Refactor URL derivation and helper ownership across envutil/config/mcp (#3968)

The codebase had duplicated GitHub API URL resolution logic with
divergent behavior between proxy and unified server paths, plus helper
placement that blurred package boundaries. This refactor consolidates
URL derivation, separates config expansion from validation, and moves
MCP result construction to the MCP layer.

- **GitHub API URL derivation is now single-source (`envutil`)**
- Added `envutil.DeriveGitHubAPIURL(defaultURL string)` and internal
server-URL derivation logic.
- `server/unified` now derives from `GITHUB_API_URL` **or**
`GITHUB_SERVER_URL` (instead of only `GITHUB_API_URL`), aligning
behavior with proxy mode.
- Removed duplicate derivation functions from `internal/proxy/proxy.go`.
  - Updated call sites:
    - `internal/cmd/proxy.go` → `envutil.DeriveGitHubAPIURL("")`
- `internal/server/unified.go` →
`envutil.DeriveGitHubAPIURL("https://api.github.com")`

- **Config variable expansion extracted from validation**
- Moved expansion concerns from `internal/config/validation.go` to new
`internal/config/expand.go`:
- `expandVariablesCore`, `expandVariables`, `ExpandRawJSONVariables`,
`expandEnvVariables`, `expandTracingVariables`, `varExprPattern`
  - `validation.go` now remains focused on validation rules and flow.

- **MCP error `CallToolResult` helper moved to `mcp` package**
- Added `mcp.NewErrorCallToolResult(err)` in
`internal/mcp/tool_result.go`.
- Replaced server-local helper usage in `internal/server/unified.go` and
`internal/server/tool_registry.go`.
  - Updated corresponding tests to use the new helper location.

```go
// unified/server path now uses centralized derivation logic
apiURL := envutil.DeriveGitHubAPIURL("https://api.github.com")

// shared MCP-layer error result helper
return mcp.NewErrorCallToolResult(err)
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1057253636/b514/launcher.test
/tmp/go-build1057253636/b514/launcher.test
-test.testlogfile=/tmp/go-build1057253636/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1057253636/b467/vet.cfg apic.go decode.go x_amd64/vet -p
roundrobin lcache/go/1.25.8-bool x_amd64/vet -p g_.a 1227851/b288/
x_amd64/vet -I /tmp/go-build278-atomic` (dns block)
> - Triggering command: `/tmp/go-build900982912/b514/launcher.test
/tmp/go-build900982912/b514/launcher.test
-test.testlogfile=/tmp/go-build900982912/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -d -lang=go1.25
64/pkg/tool/linu./internal/config b2799acda4848aff53b399dfb07b4159
/tmp/go-build278bash 0a4 64/pkg/tool/linu--noprofile ctl star��
r/runc-log.json
64/pkg/tool/linu/var/run/docker/runtime-runc/mob--log-format .13/x64/git
auHmSssMaaom2Ek4bash -goversion r/6j32koixnhwjnj--noprofile
/usr/bin/runc.original` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1057253636/b496/config.test
/tmp/go-build1057253636/b496/config.test
-test.testlogfile=/tmp/go-build1057253636/b496/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1057253636/b387/vet.cfg @v1.1.3/cpu/cpu.-errorsas
1227851/b151/ x_amd64/vet --gdwarf-5 ternal/engine/in-unsafeptr=false
lcache/go/1.25.8-unreachable=false x_amd64/vet 1227�� 8RQNG6Nox -I
x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build2556833836/b492/config.test
/tmp/go-build2556833836/b492/config.test
-test.testlogfile=/tmp/go-build2556833836/b492/testlog.txt
-test.paniconexit0 -test.timeout=10m0s /usr��
7253636/b560/tty--log-format ntime.v2.task/mojson 7253636/b560/impdelete
ntime.v2.task/mobash 062439bb528087fb/usr/bin/runc
UNDLE=/etc/ssl/c--root uKbOHgHoxAqgN/t5/var/run/docker/runtime-runc/moby
k/_t��
tr7/ca-certifica/run/containerd/io.containerd.runtime.v2.task/moby/d15ea4acb1ef69f4d1e1e6e2b19b0bash
test:latest bash .cfg olang.org/protob--norc x_amd64/vet
95d45854b162103b` (dns block)
> - Triggering command: `/tmp/go-build76351485/b001/config.test
/tmp/go-build76351485/b001/config.test
-test.testlogfile=/tmp/go-build76351485/b001/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -m
2e5d631e9ae2084a/run/containerd/io.containerd.runtime.v2.task/moby/b6f36c5d7e9d4--size-limit
y ctl b04263944d57c5b7git d94d1b364afb75b8show 5d0/log.json ctl dock��
ion.go y ash
ntime.v2.task/mo/opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/tools/linux64/REDACTED-linux
0b5929f8b23b298f/opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/go/tools/autobuild.sh
e-handler 2a9e172d1927c35b435/log.json` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1057253636/b514/launcher.test
/tmp/go-build1057253636/b514/launcher.test
-test.testlogfile=/tmp/go-build1057253636/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1057253636/b467/vet.cfg apic.go decode.go x_amd64/vet -p
roundrobin lcache/go/1.25.8-bool x_amd64/vet -p g_.a 1227851/b288/
x_amd64/vet -I /tmp/go-build278-atomic` (dns block)
> - Triggering command: `/tmp/go-build900982912/b514/launcher.test
/tmp/go-build900982912/b514/launcher.test
-test.testlogfile=/tmp/go-build900982912/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -d -lang=go1.25
64/pkg/tool/linu./internal/config b2799acda4848aff53b399dfb07b4159
/tmp/go-build278bash 0a4 64/pkg/tool/linu--noprofile ctl star��
r/runc-log.json
64/pkg/tool/linu/var/run/docker/runtime-runc/mob--log-format .13/x64/git
auHmSssMaaom2Ek4bash -goversion r/6j32koixnhwjnj--noprofile
/usr/bin/runc.original` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1057253636/b514/launcher.test
/tmp/go-build1057253636/b514/launcher.test
-test.testlogfile=/tmp/go-build1057253636/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1057253636/b467/vet.cfg apic.go decode.go x_amd64/vet -p
roundrobin lcache/go/1.25.8-bool x_amd64/vet -p g_.a 1227851/b288/
x_amd64/vet -I /tmp/go-build278-atomic` (dns block)
> - Triggering command: `/tmp/go-build900982912/b514/launcher.test
/tmp/go-build900982912/b514/launcher.test
-test.testlogfile=/tmp/go-build900982912/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -d -lang=go1.25
64/pkg/tool/linu./internal/config b2799acda4848aff53b399dfb07b4159
/tmp/go-build278bash 0a4 64/pkg/tool/linu--noprofile ctl star��
r/runc-log.json
64/pkg/tool/linu/var/run/docker/runtime-runc/mob--log-format .13/x64/git
auHmSssMaaom2Ek4bash -goversion r/6j32koixnhwjnj--noprofile
/usr/bin/runc.original` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1057253636/b523/mcp.test
/tmp/go-build1057253636/b523/mcp.test
-test.testlogfile=/tmp/go-build1057253636/b523/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I .cfg
olang.org/grpc@v1.80.0/balancer_wrapper.go x_amd64/vet ute.go
mentation.go -o x_amd64/vet .cfg�� J5E4/LjHfXKvhsjfAdZsIJ5E4 -I
x_amd64/vet -I 1227851/b468/ -imultiarch x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build2556833836/b489/mcp.test
/tmp/go-build2556833836/b489/mcp.test
-test.testlogfile=/tmp/go-build2556833836/b489/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

internal/cmd/proxy.go

@@ -189,7 +189,7 @@ func runProxy(cmd *cobra.Command, args []string) error {
 	// Resolve GitHub API URL: flag → env vars → default
 	apiURL := proxyAPIURL
 	if apiURL == "" {
-		apiURL = proxy.DeriveGitHubAPIURL()
+		apiURL = envutil.DeriveGitHubAPIURL("")
 	}
 	if apiURL == "" {
 		apiURL = proxy.DefaultGitHubAPIBase

internal/config/expand.go

@@ -0,0 +1,133 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+
+	"github.com/github/gh-aw-mcpg/internal/config/rules"
+)
+
+// Variable expression pattern: ${VARIABLE_NAME}
+var varExprPattern = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)
+
+// expandVariablesCore is the shared implementation for variable expansion.
+// It works with byte slices and handles the core expansion logic, tracking undefined variables.
+// This eliminates code duplication between expandVariables and ExpandRawJSONVariables.
+// It returns the expanded bytes, a slice of undefined variable names, and an error
+// (currently always nil).
+func expandVariablesCore(data []byte, contextDesc string) ([]byte, []string, error) {
+	logValidation.Printf("Expanding variables: context=%s", contextDesc)
+	var undefinedVars []string
+
+	result := varExprPattern.ReplaceAllFunc(data, func(match []byte) []byte {
+		// Extract variable name (remove ${ and })
+		varName := string(match[2 : len(match)-1])
+
+		if envValue, exists := os.LookupEnv(varName); exists {
+			logValidation.Printf("Expanded variable: %s (found in environment)", varName)
+			return []byte(envValue)
+		}
+
+		// Track undefined variable
+		undefinedVars = append(undefinedVars, varName)
+		logValidation.Printf("Undefined variable: %s", varName)
+		return match // Keep original if undefined
+	})
+
+	logValidation.Printf("Variable expansion completed: context=%s, undefined_count=%d", contextDesc, len(undefinedVars))
+	return result, undefinedVars, nil
+}
+
+// expandVariables expands variable expressions in a string.
+// value is the source string and jsonPath identifies the config location for errors.
+// It returns the expanded string and an error if any variable is undefined.
+func expandVariables(value, jsonPath string) (string, error) {
+	result, undefinedVars, _ := expandVariablesCore([]byte(value), fmt.Sprintf("jsonPath=%s", jsonPath))
+
+	if len(undefinedVars) > 0 {
+		logValidation.Printf("Variable expansion failed: undefined variables=%v", undefinedVars)
+		return "", rules.UndefinedVariable(undefinedVars[0], jsonPath)
+	}
+
+	return string(result), nil
+}
+
+// ExpandRawJSONVariables expands all ${VAR} expressions in JSON data before schema validation.
+// This ensures the schema validates the expanded values, not the variable syntax.
+// It collects undefined variables and reports the first undefined variable as an error.
+func ExpandRawJSONVariables(data []byte) ([]byte, error) {
+	result, undefinedVars, _ := expandVariablesCore(data, "raw JSON data")
+
+	if len(undefinedVars) > 0 {
+		logValidation.Printf("Variable expansion failed: undefined variables=%v", undefinedVars)
+		return nil, rules.UndefinedVariable(undefinedVars[0], "configuration")
+	}
+
+	return result, nil
+}
+
+// expandEnvVariables expands all variable expressions in an env map.
+// env is the map to expand and serverName is used for config-path error context.
+// It returns a new map with expanded values or an error if any variable is undefined.
+func expandEnvVariables(env map[string]string, serverName string) (map[string]string, error) {
+	logValidation.Printf("Expanding env variables for server: %s, count=%d", serverName, len(env))
+	result := make(map[string]string, len(env))
+
+	for key, value := range env {
+		jsonPath := fmt.Sprintf("mcpServers.%s.env.%s", serverName, key)
+
+		expanded, err := expandVariables(value, jsonPath)
+		if err != nil {
+			return nil, err
+		}
+
+		result[key] = expanded
+	}
+
+	logValidation.Printf("Env variable expansion completed for server: %s", serverName)
+	return result, nil
+}
+
+// expandTracingVariables expands ${VAR} expressions in TracingConfig fields.
+// This is called for TOML-loaded configs before validation, mirroring the
+// stdin JSON path where ExpandRawJSONVariables handles expansion.
+func expandTracingVariables(cfg *TracingConfig) error {
+	if cfg == nil {
+		return nil
+	}
+
+	if cfg.Endpoint != "" {
+		expanded, err := expandVariables(cfg.Endpoint, "gateway.opentelemetry.endpoint")
+		if err != nil {
+			return err
+		}
+		cfg.Endpoint = expanded
+	}
+
+	if cfg.TraceID != "" {
+		expanded, err := expandVariables(cfg.TraceID, "gateway.opentelemetry.traceId")
+		if err != nil {
+			return err
+		}
+		cfg.TraceID = expanded
+	}
+
+	if cfg.SpanID != "" {
+		expanded, err := expandVariables(cfg.SpanID, "gateway.opentelemetry.spanId")
+		if err != nil {
+			return err
+		}
+		cfg.SpanID = expanded
+	}
+
+	if cfg.Headers != "" {
+		expanded, err := expandVariables(cfg.Headers, "gateway.opentelemetry.headers")
+		if err != nil {
+			return err
+		}
+		cfg.Headers = expanded
+	}
+
+	return nil
+}

internal/config/validation.go

@@ -16,9 +16,6 @@ import (
 // ValidationError is an alias for rules.ValidationError for backward compatibility
 type ValidationError = rules.ValidationError
 
-// Variable expression pattern: ${VARIABLE_NAME}
-var varExprPattern = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)
-
 // W3C trace context patterns (spec §4.1.3.6)
 var (
 	traceIDPattern = regexp.MustCompile(`^[0-9a-f]{32}$`)
@@ -45,122 +42,6 @@ func logValidateServerFailed(name, reason string) {
 	logValidation.Printf("Validation failed: %s, name=%s", reason, name)
 }
 
-// expandVariablesCore is the shared implementation for variable expansion.
-// It works with byte slices and handles the core expansion logic, tracking undefined variables.
-// This eliminates code duplication between expandVariables and ExpandRawJSONVariables.
-func expandVariablesCore(data []byte, contextDesc string) ([]byte, []string, error) {
-	logValidation.Printf("Expanding variables: context=%s", contextDesc)
-	var undefinedVars []string
-
-	result := varExprPattern.ReplaceAllFunc(data, func(match []byte) []byte {
-		// Extract variable name (remove ${ and })
-		varName := string(match[2 : len(match)-1])
-
-		if envValue, exists := os.LookupEnv(varName); exists {
-			logValidation.Printf("Expanded variable: %s (found in environment)", varName)
-			return []byte(envValue)
-		}
-
-		// Track undefined variable
-		undefinedVars = append(undefinedVars, varName)
-		logValidation.Printf("Undefined variable: %s", varName)
-		return match // Keep original if undefined
-	})
-
-	logValidation.Printf("Variable expansion completed: context=%s, undefined_count=%d", contextDesc, len(undefinedVars))
-	return result, undefinedVars, nil
-}
-
-// expandVariables expands variable expressions in a string
-// Returns the expanded string and error if any variable is undefined
-func expandVariables(value, jsonPath string) (string, error) {
-	result, undefinedVars, _ := expandVariablesCore([]byte(value), fmt.Sprintf("jsonPath=%s", jsonPath))
-
-	if len(undefinedVars) > 0 {
-		logValidation.Printf("Variable expansion failed: undefined variables=%v", undefinedVars)
-		return "", rules.UndefinedVariable(undefinedVars[0], jsonPath)
-	}
-
-	return string(result), nil
-}
-
-// ExpandRawJSONVariables expands all ${VAR} expressions in JSON data before schema validation.
-// This ensures the schema validates the expanded values, not the variable syntax.
-// It collects all undefined variables and reports them in a single error.
-func ExpandRawJSONVariables(data []byte) ([]byte, error) {
-	result, undefinedVars, _ := expandVariablesCore(data, "raw JSON data")
-
-	if len(undefinedVars) > 0 {
-		logValidation.Printf("Variable expansion failed: undefined variables=%v", undefinedVars)
-		return nil, rules.UndefinedVariable(undefinedVars[0], "configuration")
-	}
-
-	return result, nil
-}
-
-// expandEnvVariables expands all variable expressions in an env map
-func expandEnvVariables(env map[string]string, serverName string) (map[string]string, error) {
-	logValidation.Printf("Expanding env variables for server: %s, count=%d", serverName, len(env))
-	result := make(map[string]string, len(env))
-
-	for key, value := range env {
-		jsonPath := fmt.Sprintf("mcpServers.%s.env.%s", serverName, key)
-
-		expanded, err := expandVariables(value, jsonPath)
-		if err != nil {
-			return nil, err
-		}
-
-		result[key] = expanded
-	}
-
-	logValidation.Printf("Env variable expansion completed for server: %s", serverName)
-	return result, nil
-}
-
-// expandTracingVariables expands ${VAR} expressions in TracingConfig fields.
-// This is called for TOML-loaded configs before validation, mirroring the
-// stdin JSON path where ExpandRawJSONVariables handles expansion.
-func expandTracingVariables(cfg *TracingConfig) error {
-	if cfg == nil {
-		return nil
-	}
-
-	if cfg.Endpoint != "" {
-		expanded, err := expandVariables(cfg.Endpoint, "gateway.opentelemetry.endpoint")
-		if err != nil {
-			return err
-		}
-		cfg.Endpoint = expanded
-	}
-
-	if cfg.TraceID != "" {
-		expanded, err := expandVariables(cfg.TraceID, "gateway.opentelemetry.traceId")
-		if err != nil {
-			return err
-		}
-		cfg.TraceID = expanded
-	}
-
-	if cfg.SpanID != "" {
-		expanded, err := expandVariables(cfg.SpanID, "gateway.opentelemetry.spanId")
-		if err != nil {
-			return err
-		}
-		cfg.SpanID = expanded
-	}
-
-	if cfg.Headers != "" {
-		expanded, err := expandVariables(cfg.Headers, "gateway.opentelemetry.headers")
-		if err != nil {
-			return err
-		}
-		cfg.Headers = expanded
-	}
-
-	return nil
-}
-
 // validateMounts validates mount specifications using centralized rules
 func validateMounts(mounts []string, jsonPath string) error {
 	for i, mount := range mounts {

internal/envutil/github.go

@@ -1,6 +1,8 @@
 package envutil
 
 import (
+	"fmt"
+	"net/url"
 	"os"
 	"strings"
 
@@ -9,6 +11,9 @@ import (
 
 var logGitHub = logger.New("envutil:github")
 
+// DefaultGitHubAPIBaseURL is the default GitHub API base URL.
+const DefaultGitHubAPIBaseURL = "https://api.github.com"
+
 // LookupGitHubToken searches environment variables for a GitHub token using
 // a canonical priority order. It returns the first non-empty (trimmed) value
 // found, or an empty string if none is set.
@@ -49,3 +54,49 @@ func LookupGitHubAPIURL(defaultURL string) string {
 	logGitHub.Printf("GitHub API URL using default: %s", url)
 	return url
 }
+
+// DeriveGitHubAPIURL resolves the GitHub API URL from environment variables:
+//  1. GITHUB_API_URL
+//  2. GITHUB_SERVER_URL (derived)
+//  3. defaultURL
+func DeriveGitHubAPIURL(defaultURL string) string {
+	if apiURL := LookupGitHubAPIURL(""); apiURL != "" {
+		return apiURL
+	}
+	if serverURL := strings.TrimSpace(os.Getenv("GITHUB_SERVER_URL")); serverURL != "" {
+		derived := deriveAPIFromServerURL(serverURL)
+		if derived != "" {
+			logGitHub.Printf("GitHub API URL derived from GITHUB_SERVER_URL=%s: %s", serverURL, derived)
+			return derived
+		}
+	}
+	return strings.TrimRight(strings.TrimSpace(defaultURL), "/")
+}
+
+// deriveAPIFromServerURL converts a GITHUB_SERVER_URL to the corresponding API endpoint.
+// GHEC tenants (*.ghe.com): https://tenant.ghe.com → https://copilot-api.tenant.ghe.com
+// GitHub.com: https://github.com → https://api.github.com
+// GHES (all others): https://github.example.com → https://github.example.com/api/v3
+func deriveAPIFromServerURL(serverURL string) string {
+	parsed, err := url.Parse(strings.TrimRight(serverURL, "/"))
+	if err != nil || parsed.Host == "" {
+		return ""
+	}
+	if parsed.Scheme != "http" && parsed.Scheme != "https" {
+		return ""
+	}
+
+	hostname := strings.ToLower(parsed.Hostname())
+
+	switch {
+	case hostname == "github.com" || hostname == "www.github.com":
+		return DefaultGitHubAPIBaseURL
+	case strings.HasSuffix(hostname, ".ghe.com"):
+		if port := parsed.Port(); port != "" {
+			return fmt.Sprintf("%s://copilot-api.%s:%s", parsed.Scheme, hostname, port)
+		}
+		return fmt.Sprintf("%s://copilot-api.%s", parsed.Scheme, hostname)
+	default:
+		return fmt.Sprintf("%s://%s/api/v3", parsed.Scheme, parsed.Host)
+	}
+}