RubyGems - lex-llm - Versions diffs - 0.5.3 → 0.5.4 - Mend

lex-llm 0.5.3 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/lib/legion/extensions/llm/error.rb +15 -0
data/lib/legion/extensions/llm/provider.rb +56 -2
data/lib/legion/extensions/llm/version.rb +1 -1
data/spec/legion/extensions/llm/provider_spec.rb +56 -0
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97ce32819eeea5c69b1278c3bab36876fc420f7092d9428da4e801fe26073601
-  data.tar.gz: c91d281b0994aea741558c7ffacced69626da499c2bc7876a58c591b50f56137
+  metadata.gz: a67345a318fe016e8b7c302f08cc335bf25f1e4605a2b16fd9d95a9c9d6ccd04
+  data.tar.gz: a0d2f7b5998b3a70754cb538515e581cb9a17ae7bc38b72de305159cc486edd5
 SHA512:
-  metadata.gz: 931eb07b958e676e014804e044c8da11dfc42c866345b6a187c08294da0070e88b2fb30dc569c577a99ee2de95a5f4d55572c8b05ce6d79f327f3ec4a48a8350
-  data.tar.gz: 78450fa24b76f759218776b30b80a4d693b0395f58828d79593cb1ce4e640c8ca281f423dcc83144220707e837fd00c76bfc9c600c6382e209e18966d92fc5e6
+  metadata.gz: 0e1d43f8bfc296cc15e1389f153adc134baf7dfa051d5604617126bfbfc558ce02416caf24509521d43448fc05bc43b278c8cf4fb6a197465de10af36489ada5
+  data.tar.gz: 0163f3ab169203405a2081c79712343ad5e36ae76bafaa1c703ac20e30ec46324d584bb69da0ebed064a85f9eafcb054ed8f4cb4395789b516607993e3fee53e

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,10 @@
 # Changelog
+## 0.5.4 - 2026-06-17
+### Fixed
+- **Model policy enforced at dispatch (compliance)** — `model_whitelist` / `model_blacklist` were only applied when *listing* models (`discover_offerings`); inference dispatch never checked them, so a denied model could still be invoked directly. Added `enforce_model_allowed!`, called at every dispatch entry point (`complete` — which backs `chat`/`stream_chat` — plus `embed`, `moderate`, `paint`), raising the new `ModelNotAllowedError` *before* any provider API call. Fail-closed, no exceptions. `ModelNotAllowedError` is a distinct, non-HTTP error so callers can treat it as a terminal policy outcome (non-retryable, non-escalatable) rather than a provider failure.
 ## 0.5.3 - 2026-06-16
 ### Fixed

data/lib/legion/extensions/llm/error.rb CHANGED Viewed

@@ -27,6 +27,21 @@ module Legion
       class ModelNotFoundError < StandardError; end
       class UnsupportedAttachmentError < StandardError; end
+      # Raised when a request targets a model excluded by the configured
+      # model_whitelist / model_blacklist. This is a compliance guard enforced at
+      # the provider dispatch boundary (the last line before the model API call),
+      # so a denied model can never be reached regardless of caller. Non-retryable:
+      # retrying the same denied model must never succeed.
+      class ModelNotAllowedError < StandardError
+        attr_reader :model, :provider
+        def initialize(message = nil, model: nil, provider: nil)
+          @model = model
+          @provider = provider
+          super(message || "model #{model.inspect} is not permitted by the configured model policy for provider #{provider.inspect}")
+        end
+      end
       # Backward-compatible unsupported-capability error alias.
       class UnsupportedCapabilityError < Errors::UnsupportedCapability
         def initialize(message = nil, provider: nil, capability: nil, model: nil)

data/lib/legion/extensions/llm/provider.rb CHANGED Viewed

@@ -96,6 +96,7 @@ module Legion
         def complete(messages, tools:, temperature:, model:, params: {}, headers: {}, schema: nil, thinking: nil,
                      tool_prefs: nil, &)
+          enforce_model_allowed!(model)
           normalized_temperature = maybe_normalize_temperature(temperature, model)
           log_provider_request(
             messages: messages,
@@ -184,6 +185,7 @@ module Legion
         end
         def embed(text:, model:, dimensions: nil, params: {}, headers: {})
+          enforce_model_allowed!(model)
           payload = Utils.deep_merge(render_embedding_payload(text, model:, dimensions:), params)
           response = @connection.post(embedding_url(model:), payload) do |req|
             req.headers = headers.merge(req.headers) unless headers.empty?
@@ -192,12 +194,14 @@ module Legion
         end
         def moderate(input, model:)
+          enforce_model_allowed!(model)
           payload = render_moderation_payload(input, model:)
           response = @connection.post moderation_url, payload
           parse_moderation_response(response, model:)
         end
         def paint(prompt, model:, size:, with: nil, mask: nil, params: {}) # rubocop:disable Metrics/ParameterLists
+          enforce_model_allowed!(model)
           validate_paint_inputs!(with:, mask:)
           payload = render_image_payload(prompt, model:, size:, with:, mask:, params:)
           response = @connection.post images_url(with:, mask:), payload
@@ -364,9 +368,19 @@ module Legion
         end
         def model_allowed?(model_name)
+          self.class.policy_allows?(model_name, whitelist: model_whitelist, blacklist: model_blacklist)
+        end
+        # Single source of truth for model-policy matching, usable both at runtime
+        # (instance #model_allowed?) and at instance-config build time (provider
+        # extensions choosing a default_model that does not violate the policy).
+        # Substring, case-insensitive: a whitelist permits models containing any
+        # pattern; a blacklist denies models containing any pattern; whitelist is
+        # applied before blacklist. Empty list = no restriction from that side.
+        def self.policy_allows?(model_name, whitelist: [], blacklist: [])
           name = model_name.to_s.downcase
-          wl = model_whitelist
-          bl = model_blacklist
+          wl = Array(whitelist).map { |p| p.to_s.downcase }
+          bl = Array(blacklist).map { |p| p.to_s.downcase }
           return false if wl.any? && wl.none? { |p| name.include?(p) }
           return false if bl.any? && bl.any? { |p| name.include?(p) }
@@ -374,6 +388,46 @@ module Legion
           true
         end
+        # Effective whitelist/blacklist for an instance config: per-instance config
+        # first, then the provider-level setting (mirrors instance #model_whitelist
+        # resolution order). Used by provider extensions when picking a default_model.
+        def self.model_policy(config, provider_family)
+          cfg = config.is_a?(Hash) ? config : {}
+          provider_conf = CredentialSources.setting(:extensions, :llm, provider_family)
+          provider_conf = {} unless provider_conf.is_a?(Hash)
+          {
+            whitelist: cfg[:model_whitelist] || provider_conf[:model_whitelist] || provider_conf['model_whitelist'],
+            blacklist: cfg[:model_blacklist] || provider_conf[:model_blacklist] || provider_conf['model_blacklist']
+          }
+        end
+        # Choose a default_model that never violates the model policy: prefer an
+        # explicitly-configured default when permitted; else a provider fallback when
+        # permitted; else nil, so routing resolves an allowed discovered model rather
+        # than forcing a policy-forbidden default. Keeps a whitelist/blacklist
+        # authoritative over any hardcoded provider default.
+        def self.policy_safe_default_model(configured:, fallback:, whitelist: [], blacklist: [])
+          return configured if configured && !configured.to_s.empty? &&
+                               policy_allows?(configured, whitelist:, blacklist:)
+          return fallback if fallback && !fallback.to_s.empty? &&
+                             policy_allows?(fallback, whitelist:, blacklist:)
+          nil
+        end
+        # Compliance guard: refuse to dispatch any request for a model excluded by
+        # the configured model_whitelist / model_blacklist. Invoked at every
+        # dispatch entry point (the last line before the model API call) so a
+        # denied model can never reach a provider API, regardless of caller. Fail
+        # closed — raises rather than silently routing elsewhere.
+        def enforce_model_allowed!(model_name)
+          return if model_allowed?(model_name)
+          log.warn("[#{slug}] action=model_denied model=#{model_name} instance=#{provider_instance_id} " \
+                   'reason=model_whitelist_or_blacklist')
+          raise ModelNotAllowedError.new(model: model_name, provider: slug)
+        end
         # ── Offering defaults ─────────────────────────────────────────────
         def offering_transport

data/lib/legion/extensions/llm/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Llm
-      VERSION = '0.5.3'
+      VERSION = '0.5.4'
     end
   end
 end

data/spec/legion/extensions/llm/provider_spec.rb CHANGED Viewed

@@ -357,6 +357,62 @@ RSpec.describe Legion::Extensions::Llm::Provider do
     end
   end
+  describe '#enforce_model_allowed! (dispatch compliance guard)' do
+    let(:provider_class) do
+      Class.new(described_class) do
+        attr_writer :settings
+        def api_base = 'https://test.invalid'
+        def settings = @settings || {}
+        def slug = :test
+        def provider_instance_id = :default
+      end
+    end
+    let(:provider) { provider_class.new(Legion::Extensions::Llm.config) }
+    context 'when a model is excluded by the whitelist' do
+      before { provider.settings = { model_whitelist: %w[haiku] } }
+      it 'raises ModelNotAllowedError carrying the model and provider' do
+        expect { provider.send(:enforce_model_allowed!, 'gpt-5') }
+          .to raise_error(Legion::Extensions::Llm::ModelNotAllowedError) do |error|
+            expect(error.model).to eq('gpt-5')
+            expect(error.provider).to eq(:test)
+          end
+      end
+      it 'permits a whitelisted model' do
+        expect { provider.send(:enforce_model_allowed!, 'claude-haiku-4-5-20251001') }.not_to raise_error
+      end
+      it 'fails closed in #complete before any provider call' do
+        expect { provider.complete([], tools: [], temperature: nil, model: 'gpt-5') }
+          .to raise_error(Legion::Extensions::Llm::ModelNotAllowedError)
+      end
+      it 'fails closed in #embed before any provider call' do
+        expect { provider.embed(text: 'hello', model: 'text-embedding-3-large') }
+          .to raise_error(Legion::Extensions::Llm::ModelNotAllowedError)
+      end
+    end
+    context 'when a model is excluded by the blacklist' do
+      before { provider.settings = { model_blacklist: %w[sonnet] } }
+      it 'fails closed in #complete for a blacklisted model' do
+        expect { provider.complete([], tools: [], temperature: nil, model: 'claude-sonnet-4-6') }
+          .to raise_error(Legion::Extensions::Llm::ModelNotAllowedError)
+      end
+    end
+    context 'with no policy configured' do
+      it 'does not raise for any model' do
+        expect { provider.send(:enforce_model_allowed!, 'anything-goes') }.not_to raise_error
+      end
+    end
+  end
   describe 'multi-host URL resolution' do
     let(:provider_class) do
       Class.new(described_class) do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-llm
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.4
 platform: ruby
 authors:
 - LegionIO