[awf] API Proxy: OpenCode engine integration (port 10004, dynamic provider routing) #2013

@lpcox

Problem

The AWF api-proxy sidecar (containers/api-proxy/) does not have a handler for the OpenCode engine. The OpenCode port (10004) is referenced in AGENTS.md as already supported, but the integration described in the original PR needs to be fully implemented or verified in the firewall repo.

Context

Original report: github/gh-aw#25830

The OpenCode engine integration PR (#18403) needs to be applied to current HEAD. OpenCode is a provider-agnostic AI coding agent supporting 75+ models. Key requirements for the AWF firewall:

  • API proxy on port 10004 (already documented in AGENTS.md as OpenCodeLLMGatewayPort = 10004)
  • Dynamic domain allowlists based on model provider prefix (copilot/, anthropic/, openai/, google/, groq/, etc.)
  • Credential protection: umask 077 + chmod 600 for opencode.jsonc config file
  • OPENAI_API_KEY sourced from Copilot token for OpenAI-compatible API access

Root Cause

The containers/api-proxy/server.js file has handlers for OpenAI (10000), Anthropic (10001), Copilot (10002) but the OpenCode handler on port 10004 needs to implement the dynamic provider routing described in resolveOpenCodeRoute() (already present per stored memory at containers/api-proxy/server.js:291-316). The integration with the AWF CLI (src/docker-manager.ts) needs to:

  • Expose port 10004 in the api-proxy container config
  • Set OPENCODE_API_BASE_URL or equivalent env var in the agent container
  • Add OpenCode-specific domain allowlists to Squid config generation (src/squid-config.ts)

Proposed Solution

  1. Verify/complete resolveOpenCodeRoute() in containers/api-proxy/server.js: Confirm the dynamic routing logic handles all provider prefixes (copilot/, anthropic/, openai/, google/, groq/) and routes through the correct upstream with proper auth injection.
  2. Expose port 10004 in src/docker-manager.ts: In generateDockerCompose(), ensure the api-proxy service exposes port 10004 when --enable-api-proxy is active.
  3. Add OpenCode env vars in src/docker-manager.ts: Set OPENCODE_ANTHROPIC_API_BASE_URL, OPENCODE_OPENAI_API_BASE_URL etc. to `(172.30.0.30/redacted)` in the agent container environment.
  4. Dynamic domain allowlists in src/squid-config.ts: Add getDefaultDomainsForEngine() support for OpenCode that includes provider-specific domains based on OPENCODE_MODEL prefix.
  5. Add .opencode/ to whitelisted home subdirs in src/docker-manager.ts agent volume config.
  6. Write opencode.jsonc with umask 077 in the agent entrypoint or via a pre-run script to set all permissions to allow and prevent CI hanging.

Generated by Firewall Issue Dispatcher · ● 2.1M ·
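
Added example, not code from this issue or from the AWF repository: one way to derive a fail-closed domain allowlist from the OPENCODE_MODEL provider prefix, as item 4 of the proposed solution describes. The helper names `domainsForOpenCodeModel` and `squidAclLines`, the ACL name `opencode_allowed`, and the provider hostnames in the table are assumptions made for illustration.

```javascript
'use strict';

// Assumed provider -> upstream hostnames; the project's real table may differ.
// A Map (not a plain object) so inherited keys like "constructor" never match.
const PROVIDER_DOMAINS = new Map([
  ['copilot', ['api.githubcopilot.com']],
  ['anthropic', ['api.anthropic.com']],
  ['openai', ['api.openai.com']],
  ['google', ['generativelanguage.googleapis.com']],
  ['groq', ['api.groq.com']],
]);

// Hypothetical helper: map "<provider>/<model>" to the egress domains that
// provider needs. Anything malformed or unknown throws, so the caller never
// widens the allowlist by accident (fail closed).
function domainsForOpenCodeModel(model) {
  if (typeof model !== 'string') {
    throw new TypeError('OPENCODE_MODEL must be a string');
  }
  // Strict shape: lowercase provider, one slash, then a printable model id.
  const match = /^([a-z0-9-]+)\/([A-Za-z0-9._:\/-]+)$/.exec(model);
  if (!match) {
    throw new Error(`malformed model identifier: ${JSON.stringify(model)}`);
  }
  const domains = PROVIDER_DOMAINS.get(match[1]);
  if (!domains) {
    throw new Error(`unknown provider prefix: ${match[1]}`);
  }
  return [...domains]; // copy, so callers cannot mutate the table
}

// Hypothetical helper: render the domains as Squid dstdomain ACL lines.
function squidAclLines(model, aclName = 'opencode_allowed') {
  return domainsForOpenCodeModel(model).map(
    (domain) => `acl ${aclName} dstdomain ${domain}`
  );
}

// Constructed sample value; the model name is a placeholder.
console.log(squidAclLines('anthropic/example-model').join('\n'));
```

Rejecting unknown prefixes, rather than falling back to a default provider or a wildcard, keeps a mistyped or attacker-influenced OPENCODE_MODEL value from opening egress to an unintended host.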
