fix: propagate apiProxy.diagnostics config fields to all layers #4743
PR #4678 added apiProxy.diagnostics.captureBlockedRequests and apiProxy.diagnostics.maxCapturedBytes to the JSON schemas and spec, but the fields were not wired through the TypeScript type system or the env var mapping in api-proxy-service-config.ts.

Gaps fixed:
- src/types/api-proxy-options.ts: add captureBlockedRequests and maxCapturedBytes typed fields
- src/config-file.ts: add diagnostics nested interface and map apiProxy.diagnostics.* to the flat ApiProxyOptions fields
- src/services/api-proxy-service-config.ts: wire captureBlockedRequests → AWF_CAPTURE_BLOCKED_LLM_REQUESTS and maxCapturedBytes → AWF_MAX_BLOCKED_CAPTURE_BYTES env vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 96.42% | 96.46% | 📈 +0.04% |
| Statements | 96.34% | 96.38% | 📈 +0.04% |
| Functions | 98.77% | 98.77% | ➡️ +0.00% |
| Branches | 90.74% | 90.69% | 📉 -0.05% |
📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/config-writer.ts | 89.3% → 90.9% (+1.65%) | 89.3% → 90.9% (+1.65%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts
Pull request overview
This PR aims to make the apiProxy.diagnostics.captureBlockedRequests and apiProxy.diagnostics.maxCapturedBytes config keys usable end-to-end by adding the missing TypeScript typings, config-file mapping, and api-proxy container env var wiring—closing gaps left after PR #4678 introduced the schema/spec/runtime support.
Changes:
- Added `captureBlockedRequests` / `maxCapturedBytes` fields to the `ApiProxyOptions` TypeScript interface.
- Extended `src/config-file.ts` to support an `apiProxy.diagnostics` section and map it into CLI option keys.
- Updated api-proxy sidecar service env generation to emit `AWF_CAPTURE_BLOCKED_LLM_REQUESTS` and `AWF_MAX_BLOCKED_CAPTURE_BYTES`.
Show a summary per file
| File | Description |
|---|---|
| src/types/api-proxy-options.ts | Adds TS option fields and inline docs for blocked-request diagnostics configuration. |
| src/config-file.ts | Adds apiProxy.diagnostics config shape and maps it to flat option keys used by the CLI/config merging layer. |
| src/services/api-proxy-service-config.ts | Forwards the new settings into api-proxy container environment variables. |

Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 3
| ...(config.captureBlockedRequests !== undefined && | ||
| config.captureBlockedRequests !== false && { | ||
| AWF_CAPTURE_BLOCKED_LLM_REQUESTS: String(config.captureBlockedRequests), | ||
| }), | ||
| ...(config.maxCapturedBytes !== undefined && { |
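Review bot: the guard on `config.captureBlockedRequests` in this spread rejects only `undefined` and `false`, so `null` or an unrecognised string from the config file goes through `String(...)` and is emitted as the value of `AWF_CAPTURE_BLOCKED_LLM_REQUESTS`. The PR description lists the accepted values as boolean, 'summary', 'redacted' and 'full'; because this switch controls capture of blocked LLM request bodies, check membership in that set before emitting the variable and fail on anything else rather than forwarding it.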
| modelAliases: config.apiProxy?.models, | ||
| debugTokens: config.apiProxy?.logging?.debugTokens, | ||
| tokenLogDir: config.apiProxy?.logging?.tokenLogDir, | ||
| captureBlockedRequests: config.apiProxy?.diagnostics?.captureBlockedRequests, | ||
| maxCapturedBytes: config.apiProxy?.diagnostics?.maxCapturedBytes, |
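Review bot: `captureBlockedRequests` and `maxCapturedBytes` are copied from `config.apiProxy?.diagnostics` with no narrowing, so whatever type the parsed file holds (a quoted "4096", for instance) flows into the flat options under a TypeScript type it does not satisfy. Either confirm that schema validation always runs before this mapping or narrow the two values here; a unit test on the nested-to-flat mapping would also pin the key names.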
| }), | ||
| ...(config.maxCapturedBytes !== undefined && { | ||
| AWF_MAX_BLOCKED_CAPTURE_BYTES: String(config.maxCapturedBytes), | ||
| }), |
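Review bot: `String(config.maxCapturedBytes)` has no integer or range check, so `-1`, `1.5` or `NaN` would be written to `AWF_MAX_BLOCKED_CAPTURE_BYTES` verbatim. Going by its name, this value bounds how many bytes of a blocked request are captured, so require a positive integer before emitting it, and consider whether the variable should be set at all when `captureBlockedRequests` is unset or `false`.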

@copilot address review feedback
Addressed all three review comments in commit
@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/27363917538/job/80858488872?pr=4743
Fixed in commit
✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (3 files)
Coverage comparison generated by
Smoke Test: Copilot PAT Auth — PASS ✅
PR: fix: propagate apiProxy.diagnostics config fields to all layers

MCP connectivity: ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

GitHub API: ✅ PASS
Total: PASS

🔬 Smoke Test Results
PR: fix: propagate apiProxy.diagnostics config fields to all layers
Overall: FAIL — pre-step outputs were not resolved; tests 2 & 3 could not be verified.

Smoke Test: Copilot BYOK (Direct) Mode
Status: ✅ PASS
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar → api.githubcopilot.com
Related: PR #4764, #4765 · Author:

Merged PRs:
Checks:
Overall: FAIL

Smoke Test: GitHub Actions Services Connectivity
Running inside AWF sandbox (
Overall: FAIL
Root cause: AWF iptables rules block outbound connections to database ports (Redis 6379, PostgreSQL 5432) as "dangerous ports".

Chroot Version Comparison Results
Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

fix: propagate apiProxy.diagnostics config fields to all layers

Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

network:
  allowed:
    - defaults
    - "api.openai.com"

See Network Configuration for more information.

Config Consistency Fixes
Automated fixes for configuration fields not fully propagated across all required layers.
From PR #4678 — "Add opt-in diagnostics artifact for blocked LLM request bodies"
PR #4678 added `apiProxy.diagnostics.captureBlockedRequests` and `apiProxy.diagnostics.maxCapturedBytes` to both JSON schemas and the spec, but did not wire them through the TypeScript type system or the env var mapping.

- `apiProxy.diagnostics.captureBlockedRequests`: `captureBlockedRequests?: boolean | 'summary' | 'redacted' | 'full'` to `src/types/api-proxy-options.ts`
- `apiProxy.diagnostics.captureBlockedRequests`: `diagnostics?` nested interface + `captureBlockedRequests` mapping in `src/config-file.ts`
- `apiProxy.diagnostics.captureBlockedRequests`: `AWF_CAPTURE_BLOCKED_LLM_REQUESTS` wiring in `src/services/api-proxy-service-config.ts`
- `apiProxy.diagnostics.maxCapturedBytes`: `maxCapturedBytes?: number` to `src/types/api-proxy-options.ts`
- `apiProxy.diagnostics.maxCapturedBytes`: `maxCapturedBytes` mapping in `src/config-file.ts`
- `apiProxy.diagnostics.maxCapturedBytes`: `AWF_MAX_BLOCKED_CAPTURE_BYTES` wiring in `src/services/api-proxy-service-config.ts`

Layers already present (no fix needed)
- `src/awf-config-schema.json`
- `docs/awf-config.schema.json`
- `docs/awf-config-spec.md`
- `containers/api-proxy/blocked-request-diagnostics.js`

Verification
- `tsc --noEmit`: clean
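
The propagation described above, sketched end to end with validation added before the env vars are emitted. This is an added example, not the project's code: `diagnosticsToEnv` and its result shape are hypothetical, and only the config keys, the listed capture modes and the two `AWF_*` names come from the PR.

```typescript
// Added example (hypothetical helper). Input is treated as untrusted because it
// comes from a parsed config file, so both fields are typed `unknown`.
interface DiagnosticsFileConfig {
  captureBlockedRequests?: unknown; // expected: boolean | 'summary' | 'redacted' | 'full'
  maxCapturedBytes?: unknown;       // expected: number
}

interface EnvResult {
  env: Record<string, string>;
  errors: string[];
}

// Accepted values as listed in the PR description.
const CAPTURE_MODES: readonly unknown[] = [true, false, 'summary', 'redacted', 'full'];

function isPositiveInteger(v: unknown): boolean {
  return typeof v === 'number' && isFinite(v) && Math.floor(v) === v && v > 0;
}

// Maps apiProxy.diagnostics.* to the sidecar env vars. Anything outside the
// declared types is reported instead of being stringified and forwarded.
function diagnosticsToEnv(diag: DiagnosticsFileConfig | undefined): EnvResult {
  const errors: string[] = [];
  const capture = diag?.captureBlockedRequests;
  const maxBytes = diag?.maxCapturedBytes;

  if (capture !== undefined && CAPTURE_MODES.indexOf(capture) === -1) {
    errors.push(`captureBlockedRequests: unsupported value ${JSON.stringify(capture)}`);
  }
  if (maxBytes !== undefined && !isPositiveInteger(maxBytes)) {
    errors.push(`maxCapturedBytes: expected a positive integer, got ${JSON.stringify(maxBytes)}`);
  }
  // Fail closed: one bad field means no diagnostics variables are emitted.
  if (errors.length > 0) return { env: {}, errors };

  const env: Record<string, string> = {};
  // Same guards as the PR's spread: omit when unset or explicitly false.
  if (capture !== undefined && capture !== false) {
    env.AWF_CAPTURE_BLOCKED_LLM_REQUESTS = String(capture);
  }
  if (maxBytes !== undefined) {
    env.AWF_MAX_BLOCKED_CAPTURE_BYTES = String(maxBytes);
  }
  return { env, errors };
}
```
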