LLM Gateway Final Hardening Handoff — 2026-05-12

Summary

Hardened GitHub Copilot bridge:
- Loopback-only default: COPILOT_BRIDGE_HOST=127.0.0.1.
- Health endpoint remains available when underlying copilot-api is starting, unavailable, or auth-blocked.
- Health now reports auth_required, package/version, last startup/output, and warns while COPILOT_API_PACKAGE=copilot-api@latest.
- Existing spawn/restart behavior from Erik was preserved.
Dashboard client coverage now reports bridge runtime state per client:
- Codex -> codex.
- Claude Code -> claude-code.
- Microsoft Copilot -> m365-copilot-bridge.
- GitHub Copilot -> copilot-bridge.
- ChatGPT/OpenAI Desktop -> chatgpt-bridge.
Deployed changed dashboard artifacts and restarted only copilot-bridge and llm-gateway.

Public Gateway health: status=ok, database connected.
Client coverage, 24h:
- Codex Desktop / CLI: live, bridge ready, requestCount=3, tokensSaved=4067.
- Claude Desktop / Claude Code: live, bridge ready, requestCount=28.
- Microsoft Copilot: local process detected, bridge auth_required.
- GitHub Copilot: local process detected, bridge auth_required.
Copilot bridge direct health:
- status=auth_required.
- host=127.0.0.1.
- copilot_api_package=copilot-api@latest.
- Detail: authorize GitHub device login shown in bridge logs.
Fresh compression proof:
- Request chatcmpl-1778621358742-cascdms.
- Caller final-repeat-compression-smoke.
- Model qwen2.5:14b.
- Compression ctxlean:verbatim_compact.
- Tokens 8882 -> 106, saved 8776, savings 98.81%.

Gateway tracks and compresses only traffic that enters the Gateway/Companion before provider execution.
GitHub Copilot and Microsoft Copilot cannot be counted until their real account/device auth is completed.
copilot-api@latest should be pinned before treating the GitHub Copilot bridge as fully production-stable.
Erik direct SSH was intermittent/refused during deploy; Cloudflare SSH worked with GODEBUG=netdns=go+1.