Fix DIFC proxy GHEC data-residency REST API host derivation

[lpcox]

Summary

Fixes #8202 — the mcpg DIFC proxy was not GHEC data-residency (*.ghe.com) aware in the right way.

The DIFC proxy forwards gh api (REST/GraphQL) calls, but on GHEC data-residency tenants it derived the upstream API host as copilot-api.<tenant>.ghe.com — the Copilot inference endpoint, which does not serve the REST API. As a result gh api rate_limit forwarded through the proxy failed (root cause of github/gh-aw#41225, where the AWF awf-cli-proxy liveness probe failed with diagnosis=unknown).

Root cause

deriveAPIFromServerURL in internal/envutil/github.go mapped https://tenant.ghe.com → https://copilot-api.tenant.ghe.com. That subdomain is the Copilot endpoint, not the REST API. The correct GHEC data-residency REST API base is https://api.<tenant>.ghe.com (confirmed by GitHub docs and this repo's own docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md §1).

Changes

• internal/envutil/github.go: GHEC derivation now produces https://api.<tenant>.ghe.com (REST API host), preserving any port.
• internal/proxy/proxy.go: Removed the copilot-api-based isGHECDataResidencyHost GraphQL special case. With the corrected host, GHEC GraphQL lives at /graphql (same as github.com), matching GITHUB_GRAPHQL_URL=https://api.<tenant>.ghe.com/graphql.
• Updated unit tests (envutil, proxy) to the corrected expectations.
• Updated docs (ENVIRONMENT_VARIABLES.md, AGENTS.md) and clarified in AWF_PIPELINE_ENVIRONMENT_VARIABLES.md that the DIFC/REST proxy targets api.<slug>.ghe.com, distinct from the Copilot inference sidecar which uses copilot-api.<slug>.ghe.com.

Verification

make agent-finished passes (format, build, lint, Go tests, Rust guard tests).

Note on companion issues

This addresses the root cause in github/gh-aw-mcpg. The companion issues remain:

• github/gh-aw — inject the enterprise host into the curated DIFC-proxy env so GITHUB_SERVER_URL reaches the proxy.
• API proxy routes Copilot model requests to GHES API instead of Copilot API on Enterprise Server gh-aw-firewall#1300 — replace the opaque diagnosis=unknown probe message with the actual HTTP status/body.

[Copilot]

Pull request overview

Fixes the DIFC proxy’s upstream GitHub API host derivation for GHEC data-residency tenants (*.ghe.com) so REST/GraphQL forwarding targets the correct REST API host (api.<tenant>.ghe.com) instead of the Copilot inference host (copilot-api.<tenant>.ghe.com).

Changes:

• Update GITHUB_SERVER_URL → API base derivation for *.ghe.com to use api.<tenant>.ghe.com (preserving port).
• Simplify GraphQL URL rewriting in the proxy by removing the copilot-api.*.ghe.com special case and treating GHEC data residency like dotcom (/graphql).
• Update unit tests and documentation to match the corrected behavior and clarify the REST-vs-Copilot-host distinction.

Show a summary per file

File	Description
internal/envutil/github.go	Fix .ghe.com API base derivation to api.<tenant>.ghe.com and update related logging/comments.
internal/envutil/github_test.go	Update derivation expectations for GHEC data-residency mappings.
internal/envutil/github_coverage_test.go	Update edge-case coverage expectations for .ghe.com host derivation.
internal/proxy/proxy.go	Remove copilot-api GraphQL routing special-case; route GHEC data residency GraphQL to /graphql.
internal/proxy/forward_to_github_test.go	Update GraphQL path routing expectations for GHEC data residency (/api/graphql → /graphql).
docs/ENVIRONMENT_VARIABLES.md	Update documented derivation rules and examples to use api.*.ghe.com.
docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md	Clarify distinction between Copilot inference (copilot-api.*) and DIFC REST/GraphQL proxy (api.*).
AGENTS.md	Update environment variable documentation to reflect api.*.ghe.com derivation.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/8 changed files
• Comments generated: 1
• Review effort level: Low

[lpcox]

@copilot address review feedback