fix(sdk): reject Cloudflare-native model IDs, bridge multi-part auth env vars#397
Open
sentry-junior[bot] wants to merge 5 commits into
Open
fix(sdk): reject Cloudflare-native model IDs, bridge multi-part auth env vars#397sentry-junior[bot] wants to merge 5 commits into
sentry-junior[bot] wants to merge 5 commits into
@sentry/warden / warden
completed
Jun 5, 2026 in 7m 23s
1 issue
Medium
`findMissingCloudflareEnv` only checks the first set model field, skipping the Cloudflare env check when a non-Cloudflare `model` is paired with a Cloudflare `auxiliaryModel`/`synthesisModel` - `packages/warden/src/action/workflow/schedule.ts:182-184`
findMissingCloudflareEnv resolves a single model via target.model ?? target.auxiliaryModel ?? target.synthesisModel, so when model is a non-Cloudflare selector (e.g. anthropic/claude-...) and auxiliaryModel/synthesisModel is cloudflare-workers-ai/..., the provider guard sees only the primary model and skips validation. CLOUDFLARE_ACCOUNT_ID is never checked at startup and the user still hits the opaque runtime failure this PR aims to prevent.
Also found at:
packages/warden/src/cli/main.ts:10packages/warden/src/sdk/runtimes/model-selectors.ts:129packages/warden/src/action/triggers/executor.ts:138-140packages/warden/src/action/workflow/schedule.ts:18packages/warden/src/cli/main.ts:1531packages/warden/src/sdk/runtimes/model-selectors.test.ts:124
2 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 51.7s | $0.34 |
| code-review | 1 | 5m 34s | $3.24 |
⏱ 6m 26s · 1.8M in / 81.7k out · $3.58
Loading