fix: auto-inject GHEC tenant domains into firewall allowlist (#1316)

* Initial plan

* fix: auto-inject GHEC tenant domains into firewall allowlist

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: Copilot

src/cli.test.ts

@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, parseDnsOverHttps, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal, validateAllowHostPorts, parseMemoryLimit, validateFormat, validateApiProxyConfig, buildRateLimitConfig, validateRateLimitFlags, hasRateLimitOptions, collectRulesetFile, validateApiTargetInAllowedDomains, DEFAULT_OPENAI_API_TARGET, DEFAULT_ANTHROPIC_API_TARGET, DEFAULT_COPILOT_API_TARGET, emitApiProxyTargetWarnings, formatItem, program, parseAgentTimeout, applyAgentTimeout, handlePredownloadAction, resolveApiTargetsToAllowedDomains, extractGhesDomainsFromEngineApiTarget } from './cli';
+import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, parseDnsOverHttps, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal, validateAllowHostPorts, parseMemoryLimit, validateFormat, validateApiProxyConfig, buildRateLimitConfig, validateRateLimitFlags, hasRateLimitOptions, collectRulesetFile, validateApiTargetInAllowedDomains, DEFAULT_OPENAI_API_TARGET, DEFAULT_ANTHROPIC_API_TARGET, DEFAULT_COPILOT_API_TARGET, emitApiProxyTargetWarnings, formatItem, program, parseAgentTimeout, applyAgentTimeout, handlePredownloadAction, resolveApiTargetsToAllowedDomains, extractGhesDomainsFromEngineApiTarget, extractGhecDomainsFromServerUrl } from './cli';
 import { redactSecrets } from './redact-secrets';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -2216,6 +2216,125 @@ describe('cli', () => {
     });
   });
 
+  describe('extractGhecDomainsFromServerUrl', () => {
+    it('should return empty array when no env vars are set', () => {
+      const domains = extractGhecDomainsFromServerUrl({});
+      expect(domains).toEqual([]);
+    });
+
+    it('should return empty array when GITHUB_SERVER_URL is github.com', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://github.com' });
+      expect(domains).toEqual([]);
+    });
+
+    it('should return empty array for GHES (non-ghe.com) server URL', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://github.mycompany.com' });
+      expect(domains).toEqual([]);
+    });
+
+    it('should extract GHEC tenant domain and API subdomain from GITHUB_SERVER_URL', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://myorg.ghe.com' });
+      expect(domains).toContain('myorg.ghe.com');
+      expect(domains).toContain('api.myorg.ghe.com');
+      expect(domains).toHaveLength(2);
+    });
+
+    it('should handle GITHUB_SERVER_URL with trailing slash', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://myorg.ghe.com/' });
+      expect(domains).toContain('myorg.ghe.com');
+      expect(domains).toContain('api.myorg.ghe.com');
+    });
+
+    it('should handle GITHUB_SERVER_URL with path components', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'https://acme.ghe.com/some/path' });
+      expect(domains).toContain('acme.ghe.com');
+      expect(domains).toContain('api.acme.ghe.com');
+    });
+
+    it('should extract from GITHUB_API_URL for GHEC', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_API_URL: 'https://api.myorg.ghe.com' });
+      expect(domains).toContain('api.myorg.ghe.com');
+    });
+
+    it('should not add GITHUB_API_URL domain if already present from GITHUB_SERVER_URL', () => {
+      const domains = extractGhecDomainsFromServerUrl({
+        GITHUB_SERVER_URL: 'https://myorg.ghe.com',
+        GITHUB_API_URL: 'https://api.myorg.ghe.com',
+      });
+      expect(domains).toContain('myorg.ghe.com');
+      expect(domains).toContain('api.myorg.ghe.com');
+      // api.myorg.ghe.com should appear only once
+      const apiCount = domains.filter(d => d === 'api.myorg.ghe.com').length;
+      expect(apiCount).toBe(1);
+    });
+
+    it('should return empty array when GITHUB_API_URL is api.github.com', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_API_URL: 'https://api.github.com' });
+      expect(domains).toEqual([]);
+    });
+
+    it('should ignore non-ghe.com GITHUB_API_URL', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_API_URL: 'https://api.github.mycompany.com' });
+      expect(domains).toEqual([]);
+    });
+
+    it('should handle invalid GITHUB_SERVER_URL gracefully', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_SERVER_URL: 'not-a-valid-url' });
+      expect(domains).toEqual([]);
+    });
+
+    it('should handle invalid GITHUB_API_URL gracefully', () => {
+      const domains = extractGhecDomainsFromServerUrl({ GITHUB_API_URL: 'not-a-valid-url' });
+      expect(domains).toEqual([]);
+    });
+  });
+
+  describe('resolveApiTargetsToAllowedDomains with GHEC', () => {
+    it('should auto-add GHEC domains when GITHUB_SERVER_URL is a ghe.com tenant', () => {
+      const domains: string[] = [];
+      const env = { GITHUB_SERVER_URL: 'https://myorg.ghe.com' };
+      resolveApiTargetsToAllowedDomains({}, domains, env);
+      expect(domains).toContain('myorg.ghe.com');
+      expect(domains).toContain('api.myorg.ghe.com');
+    });
+
+    it('should not duplicate GHEC domains if already in allowlist', () => {
+      const domains: string[] = ['myorg.ghe.com', 'api.myorg.ghe.com'];
+      const env = { GITHUB_SERVER_URL: 'https://myorg.ghe.com' };
+      resolveApiTargetsToAllowedDomains({}, domains, env);
+      const tenantCount = domains.filter(d => d === 'myorg.ghe.com').length;
+      const apiCount = domains.filter(d => d === 'api.myorg.ghe.com').length;
+      expect(tenantCount).toBe(1);
+      expect(apiCount).toBe(1);
+    });
+
+    it('should not add GHEC domains for public github.com', () => {
+      const initialLength = 0;
+      const domains: string[] = [];
+      const env = { GITHUB_SERVER_URL: 'https://github.com' };
+      resolveApiTargetsToAllowedDomains({}, domains, env);
+      // github.com itself should NOT be auto-added just from GITHUB_SERVER_URL
+      expect(domains).not.toContain('github.com');
+      expect(domains).not.toContain('api.github.com');
+      expect(domains).toHaveLength(initialLength);
+    });
+
+    it('should auto-add GHEC domain from GITHUB_API_URL', () => {
+      const domains: string[] = [];
+      const env = { GITHUB_API_URL: 'https://api.myorg.ghe.com' };
+      resolveApiTargetsToAllowedDomains({}, domains, env);
+      expect(domains).toContain('api.myorg.ghe.com');
+    });
+
+    it('should combine GHEC domains with explicit API target', () => {
+      const domains: string[] = [];
+      const env = { GITHUB_SERVER_URL: 'https://company.ghe.com' };
+      resolveApiTargetsToAllowedDomains({ copilotApiTarget: 'api.company.ghe.com' }, domains, env);
+      expect(domains).toContain('company.ghe.com');
+      expect(domains).toContain('api.company.ghe.com');
+    });
+  });
+
   describe('resolveApiTargetsToAllowedDomains with GHES', () => {
     it('should auto-add GHES domains when ENGINE_API_TARGET is set', () => {
       const domains: string[] = ['github.com'];

src/cli.ts

@@ -378,6 +378,53 @@ export function emitApiProxyTargetWarnings(
   }
 }
 
+/**
+ * Extracts GHEC domains from GITHUB_SERVER_URL and GITHUB_API_URL environment variables.
+ * When GITHUB_SERVER_URL points to a GHEC tenant (*.ghe.com), returns the tenant hostname
+ * and its API subdomain so they can be auto-added to the firewall allowlist.
+ *
+ * @param env - Environment variables (defaults to process.env)
+ * @returns Array of domains to auto-add to allowlist, or empty array if not GHEC
+ */
+export function extractGhecDomainsFromServerUrl(
+  env: Record<string, string | undefined> = process.env
+): string[] {
+  const domains: string[] = [];
+
+  // Extract from GITHUB_SERVER_URL (e.g., https://company.ghe.com)
+  const serverUrl = env['GITHUB_SERVER_URL'];
+  if (serverUrl) {
+    try {
+      const hostname = new URL(serverUrl).hostname;
+      if (hostname !== 'github.com' && hostname.endsWith('.ghe.com')) {
+        // GHEC tenant: add the tenant domain and its API subdomain
+        // e.g., company.ghe.com → company.ghe.com + api.company.ghe.com
+        domains.push(hostname);
+        domains.push(`api.${hostname}`);
+      }
+    } catch {
+      // Invalid URL — skip
+    }
+  }
+
+  // Extract from GITHUB_API_URL (e.g., https://api.company.ghe.com)
+  const apiUrl = env['GITHUB_API_URL'];
+  if (apiUrl) {
+    try {
+      const hostname = new URL(apiUrl).hostname;
+      if (hostname !== 'api.github.com' && hostname.endsWith('.ghe.com')) {
+        if (!domains.includes(hostname)) {
+          domains.push(hostname);
+        }
+      }
+    } catch {
+      // Invalid URL — skip
+    }
+  }
+
+  return domains;
+}
+
 /**
  * Extracts GHES API domains from engine.api-target environment variable.
  * When engine.api-target is set (indicating GHES), returns the GHES hostname,
@@ -463,6 +510,17 @@ export function resolveApiTargetsToAllowedDomains(
     apiTargets.push(env['ANTHROPIC_API_TARGET']);
   }
 
+  // Auto-populate GHEC domains when GITHUB_SERVER_URL points to a *.ghe.com tenant
+  const ghecDomains = extractGhecDomainsFromServerUrl(env);
+  if (ghecDomains.length > 0) {
+    for (const domain of ghecDomains) {
+      if (!allowedDomains.includes(domain)) {
+        allowedDomains.push(domain);
+      }
+    }
+    debug(`Auto-added GHEC domains from GITHUB_SERVER_URL/GITHUB_API_URL: ${ghecDomains.join(', ')}`);
+  }
+
   // Auto-populate GHES domains when engine.api-target is set
   const ghesDomains = extractGhesDomainsFromEngineApiTarget(env);
   if (ghesDomains.length > 0) {