[codex] fix: reject credentials in advertised endpoint URLs #3516

Open
StiensWout wants to merge 1 commit into pingdotgg:main from StiensWout:staging/reject-userinfo-advertised-endpoints
StiensWout (Contributor) commented Jun 23, 2026

Summary

  • Reject advertised endpoint URLs that contain userinfo credentials.
  • Keep downstream connection handling from accepting credential-bearing endpoint strings.

Why

URLs with embedded credentials should not be accepted as advertised endpoints because they can leak secrets through display, logging, or transport boundaries.

Impact

Credential-bearing advertised endpoints are rejected before they can be stored or used.

Validation

  • PATH="$HOME/.vite-plus/bin:$PATH" vp test packages/client-runtime/src/environment/endpoint.test.ts
  • PATH="$HOME/.vite-plus/bin:$PATH" vp check
  • PATH="$HOME/.vite-plus/bin:$PATH" vp run -r --concurrency-limit 1 typecheck

Note

Low Risk
Small input-validation hardening on endpoint URLs; only affects credential-bearing URLs that should not be advertised.

Overview
Advertised endpoint URLs with embedded userinfo are now rejected during normalization instead of being accepted and propagated.

normalizeHttpBaseUrl in advertisedEndpoint.ts throws "Endpoint URL must not include credentials." when url.username or url.password is non-empty, before path/query/hash normalization. That applies to HTTP/HTTPS and ws/wss inputs (after protocol coercion), so createAdvertisedEndpoint, deriveWsBaseUrl, and other callers that normalize through this helper fail early. Connection onboarding that normalizes httpBaseUrl surfaces the same error as invalid configuration.

Tests cover https://user:password@…, wss://user@…, and credential-bearing createAdvertisedEndpoint inputs.

Reviewed by Cursor Bugbot for commit 13861a1. Bugbot is set up for automated code reviews on this repo.

Note

Reject credentials embedded in advertised endpoint URLs

Adds a credentials check to normalizeHttpBaseUrl in advertisedEndpoint.ts. If the URL contains a non-empty username or password, the function throws "Endpoint URL must not include credentials." before any normalization occurs. Behavioral Change: callers passing URLs with embedded credentials will now receive an error instead of silently proceeding.

Macroscope summarized 13861a1.
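
The check described in the summaries above, as an added TypeScript sketch that is not the project's advertisedEndpoint.ts. The names normalizeBaseUrlSketch and checkEndpoint, the host example.test, the exact coercion and path/query/hash handling, and every error string except the credentials one are assumptions made for illustration.

```typescript
// Added illustration; not the project's advertisedEndpoint.ts.
const CREDENTIALS_ERROR = "Endpoint URL must not include credentials.";

type EndpointCheck = { ok: boolean; detail: string };

// Hypothetical normalizer: coerce ws/wss to http/https, reject userinfo,
// then drop query, fragment and trailing slashes (assumed normalization).
function normalizeBaseUrlSketch(raw: string): string {
  const url = new URL(raw.trim().replace(/^ws(s?):/i, "http$1:"));
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("Endpoint URL must use http, https, ws or wss.");
  }
  // The WHATWG parser splits userinfo out of the authority, so this catches
  // user:password@, user@ and :password@ forms, percent-encoded or not.
  if (url.username !== "" || url.password !== "") {
    throw new Error(CREDENTIALS_ERROR);
  }
  url.search = "";
  url.hash = "";
  url.pathname = url.pathname.replace(/\/+$/, "");
  return url.toString().replace(/\/$/, "");
}

// Report rejections with a fixed reason, so the raw input (and any secret
// inside it) never reaches a message that is logged or displayed.
function checkEndpoint(raw: string): EndpointCheck {
  try {
    return { ok: true, detail: normalizeBaseUrlSketch(raw) };
  } catch (err) {
    const message = err instanceof Error ? err.message : "";
    const known = message.startsWith("Endpoint URL");
    return { ok: false, detail: known ? message : "Endpoint URL is not valid." };
  }
}

// Constructed sample inputs; example.test is a placeholder host.
const SAMPLES = [
  "https://user:password@example.test/api/",
  "wss://user@example.test",
  "https://:secret@example.test",
  "https://us%65r@example.test",
  "https://@example.test/", // empty userinfo parses to no credentials
  "wss://example.test:8443/",
  "https://example.test/api/?x=1#frag",
];

function runSamples(): EndpointCheck[] {
  return SAMPLES.map((raw) => checkEndpoint(raw));
}
console.log(runSamples());
```

The empty-userinfo input is accepted because the parser reports an empty username and password for it, and the serialized result no longer carries the "@".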

coderabbitai Bot commented Jun 23, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c64c4c90-f719-4e2c-9743-06142fde2054

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands.

github-actions Bot added the labels vouch:unvouched (PR author is not yet trusted in the VOUCHED list.) and size:XS (0-9 changed lines (additions + deletions).) Jun 23, 2026

macroscopeapp Bot (Contributor) commented Jun 23, 2026

Approvability

Verdict: Needs human review

This PR adds security validation to reject URLs with embedded credentials. While the change is small and well-tested, security-related changes warrant human review to verify the validation is appropriately placed and handles all relevant code paths.

You can customize Macroscope's approvability policy. Learn more.

StiensWout force-pushed the staging/reject-userinfo-advertised-endpoints branch from 4ea013b to 2ffeb29 June 23, 2026 05:50
Co-authored-by: Codex <codex@openai.com>
StiensWout force-pushed the staging/reject-userinfo-advertised-endpoints branch from 2ffeb29 to 13861a1 June 23, 2026 19:28