From 58893520a6fb2b4560a352302b9e9025d7b145b5 Mon Sep 17 00:00:00 2001
From: bussyjd
Date: Mon, 16 Feb 2026 22:54:42 +0400
Subject: [PATCH] fix(llm): rename APIKeyEnv to EnvVar to fix CodeQL false positive
CodeQL flagged ProviderStatus.APIKeyEnv as sensitive data being logged. The field only stores the env var name (e.g. "ANTHROPIC_API_KEY"), not the actual key. Rename to EnvVar to avoid triggering the heuristic.
---
 cmd/obol/llm.go | 4 ++--
 internal/llm/llm.go | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cmd/obol/llm.go b/cmd/obol/llm.go
index 7a5eada..5ea6af1 100644
--- a/cmd/obol/llm.go
+++ b/cmd/obol/llm.go
@@ -68,14 +68,14 @@ func llmCommand(cfg *config.Config) *cli.Command {
 for _, name := range providers {
 s := status[name]
 key := "n/a"
- if s.APIKeyEnv != "" {
+ if s.EnvVar != "" {
 if s.HasAPIKey {
 key = "set"
 } else {
 key = "missing"
 }
 }
- fmt.Printf(" %-12s %-8t %-10s %s\n", name, s.Enabled, key, s.APIKeyEnv)
+ fmt.Printf(" %-12s %-8t %-10s %s\n", name, s.Enabled, key, s.EnvVar)
 }
 return nil
 },
diff --git a/internal/llm/llm.go b/internal/llm/llm.go
index 9346438..356e160 100644
--- a/internal/llm/llm.go
+++ b/internal/llm/llm.go
@@ -29,7 +29,7 @@ var providerEnvKeys = map[string]string{
 type ProviderStatus struct {
 Enabled bool
 HasAPIKey bool
- APIKeyEnv string
+ EnvVar string // environment variable name (e.g. ANTHROPIC_API_KEY)
 }
 // ConfigureLLMSpy enables a cloud provider in the llmspy gateway.
@@ -116,7 +116,7 @@ func GetProviderStatus(cfg *config.Config) (map[string]ProviderStatus, error) {
 // Ollama needs no API key, so it's always considered "has key".
 // Cloud providers are updated below from the actual K8s Secret.
 HasAPIKey: name == "ollama",
- APIKeyEnv: keyEnv,
+ EnvVar: keyEnv,
 }
 }
 }
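Review bot: The new comment on `EnvVar` in `ProviderStatus` (internal/llm/llm.go) says what the field holds but not the invariant the rename now relies on: the field must only ever carry the variable name, never the key value. With the sensitive-looking name gone, a name-based check such as the CodeQL alert described in the commit message would presumably no longer flag this field, while the `fmt.Printf` in cmd/obol/llm.go still prints it to the terminal. I would extend the comment to something like `// EnvVar is the name of the environment variable (e.g. ANTHROPIC_API_KEY); it must never hold the key value, because the CLI prints it.` so a later change that stores the secret here is caught in review.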
@@ -135,7 +135,7 @@ func GetProviderStatus(cfg *config.Config) (map[string]ProviderStatus, error) {
 for provider, envKey := range providerEnvKeys {
 st := status[provider]
- st.APIKeyEnv = envKey
+ st.EnvVar = envKey
 if v, ok := secret.Data[envKey]; ok && strings.TrimSpace(v) != "" {
 st.HasAPIKey = true
 }