refactor: decompose writeConfigs into workdir-setup.ts + focused orchestrator

[Copilot]

writeConfigs in src/config-writer.ts was a 305-line monolith inlining six unrelated concerns, burying the security-critical Squid config and docker-compose credential writing midway through. This extracts the two largest concerns (log/state directory setup and chroot home bind-mount preparation) alongside their four private helpers into a dedicated module.

Changes

• src/log-paths.ts — exports LogPaths interface (previously unexported)

• src/workdir-setup.ts (new) — owns:

  • Private helpers: ensureDirectory, assertRealDirectory, createMissingOwnedDirectorySegments, prepareChrootHomeMountpoint
  • Exported prepareWorkDirectories(config, logPaths) covering:
    • Concern Improve links in readme to AW project #1: creates and chowns all log/state dirs (agent-logs, session-state, squid-logs, api-proxy-logs, cli-proxy-logs, /tmp/gh-aw/mcp-logs)
    • Concern Secret proxying #2: creates emptyHomeDir, whitelisted ~/.* subdirs, and runner tool-cache chroot mountpoints

• src/config-writer.ts — reduced from 431 → ~194 lines; writeConfigs is now a clear orchestration sequence:

  // workDir validation + chmod
  prepareWorkDirectories(config, logPaths);
  copySeccompProfile(config);             // inline, ~25 lines
  const sslConfig = await initSslBump(config);
  writeSquidAndCompose(config, sslConfig);
  writeAuditArtifacts(auditDir, ...);

• src/workdir-setup.test.ts (new) — 16 direct unit tests for prepareWorkDirectories, covering both concern Improve links in readme to AW project #1 and Secret proxying #2 independently of writeConfigs

No behavioral changes.

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.62%	96.63%	➡️ +0.01%
Statements	96.49%	96.50%	📈 +0.01%
Functions	98.78%	98.78%	➡️ +0.00%
Branches	91.22%	91.20%	📉 -0.02%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.9% → 85.3% (-4.55%)	89.9% → 85.3% (-4.55%)

✨ New Files (1 files)

• src/workdir-setup.ts: 94.4% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR refactors the directory-setup portion of writeConfigs by extracting log/state directory creation and chroot home bind-mount preparation into a dedicated prepareWorkDirectories helper, improving readability and isolating security-sensitive setup logic.

Changes:

• Added src/workdir-setup.ts with prepareWorkDirectories() plus private directory/mountpoint helpers.
• Updated writeConfigs in src/config-writer.ts to validate workDir and delegate directory preparation to prepareWorkDirectories.
• Added src/workdir-setup.test.ts with focused unit coverage for workdir/log/chroot preparation; exported LogPaths type from src/log-paths.ts for typing.

Show a summary per file

File	Description
src/workdir-setup.ts	New module implementing log/state dir creation and chroot home/tool-cache mountpoint preparation.
src/workdir-setup.test.ts	New unit tests covering prepareWorkDirectories behaviors for both concerns.
src/log-paths.ts	Exports LogPaths interface for reuse by the new module.
src/config-writer.ts	Simplifies writeConfigs by delegating directory setup to prepareWorkDirectories.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 2

[github-actions]

@Copilot @lpcox
refactor: decompose writeConfigs into workdir-setup.ts + focused orchestrator: ✅
GitHub.com connectivity: ✅
File write/read: ✅
BYOK inference: ✅
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.62%	96.63%	➡️ +0.01%
Statements	96.49%	96.51%	📈 +0.02%
Functions	98.78%	98.79%	📈 +0.01%
Branches	91.22%	91.20%	📉 -0.02%

📁 Per-file Coverage Changes (3 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.9% → 85.3% (-4.55%)	89.9% → 85.3% (-4.55%)
src/commands/validators/config-assembly.ts	98.3% → 98.1% (-0.20%)	97.5% → 98.1% (+0.62%)
src/parsers/env-parsers.ts	100.0% → 100.0% (+0.00%)	100.0% → 96.5% (-3.45%)

✨ New Files (1 files)

• src/workdir-setup.ts: 94.4% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.62%	96.63%	➡️ +0.01%
Statements	96.49%	96.51%	📈 +0.02%
Functions	98.78%	98.79%	📈 +0.01%
Branches	91.22%	91.20%	📉 -0.02%

📁 Per-file Coverage Changes (3 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.9% → 85.3% (-4.55%)	89.9% → 85.3% (-4.55%)
src/commands/validators/config-assembly.ts	98.3% → 98.1% (-0.20%)	97.5% → 98.1% (+0.62%)
src/parsers/env-parsers.ts	100.0% → 100.0% (+0.00%)	100.0% → 96.5% (-3.45%)

✨ New Files (1 files)

• src/workdir-setup.ts: 94.4% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🔬 Smoke Test — PAT Auth

Test	Result
GitHub MCP	✅
github.com HTTP	✅ 200
File write/read	✅

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Merged PRs:

• refactor: extract adapter-factory.js from proxy-utils.js
• refactor: decompose 287-line assembleAndValidateConfig into named helpers

Checks:

• GitHub PR reads: ✅
• Browser GitHub title check: ✅
• File write/read: ✅
• Build AWF: ❌ (node missing)
• Discussion lookup/comment: skipped

Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Runtime Version Comparison

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.16.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Result: ❌ Not all runtimes matched — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🔬 Smoke Test Results — FAIL

PR: refactor: decompose writeConfigs into workdir-setup.ts + focused orchestrator
Author: @Copilot | Assignees: @lpcox @Copilot

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	❌ (pre-step output not resolved)
File write/read	❌ (pre-step output not resolved)

Overall: FAIL — workflow template variables (SMOKE_HTTP_CODE, SMOKE_FILE_PATH, SMOKE_FILE_CONTENT) were not substituted; pre-step outputs unavailable.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

@lpcox @Copilot
Smoke Test Results:

• GitHub MCP ([WIP] Normalize model name separators in AWF CLI): ✅
• GitHub.com: ✅
• File I/O: ✅
• BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4896 · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ timeout (no PONG)
PostgreSQL pg_isready	❌ no response
PostgreSQL SELECT 1	❌ timeout

host.docker.internal resolves to 172.17.0.1 but connections to ports 6379 and 5432 timed out — services are unreachable from this environment.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Results: Direct BYOK Mode ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Test	Result
GitHub MCP connectivity	✅
github.com HTTP 200	✅
File write/read	✅
BYOK inference path	✅

Overall Status: PASS

PR: #4896 by @lpcox (assignees: @lpcox, @Copilot)

🔑 BYOK report filed by Smoke Copilot BYOK