Skip to content

Refactor preflight allowed-domain resolution into explicit pipeline stages#5757

Merged
lpcox merged 2 commits into
mainfrom
copilot/refactor-domain-resolution-pipeline
Jul 1, 2026
Merged

Refactor preflight allowed-domain resolution into explicit pipeline stages#5757
lpcox merged 2 commits into
mainfrom
copilot/refactor-domain-resolution-pipeline

Conversation

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

resolveAllowedDomains in src/commands/preflight.ts had grown into a long security-critical orchestrator that mixed parsing, merge logic, localhost side-effects, API target resolution, and validation. This refactor extracts the inline parsing and validation stages into dedicated helpers, keeping behavior unchanged while making the allowlist path easier to reason about and review.

  • Pipeline stage extraction

    • Added parseDomainOptions(options) to encapsulate:
      • --allow-domains parsing
      • --allow-domains-file parsing
      • --ruleset-file merge
    • Added validateAllowedDomains(domains) to encapsulate domain/pattern validation and centralized error handling.
  • Orchestrator simplification

    • resolveAllowedDomains now composes stages:
      1. parseDomainOptions
      2. dedupe
      3. existing processLocalhostKeyword flow (including option mutations)
      4. existing API target auto-resolution
      5. validateAllowedDomains
    • Existing public signature and side-effects are preserved.
  • Focused unit coverage

    • Added direct tests for parseDomainOptions and validateAllowedDomains in src/commands/preflight.test.ts.
    • Kept existing resolveAllowedDomains coverage to ensure integration behavior remains aligned.
let allowedDomains = parseDomainOptions(options);
allowedDomains = [...new Set(allowedDomains)];

const localhostResult = processLocalhostKeyword(
  allowedDomains,
  (options.enableHostAccess as boolean) || false,
  options.allowHostPorts as string | undefined
);

resolveApiTargetsToAllowedDomains(/* existing args */);
validateAllowedDomains(allowedDomains);

Copilot AI changed the title [WIP] Refactor domain-resolution pipeline stages from resolveAllowedDomains Refactor preflight allowed-domain resolution into explicit pipeline stages Jul 1, 2026
Copilot AI requested a review from lpcox July 1, 2026 18:37
Copilot finished work on behalf of lpcox July 1, 2026 18:37
@lpcox lpcox requested a review from Copilot July 1, 2026 18:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the preflight allowed-domain resolution logic by extracting the parsing/merge stage and the domain-validation stage into dedicated helpers, while keeping resolveAllowedDomains() as the orchestrator that composes the full pipeline (including localhost handling and API-target auto-allowlisting). This improves readability and reviewability of a security-sensitive path without changing the externally visible behavior.

Changes:

  • Extracted parseDomainOptions(options) to encapsulate --allow-domains, --allow-domains-file, and --ruleset-file parsing/merge (including existing process.exit(1) error behavior).
  • Extracted validateAllowedDomains(domains) to centralize per-domain validation and failure handling.
  • Added focused unit tests covering the new helpers, while retaining existing resolveAllowedDomains coverage.
Show a summary per file
File Description
src/commands/preflight.ts Split allowed-domain parsing/merge and validation into parseDomainOptions / validateAllowedDomains, and updated resolveAllowedDomains to compose these stages.
src/commands/preflight.test.ts Added direct unit coverage for parseDomainOptions and validateAllowedDomains and updated imports accordingly.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@lpcox lpcox marked this pull request as ready for review July 1, 2026 19:17
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

Contribution check complete for PR #5757: the refactor appears to follow the applicable CONTRIBUTING.md guidelines. It includes focused tests, keeps changes in the appropriate src/ command files, has a clear PR description, and does not require documentation updates because behavior is unchanged.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.65% 98.69% 📈 +0.04%
Statements 98.53% 98.57% 📈 +0.04%
Functions 99.55% 99.55% ➡️ +0.00%
Branches 94.46% 94.46% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 92.7% → 94.5% (+1.82%) 92.7% → 94.5% (+1.82%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS

  • MCP Connectivity: ✅ github-list_pull_requests verified
  • GitHub.com HTTP: ✅ HTTP 200
  • File Write/Read: ✅ Confirmed
  • BYOK Inference: ✅ Running via api-proxy → api.githubcopilot.com

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com


@lpcox @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test Results

PR: Refactor preflight allowed-domain resolution into explicit pipeline stages
Author: @Copilot | Assignees: @lpcox, @Copilot

Test Result
GitHub MCP connectivity
GitHub.com HTTP connectivity ❌ (pre-step data unavailable)
File write/read ❌ (pre-step data unavailable)

Overall: FAIL — pre-step template variables were not substituted; connectivity tests could not be verified.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API status ✅ PASS
gh check ✅ PASS
File status ✅ PASS

Overall result: PASS

Generated by Smoke Claude for #5757 · 30.1 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read ❌ pre-step data not injected (template vars unresolved)

Overall: FAIL

PR: Refactor preflight allowed-domain resolution into explicit pipeline stages@Copilot / assignees: @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Detail
Module Loading otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + test helpers
Test Suite 39/39 tests pass (otel.test.js)
Env Var Forwarding api-proxy-env-config.ts forwards all 5 OTEL vars: GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID + OTEL_SERVICE_NAME
Token Tracker Integration onUsage callback present in token-tracker-http.js as the OTEL hook point
OTEL Diagnostics No spans exported (expected — no api-proxy container ran in this workflow); fallback file exporter configured for /var/log/api-proxy/otel.jsonl

All scenarios pass. OTEL integration is complete and functional.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File IO test: ✅
  • BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Refactor preflight allowed-domain resolution into explicit pipeline stages

✅ GitHub MCP Testing
✅ GitHub.com Connectivity
✅ File Write/Read Test
✅ BYOK Inference Test

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

cc @lpcox @Copilot

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.17.0 v22.23.0
Go go1.22.12 go1.22.12

Result: 1/3 passed — Python and Node.js versions differ between host and chroot. The smoke-chroot label was not applied.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Merged PRs reviewed:

  • fix: sysroot filter should not drop workspace custom mounts
  • fix: filter split-fs-invisible mounts when sysroot-stage is active (arc-dind)

Checks:

  • GitHub title page: ✅
  • File write/read: ✅
  • Build: ✅
  • Discussion comment: ⚠️ skipped (discussions write unavailable)

Overall: PASS

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results: GitHub Actions Services Connectivity

Check Result
Redis PING ❌ timeout (no connection)
PostgreSQL pg_isready ❌ no response
PostgreSQL SELECT 1 ❌ not reached

Overall: FAILhost.docker.internal is not reachable from this sandbox. Service containers appear unavailable or the host alias is not resolvable.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for #5757 · 56.6 AIC · ⊞ 7.8K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results: Gemini Engine

  • GitHub MCP Testing: ❌ (mcpscripts not found)
  • GitHub.com Connectivity: ❌ (SSL/Proxy Error)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 1, 2026
@lpcox lpcox merged commit 79438e7 into main Jul 1, 2026
88 of 90 checks passed
@lpcox lpcox deleted the copilot/refactor-domain-resolution-pipeline branch July 1, 2026 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactoring] Extract domain-resolution pipeline stages from resolveAllowedDomains (97 lines) in src/commands/preflight.ts

3 participants