Skip to content

[Candidate Intake] Upstream PR #224 - feat(api-keys): add per-API-key model allowlist filtering#6

Draft
nsalvacao wants to merge 1 commit intomasterfrom
upstream-prs/pr-224
Draft

[Candidate Intake] Upstream PR #224 - feat(api-keys): add per-API-key model allowlist filtering#6
nsalvacao wants to merge 1 commit intomasterfrom
upstream-prs/pr-224

Conversation

@nsalvacao
Copy link

@nsalvacao nsalvacao commented Mar 16, 2026
edited
Loading

Context

This draft PR mirrors upstream branch 'upstream-prs/pr-224' into 'master' for review, provenance, and later decision-making only.
It must not be merged wholesale. If we adopt anything from it, the intended path is commit-level intake only.

Upstream Source

Current Intake Recommendation

  • Decision: Candidate intake
  • Status: Planned review only, with no integration performed yet
  • Credit policy: preserve original author metadata, use git cherry-pick -x for any later intake, and keep any conflict adaptation in separate follow-up commits with explicit upstream attribution

Selected Commits For Any Future Intake

  • 89830a0 feat(api-keys): add per-API-key model allowlist filtering

Skipped / Excluded Scope

  • No additional excluded commit set beyond the currently selected scope.

Acceptance Gates

  • Do not merge this mirrored branch as-is.
  • If anything is adopted later, intake only the explicitly selected commits or a newly re-validated subset.
  • Preserve upstream authorship and provenance in Git history.
  • Keep conflict-resolution/adaptation commits separate from upstream-authored commits.
  • Reconfirm branch contents against current master at intake time before changing the selected scope.

Verification / Validation Checklist

  • Keys can store and edit allowedModels safely.
  • Requests for disallowed models are rejected with the intended status.
  • Existing keys without allowlists remain backward compatible.

Review Focus

  • API key schema and storage changes for allowedModels
  • Authorization behavior for blocked models
  • UI affordance for editing allowlists without breaking existing keys

Notes

  • This PR is intentionally draft and exists to support review, provenance, and later commit-level intake decisions.

@toanalien
feat(api-keys): add per-API-key model allowlist filtering
89830a0 
Implement fine-grained access control by allowing API keys to restrict
which models they can access via pattern matching.

Features:
- Pattern matching: exact (gh/gpt-5.1), wildcard (gh/*), multiple patterns
- Database schema: allowedModels array with auto-migration
- API validation: 403 when model denied, backward compatible (empty = unrestricted)
- REST API: CRUD operations for managing allowedModels
- Dashboard UI: visual pattern selector with quick-add buttons
- Comprehensive tests: 17/17 passing, 95.23% coverage

Implementation Details:
- src/shared/utils/model-pattern-matcher.js: Core pattern matching logic
- src/shared/components/AllowedModelsInput.js: Dashboard UI component
- src/lib/localDb.js: Schema migration and validation
- src/sse/services/auth.js: Model validation in authentication
- src/app/api/keys/*: REST endpoints for allowedModels CRUD

Breaking Changes: None (backward compatible)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nsalvacao @toanalien