fix(security): remediate unassigned CodeQL findings

- harden URL/request handling for composio and whatsapp integrations - reduce cleartext logging exposure across providers/tools/gateway - hash and constant-time compare gateway webhook secrets - expand nested secret encryption coverage in config - align feature aliases and add regression tests for security paths - fix bubblewrap all-features test invocation surfaced during deep validation
2026-02-17 15:44:41 +08:00 · 2026-02-17 15:44:41 +08:00 · 1711f140be
commit 1711f140be
parent f9d681063d
14 changed files with 481 additions and 146 deletions
--- a/src/onboard/wizard.rs
+++ b/src/onboard/wizard.rs
@ -285,7 +285,7 @@ fn memory_config_defaults_for_backend(backend: &str) -> MemoryConfig {

 #[allow(clippy::too_many_lines)]
 pub fn run_quick_setup(
-    api_key: Option<&str>,
+    credential_override: Option<&str>,
    provider: Option<&str>,
    memory_backend: Option<&str>,
 ) -> Result<Config> {
@ -319,7 +319,7 @@ pub fn run_quick_setup(
    let config = Config {
        workspace_dir: workspace_dir.clone(),
        config_path: config_path.clone(),
-        api_key: api_key.map(String::from),
+        api_key: credential_override.map(String::from),
        api_url: None,
        default_provider: Some(provider_name.clone()),
        default_model: Some(model.clone()),
@ -379,7 +379,7 @@ pub fn run_quick_setup(
    println!(
        "  {} API Key:    {}",
        style("✓").green().bold(),
-        if api_key.is_some() {
+        if credential_override.is_some() {
            style("set").green()
        } else {
            style("not set (use --api-key or edit config.toml)").yellow()
@ -428,7 +428,7 @@ pub fn run_quick_setup(
    );
    println!();
    println!("  {}", style("Next steps:").white().bold());
-    if api_key.is_none() {
+    if credential_override.is_none() {
        println!("    1. Set your API key:  export OPENROUTER_API_KEY=\"sk-...\"");
        println!("    2. Or edit:           ~/.zeroclaw/config.toml");
        println!("    3. Chat:              zeroclaw agent -m \"Hello!\"");
@ -2801,22 +2801,14 @@ fn setup_channels() -> Result<ChannelsConfig> {
                        .header("Authorization", format!("Bearer {access_token_clone}"))
                        .send()?;
                    let ok = resp.status().is_success();
-                    let data: serde_json::Value = resp.json().unwrap_or_default();
-                    let user_id = data
-                        .get("user_id")
-                        .and_then(serde_json::Value::as_str)
-                        .unwrap_or("unknown")
-                        .to_string();
-                    Ok::<_, reqwest::Error>((ok, user_id))
+                    Ok::<_, reqwest::Error>(ok)
                })
                .join();
                match thread_result {
-                    Ok(Ok((true, user_id))) => {
-                        println!(
-                            "\r  {} Connected as {user_id}        ",
-                            style("✅").green().bold()
-                        );
-                    }
+                    Ok(Ok(true)) => println!(
+                        "\r  {} Connection verified        ",
+                        style("✅").green().bold()
+                    ),
                    _ => {
                        println!(
                            "\r  {} Connection failed — check homeserver URL and token",