mirror of
https://github.com/giancarloerra/socraticode.git
synced 2026-07-03 14:05:21 +02:00
7cdf21a961
Address CodeRabbit findings on PR #36:

1. The previous patch attached `QDRANT_API_KEY` as an `api-key` header regardless of URL scheme, which would leak the secret on the wire if a user configured an authenticated Qdrant over plain HTTP. Add a guard that rejects the combination and throws a specific error, placed before the readiness probe so its message is not masked by the generic "Cannot reach external Qdrant" handler. Loopback URLs (`localhost`, `127.0.0.1`, `[::1]`) are accepted on `http://` so local-dev workflows where users run authenticated Qdrant on plain HTTP keep working. The URL is parsed (rather than checked with startsWith) so hostnames like `http://localhost.evil.com` are not mistaken for loopback.

2. The "omits api-key header when QDRANT_API_KEY is not set" test relied on the spread of the real `constants.js` module, which means it would flake to a header-attached state on any developer machine with `QDRANT_API_KEY` exported in the shell. Pass `QDRANT_API_KEY: undefined` explicitly so the override always wins.

3. Add two tests covering the new guard: one asserting the rejection on plain HTTP for non-loopback hosts, and one asserting that the localhost exception still attaches the api-key header.

4. Document the HTTPS requirement (and localhost exception) in the `QDRANT_API_KEY` row of the README configuration table.