fix(security): pass user Anthropic key directly to SDK, never via env

CRITICAL multi-tenant fix. The previous code wrote the visitor-supplied
Anthropic API key into os.environ["ANTHROPIC_API_KEY"] before calling
_call_anthropic, which let the SDK pick it up via env. Three real
problems with that on a public Space:

1. os.environ is process-global — visitor A's key persisted in env
after their request returned, and was visible to visitor B's
concurrent (or subsequent) request from the same Python worker.
2. Visitor B's call would use visitor A's key, billed to A's account.
3. If visitor B then submitted with no key, the SDK would silently
succeed using A's leaked key instead of erroring as expected.

Fix:
app.py
- _call_anthropic now accepts api_key= keyword-only arg
- When supplied, passes directly to Anthropic(api_key=...) constructor
- When None, calls Anthropic() with no kwargs (SDK reads env as
its normal default — used for the Space-owner key path)
diagnose()
- Captures user-supplied key into a local variable; does NOT write
to os.environ
- For provider=anthropic WITH user key, bypasses the generic
dispatcher and calls _call_anthropic(..., api_key=user_key)
directly
- For provider=anthropic WITHOUT user key (env-only path), goes
through the dispatcher as before — SDK reads env on its own
- All other providers unchanged

Three new tests covering the regression:
test_diagnose_premium_user_key_passed_directly_not_via_env
Asserts user key goes to backend via kwarg, env stays untouched
even when a Space-owner key is set in env
test_diagnose_premium_does_not_mutate_env_with_user_key
Cross-tenant leak guard — env is unset before AND after a
user-key Premium call
test_call_anthropic_passes_api_key_to_sdk_constructor
Asserts the api_key kwarg flows to the Anthropic() constructor
rather than being silently ignored
test_call_anthropic_without_api_key_uses_env_via_sdk
Symmetry: when no api_key supplied, SDK is called with no kwargs
(so it uses its normal env-reading default)

Also updated the existing test (renamed
test_diagnose_premium_user_key_overrides_env →
test_diagnose_premium_user_key_passed_directly_not_via_env) to assert
the new contract (key via kwarg, env intact) instead of the old
contract (env mutated to user key).

Total: 62 unit tests pass + 1 skipped opt-in integration.

Privacy disclosure on /labs/compounding-test-ai updated to be honest:
- "The Space code does not write your input or your API key to disk
and does not retain them across requests" (true post-fix)
- "As with any hosted service, HuggingFace's platform may log request
bodies as part of its infrastructure; the Space owner can view
these logs" (true, was previously underplayed)
- "Don't paste anything you wouldn't paste into any third-party LLM
service" with explicit pointer to the deterministic version for
sensitive content

What's NOT a problem (audited but no fix needed):
- File writes — none
- localStorage/cookies — none, React state is in-memory only
- URL params — key never in URL
- Logging — we don't log requests; only platform-level logs apply
- Error formatting — Anthropic SDK doesn't include keys in errors,
and our F14 wrapper would surface them only to the visitor whose
request caused the error (not other visitors)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app.py

@@ -253,12 +253,19 @@ def _detect_provider(env=None) -> str:
     return "anthropic"
 
 
-def _call_anthropic(system_block: str, user_prompt: str) -> str:
+def _call_anthropic(system_block: str, user_prompt: str, *, api_key: Optional[str] = None) -> str:
     """Anthropic backend. System block is cache-marked; the user prompt
-    is sent fresh. Returns the raw assistant text."""
+    is sent fresh. Returns the raw assistant text.
+
+    `api_key`: an optional per-call key. When provided, it goes directly
+    to the SDK constructor and is NEVER written to os.environ. This is
+    important on a multi-tenant public Space — mutating env would leak
+    one visitor's key into a concurrent request from another visitor.
+    When `api_key` is None, the SDK reads ANTHROPIC_API_KEY from env
+    (the Space-owner's key path)."""
     from anthropic import Anthropic
 
-    client = Anthropic()
+    client = Anthropic(api_key=api_key) if api_key else Anthropic()
     resp = client.messages.create(
         model=ANTHROPIC_MODEL_ID,
         max_tokens=2500,
@@ -668,6 +675,7 @@ def diagnose(
     # either via the page's API-key field (per-call) or via an
     # ANTHROPIC_API_KEY env var on the Space. Without either, fail fast
     # with a friendly explanation before we hit the SDK.
+    user_key_for_anthropic: Optional[str] = None
     if provider == "anthropic":
         env_key = os.environ.get("ANTHROPIC_API_KEY", "").strip()
         user_key = (anthropic_api_key or "").strip()
@@ -679,8 +687,14 @@ def diagnose(
                 "",
             )
         if user_key:
-            # Per-call override; never persisted beyond this request.
-            os.environ["ANTHROPIC_API_KEY"] = user_key
+            # IMPORTANT: do NOT write the user-supplied key to os.environ.
+            # That would leak the key into concurrent requests from other
+            # visitors on this Space (the process env is shared across
+            # all in-flight requests in the Python worker). Instead we
+            # pass it directly to _call_anthropic below, which scopes it
+            # to a single SDK client instance that's garbage-collected
+            # when the call returns.
+            user_key_for_anthropic = user_key
 
     user_prompt = (
         PROMPT_TEMPLATE
@@ -691,7 +705,16 @@ def diagnose(
     )
 
     try:
-        raw = _call_model(SYSTEM_BLOCK, user_prompt, provider)
+        # When the visitor supplied their own Anthropic key, bypass the
+        # generic dispatcher so we can pass the key directly via kwarg
+        # without ever touching os.environ. All other paths go through
+        # the dispatcher and read credentials from env as usual.
+        if provider == "anthropic" and user_key_for_anthropic:
+            raw = _call_anthropic(
+                SYSTEM_BLOCK, user_prompt, api_key=user_key_for_anthropic,
+            )
+        else:
+            raw = _call_model(SYSTEM_BLOCK, user_prompt, provider)
     except Exception as e:
         # API timeout / rate limit / auth / server / network failure
         # (Anthropic SDK, huggingface_hub InferenceClient, or

test_diagnose.py

@@ -370,26 +370,130 @@ def test_diagnose_premium_with_env_key_dispatches_to_anthropic(monkeypatch):
     assert parsed["quadrant"] == "compounder"
 
 
-def test_diagnose_premium_user_key_overrides_env(monkeypatch):
+def test_diagnose_premium_user_key_passed_directly_not_via_env(monkeypatch):
     """The page's API-key field should take precedence over any
-    ANTHROPIC_API_KEY env var the Space owner has configured. This is
-    the F15-ish defense — a visitor pasting their own key should never
-    inadvertently use the Space owner's key."""
+    ANTHROPIC_API_KEY env var the Space owner has configured. Critically,
+    the visitor's key must be passed DIRECTLY to _call_anthropic via
+    kwarg — never written to os.environ — or concurrent requests from
+    other visitors could pick up the wrong key from shared process env.
+    See _call_anthropic docstring."""
     monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-space-owner-xxx")
     captured = {}
 
-    def fake_anthropic(system, user):
-        captured["env_key_at_call_time"] = os.environ.get("ANTHROPIC_API_KEY")
+    def fake_call_anthropic(system, user, *, api_key=None):
+        captured["api_key_kwarg"] = api_key
+        captured["env_at_call_time"] = os.environ.get("ANTHROPIC_API_KEY")
         return _VALID_BACKEND_RESPONSE
 
-    monkeypatch.setitem(PROVIDERS, "anthropic", fake_anthropic)
+    monkeypatch.setattr(app_module, "_call_anthropic", fake_call_anthropic)
 
     diagnose(
         _LONG_DESCRIPTION, None, None, None,
         provider="anthropic",
         anthropic_api_key="sk-user-yyy",
     )
-    assert captured.get("env_key_at_call_time") == "sk-user-yyy"
+    # User key passed directly via kwarg (the override mechanism)
+    assert captured["api_key_kwarg"] == "sk-user-yyy"
+    # CRITICAL: env was NOT clobbered with the user's key — Space
+    # owner's key remained intact for any concurrent request that
+    # legitimately needs it (or for no request at all if there's no
+    # owner-set key).
+    assert captured["env_at_call_time"] == "sk-space-owner-xxx"
+
+
+def test_diagnose_premium_does_not_mutate_env_with_user_key(monkeypatch):
+    """Cross-tenant key-leak regression test. On a public Space, two
+    concurrent visitors may both submit Premium requests. Each must use
+    only their own key; neither should ever see the other's key via
+    os.environ. The fix is to never write user-supplied keys to env."""
+    monkeypatch.delenv("ANTHROPIC_API_KEY", raising=False)
+    captured = {}
+
+    def fake_call_anthropic(system, user, *, api_key=None):
+        captured["api_key_kwarg"] = api_key
+        captured["env_at_call_time"] = os.environ.get("ANTHROPIC_API_KEY")
+        return _VALID_BACKEND_RESPONSE
+
+    monkeypatch.setattr(app_module, "_call_anthropic", fake_call_anthropic)
+
+    diagnose(
+        _LONG_DESCRIPTION, None, None, None,
+        provider="anthropic",
+        anthropic_api_key="sk-visitor-A-secret",
+    )
+    # The key went directly to the SDK, not via env
+    assert captured["api_key_kwarg"] == "sk-visitor-A-secret"
+    # Env was never set during the call
+    assert captured["env_at_call_time"] is None
+    # And env is still unset after the call returns — no residue for
+    # the next visitor's concurrent request to pick up
+    assert os.environ.get("ANTHROPIC_API_KEY") is None
+
+
+def test_call_anthropic_passes_api_key_to_sdk_constructor(monkeypatch):
+    """When _call_anthropic receives api_key=, it must be passed to the
+    Anthropic() SDK constructor — not stored in os.environ, not
+    discarded, not exposed elsewhere."""
+    captured_init = {}
+
+    class FakeContentBlock:
+        text = "ok"
+
+    class FakeMessage:
+        content = [FakeContentBlock()]
+
+    class FakeClient:
+        class messages:  # noqa: N801
+            @staticmethod
+            def create(**kwargs):
+                return FakeMessage()
+
+    def fake_anthropic_ctor(**kwargs):
+        captured_init.update(kwargs)
+        return FakeClient()
+
+    import anthropic as anthropic_module
+    monkeypatch.setattr(anthropic_module, "Anthropic", fake_anthropic_ctor)
+    monkeypatch.delenv("ANTHROPIC_API_KEY", raising=False)
+
+    _call_anthropic("sys", "usr", api_key="sk-direct-yyy")
+
+    assert captured_init.get("api_key") == "sk-direct-yyy"
+    # And env was not touched
+    assert os.environ.get("ANTHROPIC_API_KEY") is None
+
+
+def test_call_anthropic_without_api_key_uses_env_via_sdk(monkeypatch):
+    """When api_key is not supplied, the SDK constructor is called with
+    no kwargs — letting it read ANTHROPIC_API_KEY from env, as is the
+    SDK's normal default behavior. We don't explicitly pass api_key=None
+    because the SDK treats that differently than 'not supplied'."""
+    captured_init = {}
+
+    class FakeContentBlock:
+        text = "ok"
+
+    class FakeMessage:
+        content = [FakeContentBlock()]
+
+    class FakeClient:
+        class messages:  # noqa: N801
+            @staticmethod
+            def create(**kwargs):
+                return FakeMessage()
+
+    def fake_anthropic_ctor(**kwargs):
+        captured_init.update(kwargs)
+        return FakeClient()
+
+    import anthropic as anthropic_module
+    monkeypatch.setattr(anthropic_module, "Anthropic", fake_anthropic_ctor)
+    monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-env-default")
+
+    _call_anthropic("sys", "usr")  # no api_key kwarg
+
+    # SDK constructor called with no api_key — it'll use env on its own
+    assert "api_key" not in captured_init
 
 
 def test_diagnose_premium_backend_exception_returns_friendly_error(monkeypatch):