zfc/sub2api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(openai): mark fast-policy entrypoints business-limited

Browse Source 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
This commit is contained in:
benjamin 2026-05-26 17:21:45 +08:00
parent 5d7df678b1
commit 9c56fe0b0b
5 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
backend/internal/service/openai_gateway_chat_completions.go
View File

@ -193,6 +193,7 @@ func (s *OpenAIGatewayService) ForwardAsChatCompletions(
if policyErr != nil { if policyErr != nil {
var blocked *OpenAIFastBlockedError var blocked *OpenAIFastBlockedError
if errors.As(policyErr, &blocked) { if errors.As(policyErr, &blocked) {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
writeChatCompletionsError(c, http.StatusForbidden, "permission_error", blocked.Message) writeChatCompletionsError(c, http.StatusForbidden, "permission_error", blocked.Message)
} }
return nil, policyErr return nil, policyErr

1
backend/internal/service/openai_gateway_chat_completions_raw.go
View File

@ -93,6 +93,7 @@ func (s *OpenAIGatewayService) forwardAsRawChatCompletions(
if policyErr != nil { if policyErr != nil {
var blocked *OpenAIFastBlockedError var blocked *OpenAIFastBlockedError
if errors.As(policyErr, &blocked) { if errors.As(policyErr, &blocked) {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
writeChatCompletionsError(c, http.StatusForbidden, "permission_error", blocked.Message) writeChatCompletionsError(c, http.StatusForbidden, "permission_error", blocked.Message)
} }
return nil, policyErr return nil, policyErr

1
backend/internal/service/openai_gateway_messages.go
View File

@ -231,6 +231,7 @@ func (s *OpenAIGatewayService) ForwardAsAnthropic(
if policyErr != nil { if policyErr != nil {
var blocked *OpenAIFastBlockedError var blocked *OpenAIFastBlockedError
if errors.As(policyErr, &blocked) { if errors.As(policyErr, &blocked) {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
writeAnthropicError(c, http.StatusForbidden, "forbidden_error", blocked.Message) writeAnthropicError(c, http.StatusForbidden, "forbidden_error", blocked.Message)
} }
return nil, policyErr return nil, policyErr

1
backend/internal/service/openai_ws_forwarder.go
View File

@ -2612,6 +2612,7 @@ func (s *OpenAIGatewayService) ProxyResponsesWebSocketFromClient(
return openAIWSClientPayload{}, NewOpenAIWSClientCloseError(coderws.StatusPolicyViolation, "invalid websocket request payload", policyErr) return openAIWSClientPayload{}, NewOpenAIWSClientCloseError(coderws.StatusPolicyViolation, "invalid websocket request payload", policyErr)
} }
if blocked != nil { if blocked != nil {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
// Send a Realtime-style error event to the client first, then // Send a Realtime-style error event to the client first, then
// signal the handler to close the connection with PolicyViolation. // signal the handler to close the connection with PolicyViolation.
// We intentionally do NOT forward this frame upstream. // We intentionally do NOT forward this frame upstream.

2
backend/internal/service/openai_ws_v2_passthrough_adapter.go
View File

@ -280,6 +280,7 @@ func (s *OpenAIGatewayService) proxyResponsesWebSocketV2Passthrough(
return fmt.Errorf("apply openai fast policy on first ws frame: %w", policyErr) return fmt.Errorf("apply openai fast policy on first ws frame: %w", policyErr)
} }
if blocked != nil { if blocked != nil {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
// coder/websocket@v1.8.14 Conn.Write is synchronous: it acquires // coder/websocket@v1.8.14 Conn.Write is synchronous: it acquires
// writeFrameMu, writes the entire frame, and Flushes the underlying // writeFrameMu, writes the entire frame, and Flushes the underlying
// bufio writer before returning (write.go:42 → write.go:307-311). // bufio writer before returning (write.go:42 → write.go:307-311).
@ -442,6 +443,7 @@ func (s *OpenAIGatewayService) proxyResponsesWebSocketV2Passthrough(
return out, blocked, policyErr return out, blocked, policyErr
}, },
onBlock: func(blocked *OpenAIFastBlockedError) { onBlock: func(blocked *OpenAIFastBlockedError) {
MarkOpsClientBusinessLimited(c, OpsClientBusinessLimitedReasonLocalPolicyDenied)
// See note above on Conn.Write being synchronous w.r.t. flush; // See note above on Conn.Write being synchronous w.r.t. flush;
// no explicit flush is required to ensure the error event lands // no explicit flush is required to ensure the error event lands
// before the close frame. // before the close frame.