Implement security validation to prevent HTTP header injection attacks:
- Reject header values containing \r or \n characters
- Add comprehensive test coverage for CRLF protection
- Replace multiline YAML test with proper rejection test
Security improvements:
- Validates header values to prevent header injection
- Clear warning messages when values are rejected
- Four new test cases covering LF, CR, CRLF, and multiline scenarios
This addresses a critical security concern where malicious headers
could be injected via newline characters in header values.
All 84 tests passing.
Address Copilot AI feedback:
- Remove underscore support from header names (RFC 7230 compliance)
- Add explicit null check for JSON parsing
- Update validation regex to /^[A-Za-z0-9-]+$/
- Add test case for null value handling
- Update documentation to clarify header name requirements
Changes:
- Header names now only accept alphanumeric characters and hyphens
- Improved error messages for invalid headers
- Added test for null JSON input
- Updated APIM example tests
All 81 tests passing.
This change adds support for custom HTTP headers in AI inference requests,
enabling integration with API Management platforms (Azure APIM, AWS API
Gateway, Kong, etc.) and custom request routing/tracking.
Features:
- New 'custom-headers' input supporting both YAML and JSON formats
- Auto-detection of input format for better UX
- Header name validation (alphanumeric, hyphens, underscores)
- Automatic masking of sensitive headers in logs
- Full backward compatibility (optional parameter)
Changes:
- Added parseCustomHeaders() function in helpers.ts
- Updated InferenceRequest interface with optional customHeaders field
- Modified simpleInference() and mcpInference() to pass headers to OpenAI client
- Added 18 comprehensive test cases
- Updated documentation with examples and use cases
All 80 tests passing. Zero breaking changes.
The temporary file created for response-file was being cleaned up
before downstream steps could access it. Now using keep: true to
ensure the file persists until the job completes.
Also added script/ to eslint ignores for the mock server.
In a tool loop, you can't set response_format because the model needs to
be able to think in plain English. But you still need the final response
to be in the desired format, so we add response_format only on the last
iteration.
