mohdel 0.98.2 → 0.99.0

package/js/session/adapters/_chat_completions.js

@@ -95,7 +95,7 @@ export async function * runChatCompletions (envelope, client, config, deps = {})
     response = await client.chat.completions.create(args, { signal: deps.signal })
   } catch (e) {
     deps.log?.warn({ err: e }, `[mohdel:${config.provider}] request failed`)
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 
@@ -158,7 +158,7 @@ async function * runStreaming (envelope, client, args, config, start, deps) {
     stream = await client.chat.completions.create(args, { signal: deps.signal })
   } catch (e) {
     deps.log?.warn({ err: e }, `[mohdel:${config.provider}] request failed`)
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 
@@ -222,7 +222,7 @@ async function * runStreaming (envelope, client, args, config, start, deps) {
     }
   } catch (e) {
     deps.log?.warn({ err: e }, `[mohdel:${config.provider}] stream failed`)
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 

package/js/session/adapters/_errors.js

@@ -4,10 +4,14 @@
  * Maps SDK errors to a canonical `TypedError`. Inspects provider
  * error codes / messages first (so semantically meaningful tags like
  * `CONTEXT_OVERFLOW` and `QUOTA_EXHAUSTED` aren't lost in generic
- * status buckets), then falls back to HTTP status. 401/403 messages
- * stay generic to avoid echoing provider bodies that may contain the
- * API key back on the wire; for other statuses the provider's own
- * detail is preserved on `.detail` so callers can debug 400s.
+ * status buckets), then falls back to HTTP status. The provider's own
+ * detail is preserved on `.detail` for every classification —
+ * including 401/403. When the caller supplies the API key it was
+ * using, `classifyProviderError` masks any verbatim occurrence of
+ * that key in the detail before returning, so an echoed-key provider
+ * body never reaches downstream consumers as plaintext. Whatever the
+ * caller does with `detail` after that — surface it, log it, redact
+ * it further — is the caller's policy.
  *
  * Type tags: `AUTH_INVALID`, `RATE_LIMIT`, `QUOTA_EXHAUSTED`,
  * `CONTEXT_OVERFLOW`, `CONTENT_BLOCKED`, `PROVIDER_UNAVAILABLE`,
@@ -25,6 +29,27 @@ const DETAIL_CAP = 500
  * @param {any} err
  * @returns {string | undefined}
  */
+/**
+ * Replace verbatim occurrences of `key` in `detail` with a masked
+ * form. Long keys (≥ 16 chars) become `<first4>…<last4>` so a caller
+ * with multiple keys can still tell them apart from the masked
+ * substring; shorter keys fall back to `<redacted>` since revealing
+ * 8 chars would leak too much. Keys under 8 chars are treated as
+ * not-a-key (no scrub) — guards against pathological replacements
+ * on empty or fixture values.
+ * @param {string | undefined} detail
+ * @param {string | undefined} key
+ * @returns {string | undefined}
+ */
+function scrubKey (detail, key) {
+  if (!detail || !key || typeof key !== 'string' || key.length < 8) return detail
+  if (!detail.includes(key)) return detail
+  const mask = key.length >= 16
+    ? `${key.slice(0, 4)}…${key.slice(-4)}`
+    : '<redacted>'
+  return detail.split(key).join(mask)
+}
+
 function extractDetail (err) {
   if (!err) return undefined
   const nested = err.error?.message || err.response?.data?.error?.message
@@ -79,14 +104,20 @@ function matchesContextOverflow (msg) {
 
 /**
  * @param {unknown} e
+ * @param {string} [key]   Optional API key the call was made with. When
+ *                         provided, any verbatim occurrence is replaced
+ *                         with `<redacted>` in the returned detail —
+ *                         providers occasionally echo the rejected key
+ *                         in error bodies (notably 401/403) and that
+ *                         must not leak.
  * @returns {import('#core/errors.js').TypedError}
  */
-export function classifyProviderError (e) {
+export function classifyProviderError (e, key) {
   const err = /** @type {any} */(e)
   const status = err?.status
   const code = extractCode(err)
   const message = err?.message || ''
-  const detail = extractDetail(err)
+  const detail = scrubKey(extractDetail(err), key)
 
   // --- Code-driven classification (runs before status buckets so
   //     specific tags survive even when the upstream HTTP status is
@@ -142,12 +173,12 @@ export function classifyProviderError (e) {
   // --- Status-driven fallback. ---
 
   if (status === 401 || status === 403) {
-    // Deliberately no detail — 401/403 bodies can echo the key.
     return {
       message: 'authentication failed',
       severity: 'error',
       retryable: false,
-      type: 'AUTH_INVALID'
+      type: 'AUTH_INVALID',
+      detail
     }
   }
   if (status === 429) {

package/js/session/adapters/anthropic.js

@@ -96,7 +96,7 @@ export async function * anthropic (envelope, deps = {}) {
       if (blocks.length) injectImageBlocks(conversation, blocks)
     } catch (e) {
       log?.warn({ err: e }, '[mohdel:anthropic] image load failed')
-      yield { type: 'error', error: classifyProviderError(e) }
+      yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
       return
     }
   }
@@ -189,7 +189,7 @@ export async function * anthropic (envelope, deps = {}) {
       return
     }
     log?.warn({ err: e }, '[mohdel:anthropic] stream failed')
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 

package/js/session/adapters/gemini.js

@@ -58,7 +58,7 @@ export async function * gemini (envelope, deps = {}) {
       if (parts.length) injectParts(contents, parts)
     } catch (e) {
       log?.warn({ err: e }, '[mohdel:gemini] image load failed')
-      yield { type: 'error', error: classifyProviderError(e) }
+      yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
       return
     }
   }
@@ -80,7 +80,7 @@ export async function * gemini (envelope, deps = {}) {
       // `typed` lets _videos.js surface PROVIDER_UNAVAILABLE on
       // upload-deadline timeouts; fall back to generic classification.
       const typed = /** @type {any} */(e).typed
-      yield { type: 'error', error: typed || classifyProviderError(e) }
+      yield { type: 'error', error: typed || classifyProviderError(e, envelope.auth?.key) }
       return
     }
   }
@@ -172,7 +172,7 @@ export async function * gemini (envelope, deps = {}) {
       return
     }
     log?.warn({ err: e }, '[mohdel:gemini] stream failed')
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 

package/js/session/adapters/image/novita.js

@@ -83,7 +83,7 @@ async function post (fetchFn, url, body, apiKey) {
       body: JSON.stringify(body)
     })
   } catch (e) {
-    throw typedError(classifyProviderError(e).message, 'NET_ERROR', true)
+    throw typedError(classifyProviderError(e, apiKey).message, 'NET_ERROR', true)
   }
   if (!res.ok) {
     const text = await res.text().catch(() => '')

package/js/session/adapters/image/openai.js

@@ -30,8 +30,8 @@ export async function openaiImage (envelope, deps = {}) {
   try {
     response = await client.images.generate(args)
   } catch (e) {
-    throw Object.assign(new Error(classifyProviderError(e).message), {
-      typed: classifyProviderError(e)
+    throw Object.assign(new Error(classifyProviderError(e, envelope.auth?.key).message), {
+      typed: classifyProviderError(e, envelope.auth?.key)
     })
   }
 

package/js/session/adapters/openai.js

@@ -60,7 +60,7 @@ export async function * openai (envelope, deps = {}) {
       if (parts.length) injectImageParts(input, parts)
     } catch (e) {
       log?.warn({ err: e }, '[mohdel:openai] image load failed')
-      yield { type: 'error', error: classifyProviderError(e) }
+      yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
       return
     }
   }
@@ -156,7 +156,7 @@ export async function * openai (envelope, deps = {}) {
       return
     }
     log?.warn({ err: e }, '[mohdel:openai] stream failed')
-    yield { type: 'error', error: classifyProviderError(e) }
+    yield { type: 'error', error: classifyProviderError(e, envelope.auth?.key) }
     return
   }
 

package/js/session/run_image.js

@@ -51,7 +51,7 @@ export async function runImage (envelope, { resolveAdapter = getImageAdapter, sp
     const result = await adapter(envelope, spec ? { spec } : {})
     return { ok: true, result }
   } catch (e) {
-    const typed = /** @type {any} */(e).typed || classifyProviderError(e)
+    const typed = /** @type {any} */(e).typed || classifyProviderError(e, envelope.auth?.key)
     return { ok: false, error: typed }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mohdel",
-  "version": "0.98.2",
+  "version": "0.99.0",
   "license": "MIT",
   "author": {
     "name": "Christophe Le Bars",
@@ -87,7 +87,7 @@
     "@opentelemetry/exporter-trace-otlp-grpc": "^0.216.0",
     "@opentelemetry/sdk-node": "^0.216.0",
     "chalk": "^5.4.0",
-    "mohdel-thin-gate-linux-x64-gnu": "0.98.2"
+    "mohdel-thin-gate-linux-x64-gnu": "0.99.0"
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.91.1",