npm - @hongymagic/q - Versions diffs - 0.3.1 → 0.3.2 - Mend

@hongymagic/q 0.3.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -105,7 +105,7 @@ provider_api_key_env = "PROVIDER_API_KEY"
 | `provider_slug` | Provider identifier (maps to `x-portkey-provider` header) |
 | `api_key_env` | Environment variable for Portkey API key (maps to `x-portkey-api-key` header) |
 | `provider_api_key_env` | Environment variable for underlying provider's API key (maps to `Authorization` header) |
-| `headers` | Additional custom headers (supports `${VAR}` interpolation) |
+| `headers` | Additional custom headers (supports env var interpolation for allowlisted vars) |
 **Environment variables:**

package/dist/q.js CHANGED Viewed

@@ -27262,14 +27262,37 @@ ${formatZodErrors(result.error)}`);
     return result;
   }
   static interpolate(value) {
-    return value.replace(/\$\{([^}]+)\}/g, (_, varName) => {
-      const envValue = process.env[varName];
-      if (envValue === undefined) {
-        throw new ConfigValidationError(`Environment variable '${varName}' referenced in config but not set`);
-      }
-      return envValue;
-    });
-  }
+    return interpolateValue(value);
+  }
+}
+var ALLOWED_INTERPOLATION_VARS = new Set([
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "PORTKEY_API_KEY",
+  "ANTHROPIC_BASE_URL",
+  "OPENAI_BASE_URL",
+  "PORTKEY_BASE_URL",
+  "PORTKEY_PROVIDER",
+  "HTTP_PROXY",
+  "HTTPS_PROXY",
+  "NO_PROXY",
+  "HOME",
+  "USER",
+  "HOSTNAME"
+]);
+function interpolateValue(value) {
+  return value.replace(/\$\{([^}]+)\}/g, (_, varName) => {
+    if (!ALLOWED_INTERPOLATION_VARS.has(varName)) {
+      const allowedList = Array.from(ALLOWED_INTERPOLATION_VARS).join(", ");
+      throw new ConfigValidationError(`Environment variable '${varName}' is not allowed for interpolation.
+` + `Allowed variables: ${allowedList}`);
+    }
+    const envValue = process.env[varName];
+    if (envValue === undefined) {
+      throw new ConfigValidationError(`Environment variable '${varName}' referenced in config but not set`);
+    }
+    return envValue;
+  });
 }
 async function loadConfig() {
   return Config.load();
@@ -27314,7 +27337,7 @@ api_key_env = "OPENAI_API_KEY"
 # provider_slug = "@your-org/bedrock-provider"
 # api_key_env = "PORTKEY_API_KEY"
 # provider_api_key_env = "PROVIDER_API_KEY"
-# headers = { "x-custom" = "\${CUSTOM_VALUE}" }
+# headers = { "x-portkey-trace-id" = "\${HOSTNAME}" }  # Only allowlisted env vars
 # Example: Ollama (local models)
 # [providers.ollama]
@@ -27424,6 +27447,12 @@ class QError2 extends Error {
     this.name = "QError";
   }
 }
+class UsageError2 extends QError2 {
+  constructor(message) {
+    super(message, 2);
+    this.name = "UsageError";
+  }
+}
 function logError2(message) {
   console.error(message);
 }
@@ -46196,6 +46225,20 @@ function createPortkeyProvider(config2, providerName, debug = false) {
 }
 // src/providers/index.ts
+var SENSITIVE_FIELD_PATTERNS = [
+  "key",
+  "secret",
+  "token",
+  "password",
+  "auth",
+  "credential"
+];
+function filterSensitiveFields(config2) {
+  return Object.fromEntries(Object.entries(config2).filter(([key]) => {
+    const lowerKey = key.toLowerCase();
+    return !SENSITIVE_FIELD_PATTERNS.some((pattern) => lowerKey.includes(pattern));
+  }));
+}
 function resolveProvider(config2, providerOverride, modelOverride, debug = false) {
   const providerName = providerOverride ?? config2.default.provider;
   const providerConfig = config2.providers[providerName];
@@ -46203,7 +46246,7 @@ function resolveProvider(config2, providerOverride, modelOverride, debug = false
     throw new ProviderNotFoundError(providerName);
   }
   const modelId = modelOverride ?? config2.default.model;
-  logDebug(`Provider config: ${JSON.stringify(providerConfig, null, 2)}`, debug);
+  logDebug(`Provider config: ${JSON.stringify(filterSensitiveFields(providerConfig), null, 2)}`, debug);
   const model = createModel(providerConfig, providerName, modelId, debug);
   return {
     model,
@@ -54509,11 +54552,15 @@ async function main() {
       console.log(listProviders(config3));
       process.exit(0);
     }
+    const query = args.query.join(" ");
+    const MAX_QUERY_LENGTH = 5000;
+    if (query.length > MAX_QUERY_LENGTH) {
+      throw new UsageError2(`Query too long (${query.length} characters). Maximum is ${MAX_QUERY_LENGTH}.`);
+    }
     logDebug2("Loading config...", debug);
     const config2 = await loadConfig();
     logDebug2(`Resolving provider: ${args.options.provider ?? config2.default.provider}`, debug);
     const { model, providerName, modelId } = resolveProvider(config2, args.options.provider, args.options.model, debug);
-    const query = args.query.join(" ");
     const envInfo = getEnvironmentInfo();
     logDebug2(`Query: ${query}`, debug);
     logDebug2(`Provider: ${providerName}, Model: ${modelId}`, debug);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hongymagic/q",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "Quick AI answers from the command line",
   "main": "dist/q.js",
   "type": "module",