fix: Suppress false positive security warnings for API keys loaded from env

Refactored _discover_api_keys_from_config_backends in src/core/common/logging_utils.py to check if the discovered API key matches the corresponding environment variable. If it matches, the security warning is suppressed, as this is the intended and secure configuration pattern.
Also added a new test case 	est_api_key_discovery_suppresses_env_vars to 	ests/unit/core/test_logging_utils.py to verify this behavior and prevent regression.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: Mateusz

src/core/common/logging_utils.py

@@ -125,8 +125,6 @@ def __init__(
     "credentials",
 }
 
-# Keep track of security warnings already logged to avoid spamming logs
-_logged_security_warnings: set[str] = set()
 
 # Regular expressions for redacting sensitive information
 # Match common API key prefixes with more specific patterns to reduce false positives:
@@ -509,7 +507,7 @@ def configure_logging_with_environment_tagging(
         handlers.append(file_handler)
 
     # Configure structlog
-    structlog_processors = [
+    structlog_processors: list[Any] = [
         structlog.stdlib.PositionalArgumentsFormatter(),
         structlog.processors.StackInfoRenderer(),
         structlog.processors.format_exc_info,
@@ -634,6 +632,11 @@ def _discover_api_keys_from_config_backends(
                                 if k:
                                     found.add(str(k))
                                     # SECURITY WARNING: Log when API keys are found in config
+                                    # Check if the key matches the environment variable (false positive check)
+                                    env_var = f"{b.upper()}_API_KEY"
+                                    if str(k) == os.getenv(env_var):
+                                        continue
+
                                     warn_key = f"backends.{b}.api_key"
                                     if warn_key not in _logged_security_warnings:
                                         logger = get_logger(__name__)
@@ -645,6 +648,11 @@ def _discover_api_keys_from_config_backends(
                         else:
                             found.add(str(ak))
                             # SECURITY WARNING: Log when API keys are found in config
+                            # Check if the key matches the environment variable (false positive check)
+                            env_var = f"{b.upper()}_API_KEY"
+                            if str(ak) == os.getenv(env_var):
+                                continue
+
                             warn_key = f"backends.{b}.api_key"
                             if warn_key not in _logged_security_warnings:
                                 logger = get_logger(__name__)

tests/unit/core/test_logging_utils.py

@@ -3,6 +3,7 @@
 """
 
 import logging
+import sys
 from unittest.mock import MagicMock, patch
 
 import pytest
@@ -256,3 +257,62 @@ def test_log_context(self) -> None:
 
             # Verify bind was called with the correct context
             mock_logger.bind.assert_called_once_with(request_id="123", user_id="456")
+
+    def test_api_key_discovery_suppresses_env_vars(self) -> None:
+        """Test that API key discovery suppresses warnings for keys found in env vars."""
+        from src.core.common.logging_utils import (
+            _logged_security_warnings,
+            discover_api_keys_from_config_and_env,
+        )
+        from src.core.config.app_config import AppConfig
+
+        # Clear previous warnings
+        _logged_security_warnings.clear()
+
+        # Setup mocks
+        config = MagicMock(spec=AppConfig)
+        backends = MagicMock()
+        config.backends = backends
+
+        # Mock Minimax backend config
+        minimax_config = MagicMock()
+        minimax_config.api_key = "test-minimax-key"
+        backends.minimax = minimax_config
+
+        # Mock backend registry
+        with patch.dict(
+            "sys.modules", {"src.core.services.backend_registry": MagicMock()}
+        ):
+            sys.modules[
+                "src.core.services.backend_registry"
+            ].backend_registry.get_registered_backends.return_value = ["minimax"]
+
+            # Case 1: Key matches env var -> No warning
+            with patch.dict("os.environ", {"MINIMAX_API_KEY": "test-minimax-key"}):
+                with patch(
+                    "src.core.common.logging_utils.get_logger"
+                ) as mock_get_logger:
+                    mock_logger = MagicMock()
+                    mock_get_logger.return_value = mock_logger
+
+                    discover_api_keys_from_config_and_env(config)
+
+                    # Verify no warning logged
+                    mock_logger.warning.assert_not_called()
+
+            # Reset warnings for next case
+            _logged_security_warnings.clear()
+
+            # Case 2: Key does NOT match env var -> Warning logged
+            with patch.dict("os.environ", {"MINIMAX_API_KEY": "different-key"}):
+                with patch(
+                    "src.core.common.logging_utils.get_logger"
+                ) as mock_get_logger:
+                    mock_logger = MagicMock()
+                    mock_get_logger.return_value = mock_logger
+
+                    discover_api_keys_from_config_and_env(config)
+
+                    # Verify warning logged
+                    mock_logger.warning.assert_called_once()
+                    assert "SECURITY WARNING" in mock_logger.warning.call_args[0][0]