- QQBot: report malformed access-token JSON with provider-owned errors instead of leaking raw parser failures.

- OpenAI embeddings: report malformed batch output JSONL with provider-owned errors instead of leaking raw parser failures.

- Synology Chat: report malformed JSON webhook payloads with stable channel-owned parser errors.

- Mattermost: report malformed interaction callback JSON with stable channel-owned parser errors.

- Models config/auth: stop inferring provider env-var markers from broad `^[A-Z_][A-Z0-9_]*$` strings, and resolve config-backed provider `apiKey` values only through structured env SecretRefs (`secrets.providers[id]` / `secrets.defaults`), so unrelated env vars cannot accidentally become provider credentials. Thanks @sallyom.

- Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @shakkernerd.

- CLI/onboarding: forward provider-specific auth flags (e.g. `--openai-api-key`) through the onboarding wizard so they reach provider auth methods via `ctx.opts`, letting `--openai-api-key "$OPENAI_API_KEY"` skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @sjf.

remoteAddress?: string;

headers?: Record<string, string>;

}): IncomingMessage {

const body = params.body === undefined ? "" : JSON.stringify(params.body);

const body =

params.body === undefined

? ""

: typeof params.body === "string"

? params.body

: JSON.stringify(params.body);

const listeners = new Map<string, Array<(...args: unknown[]) => void>>();

const req = {

expectSuccessfulApprovalUpdate(res, requestLog);

});

it("rejects malformed JSON callback requests with a stable parser error", async () => {

const log = vi.fn();

const handler = createMattermostInteractionHandler({

client: createMattermostClientMock(async () => {

throw new Error("unexpected client request");

}),

botUserId: "bot",

accountId: "acct",

log,

});

const res = await runHandler(handler, { body: "{not json" });

expect(res.statusCode).toBe(400);

expect(res.body).toBe(JSON.stringify({ error: "Invalid request body" }));

expect(log).toHaveBeenCalledWith(

"mattermost interaction: failed to parse body: Error: Mattermost interaction body was malformed JSON",

);

});

it("accepts forwarded Mattermost source IPs from a trusted proxy", async () => {

const { res } = await runApproveInteraction({

allowedSourceIps: ["198.51.100.8"],

const { client, accountId, log } = params;

const core = getMattermostRuntime();

function parseInteractionPayload(raw: string): MattermostInteractionPayload {

try {

return JSON.parse(raw) as MattermostInteractionPayload;

} catch {

throw new Error("Mattermost interaction body was malformed JSON");

}

}

return async (req: IncomingMessage, res: ServerResponse) => {

// Only accept POST

if (req.method !== "POST") {

let payload: MattermostInteractionPayload;

try {

const raw = await readInteractionBody(req);

payload = JSON.parse(raw) as MattermostInteractionPayload;

payload = parseInteractionPayload(raw);

} catch (err) {

log?.(`mattermost interaction: failed to parse body: ${String(err)}`);

res.statusCode = 400;