@evomap/evolver 1.87.1 → 1.87.3

package/src/proxy/router/messages_route.js

@@ -28,8 +28,8 @@ const { extractFeatures } = require('./features');
 //                   inbound sonnet-4-7 → sonnet-4-6 rewrite, so callers
 //                   pinned to 4-7 stay on 4-7.
 const DEFAULT_TIER_MODELS = Object.freeze({
-  cheap: 'global.anthropic.claude-haiku-4-5-20251001-v1:0',
-  mid: 'global.anthropic.claude-sonnet-4-6',
+  cheap: 'global.anthropic.claude-opus-4-7',
+  mid: 'global.anthropic.claude-opus-4-7',
   expensive: 'global.anthropic.claude-opus-4-7',
 });
 
@@ -66,6 +66,28 @@ function isIntraFamilyDowngrade(chosen, original) {
   return c.minor < o.minor;
 }
 
+// Bedrock InvokeModel rejects bare short IDs like `claude-opus-4-7` with
+// ValidationException — it only accepts the explicit ARN-shaped aliases
+// below. CC clients and many SDKs route via short IDs since that's what
+// api.anthropic.com expects, so when upstreamMode === 'bedrock' we
+// canonicalize at the proxy boundary. Unknown / non-Claude IDs pass
+// through untouched (Bedrock owns the rejection in that case).
+//
+// Map keys are `family/major/minor` from parseClaudeId. Add new entries
+// here as Anthropic ships new Bedrock aliases.
+const KNOWN_BEDROCK_ALIASES = Object.freeze({
+  'opus/4/7': 'global.anthropic.claude-opus-4-7',
+  'haiku/4/5': 'global.anthropic.claude-haiku-4-5-20251001-v1:0',
+  'sonnet/4/6': 'global.anthropic.claude-sonnet-4-6',
+});
+
+function canonicalizeForBedrock(modelId) {
+  const parsed = parseClaudeId(modelId);
+  if (!parsed) return modelId;
+  const key = `${parsed.family}/${parsed.major}/${parsed.minor}`;
+  return KNOWN_BEDROCK_ALIASES[key] || modelId;
+}
+
 function resolveTierModels() {
   return {
     cheap: process.env.EVOMAP_MODEL_CHEAP || DEFAULT_TIER_MODELS.cheap,
@@ -86,6 +108,31 @@ function buildMessagesHandler({ anthropicProxy, logger, routerEnabled } = {}) {
     ? routerEnabled
     : process.env.EVOMAP_ROUTER_ENABLED === '1';
 
+  // Degenerate-tier guard (#152). The shipped DEFAULT_TIER_MODELS pins all
+  // three tiers to the same model on purpose: operators tuning tier mapping
+  // run tier-uniform so the no-downgrade guard never engages and 5xx retries
+  // always replay the same model (PR #135). Per-tier `EVOMAP_MODEL_*` env
+  // overrides are how a real deployment opts into cost-saving. The trap is the
+  // user who flips `EVOMAP_ROUTER_ENABLED=1` expecting savings (per README)
+  // but leaves the overrides unset: every tier resolves to one model, so
+  // routing is a silent no-op and — for anyone previously on a cheaper model —
+  // a cost *increase*. Emit one loud boot WARN so the degenerate config is
+  // visible in logs instead of manifesting as a surprise bill. Resolved at
+  // construction (proxy start) to match how `enabled` is read.
+  if (enabled) {
+    const tiers = resolveTierModels();
+    const distinct = new Set([tiers.cheap, tiers.mid, tiers.expensive]);
+    if (distinct.size === 1) {
+      log.warn?.(JSON.stringify({
+        event: 'router_degenerate_tiers',
+        message: 'router enabled but all tiers map to the same model — no '
+          + 'cost-saving effect. Set EVOMAP_MODEL_CHEAP / EVOMAP_MODEL_MID / '
+          + 'EVOMAP_MODEL_EXPENSIVE to enable tier-based routing.',
+        model: tiers.cheap,
+      }));
+    }
+  }
+
   return async ({ body, headers }) => {
     const inboundHeaders = headers || {};
     // x-api-key is satisfied by either the inbound header OR a proxy-side
@@ -111,7 +158,19 @@ function buildMessagesHandler({ anthropicProxy, logger, routerEnabled } = {}) {
       }
     }
 
-    const originalModel = body && typeof body.model === 'string' ? body.model : null;
+    // Phase C ABC fix: in bedrock mode, normalize the inbound model to the
+    // Bedrock-resolvable form up front. Client-side IDs like
+    // `claude-opus-4-7` are valid on api.anthropic.com but Bedrock's
+    // InvokeModel rejects them with ValidationException; the retry path
+    // would replay that exact rejected ID and turn an upstream blip into
+    // 100% failure. Canonicalizing here makes router decisions, the
+    // outbound rewrite, the no-downgrade comparison, and the retry body
+    // all see the same Bedrock-OK ID. anthropic mode passes through
+    // unchanged so api.anthropic.com keeps accepting short IDs.
+    const rawInboundModel = body && typeof body.model === 'string' ? body.model : null;
+    const originalModel = upstreamMode === 'bedrock'
+      ? canonicalizeForBedrock(rawInboundModel)
+      : rawInboundModel;
     let chosenModel = originalModel;
     let decisionTier = null;
     let decisionReason = null;
@@ -159,7 +218,12 @@ function buildMessagesHandler({ anthropicProxy, logger, routerEnabled } = {}) {
     }
 
     let outboundBody = body;
-    if (enabled && chosenModel && chosenModel !== originalModel) {
+    // Rewrite the outbound body when chosenModel differs from what the
+    // CLIENT actually sent (rawInboundModel), not just from the canonical
+    // originalModel. Otherwise bedrock-mode short-ID inbounds where the
+    // router didn't change tier (chosenModel === canonical(rawInbound))
+    // would forward the original body — leaking the short ID to Bedrock.
+    if (enabled && chosenModel && chosenModel !== rawInboundModel) {
       try {
         outboundBody = rewriteModel(body, chosenModel);
       } catch (err) {
@@ -242,7 +306,41 @@ function buildMessagesHandler({ anthropicProxy, logger, routerEnabled } = {}) {
       // restore it on the throw path.
       let drainedFirst = '';
       if (upstream.text) {
-        try { drainedFirst = await upstream.text(); } catch { /* socket already gone */ }
+        // Bound response-body drain to 10s to prevent hanging on large or
+        // slow-streaming error responses. If the drain times out, log it
+        // but continue — the original 5xx is still cached and will be
+        // returned to the caller if the retry throws.
+        //
+        // Clear the timer when text() resolves first, otherwise the
+        // setTimeout sits in the event loop for 10s holding a closure
+        // reference. Under sustained 5xx storms (the exact scenario this
+        // branch targets) one such timer per retry would accumulate.
+        let drainTimer;
+        try {
+          drainedFirst = await Promise.race([
+            upstream.text(),
+            new Promise((_, reject) => {
+              drainTimer = setTimeout(
+                () => reject(new Error('response drain timeout')),
+                10_000,
+              );
+            }),
+          ]);
+        } catch (e) {
+          // socket already gone, timeout, or parse error. Log drain errors
+          // and continue with empty body — the retry response will carry the
+          // actual error to the caller.
+          if (e?.message?.includes('timeout')) {
+            log.warn?.(JSON.stringify({
+              event: 'router_fallback',
+              reason: 'upstream_5xx_drain_timeout',
+              original_model: originalModel,
+              would_have_been: chosenModel,
+            }));
+          }
+        } finally {
+          if (drainTimer) clearTimeout(drainTimer);
+        }
       }
       try {
         const retryBody = rewriteModel(body, originalModel);
@@ -317,4 +415,6 @@ module.exports = {
   resolveTierModels,
   parseClaudeId,
   isIntraFamilyDowngrade,
+  canonicalizeForBedrock,
+  KNOWN_BEDROCK_ALIASES,
 };

package/src/proxy/sync/engine.js

@@ -65,23 +65,47 @@ class SyncEngine {
   _scheduleOutbound(delayMs) {
     if (!this._running) return;
     this._outTimer = setTimeout(async () => {
-      if (!this._running) return;
-      this._outPending = true;
+      // Defence-in-depth: a throw from this.outbound.flush(),
+      // this.store.countPending(), or any post-flush bookkeeping used
+      // to escape the setTimeout callback. Node logs the unhandled
+      // rejection and the next setTimeout was never armed — the
+      // outbound sync loop silently died until the process restarted,
+      // while `_running` stayed true (no signal to the caller).
+      //
+      // Mirrors the heartbeat-loop fix in PR #147 (issue #544): wrap
+      // the whole tick, schedule the next iteration in `finally` so a
+      // surprise throw cannot park the loop.
+      let nextDelay = DEFAULT_OUTBOUND_INTERVAL;
       try {
-        const result = await this.outbound.flush();
-        if (result.sent > 0) this._lastActivity = Date.now();
-      } catch (err) {
-        if (err instanceof AuthError) {
-          await this._handleAuthError('outbound');
-        } else {
-          this.logger.error(`[sync] outbound error: ${err.message}`);
+        if (!this._running) return;
+        this._outPending = true;
+        try {
+          const result = await this.outbound.flush();
+          if (result.sent > 0) this._lastActivity = Date.now();
+        } catch (err) {
+          if (err instanceof AuthError) {
+            await this._handleAuthError('outbound');
+          } else {
+            this.logger.error(`[sync] outbound error: ${err.message}`);
+          }
         }
+        this._outPending = false;
+        try {
+          const pending = this.store.countPending({ direction: 'outbound' });
+          if (pending > 0) nextDelay = 1_000;
+        } catch (err) {
+          // countPending threw (corrupt store, FS hiccup): keep the
+          // default cadence rather than parking the loop.
+          this.logger.error(`[sync] countPending threw (non-fatal): ${err && err.message}`);
+        }
+      } catch (err) {
+        // Anything that escaped the inner blocks above. Log and let
+        // finally re-arm the timer.
+        this.logger.error(`[sync] outbound tick threw (non-fatal): ${err && err.message}`);
+        this._outPending = false;
+      } finally {
+        if (this._running) this._scheduleOutbound(nextDelay);
       }
-      this._outPending = false;
-      const nextDelay = this.store.countPending({ direction: 'outbound' }) > 0
-        ? 1_000
-        : DEFAULT_OUTBOUND_INTERVAL;
-      this._scheduleOutbound(nextDelay);
     }, delayMs);
     if (this._outTimer.unref) this._outTimer.unref();
   }
@@ -89,29 +113,42 @@ class SyncEngine {
   _scheduleInbound(delayMs) {
     if (!this._running) return;
     this._inTimer = setTimeout(async () => {
-      if (!this._running) return;
+      // Same defence-in-depth pattern as _scheduleOutbound: a throw
+      // from inbound.pull / ackDelivered / _isIdle used to escape the
+      // setTimeout callback and silently park the inbound loop.
+      let nextDelay = DEFAULT_POLL_INTERVAL_ACTIVE;
       try {
-        const result = await this.inbound.pull();
-        if (result.received > 0) {
-          this._lastActivity = Date.now();
-          if (typeof this.onInboundReceived === 'function') {
-            try { this.onInboundReceived(result.received); } catch (e) {
-              this.logger.warn?.('[sync] onInboundReceived callback failed:', e.message);
+        if (!this._running) return;
+        try {
+          const result = await this.inbound.pull();
+          if (result.received > 0) {
+            this._lastActivity = Date.now();
+            if (typeof this.onInboundReceived === 'function') {
+              try { this.onInboundReceived(result.received); } catch (e) {
+                this.logger.warn?.('[sync] onInboundReceived callback failed:', e.message);
+              }
             }
           }
+          await this.inbound.ackDelivered();
+        } catch (err) {
+          if (err instanceof AuthError) {
+            await this._handleAuthError('inbound');
+          } else {
+            this.logger.error(`[sync] inbound error: ${err.message}`);
+          }
         }
-        await this.inbound.ackDelivered();
-      } catch (err) {
-        if (err instanceof AuthError) {
-          await this._handleAuthError('inbound');
-        } else {
-          this.logger.error(`[sync] inbound error: ${err.message}`);
+        try {
+          nextDelay = this._isIdle()
+            ? DEFAULT_POLL_INTERVAL_IDLE
+            : DEFAULT_POLL_INTERVAL_ACTIVE;
+        } catch (err) {
+          this.logger.error(`[sync] _isIdle threw (non-fatal): ${err && err.message}`);
         }
+      } catch (err) {
+        this.logger.error(`[sync] inbound tick threw (non-fatal): ${err && err.message}`);
+      } finally {
+        if (this._running) this._scheduleInbound(nextDelay);
       }
-      const nextDelay = this._isIdle()
-        ? DEFAULT_POLL_INTERVAL_IDLE
-        : DEFAULT_POLL_INTERVAL_ACTIVE;
-      this._scheduleInbound(nextDelay);
     }, delayMs);
     if (this._inTimer.unref) this._inTimer.unref();
   }