Updated March 25, 2026

Security Advisory: SCR-03 — AgentOS v2 API Key Exposure in Query Parameters

Version: 1.0.450
Control: SCR-03
Category: API Connection Security
Affected file: src/lib/agentos/client.ts
Severity: High (master-level credential, persistent log exposure)


Background

The platform integrates with the AgentOS v2 People Portal API to retrieve landlord portfolio and contacts data. The AgentOS v2 API requires authentication via a ?api_key= query parameter — this is the upstream vendor's documented and mandated authentication mechanism.

What Was Found

A supply chain security review (SCR-03) identified that passing the AGENTOS_API_KEY as a URL query parameter causes it to be recorded in multiple log surfaces:

Log surface            Exposure risk
---------------------  ----------------------------------------------------------
Vercel function logs   API key appears in full request URLs
CDN access logs        Logged at edge before the function executes
Server access logs     Standard HTTP access log format includes query strings
Browser history        Risk if any v2 URL is ever reflected to the client side

The AGENTOS_API_KEY is a master-level credential. Its AllowPatterns grant access to landlord portfolio and contacts endpoints across the platform. Exposure of this key in logs creates a persistent attack surface: any party with access to log data — including third-party log aggregators, monitoring tools, or a future log drain misconfiguration — could extract and reuse the key.

For comparison, the HMRC and TrueLayer integrations in the same codebase already include an SSRF guard (validateOutboundUrl()) before making outbound requests. This protection was absent from the AgentOS client.

Risk Summary

  • Confidentiality: High — master key visible in plaintext across multiple log systems.
  • Integrity: Medium — a leaked key could be used to read or manipulate landlord and contacts data.
  • Root cause: Vendor API design (query-param auth); not a platform coding error, but requires platform-side mitigations.

Recommended Mitigations

1. Vercel Log Drain Redaction

Configure the Vercel log drain to redact or strip the ?api_key= parameter from access log entries before they are forwarded to any external log aggregator. This limits the blast radius of any future log data leak.
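The redaction step above, as an added example that is not the platform's code and makes no assumption about the Vercel drain's configuration format: a filter that masks the ?api_key= value in each log line before it is forwarded, and a canary check that confirms the key value no longer appears in the output.

```typescript
// Added example, not code from the platform: a redaction filter for a log
// drain. Any URL carrying ?api_key= (the AgentOS v2 auth parameter) has the
// value masked before the log line is forwarded. Parameter names are matched
// case-insensitively; values stop at '&', '#', whitespace or quotes so a URL
// embedded in a JSON or free-text log line is still handled.
const REDACTED = "[REDACTED]";
const SENSITIVE_PARAMS = ["api_key"]; // extend if other secrets travel in query strings

function sensitiveParamPattern(): RegExp {
  const names = SENSITIVE_PARAMS
    .map((n) => n.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join("|");
  // group 1: "?api_key=" or "&api_key="; group 2: the value to drop
  return new RegExp(`([?&](?:${names})=)([^&#\\s"']*)`, "gi");
}

export function redactLogLine(line: string): string {
  return line.replace(sensitiveParamPattern(), `$1${REDACTED}`);
}

/** Canary check: true if the raw secret (or its URL-encoded form) survives. */
export function leaksSecret(line: string, secret: string): boolean {
  if (secret.length === 0) return false;
  return line.includes(secret) || line.includes(encodeURIComponent(secret));
}

export interface DrainResult { lines: string[]; redacted: number; leaked: number }

/** Redact a batch of drain entries and count lines that still carry the key. */
export function redactDrainBatch(lines: string[], secret: string): DrainResult {
  let redacted = 0;
  let leaked = 0;
  const out = lines.map((line) => {
    const clean = redactLogLine(line);
    if (clean !== line) redacted++;
    if (leaksSecret(clean, secret)) leaked++; // should stay 0; alert if it does not
    return clean;
  });
  return { lines: out, redacted, leaked };
}

// Constructed sample drain entries (not real logs); the key value is a placeholder.
export const SAMPLE_KEY = "example-key-0123";
export const SAMPLE_LINES = [
  `GET /api/v2/landlords?api_key=${SAMPLE_KEY}&page=2 200 12ms`,
  `{"url":"https://api.example.invalid/v2/contacts?API_KEY=${SAMPLE_KEY}","status":200}`,
  `GET /api/health 200 1ms`,
];
```

Run the canary check with the live AGENTOS_API_KEY value on a sample of forwarded entries; a non-zero leaked count means the drain is still exporting the credential.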

2. Add SSRF Guard to AgentOS Client

Add a validateOutboundUrl() call in src/lib/agentos/client.ts before any outbound v2 request is dispatched. This brings the AgentOS client into parity with the HMRC and TrueLayer clients and prevents server-side request forgery against the AgentOS endpoint.

// Example — align with existing HMRC/TrueLayer pattern
await validateOutboundUrl(agentOsV2Url);
const response = await fetch(`${agentOsV2Url}?api_key=${AGENTOS_API_KEY}`);

3. Update ROPA and Security Documentation

Record this risk formally in the platform's Record of Processing Activities (ROPA) and internal security documentation. The entry should note:

  • The credential scope (AllowPatterns: landlord portfolio, contacts)
  • The log surfaces where the key may appear
  • The mitigations applied and their current status

4. Request Header-Based Auth from AgentOS

Raise a support or partnership request with AgentOS asking them to support header-based authentication (e.g. Authorization: Bearer <key>) for the v2 API. HTTP headers are not included in standard access log formats, which would eliminate the log-exposure vector entirely without requiring log redaction configuration.

5. IP Allowlist on AgentOS Side

Configure an IP allowlist in the AgentOS account settings to restrict which server IPs are permitted to use the AGENTOS_API_KEY. This provides a defence-in-depth control: even if the key is extracted from logs, it cannot be used from an unauthorised IP address.

Affected Credential

Variable          Scope                                          Storage
----------------  ---------------------------------------------  --------------------
AGENTOS_API_KEY   Landlord portfolio, contacts (AllowPatterns)   Environment variable

No User-Facing Impact

This advisory does not affect any user-facing features, submission workflows, or HMRC integrations. No action is required from end users.


This advisory was produced as part of the platform's ongoing supply chain security review programme.