fix: gate OpenCode listener (port 10004) on explicit AWF_ENABLE_OPENCODE flag by Copilot · Pull Request #2337 · github/gh-aw-firewall

Copilot · 2026-05-01T03:03:21Z

The OpenCode listener started unconditionally whenever any credential was present (OPENAI_API_KEY, ANTHROPIC_API_KEY, or COPILOT_AUTH_TOKEN), causing misleading /reflect diagnostics and unnecessary port exposure in workflows that don't use OpenCode (e.g. Copilot-only runs).

Changes

containers/api-proxy/server.js — Read AWF_ENABLE_OPENCODE env var (ENABLE_OPENCODE); gate opencodeConfigured in reflectEndpoints(), the expectedListeners++ count in the health-check latch, and the entire port-10004 listener startup block on this flag.
src/types.ts — Add enableOpenCode?: boolean to WrapperConfig.
src/docker-manager.ts — Inject AWF_ENABLE_OPENCODE=true into the api-proxy environment only when config.enableOpenCode is true.
src/cli.ts — Expose --enable-opencode flag wired to config.enableOpenCode. Add validateEnableOpenCodeFlag (following the same pattern as validateRateLimitFlags) so that using --enable-opencode without --enable-api-proxy exits immediately with a clear error message.
src/config-file.ts — Add enableOpenCode?: boolean to AwfFileConfig.apiProxy so the flag can be set via config file or stdin. Validated as a boolean and mapped to the enableOpencode CLI option in mapAwfFileConfigToCliOptions.

Behaviour

Before: OpenCode listener started whenever any of OPENAI_API_KEY | ANTHROPIC_API_KEY | COPILOT_AUTH_TOKEN was set.
After: OpenCode listener only starts when AWF_ENABLE_OPENCODE=true, mirroring the explicit-key pattern already used by Gemini. Using --enable-opencode without --enable-api-proxy is now a hard error. The flag is also configurable via the AWF config file/stdin spec under apiProxy.enableOpenCode.

// docker-manager.ts — only injected when the engine is opencode
...(config.enableOpenCode && { AWF_ENABLE_OPENCODE: 'true' }),

# awf config file
apiProxy:
  enabled: true
  enableOpenCode: true

github-actions · 2026-05-01T03:15:38Z

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	85.94%	85.95%	📈 +0.01%
Statements	85.93%	85.93%	➡️ +0.00%
Functions	87.93%	87.96%	📈 +0.03%
Branches	80.08%	79.97%	📉 -0.11%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
`src/cli.ts`	58.8% → 58.8% (-0.09%)	59.3% → 59.2% (-0.10%)
`src/docker-manager.ts`	87.4% → 87.7% (+0.29%)	87.0% → 87.3% (+0.27%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot

Pull request overview

This PR makes the OpenCode listener (api-proxy port 10004) opt-in by introducing an explicit AWF_ENABLE_OPENCODE=true gate, preventing the listener from starting (and /reflect from reporting it as configured) in workflows that don’t use OpenCode.

Changes:

Add enableOpenCode?: boolean to WrapperConfig, and expose it via --enable-opencode.
Inject AWF_ENABLE_OPENCODE=true into the api-proxy sidecar environment only when explicitly enabled.
Gate OpenCode’s /reflect “configured” status, startup latch expected listener count, and the listener startup block on AWF_ENABLE_OPENCODE.

Show a summary per file

File	Description
`containers/api-proxy/server.js`	Adds `AWF_ENABLE_OPENCODE` gating for OpenCode reflect/config state, readiness latch counting, and the 10004 listener startup.
`containers/api-proxy/server.test.js`	Updates reflectEndpoints test expectations for the default-disabled OpenCode behavior.
`src/types.ts`	Introduces `enableOpenCode?: boolean` config flag with documentation.
`src/docker-manager.ts`	Conditionally injects `AWF_ENABLE_OPENCODE=true` into api-proxy env when enabled.
`src/docker-manager.test.ts`	Adds tests asserting `AWF_ENABLE_OPENCODE` env injection behavior.
`src/cli.ts`	Adds `--enable-opencode` flag and wires it into `WrapperConfig`.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

containers/api-proxy/server.js:1774

The new if (ENABLE_OPENCODE) block isn’t indented like the surrounding listener startup code, which makes it easy to misread the block structure (especially with nested if (opencodeStartupRoute)). Re-indent the block contents to match the file’s existing style so future edits don’t accidentally introduce brace/scope bugs.

  if (ENABLE_OPENCODE) {
  const opencodeStartupRoute = resolveOpenCodeRoute(
    OPENAI_API_KEY, ANTHROPIC_API_KEY, COPILOT_AUTH_TOKEN,
    OPENAI_API_TARGET, ANTHROPIC_API_TARGET, COPILOT_API_TARGET,
    OPENAI_API_BASE_PATH, ANTHROPIC_API_BASE_PATH
  );

Files reviewed: 6/6 changed files
Comments generated: 2

Copilot · 2026-05-01T03:18:52Z

+  it('should report opencode as not configured when AWF_ENABLE_OPENCODE is not set', () => {
+    // ENABLE_OPENCODE is false at module load time (AWF_ENABLE_OPENCODE not set in test env),
+    // so opencode.configured must always be false regardless of other credentials.
    const result = reflectEndpoints();
    const opencode = result.endpoints.find((e) => e.provider === 'opencode');
-    expect(typeof opencode.configured).toBe('boolean');
+    expect(opencode.configured).toBe(false);
    expect(opencode.models).toBeNull();
    expect(opencode.models_url).toBeNull();


This change adds coverage for the disabled-by-default case, but there’s no corresponding test asserting that setting AWF_ENABLE_OPENCODE=true at module load time flips opencode.configured to true when a credential is present. Add a test that sets the env var before importing the module (e.g., via jest.resetModules()/jest.isolateModules()), so regressions in the enable flag wiring are caught.

Copilot · 2026-05-01T03:18:52Z

      enableApiProxy: options.enableApiProxy,
+      enableOpenCode: options.enableOpencode,
      modelAliases,


The CLI help text says --enable-opencode requires --enable-api-proxy, but there’s no validation enforcing that relationship. If a user sets --enable-opencode without --enable-api-proxy, the flag silently has no effect (no api-proxy sidecar -> no port 10004). Add a validation/error similar to validateRateLimitFlags so misuse fails fast with a clear message.

lpcox · 2026-05-01T03:19:27Z

@copilot address the review feedback

…-api-proxy; add AWF_ENABLE_OPENCODE=true test

Copilot · 2026-05-01T03:23:13Z

@copilot address the review feedback

Done in db88f48. Both review comments addressed:

server.test.js — Added an isolateModules test that sets AWF_ENABLE_OPENCODE=true and OPENAI_API_KEY before requiring the module, then asserts opencode.configured === true.
src/cli.ts — Added validateEnableOpenCodeFlag(enableApiProxy, enableOpenCode) (following the same pattern as validateRateLimitFlags) and wired it into the action handler so --enable-opencode without --enable-api-proxy exits with a clear error. Tests added in src/cli.test.ts.

github-actions · 2026-05-01T03:28:10Z

GitHub MCP Testing: ✅
GitHub.com Connectivity: ✅
File Write/Read Test: ✅
Overall status: PASS

@Copilot

💎 Faceted by Smoke Gemini

lpcox · 2026-05-01T03:31:57Z

@copilot the flag should also be enabled in the stdin config spec

Copilot · 2026-05-01T03:35:12Z

@copilot the flag should also be enabled in the stdin config spec

Done in c4b5177. Added enableOpenCode?: boolean to AwfFileConfig.apiProxy in src/config-file.ts, with validation (must be boolean, rejects unknown keys) and mapping to the enableOpencode CLI option in mapAwfFileConfigToCliOptions. Tests added for both the validation and the mapping.

github-actions · 2026-05-01T03:37:41Z

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	85.94%	85.95%	📈 +0.01%
Statements	85.93%	85.94%	➡️ +0.01%
Functions	87.93%	87.96%	📈 +0.03%
Branches	80.08%	80.00%	📉 -0.08%

📁 Per-file Coverage Changes (3 files)

File	Lines (Before → After)	Statements (Before → After)
`src/cli.ts`	58.8% → 58.8% (-0.09%)	59.3% → 59.2% (-0.10%)
`src/config-file.ts`	96.8% → 96.9% (+0.04%)	96.5% → 96.5% (+0.03%)
`src/docker-manager.ts`	87.4% → 87.7% (+0.29%)	87.0% → 87.3% (+0.27%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

github-actions · 2026-05-01T03:39:43Z

🔥 Smoke Test: Copilot BYOK — PASS

Test	Result
GitHub MCP (list PRs)	✅ PR #2329 "feat: model aliasing and fallbacks in api-proxy"
GitHub.com connectivity	✅ HTTP 200/301
File write/read	✅ `smoke-test-copilot-byok-25201004447.txt` confirmed
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS — @Copilot (author), assignees: @lpcox, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-01T03:40:21Z

Smoke Test Results

✅ GitHub MCP: Last 2 merged PRs retrieved
✅ Playwright: GitHub page title verified
✅ File Writing: Test file created successfully
✅ Bash Tool: File verified

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-01T03:40:35Z

🔥 Smoke Test Results — PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

PR: fix: gate OpenCode listener (port 10004) on explicit AWF_ENABLE_OPENCODE flag
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PASS ✅

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-01T03:41:09Z

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

github-actions · 2026-05-01T03:42:07Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2337 · ● 561.6K · ◷

github-actions · 2026-05-01T03:42:33Z

Smoke Test Results

Redis PING: ❌ (timeout — host.docker.internal:6379 unreachable)
PostgreSQL pg_isready: ❌ (host.docker.internal:5432 — no response)
PostgreSQL SELECT 1: ❌ (skipped, pg_isready failed)

Overall: FAIL — Service containers not reachable via host.docker.internal.

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-05-01T03:46:13Z

feat: add enableOpenCode to AwfFileConfig (stdin/file config spec)
feat: model aliasing and fallbacks in api-proxy (#2329)
GitHub MCP review: ❌
safeinputs-gh PR query: ❌
Playwright GitHub title: ✅
Tavily search: ❌
File write + bash cat verify: ✅
Discussion comment: ❌
Build: ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

Initial plan

19ddd12

Copilot AI assigned Copilot and lpcox May 1, 2026

Copilot started work on behalf of lpcox May 1, 2026 03:03 View session

Copilot AI linked an issue May 1, 2026 that may be closed by this pull request

Bug: OpenCode listener (port 10004) starts unconditionally when any credential is available #2336

Closed

Gate OpenCode listener on AWF_ENABLE_OPENCODE env var

f7a6633

Copilot AI changed the title ~~[WIP] Fix OpenCode listener starting with any available credential~~ fix: gate OpenCode listener (port 10004) on explicit AWF_ENABLE_OPENCODE flag May 1, 2026

Copilot AI requested a review from lpcox May 1, 2026 03:10

Copilot finished work on behalf of lpcox May 1, 2026 03:10

lpcox marked this pull request as ready for review May 1, 2026 03:14

lpcox requested a review from Mossaka as a code owner May 1, 2026 03:14

Copilot AI review requested due to automatic review settings May 1, 2026 03:14

Copilot started reviewing on behalf of lpcox May 1, 2026 03:14 View session

github-actions Bot mentioned this pull request May 1, 2026

[aw] Smoke OpenCode failed #2340

Closed