Add model filtering, error handling, and config enhancements

Introduces support for filtering allowed models in API endpoints using the `allowed_models` configuration. Improves error handling by replacing string matching with structured error types. Updates logging to include model information when available.

Refactors configuration validation for better modularity and adds tests for `allowed_models` behavior and proxy rejection of disallowed models. Enhances middleware to log request details and integrates support for `/v1/completions` endpoint.

Removes unused dependencies from `go.mod` and adjusts Dockerfile to use a consistent command for starting the service.

Author: privapps

AGENTS.md

@@ -0,0 +1,56 @@
+# Repository Guidelines
+
+## Project Structure & Module Organization
+
+Source code location:
+- `cmd/` — Application entry points
+- `internal/` — Core service modules (auth, config, API, middleware)
+- `pkg/` — Shared utilities/packages
+- `test/` — Integration and helper tests
+- `config.example.json`, `Dockerfile`, `docker-compose.yml` — Example/config files
+
+## Build, Test, and Development Commands
+
+Key commands (via Makefile):
+- `make build` — Build service binary
+- `make run` — Start proxy server locally
+- `make dev` — Hot reload (requires air)
+- `make test` — Unit tests
+- `make test-all` — All tests (unit + integration)
+- `make test-coverage` — Coverage report
+- `make lint` — Lint code (golangci-lint)
+- `make fmt` — Format code
+
+Requires Go 1.23.0+
+
+## Coding Style & Naming Conventions
+
+- Indentation: tabs (Go standard)
+- Use camelCase or snake_case for names
+- Exported Go identifiers: PascalCase
+- Format code before PRs (`make fmt`), lint (`make lint`)
+
+## Testing Guidelines
+
+- Use Go `testing` package; name test files `_test.go`, test functions `TestXxx`
+- Unit tests: `internal/` and `pkg/`
+- Integration tests: `test/integration/`
+- Run: `make test-all`, `make test-coverage` (aim for >=45% coverage in core logic)
+
+## Commit & Pull Request Guidelines
+
+- Commit messages: short, present-tense (e.g., "Refactor code structure")
+- PRs: describe changes/reasoning, link issues, add screenshots for UI
+- Ensure all tests pass & code is formatted
+- Do not commit secrets or sensitive configs
+
+## Security & Configuration Tips
+
+- Store secrets in user-level config with permissions 0700
+- Never log sensitive data
+- Only use HTTPS for credentials/tokens
+- Do not push sensitive files; check `.gitignore`
+
+---
+
+For help, open an issue or see the README troubleshooting section.

Dockerfile

@@ -47,4 +47,4 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
   CMD wget --no-verbose --tries=1 --spider http://localhost:8081/health || exit 1
 
 # Run the binary
-CMD ["./github-copilot-svcs", "run"]
+CMD ["./github-copilot-svcs", "start"]

README.md

@@ -105,6 +105,19 @@ make security   # Run security analysis
 make docker-build       # Build Docker image
 make docker-run         # Run Docker container
 ```
+  ## Filtering Allowed Models
+
+  You can control which models are available by specifying `allowed_models` in your config file (`config.json`).
+
+  Example:
+  ```json
+  {
+    "allowed_models": ["gpt-4o", "claude-3.7-sonnet"]
+  }
+
+  - If set, both CLI and REST /v1/models lists are filtered and show a note.
+  - Proxy requests to /v1/chat/completions will only allow those models, rejecting others with HTTP 400.
+  - If omitted or set to null, all models are permitted (default behavior).
 
 ## Building for Different OS/Architectures
 
@@ -211,6 +224,20 @@ Content-Type: application/json
 }
 ```
 
+### Completions
+This endpoint is OpenAI-compatible and proxies requests to the upstream Copilot API `/completions` endpoint.
+
+```bash
+POST http://localhost:8081/v1/completions
+Content-Type: application/json
+
+{
+  "model": "gpt-4",
+  "prompt": "Write a hello world in Python",
+  "max_tokens": 100
+}
+```
+
 ### Available Models
 ```bash
 GET http://localhost:8081/v1/models

config.example.json

@@ -1,5 +1,6 @@
 {
   "port": 8081,
+  "allowed_models": null,
   "headers": {
     "user_agent": "GitHubCopilotChat/0.29.1",
     "editor_version": "vscode/1.102.3",

go.mod

@@ -3,11 +3,3 @@ module github.com/privapps/github-copilot-svcs
 go 1.23.0
 
 toolchain go1.23.5
-
-require (
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-)

go.sum

@@ -1,10 +0,0 @@
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=

internal/cli.go

@@ -1,12 +1,13 @@
 package internal
 
 import (
-	"encoding/json"
-	"flag"
-	"fmt"
-	"os"
-	"time"
-	"strings"
+"encoding/json"
+"errors"
+"flag"
+"fmt"
+"os"
+"time"
+"github.com/privapps/github-copilot-svcs/pkg/transform"
 )
 
 // Command constants to avoid goconst errors
@@ -112,14 +113,14 @@ func handleAuth() error {
 }
 
 func handleStatusWithFormat(jsonOutput bool) error {
-	cfg, err := LoadConfig()
-	if err != nil {
-		if strings.Contains(err.Error(), "either github_token or copilot_token must be provided") {
-			fmt.Println("Not authenticated. Run 'auth' to authenticate.")
-			return nil
-		}
-		return fmt.Errorf("failed to load config: %v", err)
-	}
+       cfg, err := LoadConfig()
+       if err != nil {
+               if errors.Is(err, ErrMissingTokens) {
+                       fmt.Println("Not authenticated. Run 'auth' to authenticate.")
+                       return nil
+               }
+               return fmt.Errorf("failed to load config: %v", err)
+       }
 
 	if jsonOutput {
 		return printStatusJSON(cfg)
@@ -213,14 +214,14 @@ func printStatusText(cfg *Config) error {
 }
 
 func handleConfig() error {
-	cfg, err := LoadConfig()
-	if err != nil {
-		if strings.Contains(err.Error(), "either github_token or copilot_token must be provided") {
-			fmt.Println("Not authenticated. Run 'auth' to authenticate.")
-			return nil
-		}
-		return fmt.Errorf("failed to load config: %v", err)
-	}
+       cfg, err := LoadConfig()
+       if err != nil {
+               if errors.Is(err, ErrMissingTokens) {
+                       fmt.Println("Not authenticated. Run 'auth' to authenticate.")
+                       return nil
+               }
+               return fmt.Errorf("failed to load config: %v", err)
+       }
 
 	path, _ := GetConfigPath()
 	fmt.Printf("Configuration file: %s\n", path)
@@ -248,20 +249,20 @@ func getCurrentTime() int64 {
 }
 
 func handleRun() error {
-	cfg, err := LoadConfig()
-	if err != nil {
-		if strings.Contains(err.Error(), "either github_token or copilot_token must be provided") {
-			if authErr := handleAuth(); authErr != nil {
-				return fmt.Errorf("authentication failed: %v", authErr)
-			}
-			cfg, err = LoadConfig()
-			if err != nil {
-				return fmt.Errorf("failed to load config after authentication: %v", err)
-			}
-		} else {
-			return fmt.Errorf("failed to load config: %v", err)
-		}
-	}
+       cfg, err := LoadConfig()
+       if err != nil {
+               if errors.Is(err, ErrMissingTokens) {
+                       if authErr := handleAuth(); authErr != nil {
+                               return fmt.Errorf("authentication failed: %v", authErr)
+                       }
+                       cfg, err = LoadConfig()
+                       if err != nil {
+                               return fmt.Errorf("failed to load config after authentication: %v", err)
+                       }
+               } else {
+                       return fmt.Errorf("failed to load config: %v", err)
+               }
+       }
 
 	// Create HTTP client and auth service
 	httpClient := CreateHTTPClient(cfg)
@@ -278,14 +279,14 @@ func handleRun() error {
 }
 
 func handleModels() error {
-	cfg, err := LoadConfig()
-	if err != nil {
-		if strings.Contains(err.Error(), "either github_token or copilot_token must be provided") {
-			fmt.Println("Not authenticated. Run 'auth' to authenticate.")
-			return nil
-		}
-		return fmt.Errorf("failed to load config: %v", err)
-	}
+       cfg, err := LoadConfig()
+       if err != nil {
+               if errors.Is(err, ErrMissingTokens) {
+                       fmt.Println("Not authenticated. Run 'auth' to authenticate.")
+                       return nil
+               }
+               return fmt.Errorf("failed to load config: %v", err)
+       }
 
 	// Create HTTP client and auth service
 	httpClient := CreateHTTPClient(cfg)
@@ -308,23 +309,52 @@ func handleModels() error {
 		return nil
 	}
 
-	fmt.Printf("Available models (%d total):\n", len(modelList.Data))
-	for _, model := range modelList.Data {
-		fmt.Printf("  - %s (%s)\n", model.ID, model.OwnedBy)
-	}
-
-	return nil
-}
+    filtered := modelList.Data
+    var unknown []string
+    filteredMsg := ""
+    if len(cfg.AllowedModels) > 0 {
+        allowedSet := make(map[string]struct{}, len(cfg.AllowedModels))
+        for _, name := range cfg.AllowedModels {
+            allowedSet[name] = struct{}{}
+        }
+        var tmp []transform.Model
+        foundSet := make(map[string]struct{})
+        for _, model := range filtered {
+            if _, ok := allowedSet[model.ID]; ok {
+                tmp = append(tmp, model)
+                foundSet[model.ID] = struct{}{}
+            }
+        }
+        for k := range allowedSet {
+            if _, ok := foundSet[k]; !ok {
+                unknown = append(unknown, k)
+            }
+        }
+        filtered = tmp
+        filteredMsg = "NOTE: The model list is filtered by allowed_models in config."
+        if len(unknown) > 0 {
+            fmt.Printf("WARNING: The following allowed_models were not found and are ignored: %v\n", unknown)
+        }
+    }
+    fmt.Printf("Available models (%d shown):\n", len(filtered))
+    for _, model := range filtered {
+        fmt.Printf("  - %s (%s)\n", model.ID, model.OwnedBy)
+    }
+    if filteredMsg != "" {
+        fmt.Println(filteredMsg)
+    }
+    return nil
+} 
 
 func handleRefresh() error {
-	cfg, err := LoadConfig()
-	if err != nil {
-		if strings.Contains(err.Error(), "either github_token or copilot_token must be provided") {
-			fmt.Println("Not authenticated. Run 'auth' to authenticate.")
-			return nil
-		}
-		return fmt.Errorf("failed to load config: %v", err)
-	}
+       cfg, err := LoadConfig()
+       if err != nil {
+               if errors.Is(err, ErrMissingTokens) {
+                       fmt.Println("Not authenticated. Run 'auth' to authenticate.")
+                       return nil
+               }
+               return fmt.Errorf("failed to load config: %v", err)
+       }
 
 	if cfg.CopilotToken == "" {
 		return fmt.Errorf("no token to refresh - run 'auth' command first")