@vellumai/assistant 0.8.3 → 0.8.4

package/src/providers/anthropic/client.ts

@@ -537,6 +537,55 @@ function formatOrphanedWebSearchResultAsText(block: {
  *
  * Builds a fresh result array without mutating the input.
  */
+/**
+ * Find the start index of the active tool-use continuation span at the tail
+ * of the formatted message array. Messages from this index onward may contain
+ * thinking blocks that must be preserved for Anthropic's tool-use protocol.
+ *
+ * The active span is the trailing sequence of alternating
+ * assistant(tool_use) → user(tool_result) messages. Everything before it is
+ * a completed historical turn whose thinking blocks can be safely stripped.
+ *
+ * Returns `messages.length` when there is no active tool-use continuation
+ * (i.e. all messages are historical — strip thinking from everything).
+ */
+function findActiveToolUseContinuationStart(
+  messages: Anthropic.MessageParam[],
+): number {
+  // Walk backwards from the end. The tail pattern we're looking for is:
+  //   ... assistant(tool_use) user(tool_result) [assistant(tool_use) user(tool_result)]* ...
+  // The last message is typically a user message (the new prompt), so if it
+  // doesn't contain tool_result blocks, there's no active continuation.
+  let i = messages.length - 1;
+
+  while (i >= 0) {
+    const msg = messages[i];
+    if (msg.role === "user") {
+      const content = Array.isArray(msg.content) ? msg.content : [];
+      const hasToolResult = content.some(
+        (b) => typeof b !== "string" && isToolResultBlock(b),
+      );
+      if (!hasToolResult) break;
+      // This user message has tool_result — the preceding assistant message
+      // should have the matching tool_use and its thinking blocks preserved.
+      i--;
+    } else if (msg.role === "assistant") {
+      const content = Array.isArray(msg.content) ? msg.content : [];
+      const hasToolUse = content.some(
+        (b) => typeof b !== "string" && isToolUseBlock(b),
+      );
+      if (!hasToolUse) break;
+      // This assistant message has tool_use — it's part of the active span.
+      // Check if the preceding user message continues the chain.
+      i--;
+    } else {
+      break;
+    }
+  }
+
+  return i + 1;
+}
+
 function ensureToolPairing(
   messages: Anthropic.MessageParam[],
 ): Anthropic.MessageParam[] {
@@ -925,10 +974,32 @@ export class AnthropicProvider implements Provider {
         }
       }
 
-      // Thinking blocks are stripped at rest by DB migration 209 so
-      // historical messages are clean when loaded. Within a turn,
-      // assistant messages have original thinking with valid signatures
-      // — the API accepts them. No provider-side stripping needed.
+      // Strip thinking/redacted_thinking blocks from completed historical
+      // assistant turns. Anthropic only requires these blocks for active
+      // tool-use continuation (the tail span where assistant tool_use is
+      // followed by user tool_result). Replaying stale thinking blocks from
+      // earlier turns causes 400 errors when the signature is no longer
+      // valid (e.g. after a provider/model/profile switch).
+      const activeToolUseStart =
+        findActiveToolUseContinuationStart(formatted);
+      for (let i = 0; i < activeToolUseStart; i++) {
+        const msg = formatted[i];
+        if (msg.role !== "assistant" || !Array.isArray(msg.content)) continue;
+        const stripped = (
+          msg.content as Anthropic.ContentBlockParam[]
+        ).filter(
+          (b) =>
+            typeof b === "string" ||
+            (b.type !== "thinking" && b.type !== "redacted_thinking"),
+        );
+        if (stripped.length === 0) {
+          stripped.push({
+            type: "text" as const,
+            text: PLACEHOLDER_BLOCKS_OMITTED,
+          });
+        }
+        formatted[i] = { ...msg, content: stripped };
+      }
 
       sentMessages = ensureToolPairing(
         repairOrphanedServerToolBlocks(formatted),
@@ -1274,6 +1345,19 @@ export class AnthropicProvider implements Provider {
         let lastInputJsonEmitMs = 0;
         let pendingInputJsonFlush: ReturnType<typeof setTimeout> | undefined;
 
+        // Anthropic streams `server_tool_use` block input via `input_json_delta`
+        // events (the block's own `input` field is `{}` at content_block_start).
+        // We accumulate the JSON separately from regular `tool_use` blocks so
+        // the daemon can read the resolved query when the paired
+        // `web_search_tool_result` arrives — without this, downstream activity
+        // metadata sees an empty query.
+        let currentServerToolUseId: string | undefined;
+        let accumulatedServerToolInputJson = "";
+        const resolvedServerToolInputs = new Map<
+          string,
+          Record<string, unknown>
+        >();
+
         stream.on("streamEvent", (event) => {
           // Reset the text sentinel buffer at each content-block boundary.
           // A new block starts fresh; at the end of a block, flush any
@@ -1300,6 +1384,8 @@ export class AnthropicProvider implements Provider {
             event.type === "content_block_start" &&
             event.content_block.type === "server_tool_use"
           ) {
+            currentServerToolUseId = event.content_block.id;
+            accumulatedServerToolInputJson = "";
             onEvent?.({
               type: "server_tool_start",
               name: event.content_block.name,
@@ -1315,11 +1401,21 @@ export class AnthropicProvider implements Provider {
           ) {
             const block = event.content_block as {
               tool_use_id: string;
-              content?: { type: "web_search_tool_result_error" } | unknown[];
+              content?:
+                | { type: "web_search_tool_result_error"; error_code?: string }
+                | unknown[];
             };
             const isError =
               !Array.isArray(block.content) &&
               block.content?.type === "web_search_tool_result_error";
+            const errorCode =
+              isError && !Array.isArray(block.content)
+                ? block.content?.error_code
+                : undefined;
+            const resolvedInput = resolvedServerToolInputs.get(
+              block.tool_use_id,
+            );
+            resolvedServerToolInputs.delete(block.tool_use_id);
             onEvent?.({
               type: "server_tool_complete",
               toolUseId: block.tool_use_id,
@@ -1327,6 +1423,8 @@ export class AnthropicProvider implements Provider {
               ...(Array.isArray(block.content)
                 ? { content: block.content }
                 : {}),
+              ...(resolvedInput ? { resolvedInput } : {}),
+              ...(errorCode ? { errorCode } : {}),
             });
           }
           if (event.type === "content_block_stop") {
@@ -1345,6 +1443,25 @@ export class AnthropicProvider implements Provider {
             currentStreamingToolName = undefined;
             currentStreamingToolUseId = undefined;
             accumulatedInputJson = "";
+            // Finalize the resolved input for a `server_tool_use` block (e.g.
+            // the actual web-search query) so the paired `web_search_tool_result`
+            // emits `server_tool_complete` with `resolvedInput` populated.
+            if (currentServerToolUseId && accumulatedServerToolInputJson) {
+              try {
+                const parsed = JSON.parse(accumulatedServerToolInputJson);
+                if (parsed && typeof parsed === "object") {
+                  resolvedServerToolInputs.set(
+                    currentServerToolUseId,
+                    parsed as Record<string, unknown>,
+                  );
+                }
+              } catch {
+                // Malformed partial JSON — drop silently; downstream falls
+                // back to whatever was captured at server_tool_start.
+              }
+            }
+            currentServerToolUseId = undefined;
+            accumulatedServerToolInputJson = "";
             // Flush residual text buffer unless it's exactly a sentinel.
             if (textBuffer.length > 0 && !isCompleteSentinel(textBuffer)) {
               onEvent?.({ type: "text_delta", text: textBuffer });
@@ -1354,6 +1471,13 @@ export class AnthropicProvider implements Provider {
         });
 
         stream.on("inputJson", (partialJson) => {
+          if (currentServerToolUseId) {
+            // Server-tool input (e.g. `web_search` query) — accumulate without
+            // emitting `input_json_delta`; the daemon only consumes the
+            // finalized value from `server_tool_complete.resolvedInput`.
+            accumulatedServerToolInputJson += partialJson;
+            return;
+          }
           if (!currentStreamingToolName) return;
           accumulatedInputJson += partialJson;
           const now = Date.now();
@@ -1544,6 +1668,9 @@ export class AnthropicProvider implements Provider {
       case "text":
         return { type: "text", text: block.text };
       case "thinking":
+        if (!block.signature) {
+          return null;
+        }
         return {
           type: "thinking",
           thinking: block.thinking,

package/src/providers/fireworks/client.ts

@@ -1,3 +1,4 @@
+import { PROVIDER_CATALOG } from "../model-catalog.js";
 import { OpenAIChatCompletionsProvider } from "../openai/chat-completions-provider.js";
 
 export interface FireworksProviderOptions {
@@ -8,6 +9,15 @@ export interface FireworksProviderOptions {
 
 const DEFAULT_FIREWORKS_BASE_URL = "https://api.fireworks.ai/inference/v1";
 
+const FIREWORKS_MODEL_EFFORT_CEILINGS: ReadonlyMap<
+  string,
+  "high" | "xhigh" | "max"
+> = new Map(
+  PROVIDER_CATALOG.find((p) => p.id === "fireworks")?.models.flatMap((m) =>
+    m.maxEffort ? ([[m.id, m.maxEffort]] as const) : [],
+  ) ?? [],
+);
+
 export class FireworksProvider extends OpenAIChatCompletionsProvider {
   constructor(
     apiKey: string,
@@ -19,9 +29,17 @@ export class FireworksProvider extends OpenAIChatCompletionsProvider {
       providerName: "fireworks",
       providerLabel: "Fireworks",
       streamTimeoutMs: options.streamTimeoutMs,
-      // Fireworks' OpenAI-compatible chat-completions API documents only
-      // low|medium|high for reasoning_effort; sending "xhigh" 4xxs upstream.
+      // Fallback for models not declared in the catalog. Most Fireworks
+      // chat-completions models only document `low|medium|high`; per-model
+      // overrides (e.g. DeepSeek V4 → "max") come from
+      // {@link resolveMaxReasoningEffort}.
       maxReasoningEffort: "high",
     });
   }
+
+  protected override resolveMaxReasoningEffort(
+    model: string,
+  ): "high" | "xhigh" | "max" {
+    return FIREWORKS_MODEL_EFFORT_CEILINGS.get(model) ?? "high";
+  }
 }

package/src/providers/inference/__tests__/base-url-route-validation.test.ts

@@ -0,0 +1,342 @@
+/**
+ * Route-level validation tests for base_url provider-type gate and SSRF
+ * protection on inference provider connections.
+ *
+ * These tests exercise the POST (create) and PATCH (update) route handlers
+ * with mocked DB, config, and DNS resolution.
+ */
+import { Database } from "bun:sqlite";
+import { describe, expect, mock, test } from "bun:test";
+
+import { drizzle } from "drizzle-orm/bun-sqlite";
+
+import { migrateCreateProviderConnections } from "../../../memory/migrations/243-provider-connections.js";
+import { migrateProviderConnectionStatusLabel } from "../../../memory/migrations/244-provider-connection-status-label.js";
+import { migrateProviderConnectionBaseUrlAndModels } from "../../../memory/migrations/250-provider-connection-base-url-and-models.js";
+import * as schema from "../../../memory/schema.js";
+
+function createTestDb() {
+  const sqlite = new Database(":memory:");
+  sqlite.exec("PRAGMA journal_mode=WAL");
+  return drizzle(sqlite, { schema });
+}
+
+function bootDb() {
+  const db = createTestDb();
+  migrateCreateProviderConnections(db);
+  migrateProviderConnectionStatusLabel(db);
+  migrateProviderConnectionBaseUrlAndModels(db);
+  return db;
+}
+
+// Create and hold a test DB; the mock returns it from getDb().
+const testDb = bootDb();
+
+mock.module("../../../memory/db-connection.js", () => ({
+  getDb: () => testDb,
+}));
+
+mock.module("../../../config/assistant-feature-flags.js", () => ({
+  isAssistantFeatureFlagEnabled: (flag: string) =>
+    flag === "openai-compatible-endpoints",
+}));
+
+mock.module("../../../config/loader.js", () => ({
+  getConfig: () => ({ llm: {} }),
+  getConfigReadOnly: () => ({ llm: {} }),
+}));
+
+// Mock DNS resolution: all hostnames resolve to a public IP by default.
+// Tests that need private-IP resolution override this per-test.
+let mockResolvedAddresses: string[] = ["93.184.216.34"];
+
+// Import the real url-safety module for use inside the mock.
+const {
+  isPrivateOrLocalHost: realIsPrivateOrLocalHost,
+  isPrivateIPv4,
+  isPrivateIPv6,
+  isIPv4,
+  isIPv6,
+  parseUrl,
+  unwrapBracketedHostname,
+  extractEmbeddedIPv4FromIPv6,
+  looksLikeHostPortShorthand,
+  looksLikePathOnlyInput,
+  buildHostHeader,
+  stripUrlUserinfo,
+  sanitizeUrlForOutput,
+  sanitizeUrlStringForOutput,
+} = await import("../../../tools/network/url-safety.js");
+
+mock.module("../../../tools/network/url-safety.js", () => ({
+  isPrivateOrLocalHost: realIsPrivateOrLocalHost,
+  isPrivateIPv4,
+  isPrivateIPv6,
+  isIPv4,
+  isIPv6,
+  parseUrl,
+  unwrapBracketedHostname,
+  extractEmbeddedIPv4FromIPv6,
+  looksLikeHostPortShorthand,
+  looksLikePathOnlyInput,
+  buildHostHeader,
+  stripUrlUserinfo,
+  sanitizeUrlForOutput,
+  sanitizeUrlStringForOutput,
+  resolveHostAddresses: async () => mockResolvedAddresses,
+  resolveRequestAddress: async (
+    hostname: string,
+    _resolveHost: unknown,
+    allowPrivateNetwork: boolean,
+  ) => {
+    if (!allowPrivateNetwork && realIsPrivateOrLocalHost(hostname)) {
+      return { addresses: [], blockedAddress: hostname };
+    }
+    const addresses = mockResolvedAddresses;
+    if (!allowPrivateNetwork) {
+      for (const addr of addresses) {
+        if (realIsPrivateOrLocalHost(addr)) {
+          return { addresses: [], blockedAddress: addr };
+        }
+      }
+    }
+    return { addresses };
+  },
+}));
+
+const { ROUTES } = await import(
+  "../../../runtime/routes/inference-provider-connection-routes.js"
+);
+
+const handleCreate = ROUTES.find(
+  (r) => r.operationId === "inference_provider_connections_create",
+)!.handler;
+
+const handleUpdate = ROUTES.find(
+  (r) => r.operationId === "inference_provider_connections_update",
+)!.handler;
+
+// ---------------------------------------------------------------------------
+// Provider-type gate: base_url rejected for non-openai-compatible providers
+// ---------------------------------------------------------------------------
+
+describe("base_url provider-type gate (create)", () => {
+  test("rejects base_url on anthropic provider", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "exfil-anthropic",
+          provider: "anthropic",
+          auth: { type: "api_key", credential: "cred-exfil" },
+          base_url: "https://evil.example.com/v1",
+        },
+      }),
+    ).rejects.toThrow(/base_url is only valid for openai-compatible/);
+  });
+
+  test("rejects base_url on openai provider", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "exfil-openai",
+          provider: "openai",
+          auth: { type: "api_key", credential: "cred-exfil" },
+          base_url: "https://evil.example.com/v1",
+        },
+      }),
+    ).rejects.toThrow(/base_url is only valid for openai-compatible/);
+  });
+
+  test("rejects base_url on gemini provider", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "exfil-gemini",
+          provider: "gemini",
+          auth: { type: "api_key", credential: "cred-exfil" },
+          base_url: "https://evil.example.com/v1",
+        },
+      }),
+    ).rejects.toThrow(/base_url is only valid for openai-compatible/);
+  });
+
+  test("accepts base_url on openai-compatible provider", async () => {
+    mockResolvedAddresses = ["93.184.216.34"];
+    const result = await handleCreate({
+      body: {
+        name: "valid-oai-compat",
+        provider: "openai-compatible",
+        auth: { type: "api_key", credential: "cred-vllm" },
+        base_url: "https://my-vllm.example.com/v1",
+        models: [{ id: "my-model" }],
+      },
+    });
+    expect(result).toBeDefined();
+    expect((result as { baseUrl: string }).baseUrl).toBe(
+      "https://my-vllm.example.com/v1",
+    );
+  });
+
+  test("allows null base_url on non-openai-compatible provider", async () => {
+    // Setting base_url to null is always allowed (it's a no-op clear).
+    const result = await handleCreate({
+      body: {
+        name: "null-baseurl-anthropic",
+        provider: "anthropic",
+        auth: { type: "api_key", credential: "cred-test" },
+        base_url: null,
+      },
+    });
+    expect(result).toBeDefined();
+    expect((result as { baseUrl: string | null }).baseUrl).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// SSRF protection: private/local network addresses blocked
+// ---------------------------------------------------------------------------
+
+describe("base_url SSRF protection (create)", () => {
+  test("rejects private IP (192.168.x.x)", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-private-ip",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://192.168.1.1/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects localhost", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-localhost",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://localhost:8080/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects 0.0.0.0", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-zero",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://0.0.0.0:8080/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects 10.x.x.x", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-ten",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://10.0.0.1/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects 127.0.0.1", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-loopback",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://127.0.0.1:8080/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects metadata.google.internal", async () => {
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-metadata",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "http://metadata.google.internal/computeMetadata/v1/",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/private or local network/);
+  });
+
+  test("rejects hostname that resolves to a private IP", async () => {
+    mockResolvedAddresses = ["10.0.0.5"];
+    await expect(
+      handleCreate({
+        body: {
+          name: "ssrf-dns-rebind",
+          provider: "openai-compatible",
+          auth: { type: "api_key", credential: "cred-ssrf" },
+          base_url: "https://dns-rebind.example.com/v1",
+          models: [{ id: "m" }],
+        },
+      }),
+    ).rejects.toThrow(/resolves to a private network/);
+  });
+
+  test("accepts a valid public URL", async () => {
+    mockResolvedAddresses = ["93.184.216.34"];
+    const result = await handleCreate({
+      body: {
+        name: "valid-public-url",
+        provider: "openai-compatible",
+        auth: { type: "api_key", credential: "cred-valid" },
+        base_url: "https://api.example.com/v1",
+        models: [{ id: "my-model" }],
+      },
+    });
+    expect(result).toBeDefined();
+    expect((result as { baseUrl: string }).baseUrl).toBe(
+      "https://api.example.com/v1",
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Update handler: base_url validation on existing connections
+// ---------------------------------------------------------------------------
+
+describe("base_url provider-type gate (update)", () => {
+  test("rejects adding base_url to an existing anthropic connection", async () => {
+    // Seed a connection first.
+    await handleCreate({
+      body: {
+        name: "update-test-anthropic",
+        provider: "anthropic",
+        auth: { type: "api_key", credential: "cred-update" },
+      },
+    });
+
+    await expect(
+      handleUpdate({
+        pathParams: { name: "update-test-anthropic" },
+        body: {
+          auth: { type: "api_key", credential: "cred-update" },
+          base_url: "https://evil.example.com/v1",
+        },
+      }),
+    ).rejects.toThrow(/base_url is only valid for openai-compatible/);
+  });
+});