@blackbelt-technology/pi-agent-dashboard 0.5.1 → 0.5.2

package/packages/server/src/routes/model-proxy-routes.ts

@@ -0,0 +1,330 @@
+/**
+ * Model proxy route handlers: /v1/models, /v1/chat/completions, /v1/messages.
+ *
+ * OpenAI- and Anthropic-compatible endpoints fronting the dashboard's
+ * model registry via pi-ai's streamSimple.
+ *
+ * See change: add-dashboard-model-proxy.
+ */
+import crypto from "node:crypto";
+import type { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
+import type { ModelProxyConfig } from "@blackbelt-technology/pi-dashboard-shared/config.js";
+import {
+  convertOpenAIMessages,
+  convertOpenAITools,
+  eventToSSEChunks,
+  eventToNonStreamingResponse,
+  ToolCallIndexTracker,
+  convertAnthropicMessages,
+  convertAnthropicTools,
+  eventToAnthropicSSE,
+  eventToAnthropicResponse,
+  AnthropicBlockTracker,
+} from "../model-proxy/convert/index.js";
+import { ConcurrencyTracker, ConcurrencyError } from "../model-proxy/concurrency.js";
+import { logRequest, type RequestLogEntry } from "../model-proxy/request-log.js";
+
+export interface ModelProxyRouteDeps {
+  getConfig: () => ModelProxyConfig;
+  /** Resolve the model registry. Returns null when pi-ai is unavailable. */
+  getRegistry: () => Promise<ModelProxyRegistry | null>;
+}
+
+/** Minimal interface for the model registry consumed by route handlers. */
+export interface ModelProxyRegistry {
+  getAvailable(): Promise<any[]>;
+  find(provider: string, modelId: string): Promise<any | null>;
+  getApiKeyAndHeaders(model: any): Promise<{ apiKey: string; headers: Record<string, string> }>;
+}
+
+/** Minimal interface for pi-ai's streamSimple. */
+export type StreamSimpleFn = (opts: any) => AsyncIterable<any>;
+
+const concurrency = new ConcurrencyTracker();
+
+export function registerModelProxyRoutes(
+  fastify: FastifyInstance,
+  deps: ModelProxyRouteDeps & { streamSimple?: StreamSimpleFn },
+): void {
+  const { getConfig, getRegistry } = deps;
+
+  // ── GET /v1/models ──────────────────────────────────────────────────
+  fastify.get("/v1/models", async (request, reply) => {
+    const registry = await getRegistry();
+    if (!registry) {
+      return reply.code(503).send({
+        code: "MODEL_PROXY_RUNTIME_MISSING",
+        message: "pi-ai is not installed or cannot be resolved",
+      });
+    }
+
+    const models = await registry.getAvailable();
+    const data = models.map((m: any) => ({
+      id: `${m.provider}/${m.id}`,
+      object: "model" as const,
+      created: Math.floor(Date.now() / 1000),
+      owned_by: m.provider,
+      "x-pi": {
+        ...(m.contextWindow ? { contextWindow: m.contextWindow } : {}),
+        ...(m.maxTokens ? { maxTokens: m.maxTokens } : {}),
+        ...(m.reasoning != null ? { reasoning: m.reasoning } : {}),
+        ...(m.cost ? { cost: m.cost } : {}),
+        ...(m.input ? { input: m.input } : {}),
+      },
+    }));
+
+    return { object: "list", data };
+  });
+
+  // ── POST /v1/chat/completions ───────────────────────────────────────
+  fastify.post("/v1/chat/completions", {
+    config: { compress: false },
+  }, async (request, reply) => {
+    const body = request.body as any;
+    if (!body?.messages) {
+      return reply.code(400).send({ error: { message: "messages is required", type: "invalid_request_error" } });
+    }
+
+    const config = getConfig();
+    const modelId = body.model || config.defaultModel;
+    if (!modelId) {
+      return reply.code(400).send({ error: { message: "model is required", type: "invalid_request_error" } });
+    }
+
+    const registry = await getRegistry();
+    if (!registry) {
+      return reply.code(503).send({ code: "MODEL_PROXY_RUNTIME_MISSING", message: "pi-ai unavailable" });
+    }
+
+    const stream = body.stream === true;
+    const apiKeyId = (request as any).proxyApiKeyId;
+    const [provider] = modelId.includes("/") ? modelId.split("/", 2) : ["unknown", modelId];
+
+    // Acquire concurrency
+    let release: (() => void) | undefined;
+    try {
+      release = concurrency.acquire({ apiKeyId, provider }, config);
+    } catch (e) {
+      if (e instanceof ConcurrencyError) {
+        const status = e.code === "SERVER_FULL" ? 503 : 429;
+        reply.header("Retry-After", String(Math.ceil(e.retryAfterMs / 1000)));
+        return reply.code(status).send({ code: e.code });
+      }
+      throw e;
+    }
+
+    const startTime = Date.now();
+    const requestId = crypto.randomUUID();
+    const msgId = crypto.randomUUID().slice(0, 8);
+
+    try {
+      const { systemPrompt, messages } = convertOpenAIMessages(body.messages);
+      const tools = body.tools ? convertOpenAITools(body.tools) : undefined;
+
+      // Resolve model
+      const [prov, mid] = modelId.includes("/") ? modelId.split("/", 2) : [undefined, modelId];
+      const model = prov ? await registry.find(prov, mid) : null;
+      if (!model) {
+        return reply.code(404).send({ error: { message: `Model not found: ${modelId}`, type: "invalid_request_error" } });
+      }
+
+      const creds = await registry.getApiKeyAndHeaders(model);
+      const controller = new AbortController();
+
+      // Abort on client disconnect
+      request.raw.on("close", () => controller.abort());
+
+      const streamSimple = deps.streamSimple;
+      if (!streamSimple) {
+        return reply.code(503).send({ code: "MODEL_PROXY_RUNTIME_MISSING", message: "streamSimple unavailable" });
+      }
+
+      const streamOpts: any = {
+        model,
+        messages,
+        ...(systemPrompt ? { system: systemPrompt } : {}),
+        ...(tools ? { tools } : {}),
+        ...(body.max_tokens != null ? { maxTokens: body.max_tokens } : {}),
+        ...(body.temperature != null ? { temperature: body.temperature } : {}),
+        signal: controller.signal,
+        apiKey: creds.apiKey,
+        headers: creds.headers,
+      };
+
+      const eventStream = streamSimple(streamOpts);
+
+      if (stream) {
+        // Streaming SSE response
+        if (typeof request.raw.setTimeout === "function") request.raw.setTimeout(0);
+        reply.raw.writeHead(200, {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache",
+          "Connection": "keep-alive",
+        });
+
+        const tracker = new ToolCallIndexTracker();
+        let lastMsg: any;
+
+        for await (const event of eventStream) {
+          if (event.type === "done") lastMsg = event.message;
+          const sseChunks = eventToSSEChunks(event, modelId, msgId, tracker);
+          for (const chunk of sseChunks) {
+            reply.raw.write(chunk);
+          }
+        }
+
+        reply.raw.end();
+        maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "openai", status: 200, durationMs: Date.now() - startTime, inputTokens: lastMsg?.usage?.input, outputTokens: lastMsg?.usage?.output });
+      } else {
+        // Non-streaming response
+        let finalMsg: any;
+        for await (const event of eventStream) {
+          if (event.type === "done") finalMsg = event.message;
+          if (event.type === "error") {
+            maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "openai", status: 500, durationMs: Date.now() - startTime, error: event.error?.errorMessage });
+            return reply.code(500).send({ error: { message: event.error?.errorMessage || "Provider error", type: "api_error" } });
+          }
+        }
+
+        if (!finalMsg) {
+          return reply.code(500).send({ error: { message: "No response from model", type: "api_error" } });
+        }
+
+        const response = eventToNonStreamingResponse(finalMsg, modelId, msgId);
+        maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "openai", status: 200, durationMs: Date.now() - startTime, inputTokens: finalMsg.usage?.input, outputTokens: finalMsg.usage?.output });
+        return response;
+      }
+    } catch (err: any) {
+      if (err.name === "AbortError") return; // Client disconnected
+      maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "openai", status: 500, durationMs: Date.now() - startTime, error: err.message });
+      return reply.code(500).send({ error: { message: err.message || "Internal error", type: "api_error" } });
+    } finally {
+      release?.();
+    }
+  });
+
+  // ── POST /v1/messages ───────────────────────────────────────────────
+  fastify.post("/v1/messages", {
+    config: { compress: false },
+  }, async (request, reply) => {
+    const body = request.body as any;
+    if (!body?.messages || !body?.max_tokens) {
+      return reply.code(400).send({ error: { type: "invalid_request_error", message: "messages and max_tokens are required" } });
+    }
+
+    const config = getConfig();
+    const modelId = body.model || config.defaultModel;
+    if (!modelId) {
+      return reply.code(400).send({ error: { type: "invalid_request_error", message: "model is required" } });
+    }
+
+    const registry = await getRegistry();
+    if (!registry) {
+      return reply.code(503).send({ code: "MODEL_PROXY_RUNTIME_MISSING", message: "pi-ai unavailable" });
+    }
+
+    const stream = body.stream === true;
+    const apiKeyId = (request as any).proxyApiKeyId;
+    const [provider] = modelId.includes("/") ? modelId.split("/", 2) : ["unknown", modelId];
+
+    let release: (() => void) | undefined;
+    try {
+      release = concurrency.acquire({ apiKeyId, provider }, config);
+    } catch (e) {
+      if (e instanceof ConcurrencyError) {
+        const status = e.code === "SERVER_FULL" ? 503 : 429;
+        reply.header("Retry-After", String(Math.ceil(e.retryAfterMs / 1000)));
+        return reply.code(status).send({ code: e.code });
+      }
+      throw e;
+    }
+
+    const startTime = Date.now();
+    const requestId = crypto.randomUUID();
+    const msgId = `msg_${crypto.randomUUID().slice(0, 12)}`;
+
+    try {
+      const { systemPrompt, messages } = convertAnthropicMessages(body);
+      const tools = body.tools ? convertAnthropicTools(body.tools) : undefined;
+
+      const [prov, mid] = modelId.includes("/") ? modelId.split("/", 2) : [undefined, modelId];
+      const model = prov ? await registry.find(prov, mid) : null;
+      if (!model) {
+        return reply.code(404).send({ error: { type: "invalid_request_error", message: `Model not found: ${modelId}` } });
+      }
+
+      const creds = await registry.getApiKeyAndHeaders(model);
+      const controller = new AbortController();
+      request.raw.on("close", () => controller.abort());
+
+      const streamSimple = deps.streamSimple;
+      if (!streamSimple) {
+        return reply.code(503).send({ code: "MODEL_PROXY_RUNTIME_MISSING", message: "streamSimple unavailable" });
+      }
+
+      const streamOpts: any = {
+        model,
+        messages,
+        ...(systemPrompt ? { system: systemPrompt } : {}),
+        ...(tools ? { tools } : {}),
+        maxTokens: body.max_tokens,
+        ...(body.temperature != null ? { temperature: body.temperature } : {}),
+        signal: controller.signal,
+        apiKey: creds.apiKey,
+        headers: creds.headers,
+      };
+
+      const eventStream = streamSimple(streamOpts);
+
+      if (stream) {
+        if (typeof request.raw.setTimeout === "function") request.raw.setTimeout(0);
+        reply.raw.writeHead(200, {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache",
+          "Connection": "keep-alive",
+        });
+
+        const tracker = new AnthropicBlockTracker();
+        let lastMsg: any;
+
+        for await (const event of eventStream) {
+          if (event.type === "done") lastMsg = event.message;
+          const sseChunks = eventToAnthropicSSE(event, modelId, msgId, tracker);
+          for (const chunk of sseChunks) {
+            reply.raw.write(chunk);
+          }
+        }
+
+        reply.raw.end();
+        maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "anthropic", status: 200, durationMs: Date.now() - startTime, inputTokens: lastMsg?.usage?.input, outputTokens: lastMsg?.usage?.output });
+      } else {
+        let finalMsg: any;
+        for await (const event of eventStream) {
+          if (event.type === "done") finalMsg = event.message;
+          if (event.type === "error") {
+            maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "anthropic", status: 500, durationMs: Date.now() - startTime, error: event.error?.errorMessage });
+            return reply.code(500).send({ error: { type: "api_error", message: event.error?.errorMessage || "Provider error" } });
+          }
+        }
+
+        if (!finalMsg) {
+          return reply.code(500).send({ error: { type: "api_error", message: "No response from model" } });
+        }
+
+        const response = eventToAnthropicResponse(finalMsg, modelId, msgId);
+        maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "anthropic", status: 200, durationMs: Date.now() - startTime, inputTokens: finalMsg.usage?.input, outputTokens: finalMsg.usage?.output });
+        return response;
+      }
+    } catch (err: any) {
+      if (err.name === "AbortError") return;
+      maybeLog(config, { ts: new Date().toISOString(), requestId, apiKeyId, model: modelId, format: "anthropic", status: 500, durationMs: Date.now() - startTime, error: err.message });
+      return reply.code(500).send({ error: { type: "api_error", message: err.message || "Internal error" } });
+    } finally {
+      release?.();
+    }
+  });
+}
+
+function maybeLog(config: ModelProxyConfig, entry: RequestLogEntry): void {
+  if (config.logRequests) logRequest(entry);
+}

package/packages/server/src/routes/openspec-group-routes.ts

@@ -0,0 +1,231 @@
+/**
+ * OpenSpec change-grouping REST routes.
+ *
+ * Five endpoints under `/api/openspec/groups`. All accept a `cwd` query
+ * parameter and validate it against the dashboard's known-cwd set
+ * (sessions ∪ pinned directories) — same pattern as `pi-resource-file`
+ * in `openspec-routes.ts`.
+ *
+ * See change: add-openspec-change-grouping (tasks 3.1–3.13).
+ */
+import type { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
+import type { SessionManager } from "../memory-session-manager.js";
+import type { PreferencesStore } from "../preferences-store.js";
+import type { NetworkGuard } from "./route-deps.js";
+import type {
+  ApiResponse,
+  OpenSpecGroupsFile,
+} from "@blackbelt-technology/pi-dashboard-shared/types.js";
+import {
+  ConcurrentEditError,
+  GroupNotFoundError,
+  UnknownGroupIdError,
+  UnsupportedSchemaVersionError,
+  type OpenSpecGroupStore,
+} from "../openspec-group-store.js";
+
+export interface OpenSpecGroupRoutesDeps {
+  sessionManager: SessionManager;
+  preferencesStore: PreferencesStore;
+  networkGuard: NetworkGuard;
+  store: OpenSpecGroupStore;
+}
+
+export function registerOpenSpecGroupRoutes(
+  fastify: FastifyInstance,
+  deps: OpenSpecGroupRoutesDeps,
+): void {
+  const { sessionManager, preferencesStore, networkGuard, store } = deps;
+
+  /**
+   * Validate `cwd` is non-empty AND in the dashboard's known-cwd set
+   * (active or hidden sessions ∪ pinned directories). Returns true when the
+   * reply has been short-circuited; false when the route should proceed.
+   */
+  function rejectInvalidCwd(reply: FastifyReply, cwd: string | undefined): cwd is undefined {
+    if (!cwd) {
+      reply.code(400);
+      reply.send({ success: false, error: "Missing cwd" } satisfies ApiResponse);
+      return true;
+    }
+    const known = new Set<string>();
+    for (const s of sessionManager.listAll()) known.add(s.cwd);
+    for (const d of preferencesStore.getPinnedDirectories()) known.add(d);
+    if (!known.has(cwd)) {
+      reply.code(403);
+      reply.send({ success: false, error: "cwd not allowed" } satisfies ApiResponse);
+      return true;
+    }
+    return false;
+  }
+
+  /** Map known store errors to HTTP status codes. */
+  function handleError(reply: FastifyReply, err: unknown): ApiResponse {
+    if (err instanceof ConcurrentEditError) {
+      reply.code(409);
+      return {
+        success: false,
+        error: "Concurrent edit detected",
+        data: err.current,
+      } satisfies ApiResponse<OpenSpecGroupsFile>;
+    }
+    if (err instanceof UnsupportedSchemaVersionError) {
+      reply.code(422);
+      return { success: false, error: err.message } satisfies ApiResponse;
+    }
+    if (err instanceof GroupNotFoundError) {
+      reply.code(404);
+      return { success: false, error: "Group not found" } satisfies ApiResponse;
+    }
+    if (err instanceof UnknownGroupIdError) {
+      reply.code(422);
+      return { success: false, error: "Unknown groupId" } satisfies ApiResponse;
+    }
+    reply.code(500);
+    const msg = err instanceof Error ? err.message : "internal error";
+    return { success: false, error: msg } satisfies ApiResponse;
+  }
+
+  // ── GET /api/openspec/groups ─────────────────────────────────
+
+  fastify.get<{ Querystring: { cwd?: string } }>(
+    "/api/openspec/groups",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { cwd } = request.query;
+      if (rejectInvalidCwd(reply, cwd)) return;
+      try {
+        const data = await store.read(cwd!);
+        return { success: true, data } satisfies ApiResponse;
+      } catch (err) {
+        return handleError(reply, err);
+      }
+    },
+  );
+
+  // ── POST /api/openspec/groups ────────────────────────────────
+
+  fastify.post<{
+    Querystring: { cwd?: string };
+    Body: { name?: unknown; color?: unknown };
+  }>(
+    "/api/openspec/groups",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { cwd } = request.query;
+      if (rejectInvalidCwd(reply, cwd)) return;
+      const body = request.body ?? {};
+      const name = typeof body.name === "string" ? body.name.trim() : "";
+      if (!name) {
+        reply.code(400);
+        return { success: false, error: "name is required" } satisfies ApiResponse;
+      }
+      const color = typeof body.color === "string" ? body.color : undefined;
+      try {
+        const created = await store.createGroup(cwd!, { name, ...(color !== undefined ? { color } : {}) });
+        reply.code(201);
+        return { success: true, data: created } satisfies ApiResponse;
+      } catch (err) {
+        return handleError(reply, err);
+      }
+    },
+  );
+
+  // ── PATCH /api/openspec/groups/:id ───────────────────────────
+
+  fastify.patch<{
+    Params: { id: string };
+    Querystring: { cwd?: string };
+    Body: { name?: unknown; color?: unknown; order?: unknown };
+  }>(
+    "/api/openspec/groups/:id",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { cwd } = request.query;
+      if (rejectInvalidCwd(reply, cwd)) return;
+      const { id } = request.params;
+      const body = request.body ?? {};
+      const update: { name?: string; color?: string; order?: number } = {};
+      if (body.name !== undefined) {
+        if (typeof body.name !== "string") {
+          reply.code(400);
+          return { success: false, error: "name must be a string" } satisfies ApiResponse;
+        }
+        update.name = body.name;
+      }
+      if (body.color !== undefined) {
+        if (typeof body.color !== "string") {
+          reply.code(400);
+          return { success: false, error: "color must be a string" } satisfies ApiResponse;
+        }
+        update.color = body.color;
+      }
+      if (body.order !== undefined) {
+        if (typeof body.order !== "number" || !Number.isFinite(body.order)) {
+          reply.code(400);
+          return { success: false, error: "order must be a number" } satisfies ApiResponse;
+        }
+        update.order = body.order;
+      }
+      try {
+        const updated = await store.updateGroup(cwd!, id, update);
+        return { success: true, data: updated } satisfies ApiResponse;
+      } catch (err) {
+        return handleError(reply, err);
+      }
+    },
+  );
+
+  // ── DELETE /api/openspec/groups/:id ──────────────────────────
+
+  fastify.delete<{
+    Params: { id: string };
+    Querystring: { cwd?: string };
+  }>(
+    "/api/openspec/groups/:id",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { cwd } = request.query;
+      if (rejectInvalidCwd(reply, cwd)) return;
+      const { id } = request.params;
+      try {
+        await store.deleteGroup(cwd!, id);
+        return { success: true } satisfies ApiResponse;
+      } catch (err) {
+        return handleError(reply, err);
+      }
+    },
+  );
+
+  // ── PUT /api/openspec/groups/assignments ─────────────────────
+
+  fastify.put<{
+    Querystring: { cwd?: string };
+    Body: { changeName?: unknown; groupId?: unknown };
+  }>(
+    "/api/openspec/groups/assignments",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { cwd } = request.query;
+      if (rejectInvalidCwd(reply, cwd)) return;
+      const body = request.body ?? {};
+      if (typeof body.changeName !== "string" || body.changeName.length === 0) {
+        reply.code(400);
+        return { success: false, error: "changeName must be a non-empty string" } satisfies ApiResponse;
+      }
+      if (body.groupId !== null && typeof body.groupId !== "string") {
+        reply.code(400);
+        return { success: false, error: "groupId must be a string or null" } satisfies ApiResponse;
+      }
+      try {
+        await store.setAssignment(cwd!, body.changeName, body.groupId as string | null);
+        return { success: true } satisfies ApiResponse;
+      } catch (err) {
+        return handleError(reply, err);
+      }
+    },
+  );
+
+  // Silence unused-import warning when types are only used at signature level.
+  void (undefined as unknown as FastifyRequest);
+}

package/packages/server/src/routes/provider-auth-routes.ts

@@ -22,6 +22,7 @@ import { getLatestCatalogue } from "../provider-catalogue-cache.js";
 import { startCallbackServer } from "../oauth-callback-server.js";
 import type { PiGateway } from "../pi-gateway.js";
 import type { BrowserGateway } from "../browser-gateway.js";
+import { refreshModelRegistry } from "../model-proxy/registry-singleton.js";
 
 // ── In-memory flow store (short-lived PKCE + device code state) ──────────────
 
@@ -94,6 +95,8 @@ export function registerProviderAuthRoutes(
     // broadcast and update modelsMap / catalogue cache without needing a
     // global wipe. See change: simplify-model-selection-channels.
     piGateway.broadcast({ type: "credentials_updated" });
+    // Eager-refresh model proxy registry so /v1/models reflects the change.
+    refreshModelRegistry().catch(() => {});
   }
 
   // List OAuth providers

package/packages/server/src/routes/provider-routes.ts

@@ -9,6 +9,9 @@ import type { NetworkGuard } from "./route-deps.js";
 import type { PiGateway } from "../pi-gateway.js";
 import type { BrowserGateway } from "../browser-gateway.js";
 import { probeProvider, resolveProbeApiKey, type ProbeApi } from "../provider-probe.js";
+import { refreshModelRegistry } from "../model-proxy/registry-singleton.js";
+import { isSelfPointing, collectDashboardOrigins } from "../model-proxy/recursion-guard.js";
+import { getTunnelUrl } from "../tunnel.js";
 
 const REDACTED = "***";
 const CONFIG_PATH = join(homedir(), ".pi", "agent", "providers.json");
@@ -47,7 +50,7 @@ function redactProviders(
   return redacted;
 }
 
-export function registerProviderRoutes(fastify: FastifyInstance, deps: { networkGuard: NetworkGuard; piGateway?: PiGateway; browserGateway?: BrowserGateway }): void {
+export function registerProviderRoutes(fastify: FastifyInstance, deps: { networkGuard: NetworkGuard; piGateway?: PiGateway; browserGateway?: BrowserGateway; port?: number }): void {
   const { networkGuard, piGateway } = deps;
   fastify.get(
     "/api/providers",
@@ -68,6 +71,23 @@ export function registerProviderRoutes(fastify: FastifyInstance, deps: { network
       }
 
       const incoming = body.providers as Record<string, ProviderEntry>;
+
+      // Recursion guard: reject providers pointing back at the dashboard
+      const dashboardPort = deps.port ?? 8000;
+      const tunnelUrl = getTunnelUrl();
+      const tunnelHostname = tunnelUrl ? new URL(tunnelUrl).hostname : undefined;
+      const origins = collectDashboardOrigins(dashboardPort, { tunnelHostname });
+      for (const [name, entry] of Object.entries(incoming)) {
+        if (entry.baseUrl && isSelfPointing(entry.baseUrl, origins)) {
+          return reply.code(400).send({
+            success: false,
+            code: "RECURSIVE_PROXY",
+            message: `Provider "${name}" baseUrl points back at this dashboard`,
+            offendingBaseUrl: entry.baseUrl,
+          });
+        }
+      }
+
       const existing = readProvidersRaw();
 
       // Merge: preserve redacted apiKey values from existing file
@@ -106,6 +126,9 @@ export function registerProviderRoutes(fastify: FastifyInstance, deps: { network
         piGateway.broadcast({ type: "credentials_updated" });
       }
 
+      // Eager-refresh model proxy registry so /v1/models reflects the change.
+      refreshModelRegistry().catch(() => {});
+
       return { success: true };
     },
   );