
#22873: fix(tools): enforce global inline-secret blocking for tool inputs

by Kansodata (open), 2026-02-21 19:32

Labels: docs, gateway, scripts, agents, size: L
## Summary

- Problem: tools could receive inline credential-like params (`apiKey`, `password`, `accessToken`, etc.) from model/user calls.
- Why it matters: inline secrets increase leakage risk and bypass config/env/auth-profile boundaries.
- What changed:
  - Added global detector: `src/agents/tool-inline-secret-policy.ts`.
  - Enforced in runtime hook gate: `src/agents/pi-tools.before-tool-call.ts`.
  - Enforced in HTTP gateway path: `src/gateway/tools-invoke-http.ts`.
  - Added tests for detector, hook blocking, and gateway rejection.
- Scope boundary: no provider/plugin credential storage changes; this is execution-time input enforcement.

## Change Type

- [x] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [x] Security hardening
- [ ] Chore/infra

## Scope

- [x] Skills / tool execution
- [x] API / contracts
- [ ] Gateway / orchestration
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] UI / DX
- [ ] CI/CD / infra

## Security Impact

- New permissions/capabilities? (No)
- Secrets/tokens handling changed? (Yes)
- New/changed network calls? (No)
- Command/tool execution surface changed? (Yes)
- Data access scope changed? (No)

If any Yes, explain risk + mitigation:

- Runtime now blocks inline secret-like args and returns explicit errors to force safer credential sources.

## Repro + Verification

Steps:

1. Call a tool with inline secret-like args (e.g. `{ "apiKey": "..." }`).
2. Observe tool call is blocked before execution.

Expected:

- 400/tool_error in HTTP path and blocked execution in runtime path.

Actual:

- Inline secret-like params are rejected with a clear remediation message.

Evidence:

- `pnpm vitest run src/agents/tool-inline-secret-policy.test.ts src/gateway/tools-invoke-http.test.ts`
- `pnpm vitest run --config vitest.e2e.config.ts src/agents/pi-tools.before-tool-call.e2e.test.ts`
- `pnpm check`

### Greptile Summary

This PR adds global inline-secret blocking for tool inputs to prevent credential leakage risks.

The implementation introduces a new detector (`tool-inline-secret-policy.ts`) that scans tool parameters for sensitive keys like `apiKey`, `password`, `token`, etc., and enforces blocking at two critical execution points:

- **Runtime hook path**: enforced in `pi-tools.before-tool-call.ts` via `wrapToolWithBeforeToolCallHook`
- **HTTP gateway path**: enforced in `tools-invoke-http.ts` before tool execution

The detector uses a comprehensive heuristic approach with case-insensitive normalized key matching, recursive traversal of nested objects/arrays, and circular reference protection. It includes an allowlist for non-secret resource identifiers (e.g., `fileToken`, `pageToken`) and an emergency bypass via environment variable.

The PR also includes a clean refactor that extracts gateway startup config logic into `startup-config.ts` and adds a method catalog consistency test to ensure all gateway handlers are properly tracked.

Test coverage is thorough with unit tests for the detector, E2E tests for runtime hook blocking, and HTTP integration tests for gateway rejection.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The implementation is well-designed with dual enforcement paths (runtime hook + HTTP gateway), comprehensive test coverage, and defensive coding patterns. The detector logic is sound with proper circular reference handling, and the refactor cleanly extracts startup config without changing behavior. No bypass paths exist, and the emergency escape hatch is properly gated.
- No files require special attention

Last reviewed commit: 520f616
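The PR description and the review summary above describe the detector's behaviour (case-insensitive normalized key matching, recursive traversal of nested objects and arrays, circular-reference protection, an allowlist for identifiers such as `fileToken`/`pageToken`, and an env-variable bypass) without showing its code. The block below is an added illustration of that design written for this page; it is not the code from `tool-inline-secret-policy.ts` or any other file in the PR. The key list, the allowlist entries beyond `fileToken`/`pageToken`, the `substring`-style matching, the bypass variable name `TOOL_INLINE_SECRET_BYPASS_EXAMPLE`, the function names and the sample tool call are all assumptions constructed for the example.

```typescript
// Added example of an inline-secret detector for tool inputs.
// Not the project's code; every name below is an assumption.

// Secret-like keys, compared after normalization (assumed list).
const SECRET_KEYS = [
  "apikey", "password", "passwd", "secret", "token", "accesstoken",
  "refreshtoken", "clientsecret", "privatekey", "authorization",
];

// Resource identifiers that end in "token" but are not credentials
// (fileToken and pageToken come from the PR text; the rest is assumed).
const ALLOWLIST = new Set(["filetoken", "pagetoken", "continuationtoken"]);

// Hypothetical emergency-bypass variable; the real project's name is not on this page.
const BYPASS_ENV = "TOOL_INLINE_SECRET_BYPASS_EXAMPLE";

interface Finding { path: string; key: string; }
type CheckResult = { ok: true } | { ok: false; error: string };

// "API_KEY", "api-key" and "ApiKey" all normalize to "apikey".
function normalizeKey(key: string): string {
  return key.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Exact or suffix match, so "x-api-key" and "dbPassword" are caught,
// while allowlisted identifiers such as "pageToken" are let through.
function isSecretKey(normalized: string): boolean {
  if (ALLOWLIST.has(normalized)) return false;
  return SECRET_KEYS.some((s) => normalized === s || normalized.endsWith(s));
}

// Walks nested objects/arrays and reports every key that looks like a
// credential and carries a non-empty string value. A WeakSet guards
// against circular references.
function findInlineSecrets(input: unknown): Finding[] {
  const findings: Finding[] = [];
  const seen = new WeakSet<object>();

  const walk = (node: unknown, path: string): void => {
    if (node === null || typeof node !== "object") return;
    if (seen.has(node)) return;          // already visited: cycle or shared reference
    seen.add(node);

    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
      return;
    }
    for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
      const childPath = path ? `${path}.${key}` : key;
      if (typeof value === "string" && value.length > 0 && isSecretKey(normalizeKey(key))) {
        findings.push({ path: childPath, key });
      }
      walk(value, childPath);
    }
  };

  walk(input, "");
  return findings;
}

// Reads the (assumed) bypass variable without requiring Node typings.
function bypassFromEnv(): boolean {
  const env = (globalThis as any).process?.env as Record<string, string | undefined> | undefined;
  return env?.[BYPASS_ENV] === "1";
}

// Execution-time gate: refuse the call and name the offending paths so the
// caller can move the credential to config, environment or an auth profile.
function checkToolInput(params: unknown, bypass: boolean = bypassFromEnv()): CheckResult {
  if (bypass) return { ok: true };
  const found = findInlineSecrets(params);
  if (found.length === 0) return { ok: true };
  const paths = found.map((f) => f.path).join(", ");
  return {
    ok: false,
    error: `Inline secret-like parameter(s) rejected: ${paths}. ` +
      "Supply credentials via config, environment or an auth profile instead.",
  };
}

// Constructed sample tool call: one inline API key at the top level, one
// nested client secret, and an allowlisted pageToken that must pass.
const SAMPLE_CALL = {
  url: "https://example.invalid/api",
  apiKey: "sk-constructed-sample-value",
  options: { pageToken: "abc123", nested: { Client_Secret: "constructed" } },
};

console.log(JSON.stringify(checkToolInput(SAMPLE_CALL)));
```

Running the block prints a rejection naming `apiKey` and `options.nested.Client_Secret` while leaving `options.pageToken` alone. The suffix match is deliberately broad; that is exactly why an allowlist for benign `*Token` identifiers is needed, as the review summary notes.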
