fix: harden scene routing and chat auth

Fail closed when configured scenes are missing and ensure the chat auth filter covers the exact /api/chat endpoint.

Author: HandleCoding

application/src/main/java/io/github/huskyagent/application/channel/binding/ChannelSceneRouter.java

@@ -21,6 +21,7 @@ public class ChannelSceneRouter {
 
     public EffectiveChannelRoute resolve(InboundMessage inbound) {
         if (inbound != null && !isBlank(inbound.getSceneId()) && bindingResolver.allowsExplicitSceneOverride(inbound.getChannelIdentity())) {
+            requireScene(inbound.getSceneId(), "explicit scene override");
             return new EffectiveChannelRoute(inbound.getSceneId(), null, EffectiveChannelRoute.Source.EXPLICIT);
         }
 
@@ -30,32 +31,37 @@ public EffectiveChannelRoute resolve(InboundMessage inbound) {
         Optional<ChannelInstanceBinding> binding = configuredBinding.filter(ChannelInstanceBinding::enabled);
         if (binding.isPresent()) {
             ChannelInstanceBinding value = binding.get();
-            if (sceneExists(value.sceneId())) {
-                return new EffectiveChannelRoute(value.sceneId(), value.bindingId(), EffectiveChannelRoute.Source.BINDING);
-            }
-            log.warn("Ignoring channel binding with unknown scene: bindingId={}, sceneId={}", value.bindingId(), value.sceneId());
+            requireScene(value.sceneId(), "channel binding " + value.bindingId());
+            return new EffectiveChannelRoute(value.sceneId(), value.bindingId(), EffectiveChannelRoute.Source.BINDING);
         }
 
         String legacyScene = legacyDefaultScene(inbound, configuredBinding.isEmpty());
         if (!isBlank(legacyScene)) {
+            requireScene(legacyScene, "legacy channel default");
             return new EffectiveChannelRoute(legacyScene, null, EffectiveChannelRoute.Source.CHANNEL_LEGACY_DEFAULT);
         }
 
         Optional<String> globalDefault = bindingResolver.defaultScene();
-        if (globalDefault.isPresent() && sceneExists(globalDefault.get())) {
+        if (globalDefault.isPresent()) {
+            requireScene(globalDefault.get(), "channel binding global default");
             return new EffectiveChannelRoute(globalDefault.get(), null, EffectiveChannelRoute.Source.GLOBAL_DEFAULT);
         }
-        globalDefault.ifPresent(sceneId -> log.warn("Ignoring channel binding global default with unknown scene: sceneId={}", sceneId));
 
         return new EffectiveChannelRoute(sceneResolver.resolveDefault().getSceneId(), null, EffectiveChannelRoute.Source.SCENE_DEFAULT);
     }
 
-    private boolean sceneExists(String sceneId) {
+    private void requireScene(String sceneId, String source) {
         if (isBlank(sceneId)) {
-            return false;
+            throw new IllegalArgumentException("Missing scene for " + source);
+        }
+        try {
+            SceneConfig resolved = sceneResolver.resolve(sceneId);
+            if (resolved == null || !sceneId.equals(resolved.getSceneId())) {
+                throw new IllegalArgumentException("Unknown scene for " + source + ": " + sceneId);
+            }
+        } catch (IllegalArgumentException e) {
+            throw new IllegalArgumentException("Unknown scene for " + source + ": " + sceneId, e);
         }
-        SceneConfig resolved = sceneResolver.resolve(sceneId);
-        return resolved != null && sceneId.equals(resolved.getSceneId());
     }
 
     private String legacyDefaultScene(InboundMessage inbound, boolean noConfiguredBinding) {

application/src/main/java/io/github/huskyagent/application/scene/ConfigSceneResolver.java

@@ -24,7 +24,10 @@ public class ConfigSceneResolver implements SceneResolver {
     private final ConcurrentHashMap<String, SceneConfig> resolved = new ConcurrentHashMap<>();
 
     public SceneConfig resolve(String sceneId) {
-        String effectiveSceneId = sceneId != null && configs.containsKey(sceneId) ? sceneId : defaultScene;
+        String effectiveSceneId = sceneId != null && !sceneId.isBlank() ? sceneId : defaultScene;
+        if (effectiveSceneId == null || effectiveSceneId.isBlank() || !configs.containsKey(effectiveSceneId)) {
+            throw new IllegalArgumentException("Unknown scene: " + effectiveSceneId);
+        }
         return resolved.computeIfAbsent(effectiveSceneId, this::buildSceneConfig);
     }
 

application/src/test/java/io/github/huskyagent/application/channel/binding/ChannelSceneRouterTest.java

@@ -115,14 +115,13 @@ void globalDefaultAppliesBeforeSceneDefault() {
     }
 
     @Test
-    void unknownBindingSceneFallsBackToLegacyDefault() {
+    void unknownBindingSceneFailsClosed() {
         ChannelSceneRouter router = router(binding("bad-binding", "missing-scene"), Optional.empty(), "scene-default");
         InboundMessage inbound = inbound(ChannelType.FEISHU, "cli_assistant", "feishu-qa");
 
-        EffectiveChannelRoute route = router.resolve(inbound);
+        IllegalArgumentException error = assertThrows(IllegalArgumentException.class, () -> router.resolve(inbound));
 
-        assertEquals("feishu-qa", route.sceneId());
-        assertEquals(EffectiveChannelRoute.Source.CHANNEL_LEGACY_DEFAULT, route.source());
+        assertTrue(error.getMessage().contains("missing-scene"));
     }
 
     private ChannelSceneRouter router(Optional<ChannelInstanceBinding> binding,
@@ -159,12 +158,11 @@ public boolean allowsExplicitSceneOverride(ChannelIdentity identity) {
         SceneResolver sceneResolver = new SceneResolver() {
             @Override
             public SceneConfig resolve(String sceneId) {
-                SceneConfig config = new SceneConfig();
                 if (sceneId == null || "missing-scene".equals(sceneId)) {
-                    config.setSceneId(sceneDefault);
-                } else {
-                    config.setSceneId(sceneId);
+                    throw new IllegalArgumentException("Unknown scene: " + sceneId);
                 }
+                SceneConfig config = new SceneConfig();
+                config.setSceneId(sceneId);
                 return config;
             }
 

application/src/test/java/io/github/huskyagent/application/scene/ConfigSceneResolverTest.java

@@ -0,0 +1,33 @@
+package io.github.huskyagent.application.scene;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.LinkedHashMap;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class ConfigSceneResolverTest {
+
+    @Test
+    void unknownSceneFailsClosed() {
+        ConfigSceneResolver resolver = new ConfigSceneResolver();
+        LinkedHashMap<String, ConfigSceneResolver.SceneProperties> configs = new LinkedHashMap<>();
+        configs.put("assistant", new ConfigSceneResolver.SceneProperties());
+        resolver.setConfigs(configs);
+
+        IllegalArgumentException error = assertThrows(IllegalArgumentException.class, () -> resolver.resolve("missing"));
+
+        assertEquals("Unknown scene: missing", error.getMessage());
+    }
+
+    @Test
+    void blankSceneUsesDefaultScene() {
+        ConfigSceneResolver resolver = new ConfigSceneResolver();
+        LinkedHashMap<String, ConfigSceneResolver.SceneProperties> configs = new LinkedHashMap<>();
+        configs.put("assistant", new ConfigSceneResolver.SceneProperties());
+        resolver.setConfigs(configs);
+
+        assertEquals("assistant", resolver.resolve(" ").getSceneId());
+    }
+}

service/src/main/java/io/github/huskyagent/service/auth/ApiKeyAuthFilter.java

@@ -121,7 +121,7 @@ public static FilterRegistrationBean<ApiKeyAuthFilter> registrationBean(AuthConf
                                                                             OpenAiCompatibleProperties openAiProperties) {
         FilterRegistrationBean<ApiKeyAuthFilter> registration = new FilterRegistrationBean<>();
         registration.setFilter(new ApiKeyAuthFilter(authConfig, openAiProperties));
-        registration.addUrlPatterns("/api/chat/*", "/v1/*");
+        registration.addUrlPatterns("/api/chat", "/api/chat/*", "/v1/*");
         registration.setOrder(Ordered.HIGHEST_PRECEDENCE + 10);
         registration.setName("apiKeyAuthFilter");
         return registration;

service/src/main/resources/application.yml

@@ -286,6 +286,7 @@ chatbot:
   enabled: true
 
 # Scene configuration
+# Scene rate-limit fields are parsed into RuntimePolicy but are not enforced yet.
 scenes:
   default-scene: assistant
   configs:

service/src/test/java/io/github/huskyagent/service/auth/ApiKeyAuthFilterTest.java

@@ -77,6 +77,17 @@ void openAiPathReturnsOpenAiErrorShapeForInvalidKey() throws Exception {
         assertTrue(response.getContentAsString().contains("authentication_error"));
     }
 
+    @Test
+    void registrationCoversApiChatEndpointWithoutTrailingSlash() {
+        AuthConfig authConfig = new AuthConfig();
+        authConfig.setEnabled(true);
+        OpenAiCompatibleProperties properties = new OpenAiCompatibleProperties();
+
+        var registration = ApiKeyAuthFilter.registrationBean(authConfig, properties);
+
+        assertTrue(registration.getUrlPatterns().contains("/api/chat"));
+    }
+
     private ApiKeyAuthFilter newFilter() {
         AuthConfig authConfig = new AuthConfig();
         authConfig.setEnabled(true);