fix(python-sdk): wrap proxy callable so caller cannot override account [PLEN-2345]

The previous PLEN-2345 commits used ``functools.partial`` to pre-bind
``connected_account_id`` onto the ``execute_request`` proxy callable.
Codex flagged that ``partial`` lets a caller-supplied keyword override
a pre-bound value: a custom tool calling
``execute_request(connected_account_id="ca_other")`` would run the
proxy under that account while ``auth_credentials`` came from the
trusted resolved account — a credential/identity mismatch (CWE-639).

Replace the partial with a closure whose signature omits
``connected_account_id`` entirely. The id is fixed by the SDK to the
account whose credentials were also passed to the tool function; any
attempt to override it now raises ``TypeError`` at the call site rather
than silently swapping the account out from under the credentials.

Side effect: the public ``ExecuteRequestFn`` Protocol no longer
declares ``connected_account_id`` (it would never have been honoured
anyway given the new wrapper). Sentinel switched ``NotGiven``→``Omit``
on the same Protocol to match the underlying ``client.tools.proxy``
type signature — both sentinels are runtime-equivalent in Stainless'
``is_given``/``strip_not_given``, but the type alignment removes a
mypy error in the wrapper forwarding code.

Pinned by ``test_execute_request_rejects_caller_supplied_connected_account_id``
(new). Existing PLEN-2345 proxy-binding assertions adjusted to match
the wrapper's ``body=omit, parameters=omit`` forwarding.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Co-authored-by: Karan Vaidya <karan@composio.dev>

Author: zen-agent

python/composio/core/models/custom_tools.py

@@ -30,9 +30,10 @@
 import inspect
 import typing as t
 
+from composio_client import Omit, omit
 from pydantic import BaseModel
 
-from composio.client import HttpClient, NotGiven
+from composio.client import HttpClient
 from composio.client.types import (
     Tool,
     tool_list_response,
@@ -45,15 +46,22 @@
 
 
 class ExecuteRequestFn(t.Protocol):
+    """Proxy callable handed to custom tools.
+
+    ``connected_account_id`` is intentionally absent. The SDK binds the
+    proxy call to the same connected account that supplied
+    ``auth_credentials``, so the proxy and credentials always address the
+    same trusted account; a caller-supplied ``connected_account_id`` would
+    introduce a credential/identity mismatch and is rejected with
+    ``TypeError`` at the call site.
+    """
+
     def __call__(
         self,
         endpoint: str,
         method: t.Literal["GET", "POST", "PUT", "DELETE", "PATCH"],
-        body: t.Dict | NotGiven = HttpClient.not_given,
-        connected_account_id: str | NotGiven = HttpClient.not_given,
-        parameters: (
-            t.Iterable[tool_proxy_params.Parameter] | NotGiven
-        ) = HttpClient.not_given,
+        body: t.Dict | Omit = omit,
+        parameters: t.Iterable[tool_proxy_params.Parameter] | Omit = omit,
     ) -> tool_proxy_response.ToolProxyResponse: ...
 
 
@@ -232,10 +240,30 @@ def invoke_trusted(
             user_id=user_id,
             connected_account_id=connected_account_id,
         )
-        execute_request = functools.partial(
-            self.client.tools.proxy,
-            connected_account_id=account_id,
-        )
+
+        # Bind the proxy to the resolved account via a wrapper rather than
+        # ``functools.partial``: ``partial`` lets a caller-supplied keyword
+        # override the pre-bound value, so a tool that does
+        # ``execute_request(connected_account_id="ca_other")`` could run
+        # the proxy under one account while ``auth_credentials`` came
+        # from another (CWE-639). The wrapper omits ``connected_account_id``
+        # from its signature so any attempt to override it raises TypeError.
+        client = self.client
+
+        def execute_request(
+            endpoint: str,
+            method: t.Literal["GET", "POST", "PUT", "DELETE", "PATCH"],
+            body: t.Dict | Omit = omit,
+            parameters: t.Iterable[tool_proxy_params.Parameter] | Omit = omit,
+        ) -> tool_proxy_response.ToolProxyResponse:
+            return client.tools.proxy(
+                endpoint=endpoint,
+                method=method,
+                body=body,
+                parameters=parameters,
+                connected_account_id=account_id,
+            )
+
         return t.cast(CustomToolWithProxyProtocol, self.f)(
             request=request,
             execute_request=t.cast(ExecuteRequestFn, execute_request),

python/tests/test_custom_tools_security.py

@@ -367,6 +367,54 @@ def test_execute_with_connected_account_id_filters_list_by_envelope(
     assert result == {"issue_number": 7, "token": "explicit-token"}
 
 
+def test_execute_request_rejects_caller_supplied_connected_account_id(
+    mock_http_client_with_explicit_account: MagicMock,
+) -> None:
+    """``execute_request`` MUST refuse a caller-supplied ``connected_account_id``.
+
+    ``functools.partial`` would let a caller-supplied keyword override the
+    SDK-bound id while ``auth_credentials`` still came from the trusted
+    account — that would re-introduce a credential/identity mismatch
+    (CWE-639) right at the proxy call site. The wrapper omits
+    ``connected_account_id`` from its signature so any attempt to set it
+    raises ``TypeError`` rather than silently swapping the account.
+    """
+    captured: dict = {}
+
+    def proxy_tool(request: _IssueInput, execute_request, auth_credentials):
+        """Try to override the SDK-bound account id from inside the tool."""
+        try:
+            execute_request(
+                endpoint="/api/x",
+                method="GET",
+                connected_account_id="ca_other",  # type: ignore[call-arg]
+            )
+        except TypeError as exc:
+            captured["error"] = str(exc)
+            return {"rejected": True}
+        return {"rejected": False}
+
+    tool = CustomTool(
+        f=proxy_tool,
+        client=mock_http_client_with_explicit_account,
+        toolkit="github",
+    )
+    tools = CustomTools(client=mock_http_client_with_explicit_account)
+    tools.custom_tools_registry[tool.slug] = tool
+
+    result = tools.execute(
+        slug=tool.slug,
+        request={"issue_number": 1},
+        user_id="trusted-user",
+        connected_account_id="ca_explicit",
+    )
+
+    assert result == {"rejected": True}
+    assert "connected_account_id" in captured["error"]
+    # Proxy was NOT called — wrapper rejected the override before reaching it.
+    mock_http_client_with_explicit_account.tools.proxy.assert_not_called()
+
+
 def test_explicit_connected_account_id_outside_envelope_raises(
     mock_http_client_with_explicit_account: MagicMock,
     custom_tools: CustomTools,
@@ -427,11 +475,13 @@ def proxy_tool(request: _IssueInput, execute_request, auth_credentials):
         connected_account_id="ca_explicit",
     )
 
-    mock_http_client_with_explicit_account.tools.proxy.assert_called_once_with(
-        endpoint="/api/x",
-        method="GET",
-        connected_account_id="ca_explicit",
-    )
+    # The wrapper forwards body/parameters as the Stainless ``NOT_GIVEN``
+    # sentinel when the user's tool omits them — same semantics as if the
+    # user passed the bare ``client.tools.proxy``, plus the SDK-bound id.
+    proxy_call = mock_http_client_with_explicit_account.tools.proxy.call_args
+    assert proxy_call.kwargs["endpoint"] == "/api/x"
+    assert proxy_call.kwargs["method"] == "GET"
+    assert proxy_call.kwargs["connected_account_id"] == "ca_explicit"
     assert captured["credentials"] == {"access_token": "explicit-token"}
 
 
@@ -469,11 +519,10 @@ def proxy_tool(request: _IssueInput, execute_request, auth_credentials):
         toolkit_slugs=["github"],
         user_ids=["trusted-user"],
     )
-    mock_http_client_with_explicit_account.tools.proxy.assert_called_once_with(
-        endpoint="/api/y",
-        method="GET",
-        connected_account_id="ca_fallback",
-    )
+    proxy_call = mock_http_client_with_explicit_account.tools.proxy.call_args
+    assert proxy_call.kwargs["endpoint"] == "/api/y"
+    assert proxy_call.kwargs["method"] == "GET"
+    assert proxy_call.kwargs["connected_account_id"] == "ca_fallback"
 
 
 def test_explicit_connected_account_id_wins_over_smuggled_one(