fix: route GHEC Copilot proxy to copilot-api subdomain (#1331)

* Initial plan

* fix: route GHEC Copilot proxy to copilot-api subdomain

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: fix awf-runner timeout detection and no-docker test timeouts (#1332)

* Initial plan

* fix: fix awf-runner timeout detection and no-docker test timeouts

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

containers/api-proxy/server.js

@@ -57,7 +57,8 @@ function deriveCopilotApiTarget() {
     return process.env.COPILOT_API_TARGET;
   }
   // Auto-derive from GITHUB_SERVER_URL:
-  // - GitHub Enterprise Cloud (*.ghe.com) → api.<subdomain>.ghe.com
+  // - GitHub Enterprise Cloud (*.ghe.com): Copilot inference/models/MCP are served at
+  //   copilot-api.<subdomain>.ghe.com (separate from the GitHub REST API at api.*)
   // - GitHub Enterprise Server (non-github.com, non-ghe.com) → api.enterprise.githubcopilot.com
   // - github.com → api.githubcopilot.com
   const serverUrl = process.env.GITHUB_SERVER_URL;
@@ -69,7 +70,9 @@ function deriveCopilotApiTarget() {
         if (hostname.endsWith('.ghe.com')) {
           // Extract subdomain: mycompany.ghe.com → mycompany
           const subdomain = hostname.slice(0, -8); // Remove '.ghe.com'
-          return `api.${subdomain}.ghe.com`;
+          // GHEC routes Copilot inference to copilot-api.<subdomain>.ghe.com,
+          // not to api.<subdomain>.ghe.com (which is the GitHub REST API)
+          return `copilot-api.${subdomain}.ghe.com`;
         }
         // GHES (any other non-github.com hostname)
         return 'api.enterprise.githubcopilot.com';

containers/api-proxy/server.test.js

@@ -46,24 +46,24 @@ describe('deriveCopilotApiTarget', () => {
   });
 
   describe('GitHub Enterprise Cloud (*.ghe.com)', () => {
-    it('should derive api.<subdomain>.ghe.com for GHEC tenants', () => {
+    it('should derive copilot-api.<subdomain>.ghe.com for GHEC tenants', () => {
       process.env.GITHUB_SERVER_URL = 'https://mycompany.ghe.com';
-      expect(deriveCopilotApiTarget()).toBe('api.mycompany.ghe.com');
+      expect(deriveCopilotApiTarget()).toBe('copilot-api.mycompany.ghe.com');
     });
 
     it('should handle GHEC URLs with trailing slash', () => {
       process.env.GITHUB_SERVER_URL = 'https://example.ghe.com/';
-      expect(deriveCopilotApiTarget()).toBe('api.example.ghe.com');
+      expect(deriveCopilotApiTarget()).toBe('copilot-api.example.ghe.com');
     });
 
     it('should handle GHEC URLs with path components', () => {
       process.env.GITHUB_SERVER_URL = 'https://acme.ghe.com/some/path';
-      expect(deriveCopilotApiTarget()).toBe('api.acme.ghe.com');
+      expect(deriveCopilotApiTarget()).toBe('copilot-api.acme.ghe.com');
     });
 
     it('should handle multi-part subdomain for GHEC', () => {
       process.env.GITHUB_SERVER_URL = 'https://dev.mycompany.ghe.com';
-      expect(deriveCopilotApiTarget()).toBe('api.dev.mycompany.ghe.com');
+      expect(deriveCopilotApiTarget()).toBe('copilot-api.dev.mycompany.ghe.com');
     });
   });
 

docs/enterprise-configuration.md

@@ -16,14 +16,14 @@ When `GITHUB_SERVER_URL` is set to a `*.ghe.com` domain, AWF automatically deriv
 
 ```bash
 # Example: GITHUB_SERVER_URL=https://acme.ghe.com
-# AWF automatically uses: api.acme.ghe.com
+# AWF automatically uses: copilot-api.acme.ghe.com
 ```
 
 **How it works:**
 1. AWF reads `GITHUB_SERVER_URL` from your environment
 2. Detects that the hostname ends with `.ghe.com`
 3. Extracts the subdomain (e.g., `acme` from `acme.ghe.com`)
-4. Routes Copilot API traffic to `api.<subdomain>.ghe.com`
+4. Routes Copilot API traffic to `copilot-api.<subdomain>.ghe.com`
 5. **Auto-injects `GH_HOST` environment variable** in the agent container so the `gh` CLI targets your GHEC instance
 
 **GH_HOST Auto-Injection:**
@@ -45,16 +45,22 @@ export GITHUB_SERVER_URL="https://acme.ghe.com"
 export GITHUB_TOKEN="<your-copilot-cli-token>"
 
 sudo -E awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com,raw.githubusercontent.com \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com,copilot-telemetry-service.acme.ghe.com,raw.githubusercontent.com \
   --enable-api-proxy \
   -- npx @github/copilot@latest --prompt "your prompt here"
 ```
 
 **Domain breakdown:**
 - `acme.ghe.com` - Your GHEC tenant domain (git operations, web UI)
-- `api.acme.ghe.com` - Your tenant-specific Copilot API endpoint (automatically routed by AWF)
+- `api.acme.ghe.com` - GitHub REST API endpoint (AWF auto-adds this for `*.ghe.com` instances)
+- `copilot-api.acme.ghe.com` - Copilot inference, models, and MCP endpoint (AWF auto-adds this for `*.ghe.com` instances)
+- `copilot-telemetry-service.acme.ghe.com` - Copilot telemetry endpoint (AWF auto-adds this for `*.ghe.com` instances)
 - `raw.githubusercontent.com` - Raw content access (if using GitHub MCP server)
 
+:::note
+AWF automatically adds `api.<slug>.ghe.com`, `copilot-api.<slug>.ghe.com`, and `copilot-telemetry-service.<slug>.ghe.com` to the firewall allowlist when `GITHUB_SERVER_URL` points to a `*.ghe.com` domain. They are listed above for transparency; you do not need to include them manually.
+:::
+
 ### GitHub Actions (GHEC)
 
 In GitHub Actions workflows running on GHEC, the `GITHUB_SERVER_URL` environment variable is automatically set by GitHub Actions. No additional configuration is needed:
@@ -73,7 +79,7 @@ jobs:
           # GITHUB_SERVER_URL is automatically set by GitHub Actions
         run: |
           sudo -E awf \
-            --allow-domains ${{ github.server_url_hostname }},api.${{ github.server_url_hostname }},raw.githubusercontent.com \
+            --allow-domains raw.githubusercontent.com \
             --enable-api-proxy \
             -- npx @github/copilot@latest --prompt "generate tests"
 ```
@@ -114,7 +120,7 @@ export GITHUB_TOKEN="<your-copilot-cli-token>"
 export GITHUB_PERSONAL_ACCESS_TOKEN="<your-github-pat>"
 
 sudo -E awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com,raw.githubusercontent.com,registry.npmjs.org \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com,copilot-telemetry-service.acme.ghe.com,raw.githubusercontent.com,registry.npmjs.org \
   --enable-api-proxy \
   "npx @github/copilot@latest \
     --disable-builtin-mcps \
@@ -211,8 +217,8 @@ If automatic detection doesn't work for your setup, you can manually specify the
 ```bash
 # For GHEC with custom configuration
 sudo awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com \
-  --copilot-api-target api.acme.ghe.com \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com,copilot-telemetry-service.acme.ghe.com \
+  --copilot-api-target copilot-api.acme.ghe.com \
   --enable-api-proxy \
   -- your-command
 
@@ -231,7 +237,7 @@ The `--copilot-api-target` flag takes precedence over automatic detection.
 AWF determines the Copilot API endpoint in this order:
 
 1. **`--copilot-api-target` flag** (highest priority) - Manual override
-2. **`GITHUB_SERVER_URL` with `*.ghe.com`** - Automatic GHEC detection → `api.<subdomain>.ghe.com`
+2. **`GITHUB_SERVER_URL` with `*.ghe.com`** - Automatic GHEC detection → `copilot-api.<subdomain>.ghe.com`
 3. **`GITHUB_SERVER_URL` non-github.com** - Automatic GHES detection → `api.enterprise.githubcopilot.com`
 4. **Default** - Public GitHub → `api.githubcopilot.com`
 
@@ -252,7 +258,7 @@ Add `--keep-containers` to inspect the configuration:
 
 ```bash
 sudo -E awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com \
   --enable-api-proxy \
   --keep-containers \
   -- npx @github/copilot@latest --prompt "test"
@@ -265,7 +271,7 @@ sudo -E awf \
 docker logs awf-api-proxy | grep "Copilot proxy"
 
 # Expected for GHEC:
-# Copilot proxy listening on port 10002 (target: api.acme.ghe.com)
+# Copilot proxy listening on port 10002 (target: copilot-api.acme.ghe.com)
 
 # Expected for GHES:
 # Copilot proxy listening on port 10002 (target: api.enterprise.githubcopilot.com)
@@ -304,7 +310,7 @@ sudo cat /tmp/squid-logs-*/access.log | grep TCP_DENIED
 
 # Add the blocked domain to your allowlist
 sudo -E awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com,<blocked-domain> \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com,copilot-telemetry-service.acme.ghe.com,<blocked-domain> \
   --enable-api-proxy \
   -- your-command
 ```
@@ -366,7 +372,7 @@ docker pull ghcr.io/github/github-mcp-server:latest
 
 # 4. Run Copilot with AWF
 sudo -E awf \
-  --allow-domains acme.ghe.com,api.acme.ghe.com,raw.githubusercontent.com,registry.npmjs.org \
+  --allow-domains acme.ghe.com,copilot-api.acme.ghe.com,copilot-telemetry-service.acme.ghe.com,raw.githubusercontent.com,registry.npmjs.org \
   --enable-api-proxy \
   "npx @github/copilot@latest \
     --disable-builtin-mcps \

src/cli.test.ts

@@ -2232,23 +2232,29 @@ describe('cli', () => {
       expect(domains).toEqual([]);
     });
 
-    it('should extract GHEC tenant domain and API subdomain from GITHUB_SERVER_URL', () => {
+    it('should extract GHEC tenant, API, Copilot API, and telemetry subdomains from GITHUB_SERVER_URL', () => {
       const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://myorg.ghe.com' });
       expect(domains).toContain('myorg.ghe.com');
       expect(domains).toContain('api.myorg.ghe.com');
-      expect(domains).toHaveLength(2);
+      expect(domains).toContain('copilot-api.myorg.ghe.com');
+      expect(domains).toContain('copilot-telemetry-service.myorg.ghe.com');
+      expect(domains).toHaveLength(4);
     });
 
     it('should handle GITHUB_SERVER_URL with trailing slash', () => {
       const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://myorg.ghe.com/' });
       expect(domains).toContain('myorg.ghe.com');
       expect(domains).toContain('api.myorg.ghe.com');
+      expect(domains).toContain('copilot-api.myorg.ghe.com');
+      expect(domains).toContain('copilot-telemetry-service.myorg.ghe.com');
     });
 
     it('should handle GITHUB_SERVER_URL with path components', () => {
       const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://acme.ghe.com/some/path' });
       expect(domains).toContain('acme.ghe.com');
       expect(domains).toContain('api.acme.ghe.com');
+      expect(domains).toContain('copilot-api.acme.ghe.com');
+      expect(domains).toContain('copilot-telemetry-service.acme.ghe.com');
     });
 
     it('should extract from GITHUB_API_URL for GHEC', () => {
@@ -2296,6 +2302,8 @@ describe('cli', () => {
       resolveApiTargetsToAllowedDomains({}, domains, env);
       expect(domains).toContain('myorg.ghe.com');
       expect(domains).toContain('api.myorg.ghe.com');
+      expect(domains).toContain('copilot-api.myorg.ghe.com');
+      expect(domains).toContain('copilot-telemetry-service.myorg.ghe.com');
     });
 
     it('should not duplicate GHEC domains if already in allowlist', () => {

src/cli.ts

@@ -380,11 +380,13 @@ export function emitApiProxyTargetWarnings(
 
 /**
  * Extracts GHEC domains from GITHUB_SERVER_URL and GITHUB_API_URL environment variables.
- * When GITHUB_SERVER_URL points to a GHEC tenant (*.ghe.com), returns the tenant hostname
- * and its API subdomain so they can be auto-added to the firewall allowlist.
+ * When GITHUB_SERVER_URL points to a GHEC tenant (*.ghe.com), returns the tenant hostname,
+ * its API subdomain, the Copilot API subdomain, and the Copilot telemetry subdomain so they
+ * can be auto-added to the firewall allowlist.
  *
  * @param env - Environment variables (defaults to process.env)
- * @returns Array of domains to auto-add to allowlist, or empty array if not GHEC
+ * @returns Array of GHEC-related domains (tenant, api.*, copilot-api.*, copilot-telemetry-service.*)
+ *          to auto-add to the allowlist, or an empty array if not GHEC
  */
 export function extractGhecDomainsFromServerUrl(
   env: Record<string, string | undefined> = process.env
@@ -397,10 +399,14 @@ export function extractGhecDomainsFromServerUrl(
     try {
       const hostname = new URL(serverUrl).hostname;
       if (hostname !== 'github.com' && hostname.endsWith('.ghe.com')) {
-        // GHEC tenant: add the tenant domain and its API subdomain
+        // GHEC tenant with data residency: add the tenant domain, API subdomain,
+        // Copilot inference subdomain, and Copilot telemetry subdomain.
         // e.g., company.ghe.com → company.ghe.com + api.company.ghe.com
+        //        + copilot-api.company.ghe.com + copilot-telemetry-service.company.ghe.com
         domains.push(hostname);
         domains.push(`api.${hostname}`);
+        domains.push(`copilot-api.${hostname}`);
+        domains.push(`copilot-telemetry-service.${hostname}`);
       }
     } catch {
       // Invalid URL — skip

tests/fixtures/awf-runner.ts

@@ -195,6 +195,19 @@ export class AwfRunner {
       throw error;
     }
 
+    // With reject: false, execa returns instead of throwing on timeout.
+    // Detect this case and return a proper timeout result.
+    if (result.timedOut) {
+      return {
+        exitCode: -1,
+        stdout: result.stdout || '',
+        stderr: result.stderr || '',
+        success: false,
+        timedOut: true,
+        workDir: this.extractWorkDir(result.stderr || ''),
+      };
+    }
+
     // Extract work directory from stderr logs
     const workDir = this.extractWorkDir(result.stderr || '');
 
@@ -389,6 +402,19 @@ export class AwfRunner {
       throw error;
     }
 
+    // With reject: false, execa returns instead of throwing on timeout.
+    // Detect this case and return a proper timeout result.
+    if (result.timedOut) {
+      return {
+        exitCode: -1,
+        stdout: result.stdout || '',
+        stderr: result.stderr || '',
+        success: false,
+        timedOut: true,
+        workDir: this.extractWorkDir(result.stderr || ''),
+      };
+    }
+
     const workDir = this.extractWorkDir(result.stderr || '');
 
     // Normalize exit code to handle undefined (defaults to 0)

tests/integration/no-docker.test.ts

@@ -50,7 +50,7 @@ describe('Docker-in-Docker removal (PR #205)', () => {
       {
         allowDomains: ['github.com'],
         logLevel: 'debug',
-        timeout: 30000,
+        timeout: 120000,
         buildLocal: true,
       }
     );
@@ -63,7 +63,7 @@ describe('Docker-in-Docker removal (PR #205)', () => {
     const result = await runner.runWithSudo('docker run alpine echo hello', {
       allowDomains: ['github.com'],
       logLevel: 'debug',
-      timeout: 30000,
+      timeout: 120000,
       buildLocal: true,
     });
 
@@ -78,7 +78,7 @@ describe('Docker-in-Docker removal (PR #205)', () => {
     const result = await runner.runWithSudo('which docker-compose', {
       allowDomains: ['github.com'],
       logLevel: 'debug',
-      timeout: 30000,
+      timeout: 120000,
       buildLocal: true,
     });
 
@@ -93,7 +93,7 @@ describe('Docker-in-Docker removal (PR #205)', () => {
       {
         allowDomains: ['github.com'],
         logLevel: 'debug',
-        timeout: 30000,
+        timeout: 120000,
         buildLocal: true,
       }
     );