fix(api-proxy): fetch models from BYOK custom providers and fix models_url in reflect

[Copilot]

In BYOK mode with a custom provider (e.g. OpenRouter), cachedModels.copilot was never populated and models_url in the reflect response always pointed to /models (ignoring COPILOT_API_BASE_PATH). This caused awf-reflect: models fetch returned 400 errors from the gh-aw framework and made arbitrary model names like minimax/minimax-m2.5:free invisible to the model resolver.

Changes

containers/api-proxy/providers/copilot.js

• getModelsFetchConfig() — For standard api.githubcopilot.com, behavior is unchanged (only COPILOT_GITHUB_TOKEN accepted, returns null for BYOK-only). For custom targets, now returns a fetch config using the BYOK auth token at https://${rawTarget}${basePath}/models, populating the model cache at startup.

• getReflectionInfo() — models_url now includes the base path prefix. For OpenRouter (COPILOT_API_BASE_PATH=/api/v1), the reflected URL becomes http://api-proxy:10002/api/v1/models instead of http://api-proxy:10002/models.

• Extracted a modelsPath closure variable shared by both methods to avoid duplication.

Example: with COPILOT_PROVIDER_BASE_URL=https://openrouter.ai/api/v1 and COPILOT_API_KEY=<key>:

// Before: returned null → cachedModels.copilot never populated
// After:
adapter.getModelsFetchConfig()
// → { url: 'https://openrouter.ai/api/v1/models', opts: { headers: { Authorization: '******' } }, cacheKey: 'copilot' }

adapter.getReflectionInfo().models_url
// → 'http://api-proxy:10002/api/v1/models'  (was '/models')

containers/api-proxy/server.test.js

Added tests covering: adapter-based fetchStartupModels with BYOK + custom target, getModelsFetchConfig() for all auth/target combinations, and getReflectionInfo() base-path-aware models_url.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.example.com
  • Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/.bin/jest server.test.js (dns block)
  • Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node /opt/hostedtoolcache/node/20.20.2/x64/bin/node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/jest-worker/build/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	87.48%	87.55%	📈 +0.07%
Statements	87.44%	87.51%	📈 +0.07%
Functions	82.66%	82.66%	➡️ +0.00%
Branches	79.65%	79.69%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/container-lifecycle.ts	87.1% → 88.2% (+1.14%)	87.5% → 88.6% (+1.11%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Fixes Copilot BYOK + custom provider startup model discovery in the api-proxy sidecar, and corrects the reflected models_url to include COPILOT_API_BASE_PATH so downstream tooling can fetch models from the right endpoint.

Changes:

• Updated Copilot provider adapter to fetch /models at startup for custom (BYOK) targets and to reflect a base-path-aware models_url.
• Added Jest coverage for Copilot adapter model-fetch configuration, base-path-aware reflection, and adapter-driven fetchStartupModels caching behavior.

Show a summary per file

File	Description
containers/api-proxy/providers/copilot.js	Adds base-path-aware models_url and enables startup model fetch for BYOK custom targets via adapter config.
containers/api-proxy/server.test.js	Adds tests for adapter-based startup model fetching and Copilot adapter getModelsFetchConfig() / getReflectionInfo() behavior.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 4

[lpcox]

@copilot address the review feedback

[Copilot]

@copilot address the review feedback

All three review issues addressed in commit 3441ba7:

1. basePath='/' → //models: Fixed by computing modelsPath as (basePath && basePath !== '/') ? \${basePath}/models` : '/models', so a bare /` base path is treated as no prefix.

2. GitHub token leaking to third-party providers: The custom-target branch in getModelsFetchConfig() now uses apiKey (COPILOT_API_KEY) explicitly instead of authToken. If only a GitHub token is set with no BYOK key, the fetch is skipped (returns null) rather than forwarding the OAuth token to a third party.

3. New tests added:

   • Both tokens + custom target → Authorization uses apiKey, not githubToken
   • Only GitHub token + custom target → getModelsFetchConfig() returns null
   • COPILOT_API_BASE_PATH='/' → both fetch URL and models_url produce /models not //models

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.example.com
  • Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/.bin/jest server.test.js (dns block)
  • Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node /opt/hostedtoolcache/node/20.20.2/x64/bin/node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/jest-worker/build/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	✅ (template vars not expanded; MCP reads confirmed)
File write/read	⚠️ (file path not provided — template vars unexpanded)

PR: fix(api-proxy): fetch models from BYOK custom providers and fix models_url in reflect
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PASS (core connectivity verified)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test: Copilot BYOK

Test	Result
GitHub MCP (list merged PRs)	✅ "chore: upgrade agentic workflows to gh-aw v0.71.5"
GitHub.com connectivity	⚠️ Pre-step data not expanded
File write/read	⚠️ Pre-step data not expanded
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR by @Copilot · Assignees: @lpcox, @Copilot

Overall: PASS (core BYOK path verified ✅)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results

✅ GitHub MCP: Last 2 merged PRs retrieved

• chore: upgrade agentic workflows to gh-aw v0.71.5 #2689: chore: upgrade agentic workflows to gh-aw v0.71.5
• refactor: eliminate duplicate code patterns #2681: refactor: eliminate duplicate code patterns

✅ Playwright: Navigated to github.com, title verified
✅ File Writing: Test file created successfully
✅ Bash Tool: File verified with cat

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test

✅ GitHub PR review: chore: upgrade agentic workflows to gh-aw v0.71.5; refactor: eliminate duplicate code patterns
❌ safeinputs-gh query: unavailable; fallback titles fix(api-proxy): fetch models from BYOK custom providers and fix models_url in reflect; feat: replace Playwright MCP container with pre-installed @playwright/cli in agent image
✅ Playwright: title contains GitHub
❌ Tavily: tool list unavailable
✅ File write/bash: verified
✅ Discussion comment: posted
✅ Build: npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2699 · ● 482.2K · ◷

[github-actions]

Chroot Version Comparison

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results

• Redis PING: ❌ timeout/no response
• PostgreSQL pg_isready: ❌ no response (host.docker.internal:5432 - no response)
• PostgreSQL SELECT 1: ❌ skipped (pg_isready failed)

Overall: FAIL — host.docker.internal is not reachable from this runner environment. Service containers may not be configured or the host alias is unavailable.

🔌 Service connectivity validated by Smoke Services