Skip to content

fix(api-proxy): fall back to next alias candidate when Copilot rejects model for endpoint#6134

Open
lpcox with Copilot wants to merge 2 commits into
mainfrom
copilot/copilot-token-usage-report
Open

fix(api-proxy): fall back to next alias candidate when Copilot rejects model for endpoint#6134
lpcox with Copilot wants to merge 2 commits into
mainfrom
copilot/copilot-token-usage-report

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

The Test Coverage Reporter workflow was failing all runs with 0 AIC because the summarization alias resolved to gpt-5.4-mini (highest semver from copilot/gpt-5*mini*), which the Copilot API permanently rejects on /chat/completions with 400 model "gpt-5.4-mini" is not accessible via the /chat/completions endpoint. The error was unrecognized and forwarded directly to the Copilot CLI.

Root cause

The gpt-5-mini alias pattern copilot/gpt-5*mini* matches both gpt-5-mini and gpt-5.4-mini. Version sorting picks gpt-5.4-mini (5.4 > 5.0) as the winner. The Copilot API lists it in the models catalogue but restricts it to /responses only.

Changes

New: endpoint-blocked detection + per-request candidate fallback

  • upstream-response.js: adds MODEL_ENDPOINT_BLOCKED_PATTERN (/not accessible via the .+? endpoint/i) and parseModelEndpointBlockedFromBody; buffers 400s for this case; threads onModelEndpointBlockedRetry callback through to handle400WithRetry
  • upstream-retry.js: new branch (b) fires onModelEndpointBlockedRetry() before the existing transient-model-not-supported branch — permanent endpoint restriction, no delay
  • upstream-http.js: implements onModelEndpointBlockedRetry — reads req.awfModelCandidates, finds current model in body, picks next ranked candidate, rewrites body, retries

Ranked candidates wired through resolution pipeline

  • model-resolver.js (_resolveAliasPatterns): returns candidates: unique (full sorted list, e.g. [gpt-5.4-mini, claude-haiku-4.5]) alongside resolvedModel
  • model-body-rewriter.js: propagates candidates from resolution result
  • model-config.js: body transform signature becomes async (body, req) — stores req.awfModelCandidates on the request for later use by retry logic
  • body-handler.js: passes req to bodyTransform(body, req)

Documentation

  • model-api-mapping.json (both containers/api-proxy/ and docs/): notes added to gpt-5.4* family documenting the Copilot /chat/completions restriction and the proxy's fallback behaviour

Fallback flow (after fix)

COPILOT_MODEL=summarization
→ alias resolves: resolvedModel=gpt-5.4-mini, candidates=[gpt-5.4-mini, claude-haiku-4.5]
→ req.awfModelCandidates = [gpt-5.4-mini, claude-haiku-4.5]
→ Copilot: 400 "gpt-5.4-mini not accessible via /chat/completions"
→ parseModelEndpointBlockedFromBody → true
→ onModelEndpointBlockedRetry(): next candidate = claude-haiku-4.5
→ body rewritten with model: claude-haiku-4.5 → retry → ✓ success

Copilot AI linked an issue Jul 12, 2026 that may be closed by this pull request
When the Copilot API rejects a resolved model with "not accessible via
the /chat/completions endpoint" (e.g. gpt-5.4-mini), the api-proxy now
falls back to the next ranked candidate from the alias resolution rather
than returning the 400 error to the client.

Root cause: The `summarization` alias resolves via the `gpt-5-mini`
sub-alias which uses pattern `copilot/gpt-5*mini*`. This matches both
`gpt-5-mini` and `gpt-5.4-mini` from the Copilot model list. The version
sorter picks `gpt-5.4-mini` (v5.4 > v5.0) as the top candidate. But
the Copilot API only supports `gpt-5.4-mini` via /responses, not via
/chat/completions. The result is a 400 that previously was not recognized
and was forwarded directly to the client (Copilot CLI), causing all three
Test Coverage Reporter runs to fail with 0 AIC.

Changes:
- model-resolver.js: `_resolveAliasPatterns` now returns the full ranked
  `candidates` array alongside `resolvedModel` so callers have access to
  fallback options.
- model-body-rewriter.js: propagates `candidates` from resolution result.
- model-config.js: body transform now accepts (body, req) and stores
  `req.awfModelCandidates` for use during retry.
- body-handler.js: passes `req` to `bodyTransform(body, req)`.
- upstream-response.js: adds `MODEL_ENDPOINT_BLOCKED_PATTERN` matching
  "not accessible via the ... endpoint" errors; adds
  `parseModelEndpointBlockedFromBody`; threads `onModelEndpointBlockedRetry`
  callback through `handleUpstreamResponse` and `handle400WithRetry`.
- upstream-retry.js: new branch (b) handles endpoint-blocked 400s by
  calling `onModelEndpointBlockedRetry()` before the transient retry.
- upstream-http.js: implements `onModelEndpointBlockedRetry` — reads
  `req.awfModelCandidates`, finds current model in the body, picks the
  next ranked candidate, rewrites the body, and retries upstream.
- model-api-mapping.json + docs/model-api-mapping.json: updated notes for
  gpt-5.4 family to document the Copilot /chat/completions restriction.
- upstream-retry.test.js: adds 4 tests for endpoint-blocked fallback.
- model-resolver.test.js: adds test verifying `candidates` is returned.
Copilot AI changed the title [WIP] Fix missing token usage fields in report fix(api-proxy): fall back to next alias candidate when Copilot rejects model for endpoint Jul 12, 2026
Copilot AI requested a review from lpcox July 12, 2026 14:39
Copilot finished work on behalf of lpcox July 12, 2026 14:39
@lpcox lpcox marked this pull request as ready for review July 12, 2026 15:25
Copilot AI review requested due to automatic review settings July 12, 2026 15:25

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the api-proxy’s Copilot model-alias handling by detecting “model not accessible via endpoint” 400s and retrying the same request with the next ranked alias candidate, preventing hard failures when the highest-semver candidate is responses-only on Copilot.

Changes:

  • Add endpoint-blocked (“not accessible via the … endpoint”) detection and a no-delay retry path that falls back to the next alias candidate for Copilot.
  • Thread ranked alias candidates through model resolution/body-rewrite so retry logic can reuse them without re-resolving.
  • Document the Copilot /chat/completions restriction for gpt-5.4-mini in model mapping notes.
Show a summary per file
File Description
docs/model-api-mapping.json Documents Copilot endpoint restriction + fallback behavior for gpt-5.4-mini.
containers/api-proxy/model-api-mapping.json Mirrors the same restriction + fallback note for the runtime mapping file.
containers/api-proxy/upstream-retry.test.js Adds unit coverage for the endpoint-blocked retry branch.
containers/api-proxy/upstream-retry.js Adds endpoint-blocked retry branch ahead of transient model-not-supported retry.
containers/api-proxy/upstream-response.js Buffers relevant 400 bodies and wires endpoint-blocked parsing + callback into retry handling.
containers/api-proxy/upstream-http.js Implements request-body rewrite + resend using next ranked candidate.
containers/api-proxy/model-resolver.test.js Verifies ranked candidates are returned to support fallback.
containers/api-proxy/model-resolver.js Returns full ranked candidate list alongside resolvedModel.
containers/api-proxy/model-body-rewriter.js Propagates candidates from resolver into rewrite result.
containers/api-proxy/model-config.js Stores ranked candidates on req during body transform for later retry use.
containers/api-proxy/body-handler.js Passes req into bodyTransform to allow storing per-request state.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 11/11 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines +66 to +90
// Determine which model was sent in the current body.
const parsed = parseBodyAsObject(body);
const currentModel = parsed && parsed.model;
if (!currentModel) return false;

const currentIdx = candidates.indexOf(currentModel);
if (currentIdx < 0 || currentIdx >= candidates.length - 1) return false;

const nextModel = candidates[currentIdx + 1];

// Rewrite the body with the next candidate.
const newParsed = parseBodyAsObject(body);
if (!newParsed) return false;
newParsed.model = nextModel;
const newBody = Buffer.from(JSON.stringify(newParsed), 'utf8');

// Update the candidates list so if the next model also fails we can
// continue falling back (by shifting the current index forward).
sendUpstreamRequest(requestHeaders, {
body: newBody, targetHost, upstreamPath, req, res, provider, requestId, startTime, span, requestBytes,
hasRetried,
modelNotSupportedRetryCount,
});
return true;
},
async function transformRequestBody(body, provider, req, requestId, bodyTransform) {
if (bodyTransform && (req.method === 'POST' || req.method === 'PUT' || req.method === 'PATCH')) {
const transformed = await bodyTransform(body);
const transformed = await bodyTransform(body, req);
@lpcox

lpcox commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

@pelikhan can you take a look at this?

@github-actions

Copy link
Copy Markdown
Contributor

⏳ Copilot review left inline comments.

@copilot To proceed:

  1. Ask @copilot to address the review feedback (reply to this comment or the review thread)
  2. Once the fix is pushed, add the ready-for-aw label to trigger agentic CI smoke tests

@github-actions

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

Copy link
Copy Markdown
Contributor

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit e54e5b9

@github-actions

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.30% 98.33% 📈 +0.03%
Statements 98.23% 98.26% 📈 +0.03%
Functions 99.07% 99.07% ➡️ +0.00%
Branches 93.85% 93.85% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

📰 DEVELOPING STORY: Smoke Docker Sbx reports failed. Our correspondents are investigating the incident...

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Connectivity check failed: 000 (Exit 7). File writing passed. Searching for PRs in git log.

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

Copy link
Copy Markdown
Contributor

Thanks for the clear explanation of the endpoint-blocked fallback and for including focused tests and documentation updates. One contribution-guideline item remains: please reference any related issue in the PR description, as required under Pull Request Process → Pull request requirements in CONTRIBUTING.md. If no related issue exists, a brief note stating that would make the linkage explicit.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Contribution Check for #6134 · 3.62 AIC · ⊞ 19.3K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6134 · 55.2 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read ⚠️ Template vars unexpanded in CI

Overall: PASS

PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this runner. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

Results

  • ✅ MCP Connectivity
  • ✅ GitHub.com HTTP 200
  • ⚠️ File I/O (test file not pre-staged)
  • ✅ BYOK Inference (api-proxy → api.githubcopilot.com)

Status: PASS (core path working)

Running in direct BYOK mode via COPILOT_PROVIDER_API_KEY with api-proxy sidecar injection.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP connectivity
GitHub.com HTTP
File write/read

Overall: PASS 🎉
Auth mode: PAT (COPILOT_GITHUB_TOKEN) | PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results: Gemini Engine

  • GitHub MCP Testing: ❌ (Only found PR feat: add Docker sbx microVM runtime support #6101 via git log; GitHub API/MCP unavailable)
  • GitHub.com Connectivity: ❌ (Status 000, Exit 7)
  • File Writing Testing: ✅ (File created in /tmp/gh-aw/agent/)
  • Bash Tool Testing: ✅ (File verified via cat)

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Test comment

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
S1: Module Loading ✅ Pass otel.js loads; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
S2: Test Suite ✅ Pass 45 tests passed (0 failures); otel-fanout.test.js covers fan-out/exporter selection; upstream-token.test.js validates OTEL hook wiring
S3: Env Var Forwarding ✅ Pass api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID
S4: Token Tracker Integration ✅ Pass onUsage callback present in token-tracker-http.js (line 343); onSpanEnd also wired for span lifecycle
S5: OTEL Diagnostics ✅ Pass No OTLP endpoint in test env → FileSpanExporter fallback used; graceful degradation confirmed

Overall: All 5 scenarios pass. 🎉

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.18.0 v22.23.1
Go go1.22.12 go1.22.12

Result: Not all tests passed — Python and Node.js versions differ between host and chroot.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Merged PRs:\n- compiled workflows\n- compiled workflows\nChecks:\n- GitHub query: ✅\n- Browser: ✅\n- Smoke file: ✅\n- Build: ✅\nOverall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note: Java Maven required -Dmaven.repo.local override as the default ~/.m2/repository was owned by root in this environment.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6134 · 36.9 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

📊 Copilot Token Usage Report2026-07-12

3 participants