chore(gateway): make secrets-event trust explicit for opengrep

davidangularme · davidangularme · commit e16f5bf2728f · 2026-04-30T07:46:00.000+03:00
The secrets-reloader state event interpolates only an enum code and an internal message string, which matches the GHSA-gfmx-pph7-g46x triage note for low-risk callers. Add the explicit trusted: true to self-document intent and clear the opengrep finding; runtime behavior is unchanged because trusted defaults to true.
diff --git a/src/gateway/server.impl.ts b/src/gateway/server.impl.ts
@@ -487,6 +487,7 @@ export async function startGatewayServer(
     enqueueSystemEvent(`[${code}] ${message}`, {
       sessionKey: resolveMainSessionKey(cfg),
       contextKey: code,
+      trusted: true,
     });
   };
   const activateRuntimeSecrets = createRuntimeSecretsActivator({
