fix(audit): add missing rows.Err() check after rows.Next() loop

scanAuditRows now surfaces iteration errors instead of silently returning partial results. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(handlers): add missing rows.Err() check in llm_billing_mode
2026-06-01 10:32:28 +00:00 · 2026-06-01 09:35:18 +00:00
2 changed files with 6 additions and 0 deletions
@@ -252,6 +252,9 @@ func scanAuditRows(rows *sql.Rows) ([]auditEventRow, error) {
 		}
 		result = append(result, ev)
 	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
 	return result, nil
 }

@@ -377,6 +377,9 @@ func readWorkspaceDeriveInputs(ctx context.Context, workspaceID string) (runtime
 			availableAuthEnv = append(availableAuthEnv, k)
 		}
 	}
+	if err := rows.Err(); err != nil {
+		log.Printf("llm_billing_mode: rows iteration error for %s: %v (deriving with partial model/auth-env)", workspaceID, err)
+	}
 	return runtime, model, availableAuthEnv
 }
Author	SHA1	Message	Date
Molecule AI Dev Engineer A (Kimi)	bb52d43dc1	fix(audit): add missing rows.Err() check after rows.Next() loop ci-arm64-advisory / fast-checks (pull_request) Waiting to run Details E2E Chat / detect-changes (pull_request) Failing after 1s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s Details E2E Chat / E2E Chat (pull_request) Has been skipped Details Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s Details Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s Details gate-check-v3 / gate-check (pull_request_target) Successful in 7s Details qa-review / approved (pull_request_target) Failing after 6s Details sop-checklist / review-refire (pull_request_target) Has been skipped Details CI / Python Lint & Test (pull_request) Successful in 11s Details sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2 Details sop-checklist / na-declarations (pull_request) N/A: (none) Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s Details security-review / approved (pull_request_target) Failing after 6s Details sop-checklist / all-items-acked (pull_request_target) Successful in 5s Details sop-tier-check / tier-check (pull_request_target) Successful in 4s Details Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s Details verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 23s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 23s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 25s Details CI / Detect changes (pull_request) Successful in 27s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s Details CI / Canvas (Next.js) (pull_request) Successful in 15s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m28s Details CI / Platform (Go) (pull_request) Successful in 3m56s Details CI / all-required (pull_request) Successful in 4m34s Details Harness Replays / detect-changes (pull_request) Failing after 1s Details Harness Replays / Harness Replays (pull_request) Has been skipped Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 17s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m22s Details audit-force-merge / audit (pull_request_target) Has been skipped Details scanAuditRows now surfaces iteration errors instead of silently returning partial results. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-01 10:32:28 +00:00
Molecule AI Dev Engineer A (Kimi)	d287eb56a6	fix(handlers): add missing rows.Err() check in llm_billing_mode ci-arm64-advisory / fast-checks (pull_request) Waiting to run Details E2E API Smoke Test / detect-changes (pull_request) Failing after 0s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 2s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Has been skipped Details Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s Details CI / Python Lint & Test (pull_request) Successful in 6s Details CI / Detect changes (pull_request) Successful in 7s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s Details Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 11s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s Details Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 15s Details Harness Replays / detect-changes (pull_request) Successful in 16s Details E2E Chat / detect-changes (pull_request) Successful in 16s Details CI / Canvas (Next.js) (pull_request) Successful in 6s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Harness Replays / Harness Replays (pull_request) Successful in 3s Details E2E Chat / E2E Chat (pull_request) Successful in 4s Details verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 25s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m4s Details CI / Platform (Go) (pull_request) Successful in 4m2s Details CI / all-required (pull_request) Successful in 4m22s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 0s Details sop-checklist / review-refire (pull_request_target) Has been skipped Details sop-checklist / all-items-acked (pull_request_target) Successful in 3s Details gate-check-v3 / gate-check (pull_request_target) Successful in 5s Details sop-tier-check / tier-check (pull_request_target) Successful in 4s Details sop-checklist / all-items-acked (pull_request) acked: 7/7 Details sop-checklist / na-declarations (pull_request) N/A: (none) Details sop-tier-check / tier-check (pull_request_review) Successful in 4s Details security-review / approved (pull_request_target) Successful in 13s Details qa-review / approved (pull_request_target) Successful in 14s Details audit-force-merge / audit (pull_request_target) Has been skipped Details readWorkspaceDeriveInputs iterated workspace_secrets via rows.Next() but never checked rows.Err() after the loop. A transient iteration error (network, cursor failure) would silently be ignored, causing the resolver to derive billing mode from a partial secret set. Add the standard post-Next rows.Err() check, logging the error and continuing with whatever was gathered (fail-closed: incomplete inputs cause DeriveProvider to default to platform_managed). Closes internal#734 CWE-78 follow-up (last missing check in handlers).	2026-06-01 09:35:18 +00:00