
Mode detection is silent — invalid API key auto-enters cloud mode and fails #17

@AndresL230

Description


Severity: Medium
Affected repos: middleware-node, middleware-python
Component boundary: middleware init / transport mode selection

Symptom

Mode is selected by Boolean(config.apiKey). Any truthy string enters cloud mode, including the literal string "undefined" (a missing env var that was stringified without being checked) or the bare prefix "rc-" with nothing after it. The first flush then 401s, and the SDK silently drops the data (high/08).

Evidence

  • middleware-node/src/core/transport.ts: mode = config.apiKey ? "cloud" : "local".
  • middleware-python/recost/_transport.py: same shape.
  • Neither SDK validates the format of apiKey (length, rc- prefix) before committing to cloud mode.

Impact

  • Misconfiguration is silent. Common shape: apiKey: process.env.RECOST_API_KEY where the env var is undefined; in Node, undefined is falsy so it falls back to local — but the literal string "undefined" (from someone reading from a config file) is truthy.
  • No early feedback to the developer: the failure only surfaces at the first flush, as a 401 that the SDK swallows.

Fix recommendation

In init():

// Runs before mode selection; an undefined apiKey still means local mode.
if (config.apiKey !== undefined) {
  // Note: startsWith("rc-") alone still accepts the bare "rc-" from the Symptom above;
  // add a minimum-length check if that case matters.
  if (typeof config.apiKey !== "string" || !config.apiKey.startsWith("rc-")) {
    throw new Error(
      `ReCost: apiKey must be a string beginning with "rc-". Got: ${typeof config.apiKey === "string" ? config.apiKey.slice(0, 8) + "..." : typeof config.apiKey}`
    );
  }
}

Same in Python (isinstance(api_key, str) and api_key.startswith("rc-")).
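Worked example of the two shapes side by side, added here for illustration and not code from middleware-node or middleware-python. selectModeLegacy reproduces the truthiness check from the Evidence section; resolveTransportMode is one way to implement the recommended validation. The names RecostConfig, ReCostConfigError, resolveTransportMode, initErrorMessage and the minimum key length are assumptions, as is the choice to report the length and prefix status of a rejected key instead of echoing part of its value, so that a secret for some other service pasted into the wrong field does not end up in logs.

```typescript
// Added example (not the project's own code): hardened mode selection for init().
// RecostConfig, ReCostConfigError, resolveTransportMode, initErrorMessage and
// MIN_KEY_LENGTH are assumed names/values for illustration.

type TransportMode = "local" | "cloud";

interface RecostConfig {
  // `unknown` on purpose: config may be loaded from JSON/YAML, not only typed code.
  apiKey?: unknown;
}

// Shape reported in the issue: any truthy value selects cloud mode,
// so the literal string "undefined" or a bare "rc-" goes to cloud and 401s later.
function selectModeLegacy(config: RecostConfig): TransportMode {
  return config.apiKey ? "cloud" : "local";
}

const KEY_PREFIX = "rc-";
// Assumed minimum length. Real keys are longer than the bare prefix, which
// a startsWith() check alone does not catch.
const MIN_KEY_LENGTH = 8;

class ReCostConfigError extends Error {
  constructor(message: string) {
    super(`ReCost: ${message}`);
    this.name = "ReCostConfigError";
  }
}

// Returns "local" only when apiKey is genuinely absent (undefined or null).
// Anything else must be a well-formed key, otherwise init() fails fast with a
// message that explains the problem without leaking the rejected value.
function resolveTransportMode(config: RecostConfig): TransportMode {
  const key = config.apiKey;
  if (key === undefined || key === null) return "local";
  if (typeof key !== "string") {
    throw new ReCostConfigError(
      `apiKey must be a string beginning with "${KEY_PREFIX}". Got: ${typeof key}`
    );
  }
  if (key === "undefined" || key === "null") {
    // The strings a stringified missing value turns into (config file, template, shell).
    throw new ReCostConfigError(
      `apiKey is the literal string "${key}"; the environment variable or config entry is probably unset`
    );
  }
  if (!key.startsWith(KEY_PREFIX) || key.length < MIN_KEY_LENGTH) {
    // Report shape, not content: the value may be a valid secret for another service.
    const prefixStatus = key.startsWith(KEY_PREFIX) ? "with" : "without";
    throw new ReCostConfigError(
      `apiKey must be a string beginning with "${KEY_PREFIX}" and at least ${MIN_KEY_LENGTH} characters ` +
        `(got ${key.length} characters ${prefixStatus} the prefix)`
    );
  }
  return "cloud";
}

// Helper for the verification cases: the init() error message, or null if init() proceeds.
function initErrorMessage(config: RecostConfig): string | null {
  try {
    resolveTransportMode(config);
    return null;
  } catch (e) {
    return e instanceof ReCostConfigError ? e.message : String(e);
  }
}
```

With this shape, `init({ apiKey: "undefined" })` and `init({ apiKey: "rc-" })` both throw at startup, `init({ apiKey: "rc-abc123" })` proceeds into cloud mode, and an absent key still selects local mode; an empty string is rejected rather than silently treated as "unset", matching the recommendation above.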

Verification

  • init({ apiKey: "undefined" }) throws with a useful message.
  • init({ apiKey: "rc-abc123" }) proceeds.

Related

Parity with recost-dev/middleware-node#18. Same validation shape applies on the Python side.
