
fix: harden gateway contracts and lifecycle #14

Merged
bntvllnt merged 1 commit into main from fix/auth-bind-hardening-6
May 28, 2026

@bntvllnt
Owner

Summary

  • harden auth/bind invariants, config validation, HTTP body/host/timeouts, and OpenAI error envelopes
  • forward supported OpenAI params and reject unsupported params deterministically
  • make contract/e2e tests deterministic with faux provider coverage and add lifecycle/security tests
  • improve extension daemon logging, env hygiene, footer probe cap, and side-effect tool descriptions

Tests

  • pnpm run check

Fixes #6
Fixes #7
Fixes #8
Fixes #9
Fixes #10
Fixes #11
Fixes #12
Fixes #13

@bntvllnt bntvllnt merged commit 91bed72 into main May 28, 2026
1 check passed
bntvllnt added a commit that referenced this pull request May 29, 2026
… rejection, timeouts)

Documents the gateway-contract + lifecycle hardening that landed in #14
(closing #6-#13) under the Unreleased section. First canary trigger after
enabling vars.ENABLE_CANARY + npm trusted publishing.
bntvllnt added a commit that referenced this pull request May 29, 2026
… rejection, timeouts) (#15)

Documents the gateway-contract + lifecycle hardening that landed in #14
(closing #6-#13) under the Unreleased section. First canary trigger after
enabling vars.ENABLE_CANARY + npm trusted publishing.
@bntvllnt bntvllnt mentioned this pull request May 30, 2026
4 tasks
bntvllnt added a commit that referenced this pull request May 30, 2026
Promote the Unreleased changelog to 0.2.0 (namespace migration to
@earendil-works/pi-*, PR #14 hardening: body cap, loopback Host guard,
unsupported-parameter rejection, server timeouts, faux-provider tests,
pi-package keyword, CHANGELOG-driven releases + per-push canaries).

Doc-sync for the 0.2.0 behavior changes:
- llms-full.txt: correct the Chat Completions 'Accepted fields' list (the
  params now rejected with HTTP 400 unsupported_parameter are moved to a new
  'Rejected fields' note); add 413 + invalid_host rows to the status table.
- README + CLAUDE: document the loopback Host-header guard, 16 MB body cap,
  and server timeouts under Security defaults.

pnpm run check green.
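
The guards this changelog names (loopback Host-header check, 16 MB body cap, deterministic unsupported-parameter rejection in an OpenAI-style error envelope), shown as an added example that is not code from this PR or project. The supported-parameter list, the HTTP status used for `invalid_host`, and the `payload_too_large` and `invalid_json` codes are assumptions.

```javascript
// Added example (not the project's code). Values marked "assumed" are not on the page.
const MAX_BODY_BYTES = 16 * 1024 * 1024; // 16 MB cap from the changelog
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const SUPPORTED_PARAMS = new Set(["model", "messages", "stream", "temperature"]); // assumed list

// OpenAI-style error envelope: { error: { message, type, param, code } }
function fail(status, code, message, param = null) {
  return { ok: false, status, body: { error: { message, type: "invalid_request_error", param, code } } };
}

// True only when the Host header names a loopback host, with or without a port.
// A browser page that rebinds its own DNS name to 127.0.0.1 still sends that
// name in Host, so the request is refused before any handler runs.
function hostIsLoopback(hostHeader) {
  if (typeof hostHeader !== "string") return false;
  const m = /^(\[[0-9a-f:]+\]|[^:\[\]]+)(?::\d{1,5})?$/.exec(hostHeader.trim().toLowerCase());
  return m !== null && LOOPBACK_HOSTS.has(m[1]);
}

// Pure request check: Host header and raw body in, verdict out.
function checkRequest(hostHeader, rawBody) {
  if (!hostIsLoopback(hostHeader)) {
    return fail(400, "invalid_host", "Host header must be a loopback address"); // status assumed
  }
  // A live server should also count bytes while streaming and abort at the cap.
  if (Buffer.byteLength(rawBody) > MAX_BODY_BYTES) {
    return fail(413, "payload_too_large", "Request body exceeds 16 MB"); // code assumed
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return fail(400, "invalid_json", "Body is not valid JSON"); // code assumed
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return fail(400, "invalid_json", "Body must be a JSON object");
  }
  // Sort keys so the same body always reports the same offending parameter.
  const bad = Object.keys(parsed).sort().find((k) => !SUPPORTED_PARAMS.has(k));
  if (bad !== undefined) {
    return fail(400, "unsupported_parameter", `Unsupported parameter: ${bad}`, bad);
  }
  return { ok: true, status: 200, body: parsed };
}
```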