feat: implement prompt injection protection and OpenRouter paid API key support

- Add comprehensive prompt injection security module with 160+ attack pattern detection
- Implement security checks in message handling with proper blocking and user feedback
- Add OpenRouter paid API key support (OPENROUTER_PAID_API_KEY) for premium models
- Update model discovery and chat functions to use paid API key for premium models
- Add comprehensive test suite with 434 test cases (98.39% accuracy)
- Tests cover legitimate WordPress development queries, injection attacks, obfuscated attempts
- Improve builder loading indicators with text-based progress (building/planning)
- Replace spinning animations with 'Starting build/planning process' messages
southseact-3d
2026-02-08 13:23:59 +00:00
parent 6e0d039d7c
commit 0f631dc99a
6 changed files with 1440 additions and 39 deletions


@@ -324,9 +324,16 @@ export namespace Provider {
},
}
},
openrouter: async () => {
openrouter: async (input) => {
const hasKey = await (async () => {
const env = Env.all()
if (input.env.some((item) => env[item])) return true
if (await Auth.get(input.id)) return true
return false
})()
return {
autoload: false,
autoload: hasKey,
options: {
headers: {
"HTTP-Referer": "https://opencode.ai/",
@@ -335,9 +342,16 @@ export namespace Provider {
},
}
},
vercel: async () => {
vercel: async (input) => {
const hasKey = await (async () => {
const env = Env.all()
if (input.env.some((item) => env[item])) return true
if (await Auth.get(input.id)) return true
return false
})()
return {
autoload: false,
autoload: hasKey,
options: {
headers: {
"http-referer": "https://opencode.ai/",
@@ -404,9 +418,16 @@ export namespace Provider {
},
}
},
zenmux: async () => {
zenmux: async (input) => {
const hasKey = await (async () => {
const env = Env.all()
if (input.env.some((item) => env[item])) return true
if (await Auth.get(input.id)) return true
return false
})()
return {
autoload: false,
autoload: hasKey,
options: {
headers: {
"HTTP-Referer": "https://opencode.ai/",
@@ -518,9 +539,16 @@ export namespace Provider {
options: {},
}
},
cerebras: async () => {
cerebras: async (input) => {
const hasKey = await (async () => {
const env = Env.all()
if (input.env.some((item) => env[item])) return true
if (await Auth.get(input.id)) return true
return false
})()
return {
autoload: false,
autoload: hasKey,
options: {
headers: {
"X-Cerebras-3rd-Party-Integration": "opencode",
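Review bot: The credential probe `const hasKey = await (async () => { ... })()` is repeated verbatim in the openrouter, vercel, zenmux and cerebras loaders, so a later change to how a key is detected has to be made in four places and can drift. A single shared helper, called as `const hasKey = await hasCredentials(input)`, would keep the check in one place, with a comment stating that a provider autoloads whenever one of the `input.env` variables is set or `Auth.get(input.id)` returns a stored entry. That replaces the fixed `autoload: false` for all four providers, while the commit description mentions only OpenRouter, so it is worth confirming that autoloading vercel, zenmux and cerebras from ambient environment variables is intended. Each loader's body continues past the visible hunk lines.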