Skip to content

feat: add provider-specific gateway authentication#440

Open
willkill07 wants to merge 1 commit into
NVIDIA:mainfrom
willkill07:feat/provider-auth-headers
Open

feat: add provider-specific gateway authentication#440
willkill07 wants to merge 1 commit into
NVIDIA:mainfrom
willkill07:feat/provider-auth-headers

Conversation

@willkill07

@willkill07 willkill07 commented Jul 15, 2026

Copy link
Copy Markdown
Member

Overview

Adds provider-specific custom authentication for OpenAI- and Anthropic-compatible CLI gateway routes and documents endpoint-based upstream selection.

  • I confirm this contribution is my own work, or I have the right to submit it under this project license.
  • I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

  • Adds openai_auth_header and anthropic_auth_header under [upstream], with environment overrides, validation, managed-gateway fingerprinting, and MCP environment forwarding.
  • Preserves inbound provider credentials, then applies the route-specific configured Authorization value, then falls back to the existing provider API-key injection.
  • Applies the existing trusted-client proof requirement to configured credentials on MCP-managed gateways.
  • Documents how Responses and Chat Completions use openai_base_url, while Messages uses anthropic_base_url, independent of the compatible client.
  • Adds coverage for configuration precedence, secret-safe validation errors, provider isolation, credential precedence, managed-gateway proof, endpoint mapping, fingerprint changes, and MCP environment generation.
  • Validated with cargo fmt --all, just test-rust, cargo clippy --workspace --all-targets -- -D warnings, just docs, and uv run pre-commit run --all-files. The docs build passed with the remote FDR redirect comparison skipped after an HTTP 403 warning.

Where should the reviewer start?

Start with crates/cli/src/gateway/mod.rs for authentication precedence and managed-gateway enforcement, then review crates/cli/src/configuration/mod.rs for resolution and validation.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

  • Relates to: none

Summary by CodeRabbit

  • New Features

    • Added configurable authentication headers for OpenAI and Anthropic upstreams.
    • Provider-specific headers now take precedence over environment credentials.
    • Authentication headers are validated and securely excluded from startup output.
    • Changes to configured credentials are reflected in managed configuration identity.
  • Documentation

    • Added guidance for provider upstream URLs and authentication settings.
    • Documented new authentication environment variables and updated coding-agent configuration examples.

Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 requested review from a team and lvojtku as code owners July 15, 2026 19:21
@github-actions github-actions Bot added size:L PR is large Feature a new feature lang:rust PR changes/introduces Rust code labels Jul 15, 2026
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The CLI now supports OpenAI and Anthropic upstream authentication headers from configuration files and environment variables. Headers are validated, fingerprinted, propagated through gateway forwarding, tested for precedence and redaction, and documented across CLI and MCP integrations.

Changes

Provider authentication

Layer / File(s) Summary
Configuration and validation contract
crates/cli/src/configuration/*
GatewayConfig and TOML upstream configuration now include optional provider auth headers, which are validated as HTTP header values and included in managed bootstrap fingerprints.
Gateway auth forwarding
crates/cli/src/gateway/*, crates/cli/src/server/mod.rs, crates/cli/src/mcp_environment.rs
Provider forwarding selects route-specific configured headers, respects inbound authorization, and propagates the renamed provider-auth injection permission across gateway paths.
Configuration and persistence coverage
crates/cli/tests/coverage/shared/config_tests.rs
Tests cover defaults, file and environment resolution, validation failures, secret-safe errors, scoped environment handling, and fingerprint changes.
Gateway and state regression coverage
crates/cli/tests/coverage/shared/gateway_tests.rs, crates/cli/tests/coverage/shared/server_tests.rs, crates/cli/tests/coverage/shared/session_tests.rs
Tests cover provider-specific precedence, inbound-auth suppression, authorization gating, startup redaction, route handling, and updated configuration construction.
Documentation and MCP integration
docs/nemo-relay-cli/*, integrations/coding-agents/codex/.mcp.json
Documentation describes provider upstreams and auth variables, while the Codex MCP environment allowlist includes related provider variables.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AppState
  participant ProviderForwarding
  participant Upstream
  Client->>AppState: Send gateway request
  AppState->>ProviderForwarding: Prepare route and auth permission
  ProviderForwarding->>ProviderForwarding: Select configured provider header
  ProviderForwarding->>Upstream: Forward request with permitted auth
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title follows Conventional Commits and accurately summarizes the provider-specific gateway auth change.
Description check ✅ Passed The description includes the required sections and gives enough detail, reviewer guidance, and validation notes.
Docstring Coverage ✅ Passed Docstring coverage is 93.75% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@willkill07 willkill07 self-assigned this Jul 15, 2026
@willkill07 willkill07 added this to the 0.6 milestone Jul 15, 2026
@github-actions

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/cli/src/gateway/routes.rs`:
- Around line 17-49: The route-to-auth-header mapping is duplicated between
ProviderForwarding::configured_auth_header and
ProviderRoute::configured_auth_header. Extract a shared private helper accepting
the route plus OpenAI and Anthropic header options, then delegate both methods
to it while preserving their existing return behavior and route mappings.

In `@crates/cli/tests/coverage/shared/config_tests.rs`:
- Around line 525-571: Update
invalid_provider_auth_header_errors_do_not_expose_secret_values to use valid
TOML while still passing a newline-containing header to validate_auth_header, so
the test exercises validation and secret redaction rather than TOML parsing. Add
an equivalent config-based invalid-header test for Anthropic, asserting the
Anthropic field is identified, the valid HTTP header error appears, and both
secret fragments are absent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 92c09def-54d0-493a-8f91-14920c3f5886

📥 Commits

Reviewing files that changed from the base of the PR and between a64fff4 and 6442bed.

📒 Files selected for processing (15)
  • crates/cli/src/configuration/mod.rs
  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
  • docs/nemo-relay-cli/basic-usage.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/codex.mdx
  • integrations/coding-agents/codex/.mcp.json
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: Check / Run
  • GitHub Check: Preview docs
🧰 Additional context used
📓 Path-based instructions (15)
**/*.mdx

📄 CodeRabbit inference engine (.agents/skills/review-doc-style/SKILL.md)

MDX top-of-file SPDX comments must use {/* ... */} delimiters instead of HTML comment delimiters (Must-Fix)

In MDX files, top-of-file comments must use JSX comment delimiters ({/* to open and */} to close); do not use HTML comments for MDX SPDX headers

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
**/*.{md,mdx}

📄 CodeRabbit inference engine (AGENTS.md)

Update README.md, fern/, package READMEs, and binding-support notes when public behavior, package names, examples, or supported bindings change.

**/*.{md,mdx}: Prefer the documented public API, not internal shortcuts
Keep package names, repo references, and build commands current
Keep release-process and release-notes guidance in repo-maintainer docs such as RELEASING.md, not as user-facing docs pages or CHANGELOG.md
Keep stable user-facing wrappers at scripts/ root in docs and examples; only point at namespaced helper paths when documenting internal maintenance work
When detailed dynamic plugin guides exist, keep Rust native plugin examples, Python worker plugin examples, and grpc-v1 protocol details on separate pages

If links in documentation change, run just docs-linkcheck.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
**/*.{md,markdown,mdx}

📄 CodeRabbit inference engine (CONTRIBUTING.md)

Add the SPDX license header to all Markdown/MDX documentation files using the HTML comment block form.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
{docs,examples}/**/*

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update docs and examples.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
**/*

📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)

**/*: Format changed files with the language-native formatter before the final lint/test pass.
If dynamic plugin behavior changed, use maintain-dynamic-plugins and include the native SDK, worker protocol, Python SDK, docs, packaging, and Codecov surfaces in the validation plan.
If code changes alter APIs, bindings, commands, paths, packaging behavior, observability/adaptive semantics, or documented best practices, update any dependent maintainer or consumer skills in the same branch.
During iteration, prefer uv run pre-commit run --files <changed files...>.
Before review or handoff, run uv run pre-commit run --all-files.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • docs/nemo-relay-cli/basic-usage.mdx
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
docs/**/*

📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)

If documentation examples or commands under docs/ change, run the targeted docs checks appropriate to the change.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
{docs/**,README.md,CONTRIBUTING.md,RELEASING.md,SECURITY.md}

⚙️ CodeRabbit configuration file

{docs/**,README.md,CONTRIBUTING.md,RELEASING.md,SECURITY.md}: Review documentation for technical accuracy against the current API, command correctness, and consistency across language bindings.
Flag stale examples, missing SPDX headers where required, and instructions that no longer match CI or pre-commit behavior.

Files:

  • docs/nemo-relay-cli/codex.mdx
  • docs/nemo-relay-cli/claude-code.mdx
  • docs/nemo-relay-cli/basic-usage.mdx
**/*.rs

📄 CodeRabbit inference engine (.agents/skills/prepare-pr/SKILL.md)

**/*.rs: Any Rust change must run just test-rust
Any Rust change must run cargo fmt --all
Any Rust change must run cargo clippy --workspace --all-targets -- -D warnings

**/*.rs: Run cargo fmt --all for all FFI work since it is Rust work
Run just test-rust to validate FFI changes
Run cargo clippy --workspace --all-targets -- -D warnings to enforce strict linting on FFI work

When Rust files changed as part of Go work, also run cargo fmt --all, just test-rust, and cargo clippy --workspace --all-targets -- -D warnings

**/*.rs: Run cargo fmt --all when Rust files are changed as part of Node work
Run cargo clippy --workspace --all-targets -- -D warnings when Rust files are changed as part of Node work
Run just test-rust when Rust files are changed as part of Node work

When changing the core Rust runtime or Rust-facing API surface, format Rust code with cargo fmt (rustfmt defaults), keep cargo clippy -- -D warnings clean, and satisfy cargo deny check per deny.toml.

**/*.rs: If any Rust code changed, always run just test-rust.
If any Rust code changed, also run cargo fmt --all.
If any Rust code changed, also run cargo clippy --workspace --all-targets -- -D warnings.
For Rust changes headed for review, run cargo fmt --all and cargo clippy --workspace --all-targets -- -D warnings even if relying on pre-commit.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py}

📄 CodeRabbit inference engine (AGENTS.md)

Follow binding naming conventions in Rust and Python: use snake_case.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py,js,mjs,cjs,ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{rs,py,js,mjs,cjs,ts,tsx}: Use Json = serde_json::Value in Rust-facing runtime APIs where the existing code expects JSON payloads.
Use Result<T> with FlowError in core runtime paths, and keep errors explicit and binding-appropriate at the wrapper layer.
Keep async behavior on the existing tokio-based model; bindings should preserve callback and future lifetimes rather than blocking or hiding async work unexpectedly.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py,go,js,ts,c,h}

📄 CodeRabbit inference engine (CONTRIBUTING.md)

Use language-appropriate naming conventions: Rust snake_case, C FFI exports prefixed nemo_relay_, Go PascalCase, Node.js camelCase, and Python snake_case.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,go,js,ts}

📄 CodeRabbit inference engine (CONTRIBUTING.md)

Add the SPDX license header to all Rust, Go, JavaScript, and TypeScript source files using the corresponding // comment form.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
{crates/**/src/**/*.rs,python/**/*.py}

📄 CodeRabbit inference engine (.agents/skills/maintain-dynamic-plugins/SKILL.md)

Do not add tests under src; Rust tests belong in crate tests/ trees, and Python SDK tests belong under python/tests.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/src/configuration/mod.rs
**/*.{rs,py,go,js,ts}

📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)

If a language surface changed, always run that language's test target even when Rust core did not change.

Files:

  • crates/cli/src/configuration/types.rs
  • crates/cli/src/gateway/request.rs
  • crates/cli/src/mcp_environment.rs
  • crates/cli/src/server/mod.rs
  • crates/cli/src/gateway/mod.rs
  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/src/gateway/routes.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/src/configuration/mod.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
{crates/**/tests/**,python/tests/**,go/nemo_relay/**/*_test.go}

⚙️ CodeRabbit configuration file

{crates/**/tests/**,python/tests/**,go/nemo_relay/**/*_test.go}: Tests should cover the behavior promised by the changed API surface, including error paths and cross-request isolation where relevant.
Prefer assertions on lifecycle events, scope stacks, middleware ordering, and binding parity over shallow smoke tests.

Files:

  • crates/cli/tests/coverage/shared/config_tests.rs
  • crates/cli/tests/coverage/shared/gateway_tests.rs
  • crates/cli/tests/coverage/shared/server_tests.rs
  • crates/cli/tests/coverage/shared/session_tests.rs
🔇 Additional comments (18)
docs/nemo-relay-cli/basic-usage.mdx (1)

145-181: LGTM!

Also applies to: 269-271

docs/nemo-relay-cli/claude-code.mdx (1)

73-82: LGTM!

docs/nemo-relay-cli/codex.mdx (1)

120-122: LGTM!

integrations/coding-agents/codex/.mcp.json (1)

39-45: LGTM!

crates/cli/tests/coverage/shared/config_tests.rs (1)

29-37: LGTM!

Also applies to: 43-100, 103-160, 425-476, 491-523, 1978-2020

crates/cli/src/configuration/mod.rs (2)

16-16: LGTM!

Also applies to: 63-68, 202-204, 1124-1124, 1149-1172, 1433-1456


1468-1476: 🎯 Functional Correctness | ⚡ Quick win

Trim the value before validating/storing it.

validate_auth_header checks value.trim().is_empty() but returns the original, untrimmed value. Stray leading/trailing whitespace (e.g. from a TOML multiline string or env var with a trailing newline) will pass validation and then be sent verbatim as the Authorization header value downstream in inject_provider_auth_with_env — which, for the env-var fallback path, explicitly trims for this exact reason ("sending Bearer with leading whitespace can confuse upstream auth parsers").

🐛 Proposed fix
 fn validate_auth_header(name: &str, value: String) -> Result<String, CliError> {
-    if value.trim().is_empty() {
+    let value = value.trim().to_string();
+    if value.is_empty() {
         return Err(CliError::Config(format!("{name} must not be empty")));
     }
     HeaderValue::from_str(&value)
         .map_err(|_| CliError::Config(format!("{name} must be a valid HTTP header value")))?;
     Ok(value)
 }
crates/cli/src/configuration/types.rs (1)

24-26: LGTM!

Also applies to: 115-117

crates/cli/src/gateway/request.rs (1)

33-39: LGTM!

Also applies to: 59-59, 75-75

crates/cli/src/server/mod.rs (1)

442-457: LGTM!

crates/cli/src/mcp_environment.rs (1)

41-46: LGTM!

crates/cli/src/gateway/mod.rs (2)

71-73: LGTM!

Also applies to: 134-138, 260-267, 447-454, 720-724, 733-739, 955-959, 1103-1128


872-914: 🎯 Functional Correctness

Confirm configured auth headers are documented as full header values, not bare keys.

When configured_auth_header is set, it's written verbatim to Authorization for every route (including Anthropic, which otherwise uses x-api-key), with no scheme normalization — unlike the env-var fallback a few lines below, which prepends Bearer for OpenAI routes. This appears intentional (openai_auth_header/anthropic_auth_header are meant to hold a complete header value), but please confirm the docs make this explicit so users don't configure a bare API key expecting automatic Bearer prefixing.

crates/cli/tests/coverage/shared/gateway_tests.rs (3)

98-98: LGTM!

Also applies to: 202-207, 219-225, 238-243, 594-598, 785-789, 911-923, 941-945, 1021-1034, 1044-1056, 1068-1072, 1192-1198, 1229-1235


992-1012: LGTM! Good coverage of provider-isolation and inbound-suppression precedence per path instructions on cross-request isolation testing.


956-990: 🎯 Functional Correctness

No issue: configured_auth_header is route-driven ProviderForwarding::new only snapshots the configured auth headers; configured_auth_header(route) matches on the route argument, so reusing the same forwarding value across different routes is valid.

			> Likely an incorrect or invalid review comment.
crates/cli/tests/coverage/shared/server_tests.rs (1)

160-172: LGTM!

Also applies to: 175-203, 426-449, 458-458

crates/cli/tests/coverage/shared/session_tests.rs (1)

724-726: LGTM!

Also applies to: 1977-1979, 2237-2239, 2318-2320, 2402-2404, 3709-3711, 3787-3789, 3861-3863, 3919-3921, 4404-4406, 4533-4535, 4632-4634, 4749-4751, 4844-4846, 6675-6677, 6691-6693

Comment on lines +17 to 49
#[derive(Clone)]
pub(super) struct ProviderForwarding {
pub(super) route: ProviderRoute,
pub(super) allow_environment_provider_auth: bool,
pub(super) allow_provider_auth_injection: bool,
openai_auth_header: Option<String>,
anthropic_auth_header: Option<String>,
}

impl ProviderForwarding {
pub(super) fn new(route: ProviderRoute, allow_environment_provider_auth: bool) -> Self {
pub(super) fn new(
route: ProviderRoute,
allow_provider_auth_injection: bool,
config: &crate::configuration::GatewayConfig,
) -> Self {
Self {
route,
allow_environment_provider_auth,
allow_provider_auth_injection,
openai_auth_header: config.openai_auth_header.clone(),
anthropic_auth_header: config.anthropic_auth_header.clone(),
}
}

pub(super) fn configured_auth_header(&self, route: ProviderRoute) -> Option<&str> {
match route {
ProviderRoute::OpenAiResponses
| ProviderRoute::OpenAiChatCompletions
| ProviderRoute::OpenAiModels => self.openai_auth_header.as_deref(),
ProviderRoute::AnthropicMessages | ProviderRoute::AnthropicCountTokens => {
self.anthropic_auth_header.as_deref()
}
}
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicated OpenAI/Anthropic route-mapping logic between ProviderForwarding::configured_auth_header and ProviderRoute::configured_auth_header.

Both methods encode the exact same route→header selection. Extracting a single shared helper (e.g. a private free function taking (route, openai_header: Option<&str>, anthropic_header: Option<&str>)) that both ProviderForwarding::configured_auth_header and ProviderRoute::configured_auth_header delegate to would remove the duplication and the risk of the two match statements drifting when new routes are added.

Also applies to: 125-138

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/cli/src/gateway/routes.rs` around lines 17 - 49, The
route-to-auth-header mapping is duplicated between
ProviderForwarding::configured_auth_header and
ProviderRoute::configured_auth_header. Extract a shared private helper accepting
the route plus OpenAI and Anthropic header options, then delegate both methods
to it while preserving their existing return behavior and route mappings.

Comment on lines +525 to +571
#[test]
fn invalid_provider_auth_header_errors_do_not_expose_secret_values() {
let temp = tempfile::tempdir().unwrap();
let path = temp.path().join("config.toml");
std::fs::write(
&path,
r#"
[upstream]
openai_auth_header = "Bearer private\nsecret"
"#,
)
.unwrap();

let error = resolve_server_config(&GatewayOverrides {
config: Some(path),
..GatewayOverrides::default()
})
.unwrap_err()
.to_string();

assert!(error.contains("upstream.openai_auth_header"), "{error}");
assert!(error.contains("valid HTTP header value"), "{error}");
assert!(!error.contains("private"), "{error}");
assert!(!error.contains("secret"), "{error}");
}

#[test]
fn invalid_provider_auth_environment_errors_do_not_expose_secret_values() {
let temp = tempfile::tempdir().unwrap();
let xdg = temp.path().join("xdg");
std::fs::create_dir_all(&xdg).unwrap();
let scope = PluginConfigDiscoveryScope::enter(temp.path(), &xdg);
let path = temp.path().join("config.toml");
std::fs::write(&path, "").unwrap();
scope.set_auth_headers("Bearer private\nsecret", "Basic valid");

let error = resolve_server_config(&GatewayOverrides {
config: Some(path),
..GatewayOverrides::default()
})
.unwrap_err()
.to_string();

assert!(error.contains("NEMO_RELAY_OPENAI_AUTH_HEADER"), "{error}");
assert!(!error.contains("private"), "{error}");
assert!(!error.contains("secret"), "{error}");
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
from pathlib import Path

path = Path("crates/cli/tests/coverage/shared/config_tests.rs")
text = path.read_text()
assert 'openai_auth_header = "Bearer private\\nsecret"' in text
print("Confirmed: the TOML fixture contains a literal newline inside a single-line quoted value.")
PY

Repository: NVIDIA/NeMo-Relay

Length of output: 245


Make the auth-header error test use valid TOML and cover Anthropic too. crates/cli/tests/coverage/shared/config_tests.rs:529-571 The literal newline in openai_auth_header makes the fixture fail parsing before validate_auth_header runs, so the secret-redaction assertion never hits the intended path. Add the same invalid-header case for Anthropic.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/cli/tests/coverage/shared/config_tests.rs` around lines 525 - 571,
Update invalid_provider_auth_header_errors_do_not_expose_secret_values to use
valid TOML while still passing a newline-containing header to
validate_auth_header, so the test exercises validation and secret redaction
rather than TOML parsing. Add an equivalent config-based invalid-header test for
Anthropic, asserting the Anthropic field is identified, the valid HTTP header
error appears, and both secret fragments are absent.

Source: Path instructions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Feature a new feature lang:rust PR changes/introduces Rust code size:L PR is large

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant