[security] fix(providers): validate sibling endpoint overrides

[Hinotoi-agent]

Summary

• Add a shared provider endpoint override validator for MiniMax and Alibaba Coding Plan credentialed provider requests.
• Reject non-HTTPS endpoint overrides, embedded userinfo, and percent-encoded authority/host delimiters before cookies or API credentials are attached to follow-up requests.
• Preserve custom HTTPS proxy/test-host compatibility by default: arbitrary HTTPS hosts continue to work, while insecure or authority-confusing URLs fail closed.
• Add optional strict provider-owned-host mode for deployments that want a tighter allowlist:
  • MINIMAX_REQUIRE_PROVIDER_ENDPOINT_OVERRIDES=true
  • ALIBABA_CODING_PLAN_REQUIRE_PROVIDER_ENDPOINT_OVERRIDES=true
• Keep explicit rejected overrides fail-closed instead of silently falling back to the default credentialed provider endpoint.
• Add focused regression coverage for default custom HTTPS compatibility, strict provider-owned-host enforcement, rejected http:// overrides, rejected user:pass@ URLs, encoded-delimiter bypasses, accepted provider-owned HTTPS/bare host overrides, and fail-closed fetcher behavior.
• Update MiniMax and Alibaba provider docs to document the HTTPS-only default and optional strict provider-host mode.

Compatibility note

This revision keeps the compatibility path requested in review: custom HTTPS proxy/test domains remain accepted by default for MiniMax and Alibaba Coding Plan endpoint overrides.

The hard security boundary is now scheme/authority hygiene:

• https://... custom proxy/test domains are accepted by default.
• Bare hosts are normalized to HTTPS.
• http://... overrides are rejected so cookies/API credentials are not sent in cleartext.
• URLs with embedded userinfo are rejected.
• Percent-encoded host/authority delimiter tricks are rejected.
• If an explicit override is rejected, the fetcher fails closed and reports the rejected config key instead of silently falling back to the default provider endpoint.

Operators that prefer provider-owned hosts only can opt into strict mode with MINIMAX_REQUIRE_PROVIDER_ENDPOINT_OVERRIDES=true or ALIBABA_CODING_PLAN_REQUIRE_PROVIDER_ENDPOINT_OVERRIDES=true.

Validation

• git diff --check — passed.
• swift build --target CodexBarCore — passed:

Build of target: 'CodexBarCore' complete! (1.21s)

• Temporary local smoke executable depending on this checkout's real CodexBarCore — passed. The proof exercised the actual MiniMax/Alibaba settings readers and fetcher validators with redacted credentials/cookies:

PASS MiniMax default preserves custom HTTPS host
PASS MiniMax custom HTTPS not rejected by default
PASS MiniMax strict mode rejects custom host
PASS MiniMax strict mode reports rejected host key
PASS Alibaba default preserves custom HTTPS host
PASS Alibaba custom HTTPS not rejected by default
PASS Alibaba strict mode rejects custom host
PASS Alibaba strict mode reports rejected host key
PASS MiniMax rejects HTTP host override
PASS Alibaba rejects userinfo URL override

• swift test --filter 'MiniMaxProviderTests|AlibabaCodingPlanProviderTests' — still blocked before the focused tests by the existing local KeyboardShortcuts/SwiftUI #Preview macro toolchain issue (PreviewsMacros plugin not found) with the active developer directory using CommandLineTools rather than full Xcode.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 12:26 AM ET / 04:26 UTC.

Summary
This PR adds a shared endpoint override validator for MiniMax and Alibaba Coding Plan, wires fail-closed validation into credentialed fetches, updates diagnostics, adds focused tests, and documents the endpoint override policy.

Reproducibility: yes. source inspection shows current main accepts raw explicit endpoint override schemes and then uses those URLs in credentialed MiniMax and Alibaba fetch paths. I did not run live provider probes because AGENTS.md warns against credentialed checks that may trigger Keychain or account access.

Review metrics: 2 noteworthy metrics.

• Changed surface: 14 files affected. The diff spans shared validation, two credentialed providers, diagnostics, focused tests, and user-facing docs.
• Provider policy knobs: 2 strict-mode env flags added. The new MiniMax and Alibaba strict endpoint flags make this a maintainer-visible provider policy change, not only a parser fix.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Get explicit maintainer sign-off on the MiniMax and Alibaba endpoint override policy before merge.

Risk before merge

• [P1] Existing users with explicit http://, userinfo, or encoded-delimiter endpoint overrides for MiniMax or Alibaba will now fail closed before credentialed requests; that is likely the intended security outcome but it is still a runtime compatibility break.
• [P1] The PR defines the default boundary as arbitrary custom HTTPS proxy/test hosts plus optional strict provider-owned-host mode, which is a provider auth/privacy policy choice that green CI cannot settle.

Maintainer options:

1. Approve the provider endpoint boundary (recommended)
   If maintainers accept HTTPS-only fail-closed behavior plus default custom HTTPS compatibility and strict provider-host opt-in, merge after the normal check and branch gates.
2. Tighten the default policy before merge
   If maintainers prefer provider-owned hosts by default, revise the PR to make strict mode the default and add explicit migration documentation for custom proxy/test users.
3. Pause for an auth/privacy decision
   If the project has not settled the provider endpoint policy, hold the PR open for owner review instead of asking the contributor for more mechanical changes.

Next step before merge

• [P2] Human review is needed because the remaining blocker is provider auth/privacy policy approval, not a narrow automated code repair.

Security
Cleared: No concrete security or supply-chain regression was found in the diff; the security-sensitive endpoint policy still needs maintainer sign-off before merge.

Review details

Best possible solution:

Land this after maintainer approval of the endpoint override policy, keeping default custom HTTPS compatibility while failing closed for unsafe scheme and authority forms.

Do we have a high-confidence way to reproduce the issue?

Yes: source inspection shows current main accepts raw explicit endpoint override schemes and then uses those URLs in credentialed MiniMax and Alibaba fetch paths. I did not run live provider probes because AGENTS.md warns against credentialed checks that may trigger Keychain or account access.

Is this the best way to solve the issue?

Yes, the implementation is a narrow shared validator plus fail-closed fetch checks and focused tests; the remaining question is maintainer approval of the chosen provider auth/privacy boundary.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d7b58a050cb1.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes redacted terminal proof from a local executable using the real CodexBarCore product to exercise the changed settings-reader and fetcher validation paths after the fix.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

• P1: The PR changes credentialed provider endpoint routing for cookies and API keys, making it urgent security/auth-provider review work.
• merge-risk: 🚨 compatibility: Existing insecure or authority-confusing endpoint overrides will fail closed at runtime after merge.
• merge-risk: 🚨 auth-provider: The diff changes how MiniMax and Alibaba provider requests resolve endpoints before attaching cookies or API credentials.
• merge-risk: 🚨 security-boundary: The PR defines which configured hosts may receive credentialed provider traffic and adds strict provider-owned-host policy controls.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes redacted terminal proof from a local executable using the real CodexBarCore product to exercise the changed settings-reader and fetcher validation paths after the fix.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted terminal proof from a local executable using the real CodexBarCore product to exercise the changed settings-reader and fetcher validation paths after the fix.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read fully; it steers provider/parser changes toward focused tests and avoids live provider or credential checks that could trigger Keychain prompts. (AGENTS.md:19, d7b58a050cb1)
• Vision requires sign-off: VISION.md says behavior changes affecting provider auth or user privacy need sign-off, which applies to this credentialed endpoint override boundary. (VISION.md:19, d7b58a050cb1)
• Current main lacks the validator: A source search on current main finds no ProviderEndpointOverrideValidator, invalidEndpointOverride case, or strict endpoint override flags. (d7b58a050cb1)
• Current main accepts raw overrides: Current main's MiniMax settings reader returns cleaned host overrides and accepts any explicit URL scheme in URL overrides before fetchers consume them. (Sources/CodexBarCore/Providers/MiniMax/MiniMaxSettingsReader.swift:29, d7b58a050cb1)
• Current main accepts raw Alibaba overrides: Current main's Alibaba settings reader returns cleaned host overrides and accepts any explicit quota URL scheme before credentialed API or cookie fetches use the resolved URL. (Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanSettingsReader.swift:25, d7b58a050cb1)
• PR validator behavior: The PR validator normalizes bare hosts to HTTPS, rejects non-HTTPS schemes and userinfo, rejects decoded or encoded authority delimiters, allows arbitrary HTTPS hosts by default, and supports provider-owned-only mode. (Sources/CodexBarCore/ProviderEndpointOverrideValidator.swift:31, ec67da36e763)

Likely related people:

• Peter Steinberger: Current-main blame ties the baseline MiniMax and Alibaba settings readers to v0.32.4, and recent log entries show additional MiniMax provider fallback fixes in this area. (role: current provider-area owner; confidence: high; commits: 723734ef3422, d6e225af364a, 26a53f20d87e; files: Sources/CodexBarCore/Providers/MiniMax/MiniMaxSettingsReader.swift, Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift, Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanSettingsReader.swift)
• XWind: Recent MiniMax token-plan and fallback history touches the same usage fetcher and nearby endpoint resolution behavior. (role: recent MiniMax area contributor; confidence: medium; commits: 90368202df70, 65a41cbee9b3, bfff3dfe494a; files: Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift, Tests/CodexBarTests/MiniMaxProviderTests.swift)
• YanxinXue: Recent Alibaba credential mapping and SEC-token fallback commits touch the same provider surface this PR changes. (role: recent Alibaba adjacent contributor; confidence: medium; commits: e652f74e0e4e, 8c043a4598cb; files: Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanUsageFetcher.swift, Tests/CodexBarTests/AlibabaCodingPlanProviderTests.swift)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e898bc703

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[Hinotoi-agent]

Updated for the review blockers:

• Rejected explicit endpoint overrides now fail closed before credentialed provider requests instead of falling back silently.
• Added fail-closed regression coverage for MiniMax and Alibaba Coding Plan API/cookie paths.
• Added redacted real local env/settings-path proof to the PR body showing accepted provider HTTPS overrides and rejected attacker/HTTP/userinfo/encoded-host overrides.

Maintainers: please explicitly sign off on the provider-owned-only endpoint policy. This intentionally breaks arbitrary proxy/test override domains for these credentialed provider paths; HTTPS provider-owned hosts and bare provider hosts remain supported.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26790795211
• Updated: 2026-06-02T00:37:38.911Z

[Hinotoi-agent]

Updated again for the Alibaba diagnostic categorization blocker and pushed af676e46.

What changed:

• AlibabaCodingPlanUsageError.invalidEndpointOverride(...) now maps explicitly to diagnostic category configuration, matching MiniMax and avoiding the generic localized-text classifier that could see “API”/“HTTPS” and misclassify it as api.
• Added focused regression coverage for the Alibaba invalid endpoint override diagnostic category and safe description.

Validation:

swift build --target CodexBarCore
Build of target: 'CodexBarCore' complete!

git diff --check
# passed

Standalone diagnostic proof from a temporary local package depending on this checkout's CodexBarCore:

category=configuration
safeDescription=Configuration issue - check provider source and settings
PASS Alibaba invalid endpoint override diagnostic is configuration

The direct focused test command is still blocked locally by the existing KeyboardShortcuts / SwiftUI #Preview macro toolchain issue (PreviewsMacros plugin not found), so I used the standalone package proof above to exercise the diagnostic path.

Maintainers: still requesting explicit sign-off on the provider-owned-only endpoint policy for these credentialed provider overrides.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26791515006
• Updated: 2026-06-02T00:58:53.818Z

[Hinotoi-agent]

Addressed the latest ClawSweeper blocker and pushed an amended commit (59b2f45c).

What changed:

• Added the explicit Alibaba invalid endpoint override diagnostic regression so AlibabaCodingPlanUsageError.invalidEndpointOverride("ALIBABA_CODING_PLAN_QUOTA_URL") maps to configuration, not api/fallback wording.
• Preserved the safe generic diagnostic text: Configuration issue - check provider source and settings.
• Fixed the CI SwiftLint line-length failures in the MiniMax/Alibaba invalid override error strings.

Validation:

swift build --target CodexBarCore
Build of target: 'CodexBarCore' complete!

git diff --check
PASS

swift run DiagnosticSmoke
PASS Alibaba invalid endpoint override diagnostic category: configuration
PASS Alibaba invalid endpoint override safe description: Configuration issue - check provider source and settings

Local focused swift test --filter ProviderDiagnosticExportTests/test_alibabaInvalidEndpointOverrideUsesConfigurationCategory is still blocked before the test runs by the existing local KeyboardShortcuts / SwiftUI preview macro issue:

external macro implementation type 'PreviewsMacros.SwiftUIView' could not be found for macro 'Preview(_:body:)'; plugin for module 'PreviewsMacros' not found

The temporary smoke executable imports the real CodexBarCore product and exercises the same exported diagnostic path without credentials.

@clawsweeper could you re-review this update when you get a chance?

[Hinotoi-agent]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26812503190
• Updated: 2026-06-02T10:03:48.820Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27183639554
• Updated: 2026-06-09T04:27:04.417Z