fix: pass provider keys to pi backend only #4

Merged: Svaag merged 1 commit into main from fix/pi-backend-provider-env on Jun 15, 2026

@Svaag Svaag commented Jun 15, 2026

Summary

The production canary on the dedicated loop VM proved that the service-level Vault-rendered env is present and Pi works when /opt/engineering-loop/.env is sourced, but the Engineering Loop backend subprocess scrubbed all provider API keys before invoking pi.

This keeps the allowlist model, but lets PiBackend receive only model-provider API keys:

  • OPENROUTER_API_KEY
  • ANTHROPIC_API_KEY
  • OPENAI_API_KEY

Vault, GitHub App tokens, SSH agent state, cloud credentials, Discord/Icinga values, and app runtime credentials remain blocked from the backend subprocess.

Validation

  • uv run pytest
  • uvx ruff check src tests
  • uv run mypy --strict src

Production evidence

Svaag commented Jun 15, 2026

Production canary blocker fixed here. Local validation and CI are green: uv run pytest, uvx ruff check src tests, uv run mypy --strict src. No PR comments/code suggestions were present when checked.

@Svaag Svaag marked this pull request as ready for review June 15, 2026 05:22
@Svaag Svaag merged commit 5916408 into main Jun 15, 2026
3 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aa29db8ae5

Comment on lines +64 to +69
PI_PROVIDER_ENV_NAMES = frozenset(
{
"ANTHROPIC_API_KEY",
"OPENAI_API_KEY",
"OPENROUTER_API_KEY",
}
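
Review bot: The definition of PI_PROVIDER_ENV_NAMES carries no comment saying that it is a secret boundary. These three names are the only credentials forwarded to the pi subprocess, so add a comment above the frozenset stating that it is the complete list of provider keys pi may receive and that every other secret stays blocked. A later addition then gets reviewed as a change to what the subprocess can read, not as a routine config edit.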

[P2] Keep Pi env in sync with accepted provider keys

For live Pi runs where operators set only HYRULE_LLM_API_KEY (the generic key name accepted by provider_env_names()/provider_env() for OpenRouter, OpenAI, and Anthropic), this allowlist drops the sole configured provider credential. The live preflight can still mark provider_key as configured, but SubprocessBackend invokes pi with an env built from this set, so the backend still fails with no API key; either pass/translate the generic key for Pi or make preflight reject that configuration.
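
The mismatch described in the review comment above, as an added Python example that is not the project's code: the subprocess env is built from the allowlist, and the preflight judges readiness from that same forwarded env, so a configuration with only the generic key is rejected before pi runs. `PI_PROVIDER_ENV_NAMES` and `HYRULE_LLM_API_KEY` come from the page; `BASE_ENV_NAMES`, `build_pi_env`, `preflight_provider_key`, `names_seen_by_child` and all sample values are hypothetical.

```python
import os
import subprocess
import sys
from collections.abc import Mapping

# Non-secret variables the child needs in order to start (assumed set).
BASE_ENV_NAMES = frozenset({"PATH", "HOME", "LANG"})
# Provider keys the PR forwards to pi.
PI_PROVIDER_ENV_NAMES = frozenset(
    {"ANTHROPIC_API_KEY", "OPENAI_API_KEY", "OPENROUTER_API_KEY"}
)
# Generic key name from the review comment: accepted upstream, not forwarded.
GENERIC_KEY_NAME = "HYRULE_LLM_API_KEY"


def build_pi_env(parent: Mapping[str, str]) -> dict[str, str]:
    """Copy only allowlisted, non-empty names; everything else is dropped."""
    allowed = BASE_ENV_NAMES | PI_PROVIDER_ENV_NAMES
    return {k: v for k, v in parent.items() if k in allowed and v}


def preflight_provider_key(parent: Mapping[str, str]) -> tuple[bool, str]:
    """Judge readiness from the env pi will receive, not from the parent env."""
    forwarded = build_pi_env(parent)
    if PI_PROVIDER_ENV_NAMES.intersection(forwarded):
        return True, "provider key will reach pi"
    if parent.get(GENERIC_KEY_NAME):
        return False, f"{GENERIC_KEY_NAME} is set but is not forwarded to pi"
    return False, "no provider key configured"


def names_seen_by_child(env: Mapping[str, str]) -> set[str]:
    """Start a real child process with `env` and report the names it can read."""
    out = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(os.environ))"],
        env=dict(env), capture_output=True, text=True, check=True,
    ).stdout
    return set(out.split())


# Constructed service environment: one provider key among unrelated secrets.
SAMPLE_PARENT = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "OPENROUTER_API_KEY": "sk-or-constructed",
    "VAULT_TOKEN": "constructed-vault-token",
    "SSH_AUTH_SOCK": "/tmp/constructed-agent.sock",
}
```
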
