Severity: Low
Location: src/llm/index.ts (all provider functions)
Description:
The createAnthropicProvider and createOpenAICompatibleProvider functions each create a new Headers object inline within the chat method, so the Headers object is rebuilt on every call. More importantly, the API key is sent in the Authorization or x-api-key header on every single request, and if the key is logged or intercepted at the transport layer it cannot be rotated without restarting the process.
There is no mechanism to refresh or rotate the LLM API key at runtime.
Suggested Fix:
Support hot-reload of the LLM API key through the config update flow. createLLMProvider is already called with a fresh config on LLM hot-swap (agent.ts:502), but the Settings UI offers no way to update the API key without also changing the provider. Ensure the Settings UI allows updating just the API key for the same provider.
Also consider reusing a connection pool or keep-alive HTTP agent between requests for better performance.
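An added example (not the project's own code) of the rotatable-key pattern the fix describes: the provider resolves the key from a shared, mutable credential holder at request time, so the config-update flow can swap the key without recreating the provider or restarting the process. CredentialHolder, createRotatableProvider, rotateApiKey and the injectable transport are hypothetical names chosen for the example.

```typescript
// Added example, not the project's own code: the API key is read from a
// shared, mutable holder on every request, so it can be rotated at runtime.
export interface CredentialHolder {
  apiKey: string;
}
// Hypothetical minimal request shape and injectable transport so the
// example runs offline; real code would hand this to fetch().
export interface HttpRequest {
  method: "POST";
  headers: Record<string, string>;
  body: string;
}
export type Transport = (url: string, req: HttpRequest) => Promise<unknown>;
export type AuthStyle = "x-api-key" | "bearer";

// Headers are built per call and read creds.apiKey at that moment;
// nothing copies the key value out at provider-creation time.
export function buildAuthHeaders(creds: CredentialHolder, style: AuthStyle): Record<string, string> {
  const headers: Record<string, string> = { "content-type": "application/json" };
  if (style === "x-api-key") {
    headers["x-api-key"] = creds.apiKey; // Anthropic-style header
  } else {
    headers["Authorization"] = `Bearer ${creds.apiKey}`; // OpenAI-compatible
  }
  return headers;
}

export function createRotatableProvider(
  creds: CredentialHolder,
  style: AuthStyle,
  url: string,
  transport: Transport,
) {
  return {
    chat(messages: { role: string; content: string }[]): Promise<unknown> {
      return transport(url, {
        method: "POST",
        headers: buildAuthHeaders(creds, style),
        body: JSON.stringify({ messages }),
      });
    },
  };
}

// Called from the config-update path. Mutating the holder in place means every
// live provider sends the new key on its next request and never the old one.
export function rotateApiKey(creds: CredentialHolder, newKey: string): void {
  if (!newKey.trim()) throw new Error("refusing to rotate to an empty API key");
  creds.apiKey = newKey;
}
```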