fix: include Gemini in api-proxy validation, add 503 fallback

[Copilot]

validateApiProxyConfig() didn't know about GEMINI_API_KEY, so Gemini-only api-proxy configurations triggered a false "no API keys found" warning. When the key was absent, port 10003 silently refused connections instead of returning an actionable error.

Changes

• src/cli.ts — Add hasGeminiKey param to validateApiProxyConfig(), include Gemini in the status log (OpenAI=…, Gemini=…), add geminiApiKey to redacted config filter
• src/docker-manager.ts — Emit explicit warning when --enable-api-proxy is active but GEMINI_API_KEY is absent:

  [WARN] --enable-api-proxy is active but GEMINI_API_KEY is not set.
  [WARN]    The api-proxy Gemini listener (port 10003) will not start.
  [WARN]    Set GEMINI_API_KEY in the AWF runner environment to enable Gemini credential isolation.
  

• containers/api-proxy/server.js — Add 503 fallback listener on port 10003 when GEMINI_API_KEY is unset (matches existing OpenAI fallback pattern), so callers get a descriptive JSON error instead of connection-refused
• src/cli.test.ts — Update validation tests for Gemini key detection, mixed-key combinations, and updated "no keys" warning text

[Copilot]

Pull request overview

Fixes Gemini-only api-proxy configurations being mis-validated as having “no API keys”, and improves behavior when GEMINI_API_KEY is missing by providing clearer warnings and a 503 fallback on the Gemini port.

Changes:

• Extend validateApiProxyConfig() to include Gemini key detection and update CLI status/warning text accordingly.
• Add a Docker-manager warning when api-proxy is enabled without GEMINI_API_KEY.
• Add a port 10003 fallback server that returns 503 JSON errors when Gemini is not configured, avoiding connection-refused.

Show a summary per file

File	Description
src/docker-manager.ts	Adds warning logs when api-proxy is enabled but Gemini key is absent.
src/cli.ts	Updates api-proxy validation + status logging + redaction to include Gemini.
src/cli.test.ts	Updates/extends unit tests for Gemini key detection and mixed-key scenarios.
containers/api-proxy/server.js	Adds a 503 fallback listener on port 10003 when GEMINI_API_KEY is unset.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 1

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.22%	86.34%	📈 +0.12%
Statements	86.08%	86.19%	📈 +0.11%
Functions	87.50%	87.50%	➡️ +0.00%
Branches	78.81%	78.86%	📈 +0.05%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/cli.ts	62.1% → 62.2% (+0.12%)	62.6% → 62.7% (+0.11%)
src/docker-manager.ts	86.6% → 87.0% (+0.40%)	86.0% → 86.5% (+0.40%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🔬 Smoke Test Results

PR: fix: include Gemini in api-proxy validation, add 503 fallback
Author: @Copilot | Assignees: @lpcox, @Copilot

Test	Result
GitHub MCP connectivity	✅ PASS
GitHub.com HTTP	⚠️ N/A (pre-step outputs not injected)
File write/read	⚠️ N/A (pre-step outputs not injected)

Overall: ⚠️ PARTIAL — MCP verified; pre-computed test data unavailable (template vars not substituted).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test Results

✅ GitHub MCP: "fix: normalize API target env vars to bare hostnames via URL parsing", "chore: upgrade smoke-copilot workflow to gh-aw v0.67.3"
✅ Playwright: github.com title contains "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-24158697843.txt created
✅ Bash: file contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All connectivity checks passed:

Check	Result
Redis PING → host.docker.internal:6379	✅ PONG
pg_isready → host.docker.internal:5432	✅ accepting connections
psql SELECT 1 → smoketest db as postgres	✅ returned 1

🔌 Service connectivity validated by Smoke Services

[github-actions]

🔮 Oracle smoke test report

• fix: normalize API target env vars to bare hostnames via URL parsing
• feat: forward OIDC env vars into agent container
• GitHub MCP (last 2 merged PRs): ✅
• safeinputs-gh PR query: ❌ (tool unavailable)
• Playwright title contains "GitHub": ❌ (permission error on MCP log path)
• Tavily search results returned: ❌ (tool unavailable)
• File write + bash cat: ✅
• Discussion query + mystical discussion comment: ❌ (required discussion tool unavailable)
• Build (npm ci && npm run build): ✅
  Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot