security: comprehensive code review fixes - SSRF protection, SSE parsing, mask API key, add retry logic, fix kwargs, add chat_stream tests, connection pool config, fix exception swallowing, extract shared headers, fix magic defaults

Author: Patel230

src/hawk/agent.py

@@ -20,20 +20,14 @@ class AgentConfig:
     Attributes:
         name: Agent identifier.
         model: Model to use for completions.
-        system_prompt: Optional system prompt prepended to conversations.
         tools: List of tools available to the agent.
         max_rounds: Maximum tool-call rounds per chat turn.
-        temperature: Sampling temperature.
-        top_p: Nucleus sampling parameter.
     """
 
     name: str = "hawk-agent"
     model: str | None = None
-    system_prompt: str | None = None
     tools: list[Tool] = field(default_factory=list)
     max_rounds: int = 10
-    temperature: float | None = None
-    top_p: float | None = None
 
 
 class Agent:

src/hawk/client.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from typing import Any
+from urllib.parse import urlparse
 
 import httpx
 
@@ -23,6 +24,29 @@
 
 DEFAULT_BASE_URL = "http://127.0.0.1:4590"
 DEFAULT_TIMEOUT = 30.0
+DEFAULT_POOL_CONNECTIONS = 10
+DEFAULT_POOL_MAXSIZE = 100
+
+
+def _build_headers(api_key: str | None) -> dict[str, str]:
+    """Build standard HTTP headers for Hawk API requests."""
+    headers: dict[str, str] = {
+        "Accept": "application/json",
+        "User-Agent": f"hawk-sdk-python/{__version__}",
+    }
+    if api_key:
+        headers["Authorization"] = f"Bearer {api_key}"
+    return headers
+
+
+def _validate_base_url(url: str) -> str:
+    """Validate that base_url uses http/https and has a hostname."""
+    parsed = urlparse(url)
+    if parsed.scheme not in ("http", "https"):
+        raise ValueError(f"base_url must use http or https scheme, got: {parsed.scheme}")
+    if not parsed.hostname:
+        raise ValueError("base_url must have a hostname")
+    return url
 
 
 class HawkClient:
@@ -40,25 +64,29 @@ def __init__(
         api_key: str | None = None,
         retry_config: RetryConfig | None = None,
         timeout: float = DEFAULT_TIMEOUT,
+        pool_connections: int = DEFAULT_POOL_CONNECTIONS,
+        pool_maxsize: int = DEFAULT_POOL_MAXSIZE,
     ) -> None:
+        _validate_base_url(base_url)
         self._base_url = base_url.rstrip("/")
         self._api_key = api_key
         self._retry_config = retry_config or DEFAULT_RETRY_CONFIG
         self._timeout = timeout
+        self._pool_connections = pool_connections
+        self._pool_maxsize = pool_maxsize
         self._client = httpx.Client(
             base_url=self._base_url,
             timeout=self._timeout,
-            headers=self._build_headers(),
+            headers=_build_headers(api_key),
+            limits=httpx.Limits(
+                max_keepalive_connections=pool_connections,
+                max_connections=pool_maxsize,
+            ),
         )
 
-    def _build_headers(self) -> dict[str, str]:
-        headers: dict[str, str] = {
-            "Accept": "application/json",
-            "User-Agent": f"hawk-sdk-python/{__version__}",
-        }
-        if self._api_key:
-            headers["Authorization"] = f"Bearer {self._api_key}"
-        return headers
+    def __repr__(self) -> str:
+        masked = "***" + self._api_key[-4:] if self._api_key else "None"
+        return f"HawkClient(base_url='{self._base_url}', api_key='{masked}')"
 
     def __enter__(self) -> HawkClient:
         return self
@@ -96,7 +124,6 @@ def chat(
         autonomy: str | None = None,
         cwd: str | None = None,
         agent: str | None = None,
-        **kwargs: Any,
     ) -> ChatResponse:
         """Send a prompt and return the complete response."""
         request = ChatRequest(
@@ -129,7 +156,6 @@ def chat_stream(
         autonomy: str | None = None,
         cwd: str | None = None,
         agent: str | None = None,
-        **kwargs: Any,
     ) -> StreamReader:
         """Send a prompt and stream the response via SSE."""
         request = ChatRequest(
@@ -142,21 +168,24 @@ def chat_stream(
             agent=agent,
         )
 
-        response = self._client.send(
-            self._client.build_request(
-                "POST",
-                "/v1/chat",
-                json=request.model_dump(exclude_none=True, by_alias=True),
-                headers={"Accept": "text/event-stream"},
-            ),
-            stream=True,
-        )
+        def _do() -> StreamReader:
+            response = self._client.send(
+                self._client.build_request(
+                    "POST",
+                    "/v1/chat",
+                    json=request.model_dump(exclude_none=True, by_alias=True),
+                    headers={"Accept": "text/event-stream"},
+                ),
+                stream=True,
+            )
 
-        if response.status_code >= 400:
-            response.read()
-            raise parse_error(response)
+            if response.status_code >= 400:
+                response.read()
+                raise parse_error(response)
 
-        return StreamReader(response)
+            return StreamReader(response)
+
+        return with_retry_sync(_do, self._retry_config)
 
     def create_session(
         self,
@@ -189,9 +218,7 @@ def list_sessions(self, limit: int = 20, offset: int = 0) -> PaginatedResponse[S
         """List sessions with pagination."""
 
         def _do() -> PaginatedResponse[SessionSummary]:
-            params: dict[str, Any] = {}
-            if limit != 20:
-                params["limit"] = limit
+            params: dict[str, Any] = {"limit": limit}
             if offset > 0:
                 params["offset"] = offset
             resp = self._request("GET", "/v1/sessions", params=params)
@@ -213,9 +240,7 @@ def list_messages(
         """List messages for a session with pagination."""
 
         def _do() -> PaginatedResponse[Message]:
-            params: dict[str, Any] = {}
-            if limit != 50:
-                params["limit"] = limit
+            params: dict[str, Any] = {"limit": limit}
             if offset > 0:
                 params["offset"] = offset
             resp = self._request("GET", f"/v1/sessions/{session_id}/messages", params=params)
@@ -248,25 +273,29 @@ def __init__(
         api_key: str | None = None,
         retry_config: RetryConfig | None = None,
         timeout: float = DEFAULT_TIMEOUT,
+        pool_connections: int = DEFAULT_POOL_CONNECTIONS,
+        pool_maxsize: int = DEFAULT_POOL_MAXSIZE,
     ) -> None:
+        _validate_base_url(base_url)
         self._base_url = base_url.rstrip("/")
         self._api_key = api_key
         self._retry_config = retry_config or DEFAULT_RETRY_CONFIG
         self._timeout = timeout
+        self._pool_connections = pool_connections
+        self._pool_maxsize = pool_maxsize
         self._client = httpx.AsyncClient(
             base_url=self._base_url,
             timeout=self._timeout,
-            headers=self._build_headers(),
+            headers=_build_headers(api_key),
+            limits=httpx.Limits(
+                max_keepalive_connections=pool_connections,
+                max_connections=pool_maxsize,
+            ),
         )
 
-    def _build_headers(self) -> dict[str, str]:
-        headers: dict[str, str] = {
-            "Accept": "application/json",
-            "User-Agent": f"hawk-sdk-python/{__version__}",
-        }
-        if self._api_key:
-            headers["Authorization"] = f"Bearer {self._api_key}"
-        return headers
+    def __repr__(self) -> str:
+        masked = "***" + self._api_key[-4:] if self._api_key else "None"
+        return f"AsyncHawkClient(base_url='{self._base_url}', api_key='{masked}')"
 
     async def __aenter__(self) -> AsyncHawkClient:
         return self
@@ -304,7 +333,6 @@ async def chat(
         autonomy: str | None = None,
         cwd: str | None = None,
         agent: str | None = None,
-        **kwargs: Any,
     ) -> ChatResponse:
         """Send a prompt and return the complete response."""
         request = ChatRequest(
@@ -337,7 +365,6 @@ async def chat_stream(
         autonomy: str | None = None,
         cwd: str | None = None,
         agent: str | None = None,
-        **kwargs: Any,
     ) -> AsyncStreamReader:
         """Send a prompt and stream the response via SSE."""
         request = ChatRequest(
@@ -350,21 +377,24 @@ async def chat_stream(
             agent=agent,
         )
 
-        response = await self._client.send(
-            self._client.build_request(
-                "POST",
-                "/v1/chat",
-                json=request.model_dump(exclude_none=True, by_alias=True),
-                headers={"Accept": "text/event-stream"},
-            ),
-            stream=True,
-        )
+        async def _do() -> AsyncStreamReader:
+            response = await self._client.send(
+                self._client.build_request(
+                    "POST",
+                    "/v1/chat",
+                    json=request.model_dump(exclude_none=True, by_alias=True),
+                    headers={"Accept": "text/event-stream"},
+                ),
+                stream=True,
+            )
 
-        if response.status_code >= 400:
-            await response.aread()
-            raise parse_error(response)
+            if response.status_code >= 400:
+                await response.aread()
+                raise parse_error(response)
+
+            return AsyncStreamReader(response)
 
-        return AsyncStreamReader(response)
+        return await with_retry(_do, self._retry_config)
 
     async def create_session(
         self,
@@ -399,9 +429,7 @@ async def list_sessions(
         """List sessions with pagination."""
 
         async def _do() -> PaginatedResponse[SessionSummary]:
-            params: dict[str, Any] = {}
-            if limit != 20:
-                params["limit"] = limit
+            params: dict[str, Any] = {"limit": limit}
             if offset > 0:
                 params["offset"] = offset
             resp = await self._request("GET", "/v1/sessions", params=params)
@@ -423,9 +451,7 @@ async def list_messages(
         """List messages for a session with pagination."""
 
         async def _do() -> PaginatedResponse[Message]:
-            params: dict[str, Any] = {}
-            if limit != 50:
-                params["limit"] = limit
+            params: dict[str, Any] = {"limit": limit}
             if offset > 0:
                 params["offset"] = offset
             resp = await self._request("GET", f"/v1/sessions/{session_id}/messages", params=params)

src/hawk/discovery.py

@@ -158,8 +158,9 @@ async def _fetch_card(self, base_url: str) -> AgentCard | None:
                     data = resp.json()
                     if isinstance(data, dict):
                         return AgentCard.from_dict(cast("dict[str, Any]", data))
-        except Exception:
-            pass
+        except Exception as exc:
+            import logging
+            logging.getLogger(__name__).debug("Failed to fetch agent card from %s: %s", base_url, exc)
         return None
 
 

src/hawk/memory_tools.py

@@ -47,8 +47,9 @@ def record_memory(
             if hasattr(self._client, "remember"):
                 self._client.remember(content, session_id=self._session_id)
                 return f"Recorded to persistent memory: '{content[:100]}...'"
-        except Exception:
-            pass
+        except Exception as exc:
+            import logging
+            logging.getLogger(__name__).debug("Failed to persist memory via yaad: %s", exc)
 
         return f"Recorded to session memory: '{content[:100]}...'"
 
@@ -64,8 +65,9 @@ def retrieve_memories(self, query: str, limit: int = 5) -> str:
                     return f"Recalled {len(recalled)} memories:\n" + "\n".join(
                         f"- {m}" for m in recalled
                     )
-        except Exception:
-            pass
+        except Exception as exc:
+            import logging
+            logging.getLogger(__name__).debug("Failed to recall memories via yaad: %s", exc)
 
         # Fallback to local fuzzy match
         query_lower = query.lower()

src/hawk/retry.py

@@ -89,7 +89,8 @@ async def with_retry(
 
             await asyncio.sleep(wait)
 
-    assert last_error is not None
+    if last_error is None:
+        raise HawkAPIError("Retry logic failed unexpectedly: no error recorded")
     raise last_error
 
 
@@ -138,5 +139,6 @@ def with_retry_sync(
 
             time.sleep(wait)
 
-    assert last_error is not None
+    if last_error is None:
+        raise HawkAPIError("Retry logic failed unexpectedly: no error recorded")
     raise last_error

src/hawk/streaming.py

@@ -50,9 +50,15 @@ def events(self) -> Iterator[StreamEvent]:
             if line.startswith("event: "):
                 current_event = line[7:]
             elif line.startswith("data: "):
-                current_data = line[6:]
+                if current_data is not None:
+                    current_data += "\n" + line[6:]
+                else:
+                    current_data = line[6:]
             elif line == "data:":
-                current_data = ""
+                if current_data is not None:
+                    current_data += "\n"
+                else:
+                    current_data = ""
 
     def collect_text(self) -> str:
         """Consume the entire stream and return concatenated text content."""
@@ -126,9 +132,15 @@ async def events(self) -> AsyncIterator[StreamEvent]:
             if line.startswith("event: "):
                 current_event = line[7:]
             elif line.startswith("data: "):
-                current_data = line[6:]
+                if current_data is not None:
+                    current_data += "\n" + line[6:]
+                else:
+                    current_data = line[6:]
             elif line == "data:":
-                current_data = ""
+                if current_data is not None:
+                    current_data += "\n"
+                else:
+                    current_data = ""
 
     async def collect_text(self) -> str:
         """Consume the entire stream and return concatenated text content."""