From f48288bf2e4206427719cfc059237c1de72825c6 Mon Sep 17 00:00:00 2001
From: Rodin
Date: Sun, 3 May 2026 08:42:08 -0700
Subject: [PATCH] =?UTF-8?q?fix:=20address=20review=20feedback=20=E2=80=94?= =?UTF-8?q?=20tokens,=20secrets,=20no=20hardcoded=20IPs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix token_secret for gpt41/gpt5-mini/gpt41-mini: use GPT_REVIEW_TOKEN instead of SONNET_REVIEW_TOKEN (wrong reviewer identity)
- Move LLM base URL back to secrets.LLM_BASE_URL (prevents exfiltration via PR-controlled matrix values)
- Remove hardcoded internal IP from workflow file; only provider path suffix (/anthropic/v1, /openai/v1) remains in matrix

Addresses: security-review-bot REQUEST_CHANGES (major: exfiltration risk, minor: HTTP/hardcoded IP) and sonnet-review-bot REQUEST_CHANGES (major: wrong token_secret on gpt entries).
---
.gitea/workflows/ci.yml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 494af11..39e0065 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -29,32 +29,32 @@ jobs:
 - name: sonnet
 token_secret: SONNET_REVIEW_TOKEN
 provider: anthropic
- base_url: http://100.86.77.84:6655/anthropic/v1
+ llm_path: /anthropic/v1
 model: claude-sonnet-4-6
 - name: gpt
 token_secret: GPT_REVIEW_TOKEN
 provider: openai
- base_url: http://100.86.77.84:6655/openai/v1
+ llm_path: /openai/v1
 model: gpt-5
 - name: gpt41
- token_secret: SONNET_REVIEW_TOKEN
+ token_secret: GPT_REVIEW_TOKEN
 provider: openai
- base_url: http://100.86.77.84:6655/openai/v1
+ llm_path: /openai/v1
 model: gpt-4.1
 - name: gpt5-mini
- token_secret: SONNET_REVIEW_TOKEN
+ token_secret: GPT_REVIEW_TOKEN
 provider: openai
- base_url: http://100.86.77.84:6655/openai/v1
+ llm_path: /openai/v1
 model: gpt-5-mini
 - name: gpt41-mini
- token_secret: SONNET_REVIEW_TOKEN
+ token_secret: GPT_REVIEW_TOKEN
 provider: openai
- base_url: http://100.86.77.84:6655/openai/v1
+ llm_path: /openai/v1
 model: gpt-4.1-mini
 - name: security
 token_secret: SECURITY_REVIEW_TOKEN
 provider: openai
- base_url: http://100.86.77.84:6655/openai/v1
+ llm_path: /openai/v1
 model: gpt-5
 system_prompt_file: SECURITY_REVIEW.md
 steps:
@@ -70,7 +70,7 @@ jobs:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}
 REVIEWER_NAME: ${{ matrix.name }}
- LLM_BASE_URL: ${{ matrix.base_url }}
+ LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}${{ matrix.llm_path }}
 LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
 LLM_MODEL: ${{ matrix.model }}
 LLM_PROVIDER: ${{ matrix.provider }}
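Review bot: After this change the `gpt`, `gpt41`, `gpt5-mini` and `gpt41-mini` entries all set `token_secret: GPT_REVIEW_TOKEN`, so four matrix jobs act under one reviewer account. If the review step (outside this hunk) replaces or dismisses earlier reviews per account, those jobs may overwrite one another, which is worth confirming before merge. `token_secret` is a free-form secret name with nothing tying it to `name`, which is presumably how the wrong identity got in originally. A comment above the list such as `# token_secret: secret holding THIS reviewer's own token; llm_path: fixed path suffix, must start with "/"` would document the contract. The matrix block itself starts above the hunk.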
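Review bot: The new `LLM_BASE_URL` is a plain concatenation of `secrets.LLM_BASE_URL` and `matrix.llm_path`, so nothing guarantees the result keeps the secret's host; a suffix that does not begin with `/` is parsed as part of the authority rather than the path. Whether the matrix is PR-controlled depends on the workflow trigger, which is outside this hunk; if it is, the consuming script should parse the final URL and refuse to send `LLM_API_KEY` unless scheme and host match the secret's. The same exposure remains on the unchanged line `REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}`, where a matrix value chooses which secret is read. Moving the address into a secret also hides the scheme from review, so the earlier HTTP finding is resolved only if the stored value is `https://`. A comment such as `# secrets.LLM_BASE_URL: https origin, no trailing slash` would record that requirement.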