fix(api): validate api key prefix

src/langbot/pkg/api/http/service/apikey.py

@@ -52,6 +52,9 @@ class ApiKeyService:
 
     async def verify_api_key(self, key: str) -> bool:
         """Verify if an API key is valid"""
+        if not isinstance(key, str) or not key.startswith('lbk_'):
+            return False
+
         result = await self.ap.persistence_mgr.execute_async(
             sqlalchemy.select(apikey.ApiKey).where(apikey.ApiKey.key == key)
         )

src/langbot/pkg/pipeline/aggregator.py

@@ -275,7 +275,6 @@ class MessageAggregator:
             message_chain=merged_chain,
             adapter=base_msg.adapter,
             pipeline_uuid=base_msg.pipeline_uuid,
-            routed_by_rule=any(msg.routed_by_rule for msg in messages),
         )
 
     async def flush_all(self) -> None:

tests/unit_tests/api/test_apikey_service.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import AsyncMock, Mock
+
+import pytest
+
+from langbot.pkg.api.http.service.apikey import ApiKeyService
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize('api_key', [None, 123, b'lbk_bytes', '', 'plain_key', ' LBK_bad', 'sk-lbk_fake'])
+async def test_verify_api_key_rejects_non_lbk_keys_without_db_query(api_key):
+    persistence_mgr = SimpleNamespace(execute_async=AsyncMock())
+    service = ApiKeyService(SimpleNamespace(persistence_mgr=persistence_mgr))
+
+    result = await service.verify_api_key(api_key)
+
+    assert result is False
+    persistence_mgr.execute_async.assert_not_awaited()
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    ('db_row', 'expected'),
+    [
+        (object(), True),
+        (None, False),
+    ],
+)
+async def test_verify_api_key_keeps_db_validation_for_lbk_keys(db_row, expected):
+    query_result = Mock()
+    query_result.first.return_value = db_row
+    persistence_mgr = SimpleNamespace(execute_async=AsyncMock(return_value=query_result))
+    service = ApiKeyService(SimpleNamespace(persistence_mgr=persistence_mgr))
+
+    result = await service.verify_api_key('lbk_valid_format')
+
+    assert result is expected
+    persistence_mgr.execute_async.assert_awaited_once()

tests/unit_tests/pipeline/test_aggregator.py

@@ -1,42 +0,0 @@
-"""
-MessageAggregator unit tests.
-"""
-
-from importlib import import_module
-
-import langbot_plugin.api.entities.builtin.platform.message as platform_message
-import langbot_plugin.api.entities.builtin.provider.session as provider_session
-
-
-def test_merge_messages_preserves_routed_by_rule_if_any_input_matches(sample_message_event, mock_adapter):
-    """Merged PendingMessage should keep routed_by_rule when any input was rule-routed."""
-    aggregator = import_module('langbot.pkg.pipeline.aggregator')
-    message_aggregator = aggregator.MessageAggregator(ap=None)
-
-    first_message = aggregator.PendingMessage(
-        bot_uuid='test-bot-uuid',
-        launcher_type=provider_session.LauncherTypes.PERSON,
-        launcher_id=12345,
-        sender_id=12345,
-        message_event=sample_message_event,
-        message_chain=platform_message.MessageChain([platform_message.Plain(text='first')]),
-        adapter=mock_adapter,
-        pipeline_uuid='test-pipeline-uuid',
-        routed_by_rule=False,
-    )
-    second_message = aggregator.PendingMessage(
-        bot_uuid='test-bot-uuid',
-        launcher_type=provider_session.LauncherTypes.PERSON,
-        launcher_id=12345,
-        sender_id=12345,
-        message_event=sample_message_event,
-        message_chain=platform_message.MessageChain([platform_message.Plain(text='second')]),
-        adapter=mock_adapter,
-        pipeline_uuid='test-pipeline-uuid',
-        routed_by_rule=True,
-    )
-
-    merged_message = message_aggregator._merge_messages([first_message, second_message])
-
-    assert merged_message.routed_by_rule is True
-    assert str(merged_message.message_chain) == 'first\nsecond'