/v1/models', { method: 'GET' });
+    expect(status).toBe(503);
+    expect(body.error).toMatch(/test-no-stub.*not configured/);
+  });
+
+  // ── URL transform ─────────────────────────────────────────────────────────
+
+  it('applies transformRequestUrl before proxying', async () => {
+    // Record what the transform was called with; upstream will fail (no real host)
+    // but the transform runs synchronously in the request handler before proxying starts.
+    const calls = [];
+    const adapter = {
+      name: 'test-url-transform', port: 0, isManagementPort: false, alwaysBind: false,
+      participatesInValidation: false,
+      isEnabled: () => true,
+      getTargetHost: () => 'api.example.com',
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => null,
+      transformRequestUrl: (url) => {
+        const result = url.replace('?key=placeholder', '');
+        calls.push({ input: url, output: result });
+        return result;
+      },
+    };
+    const port = await startAdapter(adapter);
+    // fetch will return a non-2xx (proxy can't reach api.example.com in test), that's fine.
+    await fetch(port, '/v1/models?key=placeholder').catch(() => {});
+    expect(calls).toHaveLength(1);
+    expect(calls[0].input).toBe('/v1/models?key=placeholder');
+    expect(calls[0].output).toBe('/v1/models');
+  });
+
+  // ── Auth headers ──────────────────────────────────────────────────────────
+
+  it('calls getAuthHeaders() for each proxied request', async () => {
+    // Record the headers returned by getAuthHeaders; upstream will fail (no real host)
+    // but getAuthHeaders is called synchronously in the request handler.
+    const headerCalls = [];
+    const adapter = {
+      name: 'test-auth', port: 0, isManagementPort: false, alwaysBind: false,
+      participatesInValidation: false,
+      isEnabled: () => true,
+      getTargetHost: () => 'api.example.com',
+      getBasePath: () => '',
+      getAuthHeaders: (req) => {
+        const h = { 'Authorization': 'Bearer injected-token' };
+        headerCalls.push(h);
+        return h;
+      },
+      getBodyTransform: () => null,
+    };
+    const port = await startAdapter(adapter);
+    await fetch(port, '/v1/models').catch(() => {});
+    expect(headerCalls).toHaveLength(1);
+    expect(headerCalls[0].Authorization).toBe('Bearer injected-token');
+  });
+
+  // ── getBodyTransform called once per request (not per-call) ──────────────
+
+  it('calls getBodyTransform() once per request', async () => {
+    let callCount = 0;
+    const upstream = http.createServer((req, res) => {
+      req.resume();
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end('{}');
+    });
+    const upstreamPort = await new Promise((resolve) => {
+      upstream.listen(0, '127.0.0.1', () => resolve(upstream.address().port));
+    });
+    servers.push(upstream);
+
+    const adapter = {
+      name: 'test-transform-count', port: 0, isManagementPort: false, alwaysBind: false,
+      participatesInValidation: false,
+      isEnabled: () => true,
+      getTargetHost: () => `127.0.0.1:${upstreamPort}`,
+      getBasePath: () => '',
+      getAuthHeaders: () => ({}),
+      getBodyTransform: () => { callCount++; return null; },
+    };
+    const port = await startAdapter(adapter);
+
+    await new Promise((resolve, reject) => {
+      const req = http.request({ hostname: '127.0.0.1', port, path: '/v1/chat/completions', method: 'POST' }, resolve);
+      req.on('error', reject);
+      req.write('{}');
+      req.end();
+    });
+
+    await new Promise((r) => setTimeout(r, 100));
+    expect(callCount).toBe(1);
+  });
+});