Deduplicate Copilot bearer-prefix stripping in api-proxy

[Copilot]

stripBearerPrefix() existed in both upstream-response.js and providers/copilot-auth.js with the same regex but different empty-value semantics. This change removes the duplicate implementation and makes upstream-response use the shared canonical helper, so Bearer/token normalization now stays consistent in one place.

• What changed

  • Removed the local stripBearerPrefix() from containers/api-proxy/upstream-response.js
  • Imported the shared implementation from containers/api-proxy/providers/copilot-auth.js
  • Standardized upstream-response on the canonical undefined return for empty/whitespace-only credentials after prefix stripping

• Behavioral impact

  • buildCopilotAuthErrorMessage() now treats values like `****** the same way as the rest of the Copilot auth path: effectively unset
  • Future auth-prefix changes only need to be made in one helper

• Coverage

  • Added a focused regression test asserting that an empty stripped BYOK key is treated as missing through the upstream-response code path

// before
function stripBearerPrefix(value) {
  return ((value || '').replace(/^\s*(?:Bearer|token)\s+/i, '').trim()) || '';
}

// after
const { stripBearerPrefix } = require('./providers/copilot-auth');

[Copilot]

Pull request overview

This PR removes a duplicated stripBearerPrefix() implementation in the api-proxy and standardizes upstream-response to use the canonical helper from providers/copilot-auth, aligning empty/whitespace-only credential handling to return undefined.

Changes:

• Removed local stripBearerPrefix() from containers/api-proxy/upstream-response.js and imported the shared helper from containers/api-proxy/providers/copilot-auth.js.
• Updated buildCopilotAuthErrorMessage() to rely on the canonical empty-value semantics (empty stripped values treated as unset).
• Added a regression unit test ensuring an empty stripped BYOK key is treated as missing through the upstream-response path.

Show a summary per file

File	Description
containers/api-proxy/upstream-response.js	Switches bearer-prefix stripping to the shared canonical helper and exposes buildCopilotAuthErrorMessage via _testing for unit tests.
containers/api-proxy/server.auth.test.js	Adds a focused regression test covering the empty-stripped BYOK key behavior via upstream-response’s auth error message path.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4951 · ◷

[github-actions]

🔥 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

Overall: PASS

cc @Copilot @lpcox

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

🔭 Smoke Test: API Proxy OTEL Tracing

Scenario	Result	Notes
S1: Module Loading	✅	otel.js loads; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal symbols
S2: Test Suite	✅	59/59 tests pass (otel.test.js + otel-fanout.test.js)
S3: Env Var Forwarding	✅	api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
S4: Token Tracker	✅	onUsage callback present in token-tracker-http.js (invoked at line 256 after usage normalization)
S5: OTEL Diagnostics	✅	No live container run; graceful fallback to /var/log/api-proxy/otel.jsonl when no endpoint configured

All scenarios passed. ✅

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Smoke Test: Copilot BYOK (Direct Mode) — PASS ✅

Test	Result
GitHub MCP connectivity	✅
github.com HTTP (200)	✅
File write/read	✅
BYOK inference (api-proxy → api.githubcopilot.com)	✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar. Agent only sees placeholder; real key held by sidecar.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔥 Smoke Test Results — PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP (200)	✅
File write/read	✅

PR: Deduplicate Copilot bearer-prefix stripping in api-proxy
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Deduplicate Copilot bearer-prefix stripping in api-proxy ✅
Refactor OpenAI BYOK base URL parsing to reuse shared proxy URL normalization ✅
refactor(api-proxy): split proxy-request.js into http-client.js and body-handler.js ✅
PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.16.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results — FAIL ❌

Check	Result
Redis PING	❌ Connection timeout (no PONG)
PostgreSQL pg_isready	❌ No response on port 5432
PostgreSQL SELECT 1	❌ Skipped (pg_isready failed)

host.docker.internal resolves to 172.17.0.1 but both ports (6379, 5432) are unreachable — service containers appear to not be running or are not accessible from this runner.

🔌 Service connectivity validated by Smoke Services

[github-actions]

@Copilot

Smoke Test Results:

• refactor-split-proxy-request: ✅ MCP connectivity
• GitHub.com HTTP: ❌ (Expected 200/301, got 000)
• File I/O: ✅
• Direct BYOK mode: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: FAIL

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

Gemini Engine Smoke Test Results

Last 2 Merged PRs:

1. Refactor OpenAI BYOK base URL parsing to reuse shared proxy URL normalization
2. refactor(api-proxy): split proxy-request.js into http-client.js and body-handler.js

Test Results:

• GitHub MCP Testing: ✅
• GitHub.com Connectivity: ❌ (Status 000/400)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini