chore(security): soften gatewayUrl override messaging

2026-05-07 13:51:26 +00:00 · 2026-02-14 21:39:39 +01:00
parent 2d5647a804
commit e95ce05c1e
3 changed files with 6 additions and 6 deletions
--- a/src/agents/tools/gateway.e2e.test.ts
+++ b/src/agents/tools/gateway.e2e.test.ts
@@ -39,9 +39,9 @@ describe("gateway tool defaults", () => {
  it("rejects non-allowlisted overrides (SSRF hardening)", async () => {
    await expect(
      callGatewayTool("health", { gatewayUrl: "ws://127.0.0.1:8080", gatewayToken: "t" }, {}),
-    ).rejects.toThrow(/gatewayUrl override blocked/i);
+    ).rejects.toThrow(/gatewayUrl override rejected/i);
    await expect(
      callGatewayTool("health", { gatewayUrl: "ws://169.254.169.254", gatewayToken: "t" }, {}),
-    ).rejects.toThrow(/gatewayUrl override blocked/i);
+    ).rejects.toThrow(/gatewayUrl override rejected/i);
  });
 });
--- a/src/agents/tools/gateway.ts
+++ b/src/agents/tools/gateway.ts
@@ -67,9 +67,9 @@ function validateGatewayUrlOverrideForAgentTools(urlOverride: string): string {
  if (!allowed.has(parsed.key)) {
    throw new Error(
      [
-        "gatewayUrl override blocked (SSRF hardening).",
+        "gatewayUrl override rejected.",
        `Allowed: ws(s) loopback on port ${port} (127.0.0.1/localhost/[::1])`,
-        "Or: configure gateway.remote.url and omit gatewayUrl.",
+        "Or: configure gateway.remote.url and omit gatewayUrl to use the configured remote gateway.",
      ].join(" "),
    );
  }