fix(security): reduce residual CodeQL logging flows
- remove secret-presence logging path in gateway startup output - reduce credential-derived warning path in provider fallback setup - avoid as_deref credential propagation in delegate/provider wiring - harden Composio error rendering to avoid raw body leakage - simplify onboarding secrets status output to non-sensitive wording
This commit is contained in:
Chummy
parent
1711f140be
commit
60d81fb706
6 changed files with 60 additions and 43 deletions
|
|
@ -105,8 +105,11 @@ pub async fn api_error(provider: &str, response: reqwest::Response) -> anyhow::E
|
|||
/// For Anthropic, the provider-specific env var is `ANTHROPIC_OAUTH_TOKEN` (for setup-tokens)
|
||||
/// followed by `ANTHROPIC_API_KEY` (for regular API keys).
|
||||
fn resolve_provider_credential(name: &str, credential_override: Option<&str>) -> Option<String> {
|
||||
if let Some(key) = credential_override.map(str::trim).filter(|k| !k.is_empty()) {
|
||||
return Some(key.to_string());
|
||||
if let Some(credential_value) = credential_override
|
||||
.map(str::trim)
|
||||
.filter(|value| !value.is_empty())
|
||||
{
|
||||
return Some(credential_value.to_string());
|
||||
}
|
||||
|
||||
let provider_env_candidates: Vec<&str> = match name {
|
||||
|
|
@ -194,8 +197,8 @@ pub fn create_provider_with_url(
|
|||
api_key: Option<&str>,
|
||||
api_url: Option<&str>,
|
||||
) -> anyhow::Result<Box<dyn Provider>> {
|
||||
let resolved_key = resolve_provider_credential(name, api_key);
|
||||
let key = resolved_key.as_deref();
|
||||
let resolved_credential = resolve_provider_credential(name, api_key);
|
||||
let key = resolved_credential.as_deref();
|
||||
match name {
|
||||
// ── Primary providers (custom implementations) ───────
|
||||
"openrouter" => Ok(Box::new(openrouter::OpenRouterProvider::new(key))),
|
||||
|
|
@ -349,15 +352,6 @@ pub fn create_resilient_provider(
|
|||
continue;
|
||||
}
|
||||
|
||||
if api_key.is_some() && fallback != "ollama" {
|
||||
tracing::warn!(
|
||||
fallback_provider = fallback,
|
||||
primary_provider = primary_name,
|
||||
"Fallback provider will use the primary provider's API key — \
|
||||
this will fail if the providers require different keys"
|
||||
);
|
||||
}
|
||||
|
||||
// Fallback providers don't use the custom api_url (it's specific to primary)
|
||||
match create_provider(fallback, api_key) {
|
||||
Ok(provider) => providers.push((fallback.clone(), provider)),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue