docs: fix Copilot review comments on README and SECURITY

sena-labs · claude · sena-labs · commit a3e403abfa8c · 2026-05-07T01:05:06.000+02:00
- Rename Feature gallery heading to avoid anchor collision with
  Configuration &gt; Provider Routing section
- Fix "behaviour" → "behavior" (US English consistency)
- Correct SECURITY.md TLS bullet to reflect actual validator behavior
  (accepts https:// and http://, does not reject http)
- Remove Dependabot claim — no dependabot.yml exists in the repo

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ reasoning tokens, streaming, fallbacks, and cache control out of the box.
 <!-- TODO: media/screenshot-reasoning.png -->
 *`<think>` blocks streamed in real time with configurable effort levels.*
 
-### Provider routing
+### Provider routing in action
 
 <!-- TODO: media/screenshot-routing.png -->
 *Sort, prefer, exclude and require parameters across providers per request.*
@@ -107,7 +107,7 @@ python test_pipe.py        # 252 tests — verify everything is green
 
 ## Usage
 
-All behaviour is controlled through **Valves** in the Open WebUI admin panel. Every valve accepts
+All behavior is controlled through **Valves** in the Open WebUI admin panel. Every valve accepts
 an environment variable fallback (see [Configuration](#configuration)).
 
 ### Common valve combinations
diff --git a/SECURITY.md b/SECURITY.md
@@ -61,7 +61,7 @@ The pipe implements the following security practices:
 
 - **No key logging** — `OPENROUTER_API_KEY` is never written to logs or included in error messages.
 - **Pre-flight validation** — invalid keys are caught at model-fetch time via the `/models` response, before any user message is sent.
-- **TLS only** — all HTTP requests use HTTPS; the `OPENROUTER_BASE_URL` validator rejects non-HTTPS values.
+- **TLS enforced by default** — `OPENROUTER_BASE_URL` defaults to `https://openrouter.ai/api/v1`; the Pydantic validator requires the value to start with `https://` or `http://` and rejects any other scheme.
 - **Internal key stripping** — Open WebUI internal fields (`chat_id`, `title`, `task`, `metadata`, `files`, `tool_ids`, `session_id`, `message_id`) are removed from the payload before forwarding.
 - **No data persistence** — the pipe does not store user messages, model responses, or API keys beyond the scope of a single request.
 - **Deep-copy payload** — `copy.deepcopy` is used on the request body to prevent mutation of Open WebUI's internal state.
@@ -71,7 +71,6 @@ The pipe implements the following security practices:
 Every push to `main` and every pull request runs:
 
 - **Unit tests** (`.github/workflows/tests.yml`) — 252 tests across Python 3.10–3.13. Failures block merge.
-- **Dependabot** — weekly dependency updates for `requests` and `pydantic` with reviewer auto-assignment.
 
 ## Disclosure Policy
 
