Skip to content

Fix: address review issues from PR #12 #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fangchenli merged 1 commit into from
Jan 28, 2026
Merged

Fix: address review issues from PR #12 #13

fangchenli merged 1 commit into from
Jan 28, 2026

Conversation

@fangchenli
Copy link
Contributor

@fangchenli fangchenli commented Jan 28, 2026

Summary

Fixes 7 issues identified during code review of PR #12:

  • API key security: Pass Gemini API key via x-goog-api-key header instead of URL query parameter to prevent leakage in logs/tracebacks
  • SDK system_instruction: Use Gemini SDK's native system_instruction parameter instead of concatenating system messages into the user prompt
  • Dedup content builders: Merge _build_sdk_contents and _build_http_contents into a single _build_contents method
  • Redact error traces: Apply redact_text() to llm_call_failed trace error messages to prevent sensitive data in traces
  • Fix protocol info key: _extract_protocol_info was reading "protocol" instead of "protocol_name", causing empty protocol name in inspect output
  • Fix CLI error message: Catch-all error was referencing ANTHROPIC_API_KEY instead of being provider-agnostic
  • Wire LLM step guard: Add check_llm_allowed_in_step("work") runtime guard in the engine to enforce the LLM-only-in-WORK invariant

Test plan

  • All 373 tests pass
  • mypy passes
  • ruff passes
  • Pre-commit hooks pass

🤖 Generated with Claude Code

@fangchenli @claude
Fix review issues from PR #12
632b2aa 
- Pass Gemini API key via x-goog-api-key header instead of URL query
  parameter to prevent key leakage in logs and tracebacks
- Use Gemini SDK's native system_instruction parameter instead of
  concatenating system messages into the user prompt
- Deduplicate _build_sdk_contents and _build_http_contents into a
  single _build_contents method
- Redact error messages in llm_call_failed trace events using
  redact_text() to prevent sensitive data in traces
- Fix _extract_protocol_info reading wrong key ("protocol" vs
  "protocol_name") causing empty protocol name in inspect output
- Fix CLI catch-all error message referencing ANTHROPIC_API_KEY
  instead of being provider-agnostic
- Wire check_llm_allowed_in_step runtime guard into the engine's
  PROPOSE step to enforce the LLM-only-in-WORK invariant

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fangchenli fangchenli merged commit aad0c0d into main Jan 28, 2026
3 checks passed
@fangchenli fangchenli deleted the fix/pr12-review-issues branch January 28, 2026 07:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fangchenli