fix(security): remediate unassigned CodeQL findings

- harden URL/request handling for composio and whatsapp integrations
- reduce cleartext logging exposure across providers/tools/gateway
- hash and constant-time compare gateway webhook secrets
- expand nested secret encryption coverage in config
- align feature aliases and add regression tests for security paths
- fix bubblewrap all-features test invocation surfaced during deep validation
Chummy 2026-02-17 15:44:41 +08:00
parent f9d681063d
commit 1711f140be
14 changed files with 481 additions and 146 deletions


@ -16,8 +16,8 @@ const DELEGATE_TIMEOUT_SECS: u64 = 120;
/// summarization) to purpose-built sub-agents.
pub struct DelegateTool {
agents: Arc<HashMap<String, DelegateAgentConfig>>,
/// Global API key fallback (from config.api_key)
fallback_api_key: Option<String>,
/// Global credential fallback (from config.api_key)
fallback_credential: Option<String>,
/// Depth at which this tool instance lives in the delegation chain.
depth: u32,
}
@ -25,11 +25,11 @@ pub struct DelegateTool {
impl DelegateTool {
pub fn new(
agents: HashMap<String, DelegateAgentConfig>,
fallback_api_key: Option<String>,
fallback_credential: Option<String>,
) -> Self {
Self {
agents: Arc::new(agents),
fallback_api_key,
fallback_credential,
depth: 0,
}
}
@ -39,12 +39,12 @@ impl DelegateTool {
/// their DelegateTool via this method with `depth: parent.depth + 1`.
pub fn with_depth(
agents: HashMap<String, DelegateAgentConfig>,
fallback_api_key: Option<String>,
fallback_credential: Option<String>,
depth: u32,
) -> Self {
Self {
agents: Arc::new(agents),
fallback_api_key,
fallback_credential,
depth,
}
}
@ -165,13 +165,13 @@ impl Tool for DelegateTool {
}
// Create provider for this agent
let api_key = agent_config
let provider_credential = agent_config
.api_key
.as_deref()
.or(self.fallback_api_key.as_deref());
.or(self.fallback_credential.as_deref());
let provider: Box<dyn Provider> =
match providers::create_provider(&agent_config.provider, api_key) {
match providers::create_provider(&agent_config.provider, provider_credential) {
Ok(p) => p,
Err(e) => {
return Ok(ToolResult {
@ -268,7 +268,7 @@ mod tests {
provider: "openrouter".to_string(),
model: "anthropic/claude-sonnet-4-20250514".to_string(),
system_prompt: None,
api_key: Some("sk-test".to_string()),
api_key: Some("delegate-test-credential".to_string()),
temperature: None,
max_depth: 2,
},
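Review bot: In the provider-creation hunk (`let provider_credential = agent_config.api_key…`), the change only renames identifiers: the secret is still read from `agent_config.api_key` and passed to `providers::create_provider` as a plain string, so a name-based cleartext-logging alert would presumably go quiet without the data flow changing. Whether the value can reach a log line or the returned `ToolResult` depends on the `Err(e)` arm and on `create_provider`, both of which continue outside this hunk and should be confirmed. The config field keeps the name `api_key` while the struct field is now `fallback_credential`, so I would state the handling rule in the field's doc comment, e.g. `/// Secret fallback credential (from config.api_key); never log or echo in tool output.`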