fix: bug-hunt batch — credential leak, request-path hardening, config validation, papercuts#4
Merged
Merged
Conversation
The recorder wrote every inbound header verbatim into git-tracked test/fixtures/*.json, capturing Claude Code's real authorization / x-api-key. Redact authorization/x-api-key/cookie before writing (extracted as a testable redactHeaders); guard the server behind import.meta.main so it can be imported.
- Catch upstream fetch() failures -> log + 502 (was an opaque, unlogged 500) - Propagate client cancellation via req.signal (stop billing aborted requests) - Preserve upstream response headers (retry-after, rate-limit, request-id), not just content-type; strip stale framing headers - Best-effort log writes so a logging I/O failure can't crash a request - readDecisions skips a truncated line instead of discarding every record
- Validate each route's when-clause at load (reject missing/empty/multi-key and unknown workType) so a bad rule fails loud instead of silently never matching and defeating the hot-reload keep-last-good safety net - Clear error for a missing [models] table (was a raw TypeError) - Detect two aliases colliding on one MUX_MODEL_ override key - De-flake the fs.watch reload tests (own dir per test + armed watcher)
- Match route tags case-insensitively against the config when.tag (an uppercase config tag no longer silently misroutes a control agent to a paid model) - check-latest honors MUX_ROUTES like every other command - Guard an empty/unrecognized OpenRouter catalog instead of flagging every configured slug as stale
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the 13 real issues from the adversarial
src/bug-hunt (1 high, 1 medium, 11 low), in four grouped commits.🔴 HIGH
record-fixtures.tswrote inboundauthorization/x-api-keyverbatim into git-trackedtest/fixtures/*.json. Now redacted before write (no real token was ever committed — checked).🟠 MEDIUM
when— a missing/typo'dwhenloaded clean then 400'd every request (incl. the main loop) and swapped out the good config via hot-reload. Now validated at load (fail loud).🟡 LOW (request path + papercuts)
fetch()failure → logged 502 instead of an opaque unlogged 500req.signal) so aborted requests stop billingreadDecisionsskips a truncated line[models]→ clear error;MUX_MODEL_alias-collision detectioncheck-latesthonorsMUX_ROUTES; empty-catalog guardAlso de-flaked the
fs.watchreload tests (own dir per test + armed watcher).Verified
bun run checkgreen: eslint + tsc + 71 tests (+15), stable across 8 consecutive full-suite runs