feat: warn about coding plan app allowlists#196
Conversation
…#188) Previously, only enabled reasoning=true for official OpenAI API when the modelId matched a reasoning pattern. This commit extends the heuristic to also match reasoning-capable model IDs on any third-party OpenAI-compatible proxy (univibe, OpenRouter custom endpoint, etc). Fixes issue #188 where configured a proxy with OpenAI-compatible protocol and a Claude 4 reasoning model would return 0 artifacts because the reasoning flag was missing, causing the gateway to reject the request or return empty. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
Signed-off-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
github-actions
Bot
added
area:desktop
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Findings
-
[Blocker]
inferReasoningnow enablesreasoningfor third-partyopenai-chatendpoints based only on model-id heuristics, which can reintroduce request-shape incompatibility for OpenAI-compatible gateways (the same file documents thatreasoning: truechanges role handling foropenai-chat). Evidencepackages/providers/src/index.ts:229(and documented behavior atpackages/providers/src/index.ts:174).
Suggested fix:case 'openai-chat': // Keep third-party gateways on the safest default unless we have // explicit capability detection/opt-in. return isOpenAIOfficial(baseUrl) && isReasoningModelId(modelId);
-
[Major] New UI classes add hardcoded hex fallback colors (
#d97706) instead of token-only values, violating the repo token constraint for UI values. Evidenceapps/desktop/src/renderer/src/components/AddCustomProviderModal.tsx:330andapps/desktop/src/renderer/src/components/ConnectionDiagnosticPanel.tsx:185.
Suggested fix:<div className="... border-[var(--color-warning)] bg-[var(--color-warning-soft)] ..."> <AlertCircle className="... text-[var(--color-warning)]" /> </div>
Summary
- Review mode: initial
- 2 issues found (1 Blocker, 1 Major).
docs/VISION.mdanddocs/PRINCIPLES.md: Not found in repo/docs in this runner, so review used repo-available constraints and diff evidence only.
Testing
- Not run (automation).
- Added tests are helpful for new heuristics/UI rendering, but there is still no guard test that prevents third-party
openai-chatfrom regressing into incompatible reasoning/request-role behavior.
open-codesign Bot
| // For third-party OpenAI-compatible gateways, heuristically match | ||
| // common reasoning model IDs — many gateways still require the | ||
| // reasoning flag to get extended thinking output. | ||
| return REASONING_MODEL_ID_PATTERN.test(modelId); |
There was a problem hiding this comment.
openai-chat now returns true for third-party hosts when model IDs match this heuristic. That conflicts with the safety rationale documented above (reasoning: true alters request role handling and can trigger 400s on many OpenAI-compatible gateways). Consider reverting to official-host-only reasoning unless you add explicit capability detection/opt-in.
case 'openai-chat':
return isOpenAIOfficial(baseUrl) && isReasoningModelId(modelId);| disabled={lockEndpoint} | ||
| /> | ||
| {!lockEndpoint && ( | ||
| <div className="mt-2 rounded-[var(--radius-md)] border border-[var(--color-warning,#d97706)] bg-[var(--color-warning-soft,var(--color-surface))] px-3 py-2 text-[var(--text-xs)] text-[var(--color-text-secondary)]"> |
There was a problem hiding this comment.
This introduces hardcoded fallback color #d97706 in UI classes. Project constraints require token-based UI values only. Please use a token (or add one in packages/ui) and remove literal fallback hex values.
<div className="... border-[var(--color-warning)] bg-[var(--color-warning-soft)] ...">
<AlertCircle className="... text-[var(--color-warning)]" />
</div>| </p> | ||
| )} | ||
| {showGatewayAllowlistHint && ( | ||
| <div className="mt-2 rounded-[var(--radius-md)] border border-[var(--color-warning,#d97706)] bg-[var(--color-warning-soft,var(--color-surface))] px-3 py-2"> |
There was a problem hiding this comment.
Same token-constraint issue here: #d97706 fallback is hardcoded in a UI value. Please switch to token-only color usage (and define missing token upstream if needed).
<div className="... border-[var(--color-warning)] bg-[var(--color-warning-soft)] ...">
...
</div>
github-actions
Bot
removed
the
area:providers
|
Addressed the bot feedback in the latest push:\n\n- Restored packages/providers/src/index.ts and packages/providers/src/index.test.ts to the safe main behavior so this PR no longer changes third-party openai-chat reasoning inference.\n- Replaced the warning UI hex fallbacks with token-only classes (--color-warning, --color-warning-soft).\n\nRe-validated with:\n- corepack pnpm --filter @open-codesign/desktop test -- AddCustomProviderModal ConnectionDiagnosticPanel\n- corepack pnpm --filter @open-codesign/providers test -- src/index.test.ts\n- git push pre-push checks ( ypecheck + �iome check) |
There was a problem hiding this comment.
Findings
- [Major] Over-broad "official host" matching suppresses the new allowlist warning for many third-party gateways —
amazonaws.comandazure.comare treated as universally official, so any relay hosted on those clouds will skip the hint even when app-allowlist rejection is the likely cause. Evidenceapps/desktop/src/renderer/src/components/ConnectionDiagnosticPanel.tsx:25andapps/desktop/src/renderer/src/components/ConnectionDiagnosticPanel.tsx:26.
Suggested fix:// Replace broad cloud-domain suffixes with provider-specific endpoint patterns. const OFFICIAL_PROVIDER_HOST_PATTERNS = [ /(^|\.)openai\.com$/i, /(^|\.)anthropic\.com$/i, /(^|\.)openrouter\.ai$/i, /(^|\.)deepseek\.com$/i, /(^|\.)mistral\.ai$/i, /(^|\.)groq\.com$/i, /(^|\.)cerebras\.ai$/i, /(^|\.)x\.ai$/i, /(^|\.)googleapis\.com$/i, /(^|\.)openai\.azure\.com$/i, /(^|\.)bedrock-runtime\.[a-z0-9-]+\.amazonaws\.com$/i, ];
Summary
- Review mode: follow-up after new commits
- 1 issue found (Major).
docs/VISION.mdanddocs/PRINCIPLES.md: Not found in repo/docs in this runner.
Testing
- Not run (automation).
- Added tests cover helper behavior and modal visibility, but no case currently guards against false negatives for third-party gateways hosted on generic cloud domains.
open-codesign Bot
| 'groq.com', | ||
| 'cerebras.ai', | ||
| 'amazonaws.com', | ||
| 'azure.com', |
There was a problem hiding this comment.
currently includes broad cloud domains (, ). That suppresses this hint for many third-party relays hosted on AWS/Azure, creating false negatives for the exact allowlist problem this UI is trying to explain. Please narrow this to provider-specific official endpoint patterns instead of whole-cloud suffixes.\n\n
1 participant
Summary
Closes #195.
This PR adds clearer user-facing warnings for coding-plan / relay / protocol-conversion endpoints that may reject Open CoDesign because of app allowlists, even when they advertise an OpenAI-compatible API.
What changed
Base URLfield in the Add Custom Provider modal.400/401/403/ parse errors on non-official hosts).en,zh-CN, andpt-BR.Why
Users often connect Open CoDesign to coding plans, Claude Code protocol relays, or other OpenAI-compatible gateways that only allow specific clients such as Claude Code, openclaw, or Hermes. When that happens, the visible error can look like a normal provider compatibility failure (for example issue #184), even though the real cause is an app allowlist on the service side.
This change does not try to work around those restrictions. It just makes the product more explicit about what users should check.
Validation
corepack pnpm --filter @open-codesign/desktop test -- AddCustomProviderModal ConnectionDiagnosticPanelcorepack pnpm --filter @open-codesign/desktop typecheckgit pushpre-push checks passed (typecheck+biome check)Notes
apps/desktop/src/renderer/src/components/Settings.tsxabout an extra hook dependency. This PR does not modify that file.