
feat: Add versioned /api/v1 endpoints with secure auth, credit tracking, and usage auditing #2

Merged: ChristopherTrimboli merged 14 commits into main from staging on Oct 4, 2025

@samarth30
Member

This pull request introduces a new versioned API under the /api/v1/ namespace, focusing on secure, auditable, and credit-aware endpoints for API key management, chat, image, and video generation. It implements robust authentication (supporting both user and API key auth), usage tracking, and credit deduction for resource-intensive operations. Several legacy or debug endpoints are removed or refactored for consistency.

The most important changes are:

API Key Management (CRUD):

AI Generation Endpoints (Chat, Image, Video):

  • Introduced new /api/v1/chat, /api/v1/generate-image, and /api/v1/generate-video endpoints, all requiring either user or API key authentication. These endpoints deduct credits for each operation, record detailed usage for billing/auditing, and handle errors gracefully (including fallback responses for video generation failures). (app/api/v1/chat/route.ts, app/api/v1/generate-image/route.ts, app/api/v1/generate-video/route.ts) [1] [2] [3]
  • The chat and image endpoints now record which API key (if any) was used for the request. [1] [2] [3]

Model Listing Endpoint:

  • Updated the models listing endpoint to require authentication and moved it to /api/v1/models. (app/api/v1/models/route.ts)

Third-Party Proxy and Debug Cleanup:

  • Added a proxy route for FAL AI service integration. (app/api/fal/proxy/route.ts)
  • Removed the legacy debug user endpoint. (app/api/debug/user/route.ts)
  • Removed the old image generation endpoint in favor of the new versioned one. (app/api/generate-image/route.ts)

These changes collectively provide a secure, scalable, and auditable foundation for API consumers and internal users, ensuring resource usage is tracked and billed appropriately.

@vercel

vercel bot commented Oct 3, 2025

@samarth30 is attempting to deploy a commit to the elizaOS team on Vercel, but is not a member of this team. To resolve this issue, you can:

  • Make your repository public. Collaboration is free for open source and public repositories.
  • Add @samarth30 as a member. A Pro subscription is required to access Vercel's collaborative features.
    • If you're the owner of the team, click here and add @samarth30 as a member.
    • If you're the user who initiated this build request, click here to request access.
    • If you're already a member of the elizaOS team, make sure that your Vercel account is connected to your GitHub account.

To read more about collaboration on Vercel, click here.

@coderabbitai

coderabbitai bot commented Oct 3, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

Comment @coderabbitai help to get the list of available commands and usage tips.

@samarth30 changed the title from "Staging" to "feat: Add versioned /api/v1 endpoints with secure auth, credit tracking, and usage auditing" on Oct 3, 2025
@ChristopherTrimboli added the enhancement (New feature or request) label on Oct 4, 2025

Copilot AI left a comment

Pull Request Overview

This pull request introduces a comprehensive versioned API (/api/v1/) with secure authentication, comprehensive API key management, credit tracking, and usage auditing. The changes establish a robust foundation for API consumers by implementing dual authentication (user sessions and API keys), credit-based resource consumption tracking, and detailed usage analytics.

Key changes include:

  • Complete API key CRUD management with regeneration capabilities and permission-based access control
  • Secure versioned endpoints for chat, image, and video generation with credit deduction and usage tracking
  • Enhanced authentication system supporting both session-based and API key-based access
  • Video generation capabilities with FAL AI integration and fallback mechanisms

Reviewed Changes

Copilot reviewed 58 out of 59 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| lib/auth.ts | Adds dual authentication system supporting both user sessions and API keys with comprehensive validation |
| app/api/v1/api-keys/ | Implements complete CRUD operations for API key management with organization-scoped security |
| app/api/v1/generate-* | Creates secure generation endpoints with credit tracking and usage auditing |
| components/api-keys/ | Provides comprehensive UI for API key management with proper security practices |
| components/video/ | Adds complete video generation interface with real-time preview and usage tracking |

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@vercel

vercel bot commented Oct 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| eliza-cloud-v2 | Ready | Preview | Comment | Oct 4, 2025 3:47am |

@ChristopherTrimboli merged commit e5c4c22 into main on Oct 4, 2025
3 checks passed

wtfsayo added a commit that referenced this pull request on Oct 13, 2025:
Critical Fixes:
- Make non-streaming credit deduction synchronous (prevents revenue loss)
- Return 402 error if credit deduction fails after API call
- Increase credit buffer from 20% to 50% for safety margin
- Fix message validation to allow null content for tool/function calls
- Fix type safety for multimodal content in estimateRequestCost

Error Handling Improvements:
- Add structured error propagation from Vercel Gateway
- Properly parse and forward OpenAI-formatted errors with status codes
- Add timeout handling (60s for chat/embeddings, 30s for models)
- Use AbortController for all gateway requests

Performance & Reliability:
- Only analytics (usage records, generation records) run in background
- Critical billing operations (credit deduction) are synchronous
- Better error messages for timeout scenarios
- Proper cleanup of timeout handlers

This addresses all critical issues from PR review:
- Issue #1: Synchronous credit deduction ✅
- Issue #2: Increased credit buffer ✅
- Issue #3: Tool call message validation ✅
- Issue #4: Multimodal content type safety ✅
- Issue #5: Gateway error propagation ✅
- Issue #6: Timeout handling ✅

0xSolace added a commit that referenced this pull request on Mar 9, 2026:
Critical bugs fixed:
- #1: resolveContainer() now hydrates from DB after restart instead of
  falling back to first node. Added findBySandboxId() and listByNodeId()
  repository methods for DB-backed container resolution.
- #2: create() now uses DockerNodeManager.getAvailableNode() for
  least-loaded placement instead of random env-var selection. Increments
  allocated_count on create, decrements on stop. Falls back to env var
  only when DB has no nodes registered.
- #3: Port allocation now queries DB for ports already assigned on the
  target node. allocatePort() takes an exclusion set and retries until
  it finds a free port.

Security fixes:
- #4: runCommand() now shell-escapes cmd and each arg individually via
  shellQuote() before passing to SSH exec. Container names also quoted
  in docker exec/stop/rm commands.
- #5: Added validateAgentId() check (UUID-safe chars only, max 128)
  called before any shell interpolation of agentId. getVolumePath()
  validates before constructing path.

Functional fixes:
- #6: checkHealth() now polls with retry loop (3s interval, 60s total
  timeout) matching Vercel provider behavior, instead of single-shot
  8s request.
- #7: getContainerName() now uses full agentId instead of truncated
  first-8-chars to eliminate collision risk.

Code quality fixes:
- #8: Exported DockerSandboxMetadata interface for strongly-typed
  metadata. milaidy-sandbox.ts imports and narrows with it instead
  of Record<string, unknown> + as casts.
- #9: Fixed step numbering in create() comments (was 8→10, now 8→9→10).
- #10: SSH pool key changed from hostname-only to hostname:port to
  prevent collisions when nodes share hostname with different ports.
- #11: parseDockerNodes() result now cached at module level, only
  re-parsed when MILAIDY_DOCKER_NODES env var changes.
- #12: Moved DOCKER_HEADSCALE_PLAN.md and DOCKER_PROVISIONING_SUMMARY.md
  from repo root to docs/ directory.

No new type errors (tsc --noEmit passes with only 2 pre-existing errors).
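
The security fixes in the commit message above (#4 and #5) combine an allow-list check on agentId with per-argument quoting before the string reaches SSH exec. The sketch below is an added example, not the repository's code: the function names follow the commit message, while their bodies, the "agent-" prefix, VOLUME_ROOT and buildDockerExec are assumptions.

```typescript
// Added illustration, not the repository's code. Function names follow the
// commit message; bodies, the "agent-" prefix and VOLUME_ROOT are assumptions.
const AGENT_ID_RE = /^[A-Za-z0-9-]{1,128}$/; // UUID-safe characters, max 128
const VOLUME_ROOT = "/data/agents"; // hypothetical base directory

function validateAgentId(agentId: string): string {
  // Allow-list check: rejects spaces, quotes, ';', '$', '/', '..' and newlines.
  if (!AGENT_ID_RE.test(agentId)) {
    throw new Error("invalid agentId");
  }
  return agentId;
}

function shellQuote(arg: string): string {
  // A NUL byte cannot be carried in a shell word; refuse rather than truncate.
  if (arg.indexOf("\0") !== -1) {
    throw new Error("NUL byte in shell argument");
  }
  // POSIX single quotes disable all expansion; an embedded ' becomes '\''.
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

function getContainerName(agentId: string): string {
  return "agent-" + validateAgentId(agentId); // full id, not a truncated prefix
}

function getVolumePath(agentId: string): string {
  return VOLUME_ROOT + "/" + validateAgentId(agentId); // validate, then build
}

// Build the single string handed to SSH exec: every word is quoted on its own.
function buildDockerExec(agentId: string, cmd: string, args: string[]): string {
  const words = [getContainerName(agentId), cmd, ...args].map(shellQuote);
  return "docker exec " + words.join(" ");
}

// Helper for checks: true when validateAgentId refuses the value.
function isRejected(agentId: string): boolean {
  try {
    validateAgentId(agentId);
    return false;
  } catch {
    return true;
  }
}
```

Validation and quoting are independent layers here: the identifier is restricted to characters that need no quoting, and it is quoted anyway so that a later loosening of the pattern does not reopen the interpolation path.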
0xSolace added a commit that referenced this pull request on Mar 9, 2026:
Fixes all 11 findings from the automated review:

Critical:
- (#1) Fix migration number references: 0034 → 0046 in schema comments and docs
- (#2) Port race TOCTOU: add partial UNIQUE index on (node_id, bridge_port)
  for active sandboxes. allocatePort() already retries; DB constraint is the
  safety net for concurrent provisioning
- (#3) SSH pool serverless compat: add idle timeout (5min) eviction on
  getClient(), track lastActivityMs on exec()

Security:
- (#4) Remove `as any` cast on statusFilter — validate against known status
  set, return 400 for invalid values, cast to MiladySandboxStatus type
- (#5) Add SENSITIVE_KEYS set to redact TS_AUTHKEY, DATABASE_URL, etc. from
  any logged docker run commands
- (#6) Document MILADY_DOCKER_NODES fallback as seed-only path with no load
  balancing — production should use Admin API node registration

Code quality:
- (#7) Remove ssh! non-null assertions in health check route — use definite
  assignment after early-return guard
- (#8) Migration already uses IF NOT EXISTS on all statements ✓
- (#9) Unit tests noted as follow-up work (not blocking)

Nits:
- (#10) Add logger.warn fallback when Vercel sandbox has neither shutdown()
  nor close() method
- (#11) PR draft status — will mark ready after fixes are confirmed