github-router 0.3.36 → 0.3.37

package/dist/main.js

@@ -3055,10 +3055,11 @@ async function bridgeCall(endpoint, tool, args, timeoutMs, signal) {
 		const id = randomUUID();
 		const ws = new WebSocket(`ws://127.0.0.1:${endpoint.port}`, { headers: { authorization: `Bearer ${endpoint.token}` } });
 		let settled = false;
+		let timer = void 0;
 		const finish = (fn) => {
 			if (settled) return;
 			settled = true;
-			clearTimeout(timer);
+			if (timer !== void 0) clearTimeout(timer);
 			if (signal) signal.removeEventListener("abort", onAbort);
 			try {
 				ws.close();
@@ -3073,7 +3074,7 @@ async function bridgeCall(endpoint, tool, args, timeoutMs, signal) {
 			}
 			signal.addEventListener("abort", onAbort, { once: true });
 		}
-		const timer = setTimeout(() => finish(() => reject(/* @__PURE__ */ new Error(`timeout after ${timeoutMs}ms`))), timeoutMs);
+		timer = setTimeout(() => finish(() => reject(/* @__PURE__ */ new Error(`timeout after ${timeoutMs}ms`))), timeoutMs);
 		ws.on("open", () => {
 			if (settled) {
 				try {
@@ -5181,6 +5182,117 @@ async function acquireWorkerSlot(signal) {
 	};
 }
 
+//#endregion
+//#region src/lib/diagnose-response.ts
+const PREVIEW_LIMIT = 200;
+async function parseJsonOrDiagnose(response, routePath) {
+	const cloned = response.clone();
+	try {
+		return await response.json();
+	} catch (error) {
+		const contentType = response.headers.get("content-type") ?? "(none)";
+		const bodyText = await cloned.text().catch(() => "(unreadable)");
+		const preview = bodyText.length > PREVIEW_LIMIT ? bodyText.slice(0, PREVIEW_LIMIT) + "...(truncated)" : bodyText;
+		consola.error(`Upstream JSON parse failed at ${routePath}: status=${response.status} content-type="${contentType}" body[0..${PREVIEW_LIMIT}]=${JSON.stringify(preview)}`);
+		throw error;
+	}
+}
+
+//#endregion
+//#region src/lib/response-cap.ts
+/**
+* Hard byte cap for non-streaming upstream response bodies.
+*
+* Anthropic responses with large tool_use blocks can legitimately reach
+* several MB, but a multi-GB body is either a buggy upstream or a malicious
+* one. Buffering it would OOM the proxy and crash all in-flight requests.
+*
+* Applies to /v1/messages, /v1/chat/completions, and /v1/responses.
+*/
+const MAX_RESPONSE_BODY_BYTES = 10 * 1024 * 1024;
+/**
+* Read a Response body with a hard byte cap, then parse as JSON.
+*
+* Falls back to the fast path (response.json()) when Content-Length is
+* present and within the cap, avoiding the streaming-reader overhead for
+* the vast majority of normal responses.
+*
+* When the cap is hit:
+*   - the reader is cancelled to release the upstream socket
+*   - a structured Anthropic-format error is returned to the caller
+*     (the caller wraps it in c.json(), not throws — the client gets a
+*     clean 413 error, not an unhandled-rejection crash)
+*
+* Returns `{ ok: true, value }` on success or `{ ok: false, errorResponse, status }`
+* on cap exceeded.
+*/
+async function readResponseBodyCapped(response, routePath, capBytes = MAX_RESPONSE_BODY_BYTES) {
+	const contentLengthHeader = response.headers.get("content-length");
+	const contentLength = contentLengthHeader ? parseInt(contentLengthHeader, 10) : NaN;
+	if (!isNaN(contentLength) && contentLength <= capBytes) return {
+		ok: true,
+		value: await parseJsonOrDiagnose(response, routePath)
+	};
+	const reader = response.body?.getReader();
+	if (!reader) return {
+		ok: true,
+		value: await parseJsonOrDiagnose(response, routePath)
+	};
+	const chunks = [];
+	let totalBytes = 0;
+	let capped = false;
+	try {
+		while (true) {
+			const { done, value } = await reader.read();
+			if (done) break;
+			if (!value) continue;
+			totalBytes += value.byteLength;
+			if (totalBytes > capBytes) {
+				capped = true;
+				try {
+					await reader.cancel("size_cap");
+				} catch {}
+				break;
+			}
+			chunks.push(value);
+		}
+	} catch (err) {
+		if (!capped) consola.warn(`readResponseBodyCapped: read error at ${routePath}:`, err);
+	}
+	if (capped) {
+		consola.warn(`Non-streaming upstream response at ${routePath} exceeded ${capBytes} bytes (10 MiB cap); dropping body to prevent OOM. Check upstream health.`);
+		return {
+			ok: false,
+			status: 502,
+			errorResponse: {
+				type: "error",
+				error: {
+					type: "api_error",
+					message: `Upstream response body exceeded the 10 MiB size cap for non-streaming ${routePath}. The upstream may be misbehaving. Try enabling streaming (stream: true) which handles large responses chunk-by-chunk.`
+				}
+			}
+		};
+	}
+	const merged = new Uint8Array(totalBytes);
+	let offset = 0;
+	for (const chunk of chunks) {
+		merged.set(chunk, offset);
+		offset += chunk.byteLength;
+	}
+	const text = new TextDecoder().decode(merged);
+	try {
+		return {
+			ok: true,
+			value: JSON.parse(text)
+		};
+	} catch (err) {
+		const preview = text.slice(0, 200);
+		const contentType = response.headers.get("content-type") ?? "(none)";
+		consola.error(`Upstream JSON parse failed at ${routePath}: status=${response.status} content-type="${contentType}" body[0..200]=${JSON.stringify(preview)}`);
+		throw err;
+	}
+}
+
 //#endregion
 //#region src/services/copilot/create-chat-completions.ts
 const createChatCompletions = async (payload, modelHeaders, callerSignal) => {
@@ -5222,7 +5334,12 @@ const createChatCompletions = async (payload, modelHeaders, callerSignal) => {
 		}));
 	}
 	if (payload.stream) return events(response);
-	return await response.json();
+	const cappedResult = await readResponseBodyCapped(response, "/v1/chat/completions", MAX_RESPONSE_BODY_BYTES);
+	if (!cappedResult.ok) throw new HTTPError("Upstream /v1/chat/completions response exceeded 10 MiB size cap", new Response(JSON.stringify(cappedResult.errorResponse), {
+		status: cappedResult.status,
+		headers: { "content-type": "application/json" }
+	}));
+	return cappedResult.value;
 };
 
 //#endregion
@@ -5883,7 +6000,12 @@ const createResponses = async (payload, modelHeaders, callerSignal) => {
 		throw new HTTPError("Failed to create responses", response);
 	}
 	if (payload.stream) return events(response);
-	return await response.json();
+	const cappedResult = await readResponseBodyCapped(response, "/v1/responses", MAX_RESPONSE_BODY_BYTES);
+	if (!cappedResult.ok) throw new HTTPError("Upstream /v1/responses response exceeded 10 MiB size cap", new Response(JSON.stringify(cappedResult.errorResponse), {
+		status: cappedResult.status,
+		headers: { "content-type": "application/json" }
+	}));
+	return cappedResult.value;
 };
 function detectVision(input) {
 	if (typeof input === "string") return false;
@@ -6847,6 +6969,34 @@ async function readWithInactivityTimeout(reader, timeoutMs) {
 	}
 }
 /**
+* Race an `AsyncIterableIterator.next()` call against an inactivity timeout.
+*
+* Follows the same pattern as `readWithInactivityTimeout` (including the
+* noop catcher to avoid Node 24 unhandled-rejection crashes) but works
+* with typed iterators that yield parsed objects rather than raw bytes.
+*
+* On timeout, throws an `InactivityTimeout` error (same classification as
+* the byte-reader variant — surfaced to the consumer as `timeout_error` via
+* `buildOpenAIErrorEvent`).
+*
+* @param iterator - An AsyncIterableIterator whose `.next()` we want to race.
+* @param timeoutMs - Milliseconds before the timeout fires.
+*/
+async function readIteratorWithTimeout(iterator, timeoutMs) {
+	let timeoutHandle;
+	const timeoutPromise = new Promise((_, reject) => {
+		timeoutHandle = setTimeout(() => {
+			reject(Object.assign(/* @__PURE__ */ new Error("upstream_inactive"), { name: "InactivityTimeout" }));
+		}, timeoutMs);
+	});
+	timeoutPromise.catch(() => {});
+	try {
+		return await Promise.race([iterator.next(), timeoutPromise]);
+	} finally {
+		if (timeoutHandle !== void 0) clearTimeout(timeoutHandle);
+	}
+}
+/**
 * Build the SSE wire bytes for an Anthropic-format streaming error event.
 * Per Anthropic streaming spec, errors are sent as:
 *   event: error
@@ -7162,7 +7312,7 @@ function sseEvent(type, data) {
 function buildAdvisorStream(opts) {
 	const advisorModel = opts.advisorModel ?? ADVISOR_DEFAULT_MODEL;
 	const advisorEffort = opts.advisorEffort ?? ADVISOR_DEFAULT_EFFORT;
-	const aborter = new AbortController();
+	const aborter = opts.externalAborter ?? new AbortController();
 	let conversation = [...opts.initialConversation];
 	return new ReadableStream({
 		async start(controller) {
@@ -10948,7 +11098,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version = "0.3.36";
+var version = "0.3.37";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -11365,7 +11515,7 @@ async function handleCompletion$1(c) {
 		return c.json(response);
 	}
 	const iterator = response[Symbol.asyncIterator]();
-	const firstResult = await iterator.next();
+	const firstResult = await readIteratorWithTimeout(iterator, UPSTREAM_INACTIVITY_TIMEOUT_MS);
 	if (firstResult.done) consola.warn(`Upstream /chat/completions returned an empty stream at ${c.req.path}`);
 	let pendingFirstChunk = firstResult.done ? void 0 : firstResult.value;
 	let upstreamFinished = firstResult.done;
@@ -11405,7 +11555,7 @@ async function handleCompletion$1(c) {
 				return;
 			}
 			try {
-				const result = await iterator.next();
+				const result = await readIteratorWithTimeout(iterator, UPSTREAM_INACTIVITY_TIMEOUT_MS);
 				if (consumerCancelled) {
 					safeClose(controller);
 					return;
@@ -11726,22 +11876,6 @@ function sanitizeAnthropicBody(rawBody) {
 	return JSON.stringify(parsed);
 }
 
-//#endregion
-//#region src/lib/diagnose-response.ts
-const PREVIEW_LIMIT = 200;
-async function parseJsonOrDiagnose(response, routePath) {
-	const cloned = response.clone();
-	try {
-		return await response.json();
-	} catch (error) {
-		const contentType = response.headers.get("content-type") ?? "(none)";
-		const bodyText = await cloned.text().catch(() => "(unreadable)");
-		const preview = bodyText.length > PREVIEW_LIMIT ? bodyText.slice(0, PREVIEW_LIMIT) + "...(truncated)" : bodyText;
-		consola.error(`Upstream JSON parse failed at ${routePath}: status=${response.status} content-type="${contentType}" body[0..${PREVIEW_LIMIT}]=${JSON.stringify(preview)}`);
-		throw error;
-	}
-}
-
 //#endregion
 //#region src/routes/messages/count-tokens-handler.ts
 const isWebSearchTool$1 = (tool) => typeof tool.type === "string" && tool.type.startsWith("web_search") || tool.name === "web_search";
@@ -11912,89 +12046,6 @@ function stripAnthropicOnlyFields$1(body) {
 
 //#endregion
 //#region src/routes/messages/handler.ts
-const NON_STREAMING_BODY_CAP_BYTES = 10 * 1024 * 1024;
-/**
-* Read a Response body with a hard byte cap, then parse as JSON.
-*
-* Falls back to the fast path (response.json()) when Content-Length is
-* present and within the cap, avoiding the streaming-reader overhead for
-* the vast majority of normal responses.
-*
-* When the cap is hit:
-*   - the reader is cancelled to release the upstream socket
-*   - a structured Anthropic-format error is returned to the caller
-*     (the caller wraps it in c.json(), not throws — the client gets a
-*     clean 413 error, not an unhandled-rejection crash)
-*
-* Returns `{ ok: true, value }` on success or `{ ok: false, errorResponse }`
-* on cap exceeded.
-*/
-async function readResponseBodyCapped(response, routePath, capBytes) {
-	const contentLengthHeader = response.headers.get("content-length");
-	const contentLength = contentLengthHeader ? parseInt(contentLengthHeader, 10) : NaN;
-	if (!isNaN(contentLength) && contentLength <= capBytes) return {
-		ok: true,
-		value: await parseJsonOrDiagnose(response, routePath)
-	};
-	const reader = response.body?.getReader();
-	if (!reader) return {
-		ok: true,
-		value: await parseJsonOrDiagnose(response, routePath)
-	};
-	const chunks = [];
-	let totalBytes = 0;
-	let capped = false;
-	try {
-		while (true) {
-			const { done, value } = await reader.read();
-			if (done) break;
-			if (!value) continue;
-			totalBytes += value.byteLength;
-			if (totalBytes > capBytes) {
-				capped = true;
-				try {
-					await reader.cancel("size_cap");
-				} catch {}
-				break;
-			}
-			chunks.push(value);
-		}
-	} catch (err) {
-		if (!capped) consola.warn(`readResponseBodyCapped: read error at ${routePath}:`, err);
-	}
-	if (capped) {
-		consola.warn(`Non-streaming upstream response at ${routePath} exceeded ${capBytes} bytes (10 MiB cap); dropping body to prevent OOM. Check upstream health.`);
-		return {
-			ok: false,
-			status: 502,
-			errorResponse: {
-				type: "error",
-				error: {
-					type: "api_error",
-					message: "Upstream response body exceeded the 10 MiB size cap for non-streaming /v1/messages. The upstream may be misbehaving. Try enabling streaming (stream: true) which handles large responses chunk-by-chunk."
-				}
-			}
-		};
-	}
-	const merged = new Uint8Array(totalBytes);
-	let offset = 0;
-	for (const chunk of chunks) {
-		merged.set(chunk, offset);
-		offset += chunk.byteLength;
-	}
-	const text = new TextDecoder().decode(merged);
-	try {
-		return {
-			ok: true,
-			value: JSON.parse(text)
-		};
-	} catch (err) {
-		const preview = text.slice(0, 200);
-		const contentType = response.headers.get("content-type") ?? "(none)";
-		consola.error(`Upstream JSON parse failed at ${routePath}: status=${response.status} content-type="${contentType}" body[0..200]=${JSON.stringify(preview)}`);
-		throw err;
-	}
-}
 const isWebSearchTool = (tool) => typeof tool.type === "string" && tool.type.startsWith("web_search") || tool.name === "web_search";
 /**
 * Extract whitelisted beta headers from the incoming request to forward
@@ -12134,12 +12185,13 @@ async function handleCompletion(c) {
 	const modelId = resolvedModel ?? originalModel;
 	if (modelId) logEndpointMismatch(modelId, "/v1/messages");
 	const effectiveBetas = applyDefaultBetas(betaHeaders, resolvedModel ?? originalModel);
+	const advisorAborter = advisorEnabled ? new AbortController() : void 0;
 	let response;
 	try {
 		response = await createMessages(resolvedBody, {
 			...selectedModel?.requestHeaders,
 			...effectiveBetas
-		});
+		}, advisorAborter?.signal);
 	} catch (error) {
 		if (error instanceof HTTPError) {
 			const errorBody = await error.response.clone().text().catch(() => "");
@@ -12197,7 +12249,8 @@ async function handleCompletion(c) {
 				requestHeaders: {
 					...selectedModel?.requestHeaders,
 					...effectiveBetas
-				}
+				},
+				externalAborter: advisorAborter
 			}), {
 				status: response.status,
 				headers: streamHeaders
@@ -12208,7 +12261,7 @@ async function handleCompletion(c) {
 			headers: streamHeaders
 		});
 	}
-	const cappedResult = await readResponseBodyCapped(response, c.req.path, NON_STREAMING_BODY_CAP_BYTES);
+	const cappedResult = await readResponseBodyCapped(response, c.req.path, MAX_RESPONSE_BODY_BYTES);
 	if (!cappedResult.ok) return c.json(cappedResult.errorResponse, cappedResult.status);
 	const responseBody = cappedResult.value;
 	logRequest({
@@ -12561,7 +12614,7 @@ async function handleResponses(c) {
 	let firstChunk;
 	let upstreamFinished = false;
 	while (true) {
-		const r = await iterator.next();
+		const r = await readIteratorWithTimeout(iterator, UPSTREAM_INACTIVITY_TIMEOUT_MS);
 		if (r.done) {
 			upstreamFinished = true;
 			break;
@@ -12613,7 +12666,7 @@ async function handleResponses(c) {
 				return;
 			}
 			try {
-				const result = await iterator.next();
+				const result = await readIteratorWithTimeout(iterator, UPSTREAM_INACTIVITY_TIMEOUT_MS);
 				if (consumerCancelled) {
 					safeClose(controller);
 					return;
@@ -12722,11 +12775,14 @@ async function handleResponsesCompact(c) {
 	if (!state.copilotToken) throw new Error("Copilot token not found");
 	if (state.manualApprove) await awaitApproval();
 	const body = await c.req.json();
-	const response = await fetch(`${copilotBaseUrl(state)}/responses/compact`, {
+	const compactUrl = `${copilotBaseUrl(state)}/responses/compact`;
+	const doFetch = () => fetch(compactUrl, {
 		method: "POST",
 		headers: copilotHeaders(state),
-		body: JSON.stringify(body)
+		body: JSON.stringify(body),
+		signal: AbortSignal.timeout(UPSTREAM_FETCH_TIMEOUT_MS || 3e5)
 	});
+	const response = await tryRefreshAndRetry(doFetch, "/responses/compact");
 	if (response.ok) {
 		logRequest({
 			method: "POST",
@@ -12737,6 +12793,7 @@ async function handleResponsesCompact(c) {
 	}
 	if (response.status === 404) {
 		consola.debug("Copilot API does not support /responses/compact, using synthetic compaction");
+		await response.body?.cancel().catch(() => {});
 		return await syntheticCompact(c, body, startTime);
 	}
 	logRequest({