From d287eb56a619f597010c963cc882084759742890 Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Mon, 1 Jun 2026 09:35:18 +0000 Subject: [PATCH] fix(handlers): add missing rows.Err() check in llm_billing_mode readWorkspaceDeriveInputs iterated workspace_secrets via rows.Next() but never checked rows.Err() after the loop. A transient iteration error (network, cursor failure) would silently be ignored, causing the resolver to derive billing mode from a partial secret set. Add the standard post-Next rows.Err() check, logging the error and continuing with whatever was gathered (fail-closed: incomplete inputs cause DeriveProvider to default to platform_managed). Closes internal#734 CWE-78 follow-up (last missing check in handlers). --- workspace-server/internal/handlers/llm_billing_mode.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/workspace-server/internal/handlers/llm_billing_mode.go b/workspace-server/internal/handlers/llm_billing_mode.go index af8aafadf..1576ea548 100644 --- a/workspace-server/internal/handlers/llm_billing_mode.go +++ b/workspace-server/internal/handlers/llm_billing_mode.go @@ -377,6 +377,9 @@ func readWorkspaceDeriveInputs(ctx context.Context, workspaceID string) (runtime availableAuthEnv = append(availableAuthEnv, k) } } + if err := rows.Err(); err != nil { + log.Printf("llm_billing_mode: rows iteration error for %s: %v (deriving with partial model/auth-env)", workspaceID, err) + } return runtime, model, availableAuthEnv } -- 2.52.0