fix(proxy): passthrough /rate_limit for CLI proxy liveness probe by lpcox · Pull Request #7187 · github/gh-aw-mcpg · GitHub
Skip to content

fix(proxy): passthrough /rate_limit for CLI proxy liveness probe#7187

Merged
lpcox merged 2 commits into
mainfrom
fix/proxy-passthrough-rate-limit
Jun 8, 2026
Merged

fix(proxy): passthrough /rate_limit for CLI proxy liveness probe#7187
lpcox merged 2 commits into
mainfrom
fix/proxy-passthrough-rate-limit

Conversation

@lpcox

@lpcox lpcox commented Jun 8, 2026

Copy link
Copy Markdown
Collaborator

The gh CLI liveness probe calls GET /rate_limit to verify connectivity. The DIFC proxy was blocking this as an unrecognized endpoint (HTTP 403), causing the cli-proxy sidecar to fail fast and prevent agent startup.

Root cause: /rate_limit is a GET request that enters the "read operation" path, but MatchRoute() returns nil for it, triggering the fail-closed "access denied: unrecognized endpoint" response.

Fix: Add /rate_limit to the passthrough list alongside /meta — both are safe read-only metadata endpoints used by gh CLI for initialization.

Affected: Any workflow using features.cli-proxy: true or features.difc-proxy: true with mcpg >= v0.3.23.

Reported via: https://github.com/github/gh-aw/actions/runs/27112965256/job/80016366723?pr=37708

The gh CLI liveness probe calls GET /rate_limit to verify connectivity.
The DIFC proxy blocked this as an unrecognized endpoint (HTTP 403),
causing the cli-proxy sidecar to fail fast.

Add /rate_limit to the passthrough list alongside /meta.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 8, 2026 03:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the DIFC proxy to allow the gh CLI’s initialization/liveness checks to succeed by explicitly passing through the GET /rate_limit metadata endpoint (similar to the existing /meta passthrough), preventing a fail-closed 403 on an otherwise safe read-only call.

Changes:

  • Add GET /rate_limit to the proxy passthrough allowlist alongside GET /meta.
  • Add a unit test verifying /api/v3/rate_limit is forwarded upstream as /rate_limit and returns successfully.
Show a summary per file
File Description
internal/proxy/handler.go Extends the existing metadata passthrough condition to include /rate_limit.
internal/proxy/handler_test.go Adds coverage ensuring /rate_limit requests are forwarded and not blocked by route matching.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread internal/proxy/handler_test.go
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants