fix: security fixes and executor improvements (rebased from pr-465)#934

Merged
KooshaPari merged 1 commit into main from pr-465-squash
Mar 29, 2026

@KooshaPari
Owner

Summary

Rebased version of the security fixes and executor improvements from pr-465-fix branch. Original PR #930 was closed due to merge conflicts with main.

Changes

  • Security: Prevent path-injection in token storage and auth file operations
  • Executor: Fix payloadModelRulesMatch to properly handle unconditional rules
  • Refactor: Consolidate duplicate file operations in management and executor packages
  • Tests: Comprehensive test coverage improvements and regression fixes across SDK and auth modules
  • Dependencies: Updated go.sum with cloud.google.com dependencies

Resolution Strategy

  • Squash merge of 10 commits from pr-465-fix onto main
  • Resolved 30+ merge conflicts by accepting pr-465-fix versions (newer logic takes precedence)
  • No code loss; all security and executor improvements preserved

Testing

  • All conflict resolutions preserved the security-critical path-injection fixes
  • Executor rule matching logic restored
  • Local testing recommended before merge due to conflict volume

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Squash merge of security and executor refactoring fixes from pr-465-fix branch.
Original PR #930 was closed due to merge conflicts; this PR replaces it.

Key improvements:
- Security: prevent path-injection in token storage and auth operations
- Executor: fix payloadModelRulesMatch for unconditional rules
- Refactor: consolidate duplicate file operations in management and executor packages
- Tests: comprehensive coverage and regression fixes across SDK and auth modules

Conflicts resolved by accepting pr-465-fix versions for all affected files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai bot commented Mar 29, 2026

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 14 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 17 minutes and 14 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2e33f433-d96b-4e03-ae21-062355626a58

📥 Commits

Reviewing files that changed from the base of the PR and between 9e55251 and f8a57b6.

📒 Files selected for processing (33)
  • pkg/llmproxy/api/handlers/management/auth_files.go
  • pkg/llmproxy/api/server.go
  • pkg/llmproxy/api/server_test.go
  • pkg/llmproxy/auth/kiro/aws.go
  • pkg/llmproxy/auth/kiro/aws_test.go
  • pkg/llmproxy/auth/kiro/fingerprint.go
  • pkg/llmproxy/auth/kiro/fingerprint_test.go
  • pkg/llmproxy/auth/kiro/sso_oidc.go
  • pkg/llmproxy/auth/synthesizer/file.go
  • pkg/llmproxy/auth/synthesizer/file_test.go
  • pkg/llmproxy/config/config.go
  • pkg/llmproxy/executor/antigravity_executor_buildrequest_test.go
  • pkg/llmproxy/executor/claude_executor_test.go
  • pkg/llmproxy/executor/payload_helpers.go
  • pkg/llmproxy/misc/claude_code_instructions.txt
  • pkg/llmproxy/misc/header_utils.go
  • pkg/llmproxy/thinking/provider/claude/apply.go
  • pkg/llmproxy/translator/claude/openai/chat-completions/claude_openai_request.go
  • pkg/llmproxy/translator/claude/openai/responses/claude_openai-responses_request.go
  • pkg/llmproxy/translator/codex/claude/codex_claude_request.go
  • pkg/llmproxy/translator/codex/claude/codex_claude_response.go
  • pkg/llmproxy/translator/codex/openai/responses/codex_openai-responses_response.go
  • pkg/llmproxy/translator/gemini-cli/claude/gemini-cli_claude_request.go
  • pkg/llmproxy/translator/gemini/claude/gemini_claude_request.go
  • pkg/llmproxy/translator/gemini/openai/responses/gemini_openai-responses_response.go
  • pkg/llmproxy/translator/openai/claude/openai_claude_response.go
  • pkg/llmproxy/translator/openai/gemini/openai_gemini_response.go
  • pkg/llmproxy/translator/openai/openai/chat-completions/openai_openai_response.go
  • pkg/llmproxy/translator/openai/openai/responses/openai_openai-responses_request.go
  • pkg/llmproxy/translator/openai/openai/responses/openai_openai-responses_response.go
  • pkg/llmproxy/watcher/clients.go
  • pkg/llmproxy/watcher/diff/config_diff.go
  • sdk/cliproxy/service.go

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'pre_merge_checks'

@KooshaPari KooshaPari merged commit a6c986d into main Mar 29, 2026
1 of 2 checks passed
@KooshaPari KooshaPari deleted the pr-465-squash branch April 3, 2026 01:28