feat: GHEC tenant support for proxy and guard URL parsing (#2481)

## Summary

Adds auto-derivation of GitHub API URL from environment variables for
GHEC/GHES tenants, and fixes the Rust guard URL parser to handle
non-github.com URLs.

## Changes

### Proxy: Environment-based API URL resolution
The proxy `--github-api-url` flag now auto-resolves from environment
when not explicitly set:

1. `GITHUB_API_URL` — explicit API endpoint
2. `GITHUB_SERVER_URL` — auto-derived:
   - `*.ghe.com` → `copilot-api.*.ghe.com` (GHEC)
   - other hosts → `<host>/api/v3` (GHES)
   - `github.com` → `api.github.com`
3. Default: `https://api.github.com`

This matches the derivation pattern used by GitHub Agentic Workflows'
`deriveCopilotApiTarget()`.

### Rust Guard: Generic URL parsing
`extract_repo_from_github_url()` now handles GHEC/GHES URLs by looking
for `/repos/<owner>/<repo>` generically in the URL path, instead of only
matching `api.github.com` prefixes.

### Tests
- 10 Go unit tests for `DeriveGitHubAPIURL()` and
`deriveAPIFromServerURL()`
- 3 Rust unit tests for GHEC/GHES/standard URL extraction

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Author: lpcox

AGENTS.md

@@ -367,6 +367,8 @@ DEBUG_COLORS=0 DEBUG=* ./awmg --config config.toml
 ## Environment Variables
 
 - `GITHUB_PERSONAL_ACCESS_TOKEN` - GitHub auth
+- `GITHUB_API_URL` - Explicit GitHub API endpoint (e.g., `https://copilot-api.mycompany.ghe.com`); used by proxy to set upstream target
+- `GITHUB_SERVER_URL` - GitHub server URL; proxy auto-derives API endpoint: `*.ghe.com` → `copilot-api.*.ghe.com`, GHES → `<host>/api/v3`, `github.com` → `api.github.com`
 - `DOCKER_API_VERSION` - Set by querying Docker daemon's current API version; falls back to `1.44` for all architectures if detection fails
 - `DEBUG` - Enable debug logging (e.g., `DEBUG=*`, `DEBUG=server:*,launcher:*`)
 - `DEBUG_COLORS` - Control colored output (0 to disable, auto-disabled when piping)

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -513,14 +513,15 @@ pub fn extract_repo_info_from_search_query(query: &str) -> (String, String, Stri
     (String::new(), String::new(), String::new())
 }
 
-fn extract_repo_from_github_url(url: &str) -> Option<String> {
+pub(crate) fn extract_repo_from_github_url(url: &str) -> Option<String> {
     let parse_owner_repo = |path: &str| {
         let mut parts = path.split('/').filter(|segment| !segment.is_empty());
         let owner = parts.next()?;
         let repo = parts.next()?;
         Some(format!("{}/{}", owner, repo))
     };
 
+    // Fast path for well-known github.com URLs
     if let Some(path) = url
         .strip_prefix("https://api.github.com/repos/")
         .or_else(|| url.strip_prefix("http://api.github.com/repos/"))
@@ -530,6 +531,12 @@ fn extract_repo_from_github_url(url: &str) -> Option<String> {
         return parse_owner_repo(path);
     }
 
+    // Generic path: handle GHEC (api.*.ghe.com) and GHES (*/api/v3/repos/*)
+    // by looking for /repos/<owner>/<repo> in the URL path.
+    if let Some(pos) = url.find("/repos/") {
+        return parse_owner_repo(&url[pos + 7..]);
+    }
+
     None
 }
 

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -3848,4 +3848,45 @@ mod tests {
             "item path must use /items/ prefix for REST format"
         );
     }
+
+    #[test]
+    fn test_extract_repo_from_github_url_ghec() {
+        // GHEC tenant URLs (api.<tenant>.ghe.com)
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://api.mycompany.ghe.com/repos/owner/repo/issues"),
+            Some("owner/repo".to_string())
+        );
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://api.mycompany.ghe.com/repos/owner/repo"),
+            Some("owner/repo".to_string())
+        );
+    }
+
+    #[test]
+    fn test_extract_repo_from_github_url_ghes() {
+        // GHES URLs (host/api/v3/repos/...)
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://github.example.com/api/v3/repos/owner/repo/pulls"),
+            Some("owner/repo".to_string())
+        );
+    }
+
+    #[test]
+    fn test_extract_repo_from_github_url_standard() {
+        // Standard github.com API URLs
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://api.github.com/repos/octocat/Hello-World/issues"),
+            Some("octocat/Hello-World".to_string())
+        );
+        // Standard github.com HTML URLs
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://github.com/octocat/Hello-World"),
+            Some("octocat/Hello-World".to_string())
+        );
+        // No match
+        assert_eq!(
+            helpers::extract_repo_from_github_url("https://example.com/no-repos-path"),
+            None
+        );
+    }
 }

internal/cmd/proxy.go

@@ -92,7 +92,7 @@ Local usage:
 	cmd.Flags().StringVarP(&proxyListen, "listen", "l", "127.0.0.1:8080", "Proxy listen address")
 	cmd.Flags().StringVar(&proxyLogDir, "log-dir", getDefaultLogDir(), "Log file directory")
 	cmd.Flags().StringVar(&proxyDIFCMode, "guards-mode", "filter", "DIFC enforcement mode: strict, filter, propagate")
-	cmd.Flags().StringVar(&proxyAPIURL, "github-api-url", proxy.DefaultGitHubAPIBase, "Upstream GitHub API URL")
+	cmd.Flags().StringVar(&proxyAPIURL, "github-api-url", "", "Upstream GitHub API URL (default: auto-derived from GITHUB_API_URL or GITHUB_SERVER_URL, falls back to https://api.github.com)")
 	cmd.Flags().BoolVar(&proxyTLS, "tls", false, "Enable HTTPS with auto-generated self-signed certificates")
 	cmd.Flags().StringVar(&proxyTLSDir, "tls-dir", "", "Directory for TLS certificates (default: <log-dir>/proxy-tls)")
 	cmd.Flags().StringSliceVar(&proxyTrustedBots, "trusted-bots", nil, "Additional trusted bot usernames (comma-separated, extends built-in list)")
@@ -144,12 +144,22 @@ func runProxy(cmd *cobra.Command, args []string) error {
 		logger.LogInfo("startup", "No fallback token — proxy will forward client Authorization headers")
 	}
 
+	// Resolve GitHub API URL: flag → env vars → default
+	apiURL := proxyAPIURL
+	if apiURL == "" {
+		apiURL = proxy.DeriveGitHubAPIURL()
+	}
+	if apiURL == "" {
+		apiURL = proxy.DefaultGitHubAPIBase
+	}
+	logger.LogInfo("startup", "Upstream GitHub API URL: %s", apiURL)
+
 	// Create the proxy server
 	proxySrv, err := proxy.New(ctx, proxy.Config{
 		WasmPath:     proxyGuardWasm,
 		Policy:       proxyPolicy,
 		GitHubToken:  token,
-		GitHubAPIURL: proxyAPIURL,
+		GitHubAPIURL: apiURL,
 		DIFCMode:     proxyDIFCMode,
 		TrustedBots:  proxyTrustedBots,
 	})

internal/proxy/proxy.go

@@ -12,6 +12,8 @@ import (
 	"io"
 	"log"
 	"net/http"
+	"net/url"
+	"os"
 	"strings"
 	"time"
 
@@ -31,6 +33,58 @@ const (
 	ghHostPathPrefix = "/api/v3"
 )
 
+// DeriveGitHubAPIURL resolves the upstream GitHub API URL from environment
+// variables. Priority order:
+//  1. GITHUB_API_URL — explicit API endpoint (e.g. https://copilot-api.mycompany.ghe.com)
+//  2. GITHUB_SERVER_URL — auto-derive API endpoint from server URL:
+//     - https://mycompany.ghe.com  → https://copilot-api.mycompany.ghe.com
+//     - https://github.mycompany.com → https://github.mycompany.com/api/v3
+//     - https://github.com → https://api.github.com
+//  3. Returns empty string if no env vars are set (caller uses DefaultGitHubAPIBase)
+func DeriveGitHubAPIURL() string {
+	if apiURL := os.Getenv("GITHUB_API_URL"); apiURL != "" {
+		logProxy.Printf("GitHub API URL from GITHUB_API_URL: %s", apiURL)
+		return apiURL
+	}
+	if serverURL := os.Getenv("GITHUB_SERVER_URL"); serverURL != "" {
+		derived := deriveAPIFromServerURL(serverURL)
+		if derived != "" {
+			logProxy.Printf("GitHub API URL derived from GITHUB_SERVER_URL=%s: %s", serverURL, derived)
+			return derived
+		}
+	}
+	return ""
+}
+
+// deriveAPIFromServerURL converts a GITHUB_SERVER_URL to the corresponding API endpoint.
+// GHEC tenants (*.ghe.com): https://tenant.ghe.com → https://copilot-api.tenant.ghe.com
+// GitHub.com: https://github.com → https://api.github.com
+// GHES (all others): https://github.example.com → https://github.example.com/api/v3
+func deriveAPIFromServerURL(serverURL string) string {
+	parsed, err := url.Parse(strings.TrimRight(serverURL, "/"))
+	if err != nil || parsed.Host == "" {
+		return ""
+	}
+
+	// Use Hostname() (not Host) so that an optional port does not interfere
+	// with the suffix / equality checks below.
+	hostname := strings.ToLower(parsed.Hostname())
+
+	switch {
+	case hostname == "github.com" || hostname == "www.github.com":
+		return DefaultGitHubAPIBase
+	case strings.HasSuffix(hostname, ".ghe.com"):
+		// GHEC tenant: copilot-api.<subdomain>.ghe.com (re-add port when present)
+		if port := parsed.Port(); port != "" {
+			return fmt.Sprintf("%s://copilot-api.%s:%s", parsed.Scheme, hostname, port)
+		}
+		return fmt.Sprintf("%s://copilot-api.%s", parsed.Scheme, hostname)
+	default:
+		// GHES: <host>/api/v3 (parsed.Host retains the port, if any)
+		return fmt.Sprintf("%s://%s/api/v3", parsed.Scheme, parsed.Host)
+	}
+}
+
 // Server is a filtering HTTP forward proxy for the GitHub REST/GraphQL API.
 // It loads the same WASM guard used by the MCP gateway and runs the 6-phase
 // DIFC pipeline on every proxied response.

internal/proxy/proxy_test.go

@@ -4,6 +4,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 
 	"github.com/github/gh-aw-mcpg/internal/difc"
@@ -844,3 +845,122 @@ func TestUnwrapSingleObject(t *testing.T) {
 		})
 	}
 }
+
+func TestDeriveAPIFromServerURL(t *testing.T) {
+	tests := []struct {
+		name      string
+		serverURL string
+		expected  string
+	}{
+		{
+			name:      "github.com returns default",
+			serverURL: "https://github.com",
+			expected:  DefaultGitHubAPIBase,
+		},
+		{
+			name:      "github.com with trailing slash",
+			serverURL: "https://github.com/",
+			expected:  DefaultGitHubAPIBase,
+		},
+		{
+			name:      "GHEC tenant derives copilot-api subdomain",
+			serverURL: "https://mycompany.ghe.com",
+			expected:  "https://copilot-api.mycompany.ghe.com",
+		},
+		{
+			name:      "GHEC tenant with trailing slash",
+			serverURL: "https://mycompany.ghe.com/",
+			expected:  "https://copilot-api.mycompany.ghe.com",
+		},
+		{
+			name:      "GHES uses /api/v3 path",
+			serverURL: "https://github.mycompany.com",
+			expected:  "https://github.mycompany.com/api/v3",
+		},
+		{
+			name:      "GHEC tenant with port",
+			serverURL: "https://mycompany.ghe.com:8443",
+			expected:  "https://copilot-api.mycompany.ghe.com:8443",
+		},
+		{
+			name:      "GHES with port",
+			serverURL: "https://github.example.com:8443",
+			expected:  "https://github.example.com:8443/api/v3",
+		},
+		{
+			name:      "empty string",
+			serverURL: "",
+			expected:  "",
+		},
+		{
+			name:      "invalid URL",
+			serverURL: "not-a-url",
+			expected:  "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := deriveAPIFromServerURL(tt.serverURL)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestDeriveGitHubAPIURL(t *testing.T) {
+	tests := []struct {
+		name     string
+		envVars  map[string]string
+		expected string
+	}{
+		{
+			name:     "no env vars returns empty",
+			envVars:  map[string]string{},
+			expected: "",
+		},
+		{
+			name:     "GITHUB_API_URL takes priority",
+			envVars:  map[string]string{"GITHUB_API_URL": "https://api.custom.ghe.com", "GITHUB_SERVER_URL": "https://other.ghe.com"},
+			expected: "https://api.custom.ghe.com",
+		},
+		{
+			name:     "GITHUB_SERVER_URL auto-derives GHEC",
+			envVars:  map[string]string{"GITHUB_SERVER_URL": "https://mycompany.ghe.com"},
+			expected: "https://copilot-api.mycompany.ghe.com",
+		},
+		{
+			name:     "GITHUB_SERVER_URL auto-derives GHES",
+			envVars:  map[string]string{"GITHUB_SERVER_URL": "https://github.example.com"},
+			expected: "https://github.example.com/api/v3",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Save and clear relevant env vars
+			savedAPI, hadAPI := os.LookupEnv("GITHUB_API_URL")
+			savedServer, hadServer := os.LookupEnv("GITHUB_SERVER_URL")
+			os.Unsetenv("GITHUB_API_URL")
+			os.Unsetenv("GITHUB_SERVER_URL")
+			defer func() {
+				if hadAPI {
+					_ = os.Setenv("GITHUB_API_URL", savedAPI)
+				} else {
+					_ = os.Unsetenv("GITHUB_API_URL")
+				}
+				if hadServer {
+					_ = os.Setenv("GITHUB_SERVER_URL", savedServer)
+				} else {
+					_ = os.Unsetenv("GITHUB_SERVER_URL")
+				}
+			}()
+
+			for k, v := range tt.envVars {
+				os.Setenv(k, v)
+			}
+
+			result := DeriveGitHubAPIURL()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}