supply-api/internal/pkg/pathutil/path.go

// Package pathutil provides path manipulation utilities.
package pathutil

// SplitPath splits a URL or file path by '/' and returns non-empty segments.
// Unlike strings.Split, this skips empty segments from leading/trailing/consecutive slashes.
func SplitPath(path string) []string {
	if path == "" {
		return nil
	}
	var parts []string
	var current string
	for _, c := range path {
		if c == '/' {
			if current != "" {
				parts = append(parts, current)
				current = ""
			}
		} else {
			current += string(c)
		}
	}
	if current != "" {
		parts = append(parts, current)
	}
	return parts
}
fix: P0/P1 security fixes across gateway, token-runtime, and supply-api P0 fixes: - platform-token-runtime: Add store.Save() after Refresh token update (P0-3) - platform-token-runtime: Add sync.RWMutex to InMemoryRuntimeStore (P0-4) - platform-token-runtime: Add bearer token auth to /audit-events endpoint (P0-5) - gateway: Fail startup in production if PASSWORD_ENCRYPTION_KEY uses default (P0-1) - gateway: Require explicit CORS_ALLOW_ORIGINS in production (P0-2) P1 fixes: - gateway: Add TrustedProxies config field + env var GATEWAY_TRUSTED_PROXIES (P1-5) - gateway: Sanitize X-Request-ID header to prevent log injection (P1-6) - gateway: Strip internal error details from error responses to clients (P1-7) - supply-api: Upgrade deriveDEK from trivial byte-rotation to HKDF-SHA256 (P1-1) - supply-api: Reject HS256/HS384/HS512 in production, require RSA (P1-2) Code quality fixes: - supply-api: Add BruteForceMaxAttempts + BruteForceLockoutDuration to AuthConfig (MED-12) - supply-api: Add TrustedProxies to token_auth_middleware (IP spoofing protection) - supply-api: Use shared pathutil.SplitPath instead of duplicate splitPath - supply-api: Fix query_key_reject_middleware call sites with trustedProxies param - gateway: Wire TrustedProxies into AuthMiddlewareConfig and extractClientIP - gateway: Add CORSAllowOrigins to AuthConfig, wire into CORSMiddleware - gateway: Fix CompletionsHandle to have context and RecordResult like ChatCompletions - gateway: Add sanitizeRequestID helper for X-Request-ID log injection prevention - gateway: Add os import for PASSWORD_ENCRYPTION_KEY check - gateway: Add strings import to handler.go for sanitizeRequestID Environment issues documented in TEST_ENVIRONMENT_ISSUES.md 2026-04-17 14:36:02 +08:00			`// Package pathutil provides path manipulation utilities.`
			`package pathutil`

			`// SplitPath splits a URL or file path by '/' and returns non-empty segments.`
			`// Unlike strings.Split, this skips empty segments from leading/trailing/consecutive slashes.`
			`func SplitPath(path string) []string {`
			`if path == "" {`
			`return nil`
			`}`
			`var parts []string`
			`var current string`
			`for _, c := range path {`
			`if c == '/' {`
			`if current != "" {`
			`parts = append(parts, current)`
			`current = ""`
			`}`
			`} else {`
			`current += string(c)`
			`}`
			`}`
			`if current != "" {`
			`parts = append(parts, current)`
			`}`
			`return parts`
			`}`