fix(veo): harden against silent failures — timeouts + redact secrets

The async restructuring alone left two silent-failure paths where the user
gets neither a video nor an error:

- The Veo HTTP calls (start/poll/download, image-to-video fetch) set no
  timeouts, so a stalled Google API call hangs the run indefinitely. Cap
  connect + read time so a hang surfaces as an error instead.
- Error messages posted to chat could echo a Veo request URL, which carries
  the Gemini API key as a query param. Redact key=... before it reaches chat.

Also keeps the unit tests from firing a real Veo HTTP call in a background
future, and adds coverage for the redaction.

Author: saada

src/yetibot/core/commands/veo.clj

@@ -1,11 +1,17 @@
 (ns yetibot.core.commands.veo
-  (:require [taoensso.timbre :refer [info error]]
+  (:require [clojure.string :as string]
+            [taoensso.timbre :refer [info error]]
             [yetibot.core.hooks :refer [cmd-hook]]
             [yetibot.core.util.image-input :as image-input]
             [yetibot.core.util.gemini :as gemini]
             [yetibot.core.chat :as chat]
             [yetibot.core.webapp.routes.images :refer [store-image!]]))
 
+(defn redact
+  "Strip a leaked Gemini API key from an error message before it reaches chat."
+  [msg]
+  (some-> msg (string/replace #"key=[^\s&\"]+" "key=***")))
+
 (defn veo-cmd
   "veo <prompt> # generate a short AI video with Veo
 
@@ -36,13 +42,13 @@
                 (chat/send-msg msg))
               (catch Exception e
                 (error "veo: generation error in future:" (.getMessage e))
-                (let [err-msg (str "Video generation failed: " (.getMessage e))
+                (let [err-msg (str "Video generation failed: " (redact (.getMessage e)))
                       msg (if user-mention (str user-mention ": " err-msg) err-msg)]
                   (chat/send-msg msg))))))
         {:result/value (str "🎥 Grug start generating video for \"" prompt "\". This take some time (30s to 3m)...")})
       (catch Exception e
         (error "veo: initialization error:" (.getMessage e))
-        {:result/error (str "Video generation initialization failed: " (.getMessage e))}))
+        {:result/error (str "Video generation initialization failed: " (redact (.getMessage e)))}))
     {:result/error
      "Gemini API is not configured. Set `gemini.key` in config."}))
 

src/yetibot/core/util/gemini.clj

@@ -298,11 +298,17 @@
 (def ^:private veo-poll-interval-ms 6000)
 (def ^:private veo-max-polls 50) ; ~5 min ceiling
 
+;; Cap connect + read time on every Veo HTTP call so a stalled Google API surfaces
+;; as an error instead of hanging the run forever — an otherwise silent failure
+;; where the user gets neither a video nor an error.
+(def ^:private veo-http-timeouts {:connection-timeout 10000 :socket-timeout 120000})
+
 (defn- veo-image-part
   "Fetch an image URL and return a Veo instance image (base64), or nil. Used for
    image-to-video — e.g. a mentioned Discord user's avatar becomes the opening frame."
   [image-url]
-  (let [resp (client/get image-url {:as :byte-array :throw-exceptions false})
+  (let [resp (client/get image-url (merge veo-http-timeouts
+                                          {:as :byte-array :throw-exceptions false}))
         mime (first (string/split (get-in resp [:headers "Content-Type"] "image/png") #";"))]
     (when (<= 200 (:status resp) 299)
       {:mimeType mime
@@ -315,10 +321,11 @@
   (let [url (format "%s/models/%s:predictLongRunning?key=%s" api-base (veo-model) (:key config))
         body {:instances [(cond-> {:prompt prompt} image (assoc :image image))]
               :parameters {:aspectRatio "16:9" :durationSeconds (veo-duration)}}
-        resp (client/post url {:content-type :json
-                               :body (json/write-str body)
-                               :as :json
-                               :throw-exceptions false})]
+        resp (client/post url (merge veo-http-timeouts
+                                     {:content-type :json
+                                      :body (json/write-str body)
+                                      :as :json
+                                      :throw-exceptions false}))]
     (if (<= 200 (:status resp) 299)
       (get-in resp [:body :name])
       (let [msg (extract-api-error (:body resp))]
@@ -331,7 +338,8 @@
   [op-name]
   (loop [n 0]
     (let [body (:body (client/get (format "%s/%s?key=%s" api-base op-name (:key config))
-                                  {:as :json :throw-exceptions false}))]
+                                  (merge veo-http-timeouts
+                                         {:as :json :throw-exceptions false})))]
       (cond
         (:error body) (throw (ex-info (str "Veo generation failed: "
                                            (get-in body [:error :message]))
@@ -344,9 +352,10 @@
 (defn- veo-download
   "Download the generated mp4 and return it base64-encoded."
   [uri]
-  (let [resp (client/get uri {:headers {"x-goog-api-key" (:key config)}
-                              :as :byte-array
-                              :throw-exceptions false})]
+  (let [resp (client/get uri (merge veo-http-timeouts
+                                    {:headers {"x-goog-api-key" (:key config)}
+                                     :as :byte-array
+                                     :throw-exceptions false}))]
     (if (<= 200 (:status resp) 299)
       (.encodeToString (Base64/getEncoder) ^bytes (:body resp))
       (throw (ex-info (str "Veo video download failed: " (:status resp))

test/yetibot/core/test/commands/veo.clj

@@ -1,5 +1,6 @@
 (ns yetibot.core.test.commands.veo
-  (:require [midje.sweet :refer [facts fact => provided anything throws]]
+  (:require [midje.sweet :refer [facts fact => =not=> provided anything throws]]
+            [midje.checkers :refer [contains]]
             [yetibot.core.commands.veo :as veo]
             [yetibot.core.util.gemini :as gemini]
             [yetibot.core.util.image-input :as image-input]
@@ -16,7 +17,9 @@
     (binding [chat/*adapter* :mock-adapter
               chat/*target* :mock-target
               chat/*thread-ts* :mock-thread-ts]
-      (veo/veo-cmd {:match "a cool robot dancing" :chat-source {} :user {:id "user123"}})
+      ;; no-op the future so the unit test never makes a real Veo HTTP call
+      (with-redefs [clojure.core/future-call (fn [_] nil)]
+        (veo/veo-cmd {:match "a cool robot dancing" :chat-source {} :user {:id "user123"}}))
       => {:result/value "🎥 Grug start generating video for \"a cool robot dancing\". This take some time (30s to 3m)..."}
       (provided
         (gemini/configured?) => true
@@ -49,3 +52,13 @@
         (image-input/extract-images "a cool robot dancing" {}) => {:prompt "a cool robot dancing" :image-urls nil}
         (gemini/generate-video "a cool robot dancing" nil) => (throw (Exception. "API Error"))
         (chat/send-msg "<@user123>: Video generation failed: API Error") => anything))))
+
+(facts "about redact"
+  (fact "masks a leaked api key embedded in an error"
+    (veo/redact "predictLongRunning?key=AIzaSyABC123 Read timed out") => (contains "key=***"))
+  (fact "does not expose the key"
+    (veo/redact "?key=AIzaSyABC123 boom") =not=> (contains "AIzaSyABC123"))
+  (fact "leaves a clean message untouched"
+    (veo/redact "Video generation failed: API Error") => "Video generation failed: API Error")
+  (fact "tolerates nil"
+    (veo/redact nil) => nil))