Bug: OpenCode listener (port 10004) starts unconditionally when any credential is available #2336

@lpcox

Problem

The api-proxy OpenCode listener (port 10004) starts whenever any API credential is available (OPENAI_API_KEY, ANTHROPIC_API_KEY, or COPILOT_AUTH_TOKEN), even in workflows that do not use the OpenCode engine.

Example: In a Copilot-only workflow (e.g., smoke-copilot), only COPILOT_AUTH_TOKEN is set. The OpenCode listener still starts because resolveOpenCodeRoute() returns a non-null route when any credential is present.

Impact:

  • /reflect endpoint reports OpenCode as "configured" (1 of 5 providers configured includes OpenCode)
  • Health check counts the OpenCode listener as expected (expectedListeners++)
  • Misleading diagnostics and unnecessary port exposure

Observed in: https://github.com/github/gh-aw/actions/runs/25199652994

Root Cause

In containers/api-proxy/server.js:

// Line 1437 (reflect endpoint)
const opencodeConfigured = !!(OPENAI_API_KEY || ANTHROPIC_API_KEY || COPILOT_AUTH_TOKEN);

// Line 1543 (health check)
if (OPENAI_API_KEY || ANTHROPIC_API_KEY || COPILOT_AUTH_TOKEN) expectedListeners++;

// Line 1766-1771 (listener startup)
const opencodeStartupRoute = resolveOpenCodeRoute(
  OPENAI_API_KEY, ANTHROPIC_API_KEY, COPILOT_AUTH_TOKEN, ...
);
if (opencodeStartupRoute) { /* starts listener on port 10004 */ }

OpenCode is a meta-provider that routes to whichever credential is available. But it should only start when the workflow actually needs the OpenCode engine.

Proposed Fix

1. Add AWF_ENABLE_OPENCODE env var gate in api-proxy

const ENABLE_OPENCODE = process.env.AWF_ENABLE_OPENCODE === "true";

// Line 1437 (reflect)
const opencodeConfigured = ENABLE_OPENCODE && !!(OPENAI_API_KEY || ANTHROPIC_API_KEY || COPILOT_AUTH_TOKEN);

// Line 1543 (health check)
if (ENABLE_OPENCODE && (OPENAI_API_KEY || ANTHROPIC_API_KEY || COPILOT_AUTH_TOKEN)) expectedListeners++;

// Line 1766 (listener startup)
if (ENABLE_OPENCODE) {
  const opencodeStartupRoute = resolveOpenCodeRoute(...);
  if (opencodeStartupRoute) { /* start listener */ }
}

2. AWF sets AWF_ENABLE_OPENCODE=true only when needed

In src/docker-manager.ts, only pass the env var to the api-proxy when the engine is opencode:

// In the proxyService.environment block (~line 1768):
...(config.enableOpenCode && { AWF_ENABLE_OPENCODE: "true" }),

3. Add enableOpenCode to WrapperConfig

Add an enableOpenCode?: boolean field to WrapperConfig in src/types.ts, set from a CLI flag (--enable-opencode) or config file field.

Comparison with Gemini

Note that Gemini already uses the correct pattern: it only starts when GEMINI_API_KEY is explicitly provided. OpenCode should follow the same explicit-enablement approach rather than implicitly activating from unrelated credentials.

Files to Change

  • containers/api-proxy/server.js — Gate OpenCode listener, reflect, and health check on AWF_ENABLE_OPENCODE
  • src/docker-manager.ts — Pass AWF_ENABLE_OPENCODE=true to api-proxy when engine is opencode
  • src/types.ts — Add enableOpenCode config field
  • src/cli.ts — Wire CLI flag or config to the new field
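
Added example, not part of the original issue or the project's code: a small model of the OpenCode decision before and after the proposed gate, run over constructed environments, including values such as "1" and "TRUE" that the strict `=== "true"` comparison rejects. The credential names and AWF_ENABLE_OPENCODE come from the issue; `resolveRouteStandIn`, the state field names and the scenario names are hypothetical.

```javascript
// Added example: a model of the gate in the proposed fix, not the project's server.js.
// The credential names and AWF_ENABLE_OPENCODE come from the issue; all else is hypothetical.
const CREDENTIAL_VARS = ["OPENAI_API_KEY", "ANTHROPIC_API_KEY", "COPILOT_AUTH_TOKEN"];

// Stand-in for resolveOpenCodeRoute(): per the issue it returns a non-null
// route whenever any credential is present. The return shape is an assumption.
function resolveRouteStandIn(env) {
  const name = CREDENTIAL_VARS.find((v) => Boolean(env[v]));
  return name ? { credential: name } : null;
}

// Before the fix: credentials alone decide all three call sites.
function openCodeStateBefore(env) {
  const active = resolveRouteStandIn(env) !== null;
  return { reflectConfigured: active, healthExpected: active, listenerStarted: active };
}

// After the fix: one decision, gated on the exact string "true", shared by
// /reflect, the health check and listener startup so they cannot disagree.
function openCodeStateAfter(env) {
  const enabled = env.AWF_ENABLE_OPENCODE === "true";
  const active = enabled && resolveRouteStandIn(env) !== null;
  return { reflectConfigured: active, healthExpected: active, listenerStarted: active };
}

// Constructed environments (dummy values, not real tokens).
const SCENARIOS = {
  copilotOnly: { COPILOT_AUTH_TOKEN: "dummy" },
  opencodeEngine: { OPENAI_API_KEY: "dummy", AWF_ENABLE_OPENCODE: "true" },
  looseTruthy: { COPILOT_AUTH_TOKEN: "dummy", AWF_ENABLE_OPENCODE: "1" },
  upperCase: { COPILOT_AUTH_TOKEN: "dummy", AWF_ENABLE_OPENCODE: "TRUE" },
  enabledNoCredential: { AWF_ENABLE_OPENCODE: "true" },
};

// Returns { scenario: { before, after } } with the listener state for each case.
function auditScenarios() {
  const out = {};
  for (const [name, env] of Object.entries(SCENARIOS)) {
    out[name] = {
      before: openCodeStateBefore(env).listenerStarted,
      after: openCodeStateAfter(env).listenerStarted,
    };
  }
  return out;
}

console.table(auditScenarios());
```

Because the gate fails closed on anything other than the exact string "true", whatever sets the variable has to emit that literal, as the `AWF_ENABLE_OPENCODE: "true"` line in step 2 does.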
