Skip to content

Add key access allowlists and improve logs filtering#158

Merged
mcowger merged 2 commits into
mcowger:mainfrom
zicochaos:feat/key-allowlists-logs
Apr 12, 2026
Merged

Add key access allowlists and improve logs filtering#158
mcowger merged 2 commits into
mcowger:mainfrom
zicochaos:feat/key-allowlists-logs

Conversation

@zicochaos
Copy link
Copy Markdown
Contributor

@zicochaos zicochaos commented Apr 12, 2026
edited
Loading

Summary

  • add optional allowedModels and allowedProviders to API key config and persist them in SQLite/Postgres
  • enforce key allowlists during request routing across chat, messages, embeddings, speech, transcriptions, and image routes
  • add server-side logs sorting plus an apiKey filter in the Logs UI and fix /ui/* SPA deep-link handling

Details

  • key allowlists are propagated from auth middleware into request metadata and enforced in the dispatcher before/while selecting candidates
  • the Logs page now supports filtering by key alongside model/provider, while retaining server-side sorting for correct pagination
  • Keys UI copy was tightened to explain the allowlist behavior more clearly
  • added focused backend coverage for key policy propagation, dispatcher enforcement, and usage filtering/sorting

Migration Note

  • migrations were regenerated from schema rather than kept as manual SQL/journal edits
  • the generated Postgres migration also includes request_usage.vision_fallthrough_model, which Drizzle surfaced as existing schema/migration drift

Verification

  • docker run --rm -v "$HOME"/Projects/plexus-new:/work -w /work oven/bun:1 bash -lc 'bun install --frozen-lockfile >/tmp/bun-install.log && cd packages/backend && bun test src/routes/inference/__tests__/auth.test.ts src/services/__tests__/dispatcher-failover.test.ts src/services/__tests__/usage-storage-performance.test.ts'
  • docker run --rm -v "$HOME"/Projects/plexus-new:/work -w /work oven/bun:1 bash -lc 'bun install --frozen-lockfile >/tmp/bun-install.log && cd packages/frontend && bun run build'
  • local Docker verification against a copied live config/SQLite snapshot from 192.168.66.12:
    • /ui/logs loads successfully
    • server-side apiKey log filtering works
    • model/provider key restrictions were exercised with blocked and allowed requests

zicochaos and others added 2 commits April 12, 2026 22:11
@zicochaos
Add key access allowlists and improve logs filtering
319011d
@mcowger
refactor: deduplicate key policy normalization between auth.ts and di…
df920bb 
…spatcher

Move trim/filter normalization to a single canonical location in
attachKeyAccessPolicy() (auth.ts) and remove the duplicate logic from
getKeyAccessPolicy() in the dispatcher. The dispatcher now trusts that
the policy metadata is already clean, with a comment noting the
dependency.
@mcowger mcowger merged commit f5a08d2 into mcowger:main Apr 12, 2026
1 check passed
@mcowger
Copy link
Copy Markdown
Owner

mcowger commented Apr 12, 2026

Really nicely done PR, and thanks for the SPA fix - I had been meaning to get to that.

I'm going to follow it up with a UI change to make the selectors drop downs with filtering, and then will cut a release.

github-actions Bot pushed a commit that referenced this pull request Apr 13, 2026
@mcowger
Merge pull request #158 from zicochaos/feat/key-allowlists-logs
3a6cbad 
Add key access allowlists and improve logs filtering
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zicochaos @mcowger