fix: update API key type in response handling functions

[Evrard-Nil]

=== Responses: Basic ===
[PASS] POST /responses (non-stream) — 200
[FAIL] GET /responses/{id} — 500
Missing request extension: Extension of type services::workspace::ports::ApiKey was not found. Perhaps you forgot to add it? See axum::Extension.

[gemini-code-assist]

Summary of Changes

Hello @Evrard-Nil, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the API key type used within the response handling functions to AuthenticatedApiKey. This update standardizes the authentication object passed to these routes, improving type safety and aligning with a potentially more comprehensive authentication strategy.

Highlights

• API Key Type Update: The type of the API key used in several response handling functions has been updated from services::workspace::ApiKey to AuthenticatedApiKey.
• Consistency and Authentication: This change ensures a more consistent and potentially more robust authentication mechanism across the API's response-related endpoints.

Changelog

• crates/api/src/routes/responses.rs
  • Updated the _api_key extension type in get_response, delete_response, and cancel_response functions.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[claude]

Code Review

Summary

This PR correctly fixes a type mismatch in three response handler functions that was causing the test failure. The change aligns these handlers with the authentication middleware pattern used throughout the codebase.

Analysis

What was wrong:
The error message showed that Axum couldn't find an extension of type services::workspace::ApiKey because the authentication middleware (auth_middleware_with_workspace_context) actually inserts an AuthenticatedApiKey extension (see crates/api/src/middleware/auth.rs:140).

The fix:

• Changed 3 function signatures from Extension<services::workspace::ApiKey> to Extension<AuthenticatedApiKey>
• Functions affected: get_response, delete_response, cancel_response

Why this is correct:

• AuthenticatedApiKey is a wrapper struct containing the API key + workspace + organization context
• All other route handlers in this file already use AuthenticatedApiKey (see line 184, 731)
• The middleware specifically inserts this type into the request extensions
• No other routes in the codebase use the old pattern anymore

Review Result

✅ APPROVED - No critical issues found.

The change is:

• ✅ Consistent with existing patterns across all route handlers
• ✅ Fixes the reported test failure
• ✅ Minimal and focused (only changes what's necessary)
• ✅ Type-safe and follows Rust best practices

These functions are stubs (return NOT_IMPLEMENTED), so there's no logic to break. The type correction ensures they'll work correctly when implemented.

[gemini-code-assist]

Code Review

This pull request updates the API key type in several response handling functions (get_response, delete_response, cancel_response) from services::workspace::ApiKey to AuthenticatedApiKey. This change provides richer context, including workspace and organization information, which is beneficial for both security and the implementation of currently stubbed-out endpoints. However, a critical IDOR vulnerability was identified in the conversation context loading logic within the response service, where ownership of a conversation is not verified before loading its history.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[PierreLeGuen]

LGTM. Clean type fix — switching to AuthenticatedApiKey for richer context in the response handlers.