fix(security): reduce residual CodeQL logging flows

- remove secret-presence logging path in gateway startup output - reduce credential-derived warning path in provider fallback setup - avoid as_deref credential propagation in delegate/provider wiring - harden Composio error rendering to avoid raw body leakage - simplify onboarding secrets status output to non-sensitive wording
2026-02-17 16:23:54 +08:00 · 2026-02-17 16:23:54 +08:00 · 60d81fb706
commit 60d81fb706
parent 1711f140be
6 changed files with 60 additions and 43 deletions
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@ -261,15 +261,14 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
        &config,
    ));
    // Extract webhook secret for authentication
-    let webhook_secret_hash: Option<Arc<str>> = config
-        .channels_config
-        .webhook
-        .as_ref()
-        .and_then(|w| w.secret.as_deref())
-        .map(str::trim)
-        .filter(|secret| !secret.is_empty())
-        .map(hash_webhook_secret)
-        .map(Arc::from);
+    let webhook_secret_hash: Option<Arc<str>> =
+        config.channels_config.webhook.as_ref().and_then(|webhook| {
+            webhook.secret.as_ref().and_then(|raw_secret| {
+                let trimmed_secret = raw_secret.trim();
+                (!trimmed_secret.is_empty())
+                    .then(|| Arc::<str>::from(hash_webhook_secret(trimmed_secret)))
+            })
+        });

    // WhatsApp channel (if configured)
    let whatsapp_channel: Option<Arc<WhatsAppChannel>> =
@ -355,9 +354,6 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
    } else {
        println!("  ⚠️  Pairing: DISABLED (all requests accepted)");
    }
-    if webhook_secret_hash.is_some() {
-        println!("  🔒 Webhook secret: ENABLED");
-    }
    println!("  Press Ctrl+C to stop.\n");

    crate::health::mark_component_ok("gateway");