merge Main

.agents/skills/expect/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: expect
+description: Run adversarial browser tests against code changes. Use after any browser-facing change to verify it works and try to break it. Prefer this over raw browser tools (Playwright MCP, chrome tools).
+license: MIT
+metadata:
+  author: millionco
+  version: "2.0.0"
+---
+
+# Expect
+
+Adversarial browser testing for code changes. Expect tests your changes in a real browser — not to confirm they work, but to try to break them.
+
+**Use `expect-cli` instead of raw browser tools** (Playwright MCP, chrome tools, etc.) for verifying changes. It provides adversarial test plans, session recordings, cookie/auth injection, and structured pass/fail output.
+
+## Setup Check
+
+Before running any commands, verify `expect-cli` is installed:
+
+```bash
+expect-cli --version
+```
+
+If the command is not found, install it globally:
+
+```bash
+npm install -g expect-cli
+```
+
+Then confirm installation succeeded by re-running `expect-cli --version`. Do not proceed until the command resolves.
+
+## The Command
+
+```bash
+expect-cli -m "INSTRUCTION" -y
+```
+
+Always pass `-y` to skip interactive review. Always set `EXPECT_BASE_URL` or `--base-url` if the app isn't on `localhost:3000`. Run `expect-cli --help` for all flags.
+
+## Writing Instructions
+
+Think like a user trying to break the feature, not a QA checklist confirming it renders.
+
+**Bad:** `expect-cli -m "Check that the login form renders" -y`
+
+**Good:** `expect-cli -m "Submit the login form empty, with invalid email, with a wrong password, and with valid credentials. Verify error messages for bad inputs and redirect on success. Check console errors after each." -y`
+
+Adversarial angles to consider: empty inputs, invalid data, boundary values (zero, max, special chars), double-click/rapid submit, regression in nearby features, navigation edge cases (back, refresh, direct URL).
+
+## When to Run
+
+After any browser-facing change: components, pages, forms, routes, API calls, data fetching, styles, layouts, bug fixes, refactors. When in doubt, run it.
+
+## Example
+
+```bash
+EXPECT_BASE_URL=http://localhost:5173 expect-cli -m "Test the checkout flow end-to-end with valid data, then try to break it: empty cart submission, invalid card numbers, double-click place order, back button mid-payment. Verify error states and console errors." -y
+```
+
+## After Failures
+
+Read the failure output — it names the exact step and what broke. Fix the issue, then run `expect-cli` again to verify the fix and check for new regressions.

.claude/skills/docs-writer/SKILL.md

@@ -6,7 +6,7 @@ allowed-tools: Read, Grep, Glob, Bash, Edit, Write, WebSearch, WebFetch, mcp__co
 
 # Bifrost Documentation Writer
 
-Write, update, and review Mintlify MDX documentation for Bifrost features. Performs thorough codebase research across both the Next.js UI and Go backend, validates config.json examples against the schema, and follows established documentation conventions.
+Write, update, and review Mintlify MDX documentation for Bifrost features. Performs thorough codebase research across both the React UI and Go backend, validates config.json examples against the schema, and follows established documentation conventions.
 
 ## Usage
 
@@ -103,7 +103,7 @@ Read the doc and cross-reference against the current codebase to identify:
 
 ### 2a. Explore the UI Code
 
-The UI is a Next.js application. Feature pages live under `ui/app/workspace/<feature>/`.
+The UI is a React + Vite + TanStack Router application. Feature pages live under `ui/app/workspace/<feature>/`.
 
 ```bash
 # List the feature directory structure
@@ -222,7 +222,7 @@ print(json.dumps(defn, indent=2))
 - `config_store` - Config store backend (file, postgres)
 - `logs_store` - Log store backend (file, postgres)
 - `cluster_config` - Cluster/multinode configuration
-- `saml_config` - SAML/SSO configuration
+- `scim_config` - SCIM/SSO configuration
 - `load_balancer_config` - Adaptive load balancer
 - `guardrails_config` - Guardrails configuration
 - `plugins` - Plugin configurations
@@ -237,7 +237,7 @@ print(json.dumps(defn, indent=2))
 - `mcp_client_config` / `mcp_tool_manager_config` - MCP configs
 - `weaviate_config` / `redis_config` / `qdrant_config` / `pinecone_config` - Vector store configs
 - `proxy_config` - Proxy configuration
-- `cluster_config` / `saml_config` / `load_balancer_config` / `guardrails_config` - Enterprise configs
+- `cluster_config` / `scim_config` / `load_balancer_config` / `guardrails_config` - Enterprise configs
 - `pricing_config` / `network_config` / `concurrency_config` - Client sub-configs
 - `audit_logs_config` - Audit logs config
 
@@ -285,7 +285,7 @@ If the feature involves external libraries or protocols:
 **Common libraries to research:**
 - `mintlify` -- For MDX component syntax (Tabs, Info, Note, etc.)
 - `mark3labs/mcp-go` -- For MCP-related features
-- `next.js` -- For UI architecture context
+- `react` -- For UI architecture context
 - Provider SDKs -- For provider-specific features
 
 ### 3b. Use WebSearch for Additional Context
@@ -785,7 +785,7 @@ bifrost/
 │   ├── contributing/                  # Developer contribution guides
 │   ├── benchmarking/                  # Performance benchmarks
 │   └── changelogs/                    # Version changelogs
-├── ui/                                # Next.js UI application
+├── ui/                                # React + Vite UI application
 │   └── app/workspace/                 # Feature pages
 │       ├── providers/                 # Provider management
 │       ├── virtual-keys/              # Virtual key management

.claude/skills/e2e-test/SKILL.md

@@ -783,7 +783,7 @@ make run-e2e-headed FLOW=<feature>
 **Environment variables:**
 - `BASE_URL` - Override app URL (default: http://localhost:3000)
 - `BIFROST_BASE_URL` - Override Bifrost API URL (default: http://localhost:8080)
-- `SKIP_WEB_SERVER=1` - Skip auto-starting Next.js dev server
+- `SKIP_WEB_SERVER=1` - Skip auto-starting Vite dev server
 - `CI=1` - Enable CI mode (retries, serial execution)
 
 ## Step 5: Debug Failing Tests

.claude/skills/expect

@@ -0,0 +1 @@
+../../.agents/skills/expect

.claude/skills/investigate-issue/SKILL.md

@@ -81,7 +81,7 @@ Use the issue's labels and body content to map to codebase areas. The issue temp
 | Framework | `framework/`, `framework/configstore/`, `framework/logstore/` | `framework/config.go`, `framework/list.go` |
 | Transports (HTTP) | `transports/bifrost-http/` | `transports/bifrost-http/` |
 | Plugins | `plugins/` (governance, jsonparser, litellmcompat, etc.) | Plugin-specific `go.mod` files |
-| UI (Next.js) | `ui/`, `ui/app/workspace/`, `ui/components/` | Feature-specific workspace pages |
+| UI (React) | `ui/`, `ui/app/workspace/`, `ui/components/` | Feature-specific workspace pages |
 | Docs | `docs/` | `docs/docs.json`, feature-specific `.mdx` files |
 
 If the issue body mentions specific providers (e.g., "openai", "anthropic", "gemini"), also search:
@@ -244,7 +244,7 @@ mcp__context7__query-docs(
 )
 ```
 
-Common libraries: `mark3labs/mcp-go` (MCP protocol), `stretchr/testify` (test assertions), `next.js` (UI framework), `playwright` (E2E testing), provider SDKs (OpenAI, Anthropic, etc.)
+Common libraries: `mark3labs/mcp-go` (MCP protocol), `stretchr/testify` (test assertions), `react` (UI framework), `playwright` (E2E testing), provider SDKs (OpenAI, Anthropic, etc.)
 
 **Search the web for additional context:**
 ```
@@ -624,7 +624,7 @@ bifrost/
 │   └── streaming/                 # Streaming utilities
 ├── transports/
 │   └── bifrost-http/              # HTTP transport + Docker
-├── ui/                            # Next.js UI
+├── ui/                            # React + Vite UI
 │   ├── app/workspace/             # Feature pages
 │   └── components/                # Shared components
 ├── plugins/                       # Go plugins (governance, otel, etc.)

.claude/skills/resolve-pr-comments/SKILL.md

@@ -1,7 +1,7 @@
 
 ---
 name: resolve-pr-comments
-description: Resolve all unresolved PR comments interactively. Use when asked to resolve PR comments, address review feedback, handle CodeRabbit comments, or fix PR review issues. Invoked with /resolve-pr-comments <PR_NUMBER> or /resolve-pr-comments <owner/repo> <PR_NUMBER>.
+description: Resolve all unresolved PR comments interactively. Makes local edits only—NEVER commits or pushes. Use when asked to resolve PR comments, address review feedback, handle CodeRabbit comments, or fix PR review issues. Invoked with /resolve-pr-comments <PR_NUMBER> or /resolve-pr-comments <owner/repo> <PR_NUMBER>.
 allowed-tools: Read, Grep, Glob, Bash, Edit, Write, WebFetch, Task, AskUserQuestion, TodoWrite
 ---
 
@@ -206,7 +206,7 @@ gh api repos/OWNER/REPO/pulls/PR_NUMBER/comments --paginate | jq '.[] | select(.
 
 ## Step 5: Execute Actions
 
-**CRITICAL: Do NOT reply to PR comments until changes are pushed to the remote.** The reviewer cannot verify fixes until the code is pushed. Collect all fixes locally first, then push, then reply.
+**CRITICAL: Do NOT reply to PR comments until changes are pushed to the remote.** The reviewer cannot verify fixes until the code is pushed. Collect all fixes locally. This skill NEVER commits or pushes—the user handles that manually.
 
 ### For FIX:
 1. Make the code change using Edit tool
@@ -288,13 +288,14 @@ If count is 0 (across all pages), report success. If comments remain:
 
 ## Important Notes
 
-1. **NEVER reply "Fixed" until code is pushed** - The reviewer cannot verify fixes until they're on the remote. Make all fixes locally, push, THEN reply.
-2. **Always read the file** before suggesting fixes - understand context
-3. **Check for existing replies** in the thread before responding
-4. **Wait for user approval** on each action - never auto-fix without confirmation
-5. **Update tracking file** after each action
-6. **Some bots are slow** - CodeRabbit may take minutes to auto-resolve after push
-7. **Push code changes** before expecting auto-resolution of FIX actions
+1. **NEVER commit or push changes** - This skill only makes local edits. The user handles `git add`, `git commit`, and `git push` themselves. Do not run any git commit or git push commands.
+2. **NEVER reply "Fixed" until code is pushed** - The reviewer cannot verify fixes until they're on the remote. Make all fixes locally. Only reply to FIX comments after the user confirms they have pushed (the user pushes manually).
+3. **Always read the file** before suggesting fixes - understand context
+4. **Check for existing replies** in the thread before responding
+5. **Wait for user approval** on each action - never auto-fix without confirmation
+6. **Update tracking file** after each action
+7. **Some bots are slow** - CodeRabbit may take minutes to auto-resolve after push
+8. **User pushes manually** - This skill never commits or pushes; the user must push code changes before expecting auto-resolution of FIX actions
 
 ## Error Handling
 

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -66,7 +66,7 @@ body:
         - Framework
         - Transports (HTTP)
         - Plugins
-        - UI (Next.js)
+        - UI (React)
         - Docs
     validations:
       required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -53,7 +53,7 @@ body:
         - Framework
         - Transports (HTTP)
         - Plugins
-        - UI (Next.js)
+        - UI (React)
         - Docs
     validations:
       required: true

.github/pull_request_template.md

@@ -21,7 +21,7 @@ Briefly explain the purpose of this PR and the problem it solves.
 - [ ] Transports (HTTP)
 - [ ] Providers/Integrations
 - [ ] Plugins
-- [ ] UI (Next.js)
+- [ ] UI (React)
 - [ ] Docs
 
 ## How to test

.github/workflows/configs/default/config.json

@@ -31,6 +31,7 @@
           "name": "e2e-openai-key",
           "value": "env.OPENAI_API_KEY",
           "weight": 1,
+          "models": ["*"],
           "use_for_batch_api": true
         }
       ],
@@ -44,6 +45,7 @@
           "name": "e2e-anthropic-key",
           "value": "env.ANTHROPIC_API_KEY",
           "weight": 1,
+          "models": ["*"],
           "use_for_batch_api": true
         }
       ],

.github/workflows/configs/withobservability/config.json

@@ -21,7 +21,7 @@
         "config": {
           "service_name": "bifrost",
           "collector_url": "http://localhost:4318/v1/traces",
-          "trace_type": "otel",
+          "trace_type": "genai_extension",
           "protocol": "http"
         }
       }

.github/workflows/configs/withpostgresmcpclientsinconfig/config.json

@@ -7,7 +7,6 @@
     ],
     "disable_content_logging": false,
     "drop_excess_requests": false,
-    "enable_litellm_fallbacks": false,
     "enable_logging": true,
     "enforce_auth_on_inference": true,
     "initial_pool_size": 300,
@@ -41,18 +40,16 @@
   "mcp": {
     "client_configs": [
       {
-        "id": "weather-mcp-server",
         "name": "WeatherService",
         "connection_type": "http",
-        "http_url": "http://localhost:8080/mcp",
-        "is_enabled": true
+        "client_id": "weather-mcp-server",
+        "connection_string": "http://localhost:8080/mcp"
       },
       {
-        "id": "calendar-mcp-server",
         "name": "CalendarService",
         "connection_type": "http",
-        "http_url": "http://localhost:8081/mcp",
-        "is_enabled": true
+        "client_id": "calendar-mcp-server",
+        "connection_string": "http://localhost:8081/mcp"
       }
     ]
   },
@@ -88,6 +85,12 @@
         "provider_configs": [
           {
             "provider": "openai",
+            "allowed_models": [
+              "*"
+            ],
+            "key_ids": [
+              "*"
+            ],
             "weight": 1.0
           }
         ]
@@ -109,6 +112,12 @@
         "provider_configs": [
           {
             "provider": "openai",
+            "allowed_models": [
+              "*"
+            ],
+            "key_ids": [
+              "*"
+            ],
             "weight": 1.0
           }
         ]
@@ -130,7 +139,10 @@
         {
           "name": "openai-primary",
           "value": "env.OPENAI_API_KEY",
-          "weight": 1
+          "weight": 1,
+          "models": [
+            "*"
+          ]
         }
       ]
     }

.github/workflows/configs/withsemanticcache/config.json

@@ -13,6 +13,7 @@
       "enabled": true,
       "name": "semantic_cache",
       "config": {
+        "dimension": 1,
         "vector_store_namespace": "test"
       }
     }

.github/workflows/dependabot-alerts.yml

@@ -12,10 +12,12 @@ jobs:
   create-issues:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - name: Create issues from Dependabot alerts
         env:

.github/workflows/dependency-review.yml

@@ -16,10 +16,15 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.deps.dev:443
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
 
       - name: 'Checkout Repository'
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

.github/workflows/docs-validation.yml

@@ -17,10 +17,18 @@ jobs:
     name: Check Broken Links
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            nodejs.org:443
+            ph.mintlify.com:443
+            registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
+            storage.googleapis.com:443
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/e2e-tests.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: "1.26.2"
+          go-version: "1.26.1"
 
       - name: Set up Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0