refactor: standardize empty array conventions for VK Provider Config Allowed Keys

[Pratham-Mishra04]

Summary

Migrates VK provider config allowed keys from implicit allow-all semantics to explicit deny-by-default behavior. Adds AllowAllKeys boolean field to enable granular key access control while maintaining backward compatibility.

Changes

• Added AllowAllKeys boolean field to TableVirtualKeyProviderConfig with database migration
• Backfilled existing configs with allow_all_keys=true to preserve current behavior
• Updated key resolution logic: empty keys now denies all access, ["*"] wildcard allows all keys
• Modified governance resolver to set empty includeOnlyKeys slice when no keys are configured
• Enhanced HTTP handlers to recognize ["*"] wildcard and set AllowAllKeys flag appropriately
• Updated UI to display "Allow All Keys" option and show deny-by-default messaging
• Added JSON unmarshaling support for ["*"] wildcard in config files

Type of change

• Feature
• Bug fix
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (Next.js)
• Docs

How to test

Validate the migration and new key access control behavior:

# Core/Transports
go version
go test ./...

# Test migration runs successfully
go run main.go migrate

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

Test scenarios:

1. Create VK with empty key_ids - should deny all keys
2. Create VK with key_ids: ["*"] - should allow all keys
3. Create VK with specific key IDs - should allow only those keys
4. Verify existing VKs maintain their current behavior after migration

Screenshots/Recordings

UI now shows:

• "Allow All Keys" option in key selection dropdown
• "No keys allowed" vs "All keys allowed" status indicators
• "No providers configured (deny-by-default)" messaging

Breaking changes

• Yes
• No

The migration preserves existing behavior by setting allow_all_keys=true for configs that previously had no keys specified.

Related issues

Part of VK access control enhancement initiative.

Security considerations

Improves security posture by implementing deny-by-default semantics for key access. Existing deployments maintain current access patterns through automatic backfill migration.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[Pratham-Mishra04]

• refactor: standardize empty array conventions for VK Provider Config Allowed Keys #2006 : 2 dependent PRs (#2008 , #2113 ) 👈 (View in Graphite)
• feat: VK MCP config now works as an AllowList #1940
• feat: add MCP auto tool injection toggle #1933
• refactor: standardize empty array conventions for VK Provider & MCP Configs, and makes Provider Config weight optional for routing #1932
• v1.5.0

This stack of pull requests is managed by Graphite. Learn more about stacking.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Warning

Rate limit exceeded

@Pratham-Mishra04 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 24 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 29049b35-d3eb-4b35-89c0-a072c4b1eefc

📥 Commits

Reviewing files that changed from the base of the PR and between 12acd31 and 9ca7d6c.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

📝 Walkthrough

Walkthrough

Add an allow_all_keys boolean to virtual key provider configs, backfill it via a DB migration (set true for prior empty-key configs and recompute config_hash), propagate the flag through HTTP handlers, resolver flow, UI, tests, and context utilities.

Changes

Cohort / File(s)	Summary
Database Migration framework/configstore/migrations.go, framework/changelog.md	Add migrationAddAllowAllKeysToProviderConfig: create allow_all_keys column, backfill existing provider configs (set true for prior empty-key entries), recompute/persist affected virtual key config_hash, wire into triggerMigrations, and provide rollback.
Core Data Model framework/configstore/tables/virtualkey.go, ui/lib/types/governance.ts	Add AllowAllKeys / allow_all_keys boolean to provider config types; JSON unmarshalling maps ["*"] to allow-all and otherwise treats empty keys as deny-all; update struct/interface comments.
Governance Resolver & Logic plugins/governance/resolver.go, plugins/governance/main.go, plugins/governance/resolver_test.go, plugins/governance/changelog.md	Extend EvaluateVirtualKeyRequest signature with an extra boolean argument (controls rate-limit/budget bypass / indicates user-auth presence), merge filtering into main flow, apply include-only-keys only when AllowAllKeys == false, and update tests/call sites.
HTTP Handlers transports/bifrost-http/handlers/governance.go, transports/changelog.md	Treat provider KeyIDs wildcard ["*"] as allowAllKeys=true; compute and persist AllowAllKeys on create/update and avoid DB key lookups when wildcard is used.
UI — Views & Forms ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx, ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx	Change empty-state messaging to deny-by-default, add * wildcard option in Allowed Keys selector, initialize key_ids to ["*"] when allow_all_keys is true, and update selection/rendering/help text and default behaviors.
Utilities / Context core/utils.go	Clear BifrostContextKeyGovernanceIncludeOnlyKeys in clearCtxForFallback to avoid stale include-only filters.
Changelogs & Docs framework/changelog.md, plugins/governance/changelog.md, transports/changelog.md	Document deny-by-default semantics and wildcard ["*"] handling; update/remove prior MCP-related changelog entries.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Handler as Bifrost HTTP Handler
    participant DB as Database
    participant Resolver

    rect rgba(200,230,255,0.5)
    User->>Handler: POST/PUT /virtual-keys (provider_configs with key_ids = ["*"] or [])
    Handler->>Handler: compute allowAllKeys = (key_ids == ["*"])
    Handler->>DB: create/update provider_config (allow_all_keys, keys...)
    DB-->>Handler: persist result
    Handler-->>User: 200 Created/Updated
    end

    rect rgba(200,255,200,0.5)
    User->>Resolver: EvaluateVirtualKeyRequest(ctx, virtualKey, provider, model, requestType, flag)
    Resolver->>DB: fetch provider_config (allow_all_keys, keys)
    DB-->>Resolver: provider_config
    alt allow_all_keys == true
        Resolver->>Resolver: clear includeOnlyKeys (no key filtering)
    else allow_all_keys == false
        Resolver->>Resolver: build includeOnlyKeys from config.keys (apply filter)
    end
    Resolver-->>User: evaluation result
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• refactor: standardize empty array conventions for VK Provider Config Allowed Keys #2006: Implements the same AllowAllKeys field, DB migration/backfill, wildcard ["*"] handling in handlers, and resolver signature changes.

Suggested reviewers

• akshaydeo
• danpiths

Poem

🐰 I nibble wildcards — "*" lets keys hop free,

Empty lists close burrows, deny-by-default we see.
Migrations plant the flag, handlers mark it true,
Resolvers mind the filters, UI shows what’s due.
A tiny hop in code — cheers from bunny crew.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding explicit allow-list semantics with AllowAllKeys field and deny-by-default behavior for VK provider config allowed keys.
Description check	✅ Passed	The description comprehensively covers all required template sections including summary, changes, type of change, affected areas, testing instructions, breaking changes, and security considerations with proper detail.
Docstring Coverage	✅ Passed	Docstring coverage is 90.48% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 03-10-feat_vk_provider_config_key_ids_now_supports_wildcard_to_allow_all_keys_empty_key_ids_denies_all

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

transports/bifrost-http/handlers/governance.go (1)

404-415: ⚠️ Potential issue | 🟠 Major

Treat any key_ids payload containing "*" as allow-all.

The new stack semantics are “contains * => wildcard”, but these branches only recognize the single-element form. A request like ["*", "key-id"] now falls through the key lookup path, so "*" is handled like a concrete key ID instead of allow-all.

Suggested fix

-				allowAllKeys := false
-				if len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" {
-					allowAllKeys = true
-				} else if len(pc.KeyIDs) > 0 {
+				allowAllKeys := false
+				for _, keyID := range pc.KeyIDs {
+					if keyID == "*" {
+						allowAllKeys = true
+						break
+					}
+				}
+				if !allowAllKeys && len(pc.KeyIDs) > 0 {
 					var err error
 					keys, err = h.configStore.GetKeysByIDs(ctx, pc.KeyIDs)
 					if err != nil {

Also applies to: 730-742, 805-819

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 404 - 415, The
code treats allow-all only when pc.KeyIDs is exactly ["*"], but must treat any
pc.KeyIDs containing "*" as wildcard; update the branches around pc.KeyIDs (the
condition that sets allowAllKeys and the subsequent call to
h.configStore.GetKeysByIDs) to check for presence of "*" (e.g., iterate
pc.KeyIDs or use a helper like containsWildcard) and if found set allowAllKeys =
true and skip GetKeysByIDs/length checks; apply the same change to the other
similar blocks handling pc.KeyIDs (the blocks around lines 730-742 and 805-819)
so "*" anywhere in the slice is treated as allow-all.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 64-74: The code currently treats a missing allowed_keys the same
as an explicit empty list, causing omission to become deny-all; modify the
deserialization/handling so you can detect whether allowed_keys was present in
the JSON and only apply the new deny-by-default semantics when the field was
actually provided. Concretely: change the temporary struct used during unmarshal
to track presence (e.g., add an AllowedKeysPresent bool or make AllowedKeys a
pointer like *[]string), then in the branch that inspects temp.AllowedKeys only
proceed if AllowedKeysPresent (or temp.AllowedKeys != nil); if present and
len==1 and "*" set pc.AllowAllKeys=true, if present and len==0 set pc.Keys=nil
and pc.AllowAllKeys=false (explicit empty = deny-all), otherwise map values into
pc.Keys; if not present leave pc.Keys and pc.AllowAllKeys unchanged. Use
temp.AllowedKeys, temp.AllowedKeysPresent (or pointer), pc.Keys, and
pc.AllowAllKeys to implement this.

In `@plugins/governance/resolver.go`:
- Around line 237-249: The loop over vk.ProviderConfigs sets
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys only when pc.AllowAllKeys is
false, leaving any previous include-only slice in ctx when AllowAllKeys is true;
update the branch for AllowAllKeys in the provider-config handling (the loop
that inspects pc and uses ctx.SetValue) to explicitly clear/overwrite the
context key (e.g., set nil or an empty slice via
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil) or an
empty []string{}) before breaking so stale filters are removed; apply the same
change to the other identical block handling provider configs (the second
occurrence around the other provider-config loop).

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 663-665: The filter that builds disallowed uses key.models without
guarding for undefined, which can throw; update the predicate in the
allowedModels.filter to safely handle absent models by checking key.models first
(e.g., treat missing models as empty: (!key.models || key.models.length === 0 ||
key.models.includes(model))) so the expression referencing key.models (in the
selectedKeys.some callback) never calls .length or .includes on undefined.
- Around line 680-714: The UI currently bails out when providerKeys.length ===
0, hiding the Allowed Keys picker even though allKeyOptions contains the
wildcard; remove or change the early "if (providerKeys.length === 0) return
null;" so the component always renders the Allowed Keys block (Label,
description and AsyncMultiSelect) and ensure selectedProviderKeys and
allKeyOptions logic still work when providerKeys is empty (hasWildcard should
still select the wildcard option and providerKeys.map will produce no concrete
options). This preserves the ability to opt into future keys and to display
allow_all_keys state after concrete keys disappear.

---

Outside diff comments:
In `@transports/bifrost-http/handlers/governance.go`:
- Around line 404-415: The code treats allow-all only when pc.KeyIDs is exactly
["*"], but must treat any pc.KeyIDs containing "*" as wildcard; update the
branches around pc.KeyIDs (the condition that sets allowAllKeys and the
subsequent call to h.configStore.GetKeysByIDs) to check for presence of "*"
(e.g., iterate pc.KeyIDs or use a helper like containsWildcard) and if found set
allowAllKeys = true and skip GetKeysByIDs/length checks; apply the same change
to the other similar blocks handling pc.KeyIDs (the blocks around lines 730-742
and 805-819) so "*" anywhere in the slice is treated as allow-all.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89579dd3-62de-4907-a78b-bc0032228b4c

📥 Commits

Reviewing files that changed from the base of the PR and between 0c1f9ca and 785179a.

📒 Files selected for processing (10)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

plugins/governance/resolver.go (1)

237-249: ⚠️ Potential issue | 🟠 Major

Clear BifrostContextKeyGovernanceIncludeOnlyKeys on the allow-all path.

When pc.AllowAllKeys is true, these branches leave any previously stored include-only slice untouched. If the same BifrostContext was populated by an earlier evaluation, the stale filter still constrains key selection and "all keys" silently becomes "previous keys only". Please overwrite/clear this context value on every matching provider config; reserve an empty slice only for the explicit deny-by-default case.

Also applies to: 312-322

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver.go` around lines 237 - 249, The provider-config
branch leaves a previously-set include-only keys filter in context when
pc.AllowAllKeys is true; update the matching-provider branch in the loop over
vk.ProviderConfigs to explicitly clear the
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys value (e.g., call
ctx.SetValue with nil/empty removal) when pc.AllowAllKeys == true so the "allow
all" path cannot be silently constrained by stale data; keep the current
behavior of setting a non-nil empty slice only for the explicit deny-by-default
case (same change also needs to be applied to the other matching block around
the 312-322 region).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/configstore/migrations.go`:
- Around line 4267-4291: This backfill flips allow_all_keys on
tables.TableVirtualKeyProviderConfig rows but does not refresh
governance_virtual_keys.config_hash, leaving stale hashes; collect all
virtual_key_id values affected (query
governance_virtual_key_provider_config_keys for provider_config ids you update),
dedupe them, and then recompute/update their governance_virtual_keys.config_hash
using the same logic/helper used by migrationBackfillEmptyVirtualKeyConfigs so
the touched VirtualKey rows get their config_hash regenerated (update
governance_virtual_keys for the collected IDs after the backfill).

---

Duplicate comments:
In `@plugins/governance/resolver.go`:
- Around line 237-249: The provider-config branch leaves a previously-set
include-only keys filter in context when pc.AllowAllKeys is true; update the
matching-provider branch in the loop over vk.ProviderConfigs to explicitly clear
the schemas.BifrostContextKeyGovernanceIncludeOnlyKeys value (e.g., call
ctx.SetValue with nil/empty removal) when pc.AllowAllKeys == true so the "allow
all" path cannot be silently constrained by stale data; keep the current
behavior of setting a non-nil empty slice only for the explicit deny-by-default
case (same change also needs to be applied to the other matching block around
the 312-322 region).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03b543f1-52a0-4021-bf84-1b9e88893d9b

📥 Commits

Reviewing files that changed from the base of the PR and between 785179a and 5a214b3.

📒 Files selected for processing (10)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• ui/lib/types/governance.ts
• plugins/governance/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• framework/configstore/tables/virtualkey.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

framework/configstore/tables/virtualkey.go (1)

64-76: ⚠️ Potential issue | 🟠 Major

Preserve omitted allowed_keys during unmarshal.

A missing allowed_keys still deserializes the same as [], so syncing a legacy config.json that omits the field will flip that provider config to deny-all on the next reconcile. Track field presence with *[]string (or equivalent) so only an explicit empty array means deny-all.

Suggested fix

 	type Alias TableVirtualKeyProviderConfig
 	type TempProviderConfig struct {
 		Alias
-		AllowedKeys []string `json:"allowed_keys"` // Config file format: array of key names
+		AllowedKeys *[]string `json:"allowed_keys"` // nil = omitted, [] = explicit deny-all
 	}
@@
-	if len(temp.AllowedKeys) > 0 && len(pc.Keys) == 0 {
-		// Check for wildcard — ["*"] means allow all keys
-		if len(temp.AllowedKeys) == 1 && temp.AllowedKeys[0] == "*" {
+	if temp.AllowedKeys != nil && len(pc.Keys) == 0 {
+		allowedKeys := *temp.AllowedKeys
+		pc.AllowAllKeys = false
+		pc.Keys = nil
+
+		// Check for wildcard — ["*"] means allow all keys
+		if len(allowedKeys) == 1 && allowedKeys[0] == "*" {
 			pc.AllowAllKeys = true
-		} else {
-			pc.Keys = make([]TableKey, len(temp.AllowedKeys))
-			for i, keyName := range temp.AllowedKeys {
+		} else if len(allowedKeys) > 0 {
+			pc.Keys = make([]TableKey, len(allowedKeys))
+			for i, keyName := range allowedKeys {
 				pc.Keys[i] = TableKey{Name: keyName}
 			}
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 64 - 76, The
unmarshalling currently treats a missing allowed_keys the same as an empty
slice, causing configs that omit the field to be treated as deny-all; change the
temporary unmarshal type used in virtualkey.go so AllowedKeys is a pointer to a
slice (e.g. *[]string) and update the logic in the block that examines
temp.AllowedKeys (the code that currently checks len(temp.AllowedKeys) > 0 &&
len(pc.Keys) == 0) to first test for nil (meaning field was omitted) and only
apply the wildcard/empty-array handling when temp.AllowedKeys != nil; ensure you
still set pc.AllowAllKeys for ["*"] and populate pc.Keys when the pointer is
non-nil and has entries.

🧹 Nitpick comments (1)

transports/changelog.md (1)

1-1: Consider clarifying backwards compatibility and improving readability.

The changelog entry accurately describes the feature behavior but could be enhanced for users upgrading:

1. Missing migration context: The entry doesn't mention that this introduces a database migration with automatic backfill. Users should know existing VK configs will be preserved (allow_all_keys=true backfilled automatically).

2. Readability: The entry is quite long for a single line. Consider splitting into sub-bullets:

   - feat: VK provider config key_ids now supports wildcard and deny-by-default semantics
     - `["*"]` wildcard allows all keys (resolved to AllowAllKeys flag, no DB lookups)
     - Empty key_ids denies all keys
     - Non-breaking: migration backfills existing configs with allow_all_keys=true to preserve current behavior

This helps operators understand both the feature and upgrade implications at a glance. As per coding guidelines, since this PR is part of a stack, ensure this changelog entry covers the full scope of the stack's VK provider config changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/changelog.md` at line 1, Update the changelog entry for the VK
provider config (referencing key_ids and AllowAllKeys) to explicitly note the DB
migration and automatic backfill behavior (existing VK configs are preserved by
backfilling allow_all_keys=true), and improve readability by splitting the
single long line into a short header plus sub-bullets that state: `["*"]`
resolves to AllowAllKeys (no DB lookups), empty key_ids denies all, and the
non-breaking migration/backfill behavior for existing configs; ensure the entry
covers the full stack scope of VK provider config changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/governance/changelog.md`:
- Line 1: Update the changelog entry to explicitly document the external
wildcard contract by noting that callers express allow-all via key_ids: ["*"]
(in addition to the internal AllowAllKeys flag), clarify that the resolver sets
an empty includeOnlyKeys slice to enforce deny-by-default when no keys are
configured, and fix the wording from “blocks all” to “block all”; reference the
AllowAllKeys flag and includeOnlyKeys behavior so readers see both the
DB/internal flag and the externally visible key_ids: ["*"] semantics.

---

Duplicate comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 64-76: The unmarshalling currently treats a missing allowed_keys
the same as an empty slice, causing configs that omit the field to be treated as
deny-all; change the temporary unmarshal type used in virtualkey.go so
AllowedKeys is a pointer to a slice (e.g. *[]string) and update the logic in the
block that examines temp.AllowedKeys (the code that currently checks
len(temp.AllowedKeys) > 0 && len(pc.Keys) == 0) to first test for nil (meaning
field was omitted) and only apply the wildcard/empty-array handling when
temp.AllowedKeys != nil; ensure you still set pc.AllowAllKeys for ["*"] and
populate pc.Keys when the pointer is non-nil and has entries.

---

Nitpick comments:
In `@transports/changelog.md`:
- Line 1: Update the changelog entry for the VK provider config (referencing
key_ids and AllowAllKeys) to explicitly note the DB migration and automatic
backfill behavior (existing VK configs are preserved by backfilling
allow_all_keys=true), and improve readability by splitting the single long line
into a short header plus sub-bullets that state: `["*"]` resolves to
AllowAllKeys (no DB lookups), empty key_ids denies all, and the non-breaking
migration/backfill behavior for existing configs; ensure the entry covers the
full stack scope of VK provider config changes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4738cc85-6a3d-434f-8de4-00a18925f5ac

📥 Commits

Reviewing files that changed from the base of the PR and between 5a214b3 and e68b8cf.

📒 Files selected for processing (10)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• plugins/governance/resolver.go
• framework/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx

[coderabbitai]

♻️ Duplicate comments (1)

framework/configstore/tables/virtualkey.go (1)

51-76: ⚠️ Potential issue | 🟠 Major

allowed_keys omission still falls through to deny-all.

A legacy config-file provider that omits allowed_keys still unmarshals here as AllowAllKeys=false with no keys, so a later config sync can overwrite the migration backfill and block every key for that provider. This needs presence-aware decoding so nil preserves allow-all, [] means deny-all, and ["*"] means allow-all.

Suggested fix

 type TempProviderConfig struct {
 	Alias
-	AllowedKeys []string `json:"allowed_keys"` // Config file format: array of key names
+	AllowedKeys *[]string `json:"allowed_keys"` // Config file format: array of key names
 }
@@
-	// If allowed_keys is provided (config file format), convert to Keys or set AllowAllKeys
-	// This takes precedence if Keys is empty but allowed_keys has values
-	if len(temp.AllowedKeys) > 0 && len(pc.Keys) == 0 {
-		// Check for wildcard — ["*"] means allow all keys
-		if len(temp.AllowedKeys) == 1 && temp.AllowedKeys[0] == "*" {
-			pc.AllowAllKeys = true
-		} else {
-			pc.Keys = make([]TableKey, len(temp.AllowedKeys))
-			for i, keyName := range temp.AllowedKeys {
-				pc.Keys[i] = TableKey{Name: keyName}
-			}
-		}
+	// If keys were not supplied in DB/API format, interpret config-file allowed_keys semantics.
+	if len(pc.Keys) == 0 {
+		switch {
+		case temp.AllowedKeys == nil:
+			pc.AllowAllKeys = true
+			pc.Keys = nil
+		case len(*temp.AllowedKeys) == 1 && (*temp.AllowedKeys)[0] == "*":
+			pc.AllowAllKeys = true
+			pc.Keys = nil
+		default:
+			pc.AllowAllKeys = false
+			pc.Keys = make([]TableKey, len(*temp.AllowedKeys))
+			for i, keyName := range *temp.AllowedKeys {
+				pc.Keys[i] = TableKey{Name: keyName}
+			}
+		}
 	}

As per coding guidelines, "always check the stack if there is one for the current PR. do not give localized reviews for the PR, always see all changes in the light of the whole stack of PRs".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 51 - 76, The current
unmarshal loses the distinction between omitted vs empty allowed_keys; change
TempProviderConfig.AllowedKeys to a pointer type (AllowedKeys *[]string) so you
can detect nil (omitted) vs non-nil (present, possibly empty). After
json.Unmarshal into temp, keep the existing copy of Alias into *pc, then only
run the Keys/AllowAllKeys logic when temp.AllowedKeys != nil: if the slice has
one element "*" set pc.AllowAllKeys=true, if len>0 populate pc.Keys from
*temp.AllowedKeys (an empty non-nil slice should leave pc.Keys empty to
represent deny-all); if temp.AllowedKeys is nil do nothing so existing
pc.AllowAllKeys/Keys are preserved. Use the identifiers TempProviderConfig,
AllowedKeys, pc, Keys, and AllowAllKeys to locate and implement the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 51-76: The current unmarshal loses the distinction between omitted
vs empty allowed_keys; change TempProviderConfig.AllowedKeys to a pointer type
(AllowedKeys *[]string) so you can detect nil (omitted) vs non-nil (present,
possibly empty). After json.Unmarshal into temp, keep the existing copy of Alias
into *pc, then only run the Keys/AllowAllKeys logic when temp.AllowedKeys !=
nil: if the slice has one element "*" set pc.AllowAllKeys=true, if len>0
populate pc.Keys from *temp.AllowedKeys (an empty non-nil slice should leave
pc.Keys empty to represent deny-all); if temp.AllowedKeys is nil do nothing so
existing pc.AllowAllKeys/Keys are preserved. Use the identifiers
TempProviderConfig, AllowedKeys, pc, Keys, and AllowAllKeys to locate and
implement the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aaf2764e-b05a-4f45-8534-75053737bb00

📥 Commits

Reviewing files that changed from the base of the PR and between e68b8cf and ad76bf0.

📒 Files selected for processing (10)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• ui/lib/types/governance.ts
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• transports/changelog.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

transports/bifrost-http/handlers/governance.go (1)

436-449: ⚠️ Potential issue | 🟠 Major

Reject malformed key_ids as a client error.

These branches treat mixed wildcard payloads (for example ["*", "key-1"]) and unresolved key IDs as generic transaction failures, so create/update can respond with a 500 for invalid user input. Since * is now part of the public API contract, validate it as mutually exclusive and surface missing IDs as a typed 4xx before persisting anything.

Also applies to: 762-775, 837-853

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 436 - 449, The
branch that processes pc.KeyIDs must validate the wildcard "*" as mutually
exclusive and surface any bad/missing key IDs as a client error instead of a
generic transaction failure: in the block that sets allowAllKeys and calls
h.configStore.GetKeysByIDs, check if pc.KeyIDs contains "*" together with other
IDs and return a typed 4xx client validation error (rather than a 500) for that
malformed input; likewise if GetKeysByIDs returns fewer keys than requested,
return a 4xx indicating missing key IDs (include pc.Provider and expected vs
found) so callers get a client-level validation response; apply the same change
to the other similar blocks around the pc.KeyIDs handling (the other occurrences
you noted).

♻️ Duplicate comments (1)

framework/configstore/tables/virtualkey.go (1)

47-76: ⚠️ Potential issue | 🟠 Major

Keep omitted allowed_keys distinct from explicit [].

TempProviderConfig.AllowedKeys is a plain []string, so a legacy config that omits allowed_keys is indistinguishable from an explicit empty list. On the next config sync, that can overwrite a migrated row with AllowAllKeys=false and no keys, effectively denying every key for that provider. Make this field presence-aware (*[]string or similar) and only apply the new deny-all semantics when allowed_keys was actually present.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 47 - 76, The
UnmarshalJSON should detect whether allowed_keys was present vs omitted: change
TempProviderConfig.AllowedKeys from []string to *[]string, unmarshal into that,
and only run the conversion/deny-all logic when temp.AllowedKeys != nil (treat
nil as omitted and do not mutate pc.Keys or pc.AllowAllKeys); update the
wildcard check to use *temp.AllowedKeys and construct pc.Keys from the
dereferenced slice when present, leaving existing values unchanged when
allowed_keys was omitted.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@transports/bifrost-http/handlers/governance.go`:
- Around line 436-449: The branch that processes pc.KeyIDs must validate the
wildcard "*" as mutually exclusive and surface any bad/missing key IDs as a
client error instead of a generic transaction failure: in the block that sets
allowAllKeys and calls h.configStore.GetKeysByIDs, check if pc.KeyIDs contains
"*" together with other IDs and return a typed 4xx client validation error
(rather than a 500) for that malformed input; likewise if GetKeysByIDs returns
fewer keys than requested, return a 4xx indicating missing key IDs (include
pc.Provider and expected vs found) so callers get a client-level validation
response; apply the same change to the other similar blocks around the pc.KeyIDs
handling (the other occurrences you noted).

---

Duplicate comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 47-76: The UnmarshalJSON should detect whether allowed_keys was
present vs omitted: change TempProviderConfig.AllowedKeys from []string to
*[]string, unmarshal into that, and only run the conversion/deny-all logic when
temp.AllowedKeys != nil (treat nil as omitted and do not mutate pc.Keys or
pc.AllowAllKeys); update the wildcard check to use *temp.AllowedKeys and
construct pc.Keys from the dereferenced slice when present, leaving existing
values unchanged when allowed_keys was omitted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60974006-f5d3-4bf6-b678-96443126c6a8

📥 Commits

Reviewing files that changed from the base of the PR and between ad76bf0 and f5103e6.

📒 Files selected for processing (10)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• ui/lib/types/governance.ts
• framework/configstore/migrations.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/configstore/migrations.go`:
- Around line 4309-4329: The VirtualKeyProviderConfig's AllowAllKeys field is
missing from the hash input causing GenerateVirtualKeyHash to ignore changes to
it; update the VirtualKeyProviderConfigHashInput type/struct (used by
GenerateVirtualKeyHash in clientconfig.go) to include AllowAllKeys and ensure
the code that builds the hash input for each TableVirtualKeyProviderConfig
populates that field so the generated hash changes when AllowAllKeys toggles
(this will make the recomputation loop that loads TableVirtualKey and calls
GenerateVirtualKeyHash pick up the change).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e3c0afb9-3eea-4719-b6f1-83540b2fe7de

📥 Commits

Reviewing files that changed from the base of the PR and between f5103e6 and 2a794d7.

📒 Files selected for processing (5)

• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/resolver.go

🚧 Files skipped from review as they are similar to previous changes (3)

• framework/changelog.md
• plugins/governance/resolver.go
• plugins/governance/changelog.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

755-824: ⚠️ Potential issue | 🟡 Minor

Add a stable selector to the Allowed Keys multiselect.

This is a new interactive control in the sheet, but it’s the only one in this block without a data-testid. Please add one that follows the existing vk-*-<index> convention so E2E coverage can target it reliably.

As per coding guidelines, UI interactive elements must have data-testid attributes following the pattern 'data-testid="--"'.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 755 -
824, The Allowed Keys AsyncMultiSelect is missing a stable test selector; add a
data-testid attribute following the vk-*-<index> convention (e.g.,
data-testid={`vk-allowed-keys-${index}`}) to the AsyncMultiSelect component so
E2E tests can reliably target it—locate the AsyncMultiSelect usage in this file
(the component that uses selectedProviderKeys, hasWildcard, and calls
handleUpdateProviderConfig) and add the data-testid prop.

♻️ Duplicate comments (2)

plugins/governance/resolver.go (1)

240-250: ⚠️ Potential issue | 🟠 Major

Clear stale include-only filters on allow-all path.
At Line 243, when pc.AllowAllKeys is true, schemas.BifrostContextKeyGovernanceIncludeOnlyKeys is not overwritten. A prior value can leak into this request path and incorrectly restrict keys.

🔧 Proposed fix

-	// Find the provider config that matches the request's provider and apply key filtering
+	// Reset key filter first; nil means "no include-only restriction"
+	ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil)
+
+	// Find the provider config that matches the request's provider and apply key filtering
 	for _, pc := range vk.ProviderConfigs {
 		if schemas.ModelProvider(pc.Provider) == provider {
 			if !pc.AllowAllKeys {
 				// Restrict to specific keys (empty slice = no keys allowed)
 				includeOnlyKeys := make([]string, 0, len(pc.Keys))
 				for _, dbKey := range pc.Keys {
 					includeOnlyKeys = append(includeOnlyKeys, dbKey.KeyID)
 				}
 				ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, includeOnlyKeys)
 			}
 			break
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver.go` around lines 240 - 250, The code sets
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when pc.AllowAllKeys is false
but does not clear it when pc.AllowAllKeys is true, allowing a previous
request's include-only filter to leak; inside the loop over vk.ProviderConfigs
(and specifically in the branch handling schemas.ModelProvider(pc.Provider) ==
provider) ensure that in the pc.AllowAllKeys == true path you explicitly clear
the context key (e.g., call
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil) or set an
empty slice) so stale include-only filters are removed for allow-all requests.

transports/bifrost-http/handlers/governance.go (1)

499-503: ⚠️ Potential issue | 🟠 Major

Reject mixed wildcard + explicit key IDs before key lookup.

At Line 499-503, Line 840-843, and Line 915-918, ["*", "<id>"] still falls through to ID lookup and can bubble as a 500 path instead of a deterministic 400 client error. Please validate this input shape up front and fail fast before any DB lookup.

♻️ Consolidated fix (single parser reused across all 3 call sites)

+var errInvalidProviderKeyIDs = errors.New("invalid provider key_ids")
+
+func parseProviderKeyIDs(keyIDs []string) (allowAll bool, explicitIDs []string, err error) {
+	if len(keyIDs) == 0 {
+		return false, nil, nil
+	}
+	if len(keyIDs) == 1 && keyIDs[0] == "*" {
+		return true, nil, nil
+	}
+	for _, id := range keyIDs {
+		if id == "*" {
+			return false, nil, fmt.Errorf("%w: cannot mix '*' with explicit ids", errInvalidProviderKeyIDs)
+		}
+	}
+	return false, keyIDs, nil
+}

-allowAllKeys := false
-if len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" {
-	allowAllKeys = true
-} else if len(pc.KeyIDs) > 0 {
+allowAllKeys, explicitKeyIDs, err := parseProviderKeyIDs(pc.KeyIDs)
+if err != nil {
+	return err
+}
+if len(explicitKeyIDs) > 0 {
 	var err error
-	keys, err = h.configStore.GetKeysByIDs(ctx, pc.KeyIDs)
+	keys, err = h.configStore.GetKeysByIDs(ctx, explicitKeyIDs)
 	if err != nil {
 		return fmt.Errorf("failed to get keys by IDs for provider %s: %w", pc.Provider, err)
 	}
-	if len(keys) != len(pc.KeyIDs) {
-		return fmt.Errorf("some keys not found for provider %s: expected %d, found %d", pc.Provider, len(pc.KeyIDs), len(keys))
+	if len(keys) != len(explicitKeyIDs) {
+		return fmt.Errorf("some keys not found for provider %s: expected %d, found %d", pc.Provider, len(explicitKeyIDs), len(keys))
 	}
}

Also applies to: 840-843, 915-918

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 499 - 503,
Reject mixed wildcard and explicit KeyIDs up front: validate pc.KeyIDs in the
handlers (where allowAllKeys is computed) and return a deterministic 400 if the
slice contains "*" together with any other IDs (e.g., ["*", "<id>"]) before
performing any DB/key lookup. Update the logic around the allowAllKeys
computation (the pc.KeyIDs handling blocks) to detect this invalid shape and
fail fast; factor this check into a small helper/validator (reused at the three
call sites) so the same validation runs at the locations currently setting
allowAllKeys.

🧹 Nitpick comments (2)

plugins/governance/resolver_test.go (1)

29-29: Add explicit tests for skipRateLimitsAndBudgets=true.
All updated callsites here pass false, so the new auth-driven bypass branch is currently unverified in resolver tests.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver_test.go` at line 29, The test currently only
calls resolver.EvaluateVirtualKeyRequest with skipRateLimitsAndBudgets=false;
add an explicit unit test that calls EvaluateVirtualKeyRequest(ctx,
"sk-bf-test", schemas.OpenAI, "gpt-4", schemas.ChatCompletionRequest, true) to
exercise the auth-driven bypass branch. In that new test, assert the expected
bypass behavior (e.g., that rate limit/budget checks are skipped or that the
returned decision reflects bypass) and reuse the same setup/mocks as the
existing test to verify the true path in the resolver package.

framework/configstore/migrations.go (1)

4363-4389: Collapse the backfill scan into a set-based query.

This currently loads every provider config and then runs one COUNT(*) per row while the global migration lock is held. A single LEFT JOIN/NOT EXISTS query will make startup time much more predictable on larger installs.

♻️ Example refactor

-			var allConfigs []tables.TableVirtualKeyProviderConfig
-			if err := tx.Find(&allConfigs).Error; err != nil {
-				return fmt.Errorf("failed to query provider configs: %w", err)
-			}
+			type keylessProviderConfig struct {
+				ID           uint
+				VirtualKeyID string
+			}
+			var keylessConfigs []keylessProviderConfig
+			if err := tx.
+				Table("governance_virtual_key_provider_configs AS pc").
+				Select("pc.id, pc.virtual_key_id").
+				Joins("LEFT JOIN governance_virtual_key_provider_config_keys AS pck ON pck.table_virtual_key_provider_config_id = pc.id").
+				Where("pck.table_virtual_key_provider_config_id IS NULL").
+				Scan(&keylessConfigs).Error; err != nil {
+				return fmt.Errorf("failed to query keyless provider configs: %w", err)
+			}
@@
-			for _, pc := range allConfigs {
-				var keyCount int64
-				if err := tx.Table("governance_virtual_key_provider_config_keys").
-					Where("table_virtual_key_provider_config_id = ?", pc.ID).
-					Count(&keyCount).Error; err != nil {
-					return fmt.Errorf("failed to count keys for provider config %d: %w", pc.ID, err)
-				}
-
-				if keyCount == 0 {
-					if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
-						Where("id = ?", pc.ID).
-						Update("allow_all_keys", true).Error; err != nil {
-						return fmt.Errorf("failed to backfill allow_all_keys for provider config %d: %w", pc.ID, err)
-					}
-					modifiedVKIDs[pc.VirtualKeyID] = struct{}{}
-				}
+			for _, pc := range keylessConfigs {
+				if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
+					Where("id = ?", pc.ID).
+					Update("allow_all_keys", true).Error; err != nil {
+					return fmt.Errorf("failed to backfill allow_all_keys for provider config %d: %w", pc.ID, err)
+				}
+				modifiedVKIDs[pc.VirtualKeyID] = struct{}{}
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/migrations.go` around lines 4363 - 4389, The current
loop in migrations.go loads all tables.TableVirtualKeyProviderConfig rows then
does a per-row COUNT on governance_virtual_key_provider_config_keys while
holding the migration lock; replace this with a single set-based UPDATE/SELECT
using a LEFT JOIN or NOT EXISTS to find configs with zero keys and update
allow_all_keys = true in one statement, then populate modifiedVKIDs with the
VirtualKeyID values returned by that query (or by a single SELECT of affected
rows) so you avoid per-row COUNTs using tx and keep the same semantics for
modifiedVKIDs and the allow_all_keys backfill.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 755-824: The Allowed Keys AsyncMultiSelect is missing a stable
test selector; add a data-testid attribute following the vk-*-<index> convention
(e.g., data-testid={`vk-allowed-keys-${index}`}) to the AsyncMultiSelect
component so E2E tests can reliably target it—locate the AsyncMultiSelect usage
in this file (the component that uses selectedProviderKeys, hasWildcard, and
calls handleUpdateProviderConfig) and add the data-testid prop.

---

Duplicate comments:
In `@plugins/governance/resolver.go`:
- Around line 240-250: The code sets
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when pc.AllowAllKeys is false
but does not clear it when pc.AllowAllKeys is true, allowing a previous
request's include-only filter to leak; inside the loop over vk.ProviderConfigs
(and specifically in the branch handling schemas.ModelProvider(pc.Provider) ==
provider) ensure that in the pc.AllowAllKeys == true path you explicitly clear
the context key (e.g., call
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil) or set an
empty slice) so stale include-only filters are removed for allow-all requests.

In `@transports/bifrost-http/handlers/governance.go`:
- Around line 499-503: Reject mixed wildcard and explicit KeyIDs up front:
validate pc.KeyIDs in the handlers (where allowAllKeys is computed) and return a
deterministic 400 if the slice contains "*" together with any other IDs (e.g.,
["*", "<id>"]) before performing any DB/key lookup. Update the logic around the
allowAllKeys computation (the pc.KeyIDs handling blocks) to detect this invalid
shape and fail fast; factor this check into a small helper/validator (reused at
the three call sites) so the same validation runs at the locations currently
setting allowAllKeys.

---

Nitpick comments:
In `@framework/configstore/migrations.go`:
- Around line 4363-4389: The current loop in migrations.go loads all
tables.TableVirtualKeyProviderConfig rows then does a per-row COUNT on
governance_virtual_key_provider_config_keys while holding the migration lock;
replace this with a single set-based UPDATE/SELECT using a LEFT JOIN or NOT
EXISTS to find configs with zero keys and update allow_all_keys = true in one
statement, then populate modifiedVKIDs with the VirtualKeyID values returned by
that query (or by a single SELECT of affected rows) so you avoid per-row COUNTs
using tx and keep the same semantics for modifiedVKIDs and the allow_all_keys
backfill.

In `@plugins/governance/resolver_test.go`:
- Line 29: The test currently only calls resolver.EvaluateVirtualKeyRequest with
skipRateLimitsAndBudgets=false; add an explicit unit test that calls
EvaluateVirtualKeyRequest(ctx, "sk-bf-test", schemas.OpenAI, "gpt-4",
schemas.ChatCompletionRequest, true) to exercise the auth-driven bypass branch.
In that new test, assert the expected bypass behavior (e.g., that rate
limit/budget checks are skipped or that the returned decision reflects bypass)
and reuse the same setup/mocks as the existing test to verify the true path in
the resolver package.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0aed7f09-2378-40b6-a85d-1742a7840911

📥 Commits

Reviewing files that changed from the base of the PR and between 5463080 and a6efe9a.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• framework/changelog.md
• framework/configstore/tables/virtualkey.go
• core/utils.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

751-824: ⚠️ Potential issue | 🟡 Minor

Add a data-testid on the Allowed Keys selector wrapper.

This changed interactive block lacks a test selector in the view, which makes E2E targeting brittle.

Suggested fix

-																		<AsyncMultiSelect
+																		<div data-testid={`vk-allowed-keys-multiselect-${index}`}>
+																			<AsyncMultiSelect
 																			hideSelectedOptions
 																			isNonAsync
@@
-																		/>
+																			/>
+																		</div>

As per coding guidelines ui/**/*.{ts,tsx}: UI interactive elements must have data-testid attributes following the pattern data-testid="<entity>-<element>-<qualifier>".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 751 -
824, The Allowed Keys selector block (the JSX returning the <div
className="mx-0.5 space-y-2"> containing <Label> and AsyncMultiSelect) lacks a
test selector; add a data-testid attribute on that wrapper div (or the
AsyncMultiSelect) following the project pattern
data-testid="virtualkey-allowed-keys-wrapper" (or
data-testid="virtualkey-allowed-keys-select" if placed on AsyncMultiSelect) so
E2E tests can target the element; update the JSX for the wrapper around Label
and AsyncMultiSelect (the element returned in the anonymous render where
AsyncMultiSelect is used) to include the data-testid string.

♻️ Duplicate comments (1)

framework/configstore/migrations.go (1)

4391-4408: ⚠️ Potential issue | 🟠 Major

config_hash recomputation can still miss allow_all_keys changes.

At Line 4391, the migration recomputes hashes, but GenerateVirtualKeyHash (in framework/configstore/clientconfig.go) appears to build provider-config hash input without AllowAllKeys. That means toggling allow-all semantics may not change config_hash when key links stay the same.

Suggested fix (cross-file)

--- a/framework/configstore/clientconfig.go
+++ b/framework/configstore/clientconfig.go
@@
 type VirtualKeyProviderConfigHashInput struct {
   Provider      string
   Weight        *float64
   AllowedModels []string
+  AllowAllKeys  bool
   BudgetID      *string
   RateLimitID   *string
   KeyIDs        []string
 }
@@
   providerConfigsForHash[i] = VirtualKeyProviderConfigHashInput{
     Provider:      pc.Provider,
     Weight:        pc.Weight,
     AllowedModels: sortedAllowedModels,
+    AllowAllKeys:  pc.AllowAllKeys,
     BudgetID:      pc.BudgetID,
     RateLimitID:   pc.RateLimitID,
     KeyIDs:        keyIDs,
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/migrations.go` around lines 4391 - 4408, The migration
recomputes config_hash for modified virtual keys but GenerateVirtualKeyHash
currently omits the allow-all-keys flag from the hash input, so toggling
AllowAllKeys doesn't change config_hash; update GenerateVirtualKeyHash (in
framework/configstore/clientconfig.go) to include the VirtualKey-level
AllowAllKeys (or per-provider AllowAllKeys if present) in the data used to
compute the provider-config hash, and ensure the migration loop that loads
TableVirtualKey (the block using tx.Preload(...).First(&vk, "id = ?", vkID) and
then Update("config_hash", newHash)) will pick up the changed AllowAllKeys value
when calling GenerateVirtualKeyHash so hashes are recomputed correctly.

🧹 Nitpick comments (2)

plugins/governance/resolver_test.go (1)

17-33: Consider adding test coverage for skipRateLimitsAndBudgets = true.

All tests pass false for the new parameter. Adding at least one test case with skipRateLimitsAndBudgets = true would verify that rate-limit and budget checks are correctly bypassed when user-level governance handles limits.

💡 Example test case

// TestBudgetResolver_EvaluateRequest_SkipRateLimitsAndBudgets tests that rate limits and budgets are bypassed
func TestBudgetResolver_EvaluateRequest_SkipRateLimitsAndBudgets(t *testing.T) {
	logger := NewMockLogger()

	// VK with rate limit already at max - would normally be blocked
	rateLimit := buildRateLimitWithUsage("rl1", 10000, 10000, 1000, 0) // Tokens at max
	vk := buildVirtualKeyWithRateLimit("vk1", "sk-bf-test", "Test VK", rateLimit)

	store, err := NewLocalGovernanceStore(context.Background(), logger, nil, &configstore.GovernanceConfig{
		VirtualKeys: []configstoreTables.TableVirtualKey{*vk},
		RateLimits:  []configstoreTables.TableRateLimit{*rateLimit},
	}, nil)
	require.NoError(t, err)

	resolver := NewBudgetResolver(store, nil, logger)
	ctx := &schemas.BifrostContext{}

	// With skipRateLimitsAndBudgets=true, should allow despite rate limit being exceeded
	result := resolver.EvaluateVirtualKeyRequest(ctx, "sk-bf-test", schemas.OpenAI, "gpt-4", schemas.ChatCompletionRequest, true)

	assertDecision(t, DecisionAllow, result)
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver_test.go` around lines 17 - 33, Add a test that
verifies skipRateLimitsAndBudgets=true bypasses rate and budget checks: create a
VK that references a rate limit already at max using buildRateLimitWithUsage and
buildVirtualKeyWithRateLimit, initialize the store via NewLocalGovernanceStore
(include the rate limit in GovernanceConfig.RateLimits), call
resolver.EvaluateVirtualKeyRequest(...) with the final parameter true, and
assert the decision is DecisionAllow and the virtual key is found; use the
existing TestBudgetResolver_EvaluateRequest_AllowedRequest pattern for setup and
assertions.

transports/bifrost-http/handlers/governance.go (1)

499-511: Consider extracting key ID parsing into a helper function.

The same pattern for parsing KeyIDs (wildcard check, key fetching, count validation) is repeated three times across createVirtualKey and updateVirtualKey. A small helper could reduce duplication:

♻️ Optional refactor

func (h *GovernanceHandler) parseProviderKeyIDs(ctx context.Context, keyIDs []string, provider string) (allowAllKeys bool, keys []configstoreTables.TableKey, err error) {
	if len(keyIDs) == 1 && keyIDs[0] == "*" {
		return true, nil, nil
	}
	if len(keyIDs) > 0 {
		keys, err = h.configStore.GetKeysByIDs(ctx, keyIDs)
		if err != nil {
			return false, nil, fmt.Errorf("failed to get keys by IDs for provider %s: %w", provider, err)
		}
		if len(keys) != len(keyIDs) {
			return false, nil, fmt.Errorf("some keys not found for provider %s: expected %d, found %d", provider, len(keyIDs), len(keys))
		}
	}
	return false, keys, nil
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 499 - 511,
Extract the repeated KeyIDs parsing logic used in createVirtualKey and
updateVirtualKey into a helper on GovernanceHandler (e.g., parseProviderKeyIDs)
that takes ctx, keyIDs []string and provider string and returns (allowAllKeys
bool, keys []configstoreTables.TableKey, err error); move the wildcard check
(len==1 && "*"), the call to h.configStore.GetKeysByIDs, and the
count-validation into that helper and replace the duplicated blocks in
createVirtualKey and updateVirtualKey with calls to this helper, preserving the
original error messages and behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 751-824: The Allowed Keys selector block (the JSX returning the
<div className="mx-0.5 space-y-2"> containing <Label> and AsyncMultiSelect)
lacks a test selector; add a data-testid attribute on that wrapper div (or the
AsyncMultiSelect) following the project pattern
data-testid="virtualkey-allowed-keys-wrapper" (or
data-testid="virtualkey-allowed-keys-select" if placed on AsyncMultiSelect) so
E2E tests can target the element; update the JSX for the wrapper around Label
and AsyncMultiSelect (the element returned in the anonymous render where
AsyncMultiSelect is used) to include the data-testid string.

---

Duplicate comments:
In `@framework/configstore/migrations.go`:
- Around line 4391-4408: The migration recomputes config_hash for modified
virtual keys but GenerateVirtualKeyHash currently omits the allow-all-keys flag
from the hash input, so toggling AllowAllKeys doesn't change config_hash; update
GenerateVirtualKeyHash (in framework/configstore/clientconfig.go) to include the
VirtualKey-level AllowAllKeys (or per-provider AllowAllKeys if present) in the
data used to compute the provider-config hash, and ensure the migration loop
that loads TableVirtualKey (the block using tx.Preload(...).First(&vk, "id = ?",
vkID) and then Update("config_hash", newHash)) will pick up the changed
AllowAllKeys value when calling GenerateVirtualKeyHash so hashes are recomputed
correctly.

---

Nitpick comments:
In `@plugins/governance/resolver_test.go`:
- Around line 17-33: Add a test that verifies skipRateLimitsAndBudgets=true
bypasses rate and budget checks: create a VK that references a rate limit
already at max using buildRateLimitWithUsage and buildVirtualKeyWithRateLimit,
initialize the store via NewLocalGovernanceStore (include the rate limit in
GovernanceConfig.RateLimits), call resolver.EvaluateVirtualKeyRequest(...) with
the final parameter true, and assert the decision is DecisionAllow and the
virtual key is found; use the existing
TestBudgetResolver_EvaluateRequest_AllowedRequest pattern for setup and
assertions.

In `@transports/bifrost-http/handlers/governance.go`:
- Around line 499-511: Extract the repeated KeyIDs parsing logic used in
createVirtualKey and updateVirtualKey into a helper on GovernanceHandler (e.g.,
parseProviderKeyIDs) that takes ctx, keyIDs []string and provider string and
returns (allowAllKeys bool, keys []configstoreTables.TableKey, err error); move
the wildcard check (len==1 && "*"), the call to h.configStore.GetKeysByIDs, and
the count-validation into that helper and replace the duplicated blocks in
createVirtualKey and updateVirtualKey with calls to this helper, preserving the
original error messages and behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c61ad7c1-c91e-40fa-b399-5b85b62e2e68

📥 Commits

Reviewing files that changed from the base of the PR and between a6efe9a and 0e423ab.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (6)

• framework/changelog.md
• core/utils.go
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• plugins/governance/changelog.md
• transports/changelog.md
• plugins/governance/main.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

755-824: ⚠️ Potential issue | 🟡 Minor

Add a data-testid to the Allowed Keys multiselect control.

This interactive element is part of the changed flow but has no selector, which makes E2E targeting brittle.

🧪 Suggested change

 																		<AsyncMultiSelect
+																			data-testid={`provider-allowed-keys-multiselect-${index}`}
 																			hideSelectedOptions

As per coding guidelines, ui/**/*.{ts,tsx} interactive elements must have data-testid attributes following data-testid="<entity>-<element>-<qualifier>".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 755 -
824, Add a data-testid to the Allowed Keys multiselect by adding a data-testid
prop on the AsyncMultiSelect component (the AsyncMultiSelect instance that uses
value={selectedProviderKeys} and onChange={...}) following the project
convention, e.g. data-testid="virtual-key-allowed-keys-multiselect"
(entity-element-qualifier). Ensure the attribute is added directly to the
AsyncMultiSelect JSX so E2E tests can reliably target this control.

🧹 Nitpick comments (3)

transports/bifrost-http/handlers/governance.go (1)

499-502: Consider extracting repeated wildcard-detection logic into a helper.

The pattern len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" is repeated in three places. While the current implementation is correct and consistent, extracting this into a small helper function would reduce duplication and make future changes easier.

💡 Optional helper extraction

// isAllowAllKeysWildcard returns true if keyIDs is the single-element wildcard ["*"].
func isAllowAllKeysWildcard(keyIDs []string) bool {
	return len(keyIDs) == 1 && keyIDs[0] == "*"
}

Usage:

-allowAllKeys := false
-if len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" {
-	allowAllKeys = true
-} else if len(pc.KeyIDs) > 0 {
+allowAllKeys := isAllowAllKeysWildcard(pc.KeyIDs)
+if !allowAllKeys && len(pc.KeyIDs) > 0 {

Also applies to: 840-843, 915-918

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 499 - 502,
Extract the repeated wildcard check into a helper like
isAllowAllKeysWildcard(keyIDs []string) bool and replace each occurrence of the
pattern len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" (and its local allowAllKeys
assignments) with a call to isAllowAllKeysWildcard(pc.KeyIDs); update all three
spots where pc.KeyIDs is tested (the blocks that set allowAllKeys) to use this
helper to reduce duplication and keep behavior identical.

framework/configstore/migrations.go (1)

4361-4389: Avoid per-config COUNT queries in this backfill loop.

Line 4373-4378 performs one query per provider config, which can significantly extend startup migration time on large datasets. Prefer a single LEFT JOIN ... GROUP BY ... HAVING COUNT(...) = 0 scan and batch update IDs.

♻️ Proposed refactor (single-pass selection + batch update)

-			for _, pc := range allConfigs {
-				var keyCount int64
-				if err := tx.Table("governance_virtual_key_provider_config_keys").
-					Where("table_virtual_key_provider_config_id = ?", pc.ID).
-					Count(&keyCount).Error; err != nil {
-					return fmt.Errorf("failed to count keys for provider config %d: %w", pc.ID, err)
-				}
-
-				if keyCount == 0 {
-					if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
-						Where("id = ?", pc.ID).
-						Update("allow_all_keys", true).Error; err != nil {
-						return fmt.Errorf("failed to backfill allow_all_keys for provider config %d: %w", pc.ID, err)
-					}
-					modifiedVKIDs[pc.VirtualKeyID] = struct{}{}
-				}
-			}
+			type zeroKeyConfig struct {
+				ID          uint
+				VirtualKeyID string
+			}
+			var zeroKeyConfigs []zeroKeyConfig
+			if err := tx.
+				Table("governance_virtual_key_provider_configs pc").
+				Select("pc.id, pc.virtual_key_id").
+				Joins("LEFT JOIN governance_virtual_key_provider_config_keys k ON k.table_virtual_key_provider_config_id = pc.id").
+				Group("pc.id, pc.virtual_key_id").
+				Having("COUNT(k.table_key_id) = 0").
+				Scan(&zeroKeyConfigs).Error; err != nil {
+				return fmt.Errorf("failed to find zero-key provider configs: %w", err)
+			}
+
+			ids := make([]uint, 0, len(zeroKeyConfigs))
+			for _, row := range zeroKeyConfigs {
+				ids = append(ids, row.ID)
+				modifiedVKIDs[row.VirtualKeyID] = struct{}{}
+			}
+			if len(ids) > 0 {
+				if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
+					Where("id IN ?", ids).
+					Update("allow_all_keys", true).Error; err != nil {
+					return fmt.Errorf("failed to backfill allow_all_keys: %w", err)
+				}
+			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/migrations.go` around lines 4361 - 4389, The loop does
a per-config COUNT against governance_virtual_key_provider_config_keys which is
slow; instead perform a single query that LEFT JOINs
governance_virtual_key_provider_config_keys onto
tables.TableVirtualKeyProviderConfig, GROUP BY the provider config id and HAVING
COUNT(key_id) = 0 to select all provider-config IDs with zero keys in one pass,
then batch UPDATE those IDs to set allow_all_keys = true (using
tx.Model(&tables.TableVirtualKeyProviderConfig{}).Where("id IN (?)",
ids).Update(...)) and collect the corresponding VirtualKeyID values into
modifiedVKIDs for later hash recompute; replace the tx.Find + per-row
tx.Table(...).Count loop with this single JOIN+GROUP selection followed by a
single batch update and population of modifiedVKIDs.

plugins/governance/main.go (1)

1013-1019: Prefer a named flag instead of positional boolean literals in EvaluateVirtualKeyRequest.

Line 1015 and Line 1018 pass true/false directly into a multi-argument API that has changed in this stack. A named flag with a single call makes intent clearer and reduces inversion risk during stacked rebases.

♻️ Proposed refactor

-	if result.Decision == DecisionAllow && evaluationRequest.VirtualKey != "" {
-		if evaluationRequest.UserID != "" {
-			// User auth present: only use VK for routing/filtering (skip rate limits and budgets)
-			result = p.resolver.EvaluateVirtualKeyRequest(ctx, evaluationRequest.VirtualKey, evaluationRequest.Provider, evaluationRequest.Model, requestType, true)
-		} else {
-			// No user auth: full VK governance (routing + limits)
-			result = p.resolver.EvaluateVirtualKeyRequest(ctx, evaluationRequest.VirtualKey, evaluationRequest.Provider, evaluationRequest.Model, requestType, false)
-		}
-	}
+	if result.Decision == DecisionAllow && evaluationRequest.VirtualKey != "" {
+		skipRateLimitsAndBudgets := evaluationRequest.UserID != ""
+		// User auth present => skip VK budgets/rate limits; VK still used for routing/filtering.
+		result = p.resolver.EvaluateVirtualKeyRequest(
+			ctx,
+			evaluationRequest.VirtualKey,
+			evaluationRequest.Provider,
+			evaluationRequest.Model,
+			requestType,
+			skipRateLimitsAndBudgets,
+		)
+	}

As per coding guidelines **: always check the stack if there is one for the current PR.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/main.go` around lines 1013 - 1019, The call sites to
EvaluateVirtualKeyRequest use positional boolean literals (true/false) which are
error-prone; update both branches to call a single EvaluateVirtualKeyRequest
invocation that passes a clearly named option instead of a positional bool
(e.g., an options struct or a named parameter like SkipRateLimits/OnlyRouting),
so replace the two calls to p.resolver.EvaluateVirtualKeyRequest(...) with one
call that constructs and passes the named flag (or options) indicating "only use
VK for routing/filtering" when evaluationRequest.UserID != "" and the opposite
when empty; ensure you modify the EvaluateVirtualKeyRequest signature or its
caller wrapper accordingly so intent is explicit and inversion risk is
eliminated.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 755-824: Add a data-testid to the Allowed Keys multiselect by
adding a data-testid prop on the AsyncMultiSelect component (the
AsyncMultiSelect instance that uses value={selectedProviderKeys} and
onChange={...}) following the project convention, e.g.
data-testid="virtual-key-allowed-keys-multiselect" (entity-element-qualifier).
Ensure the attribute is added directly to the AsyncMultiSelect JSX so E2E tests
can reliably target this control.

---

Nitpick comments:
In `@framework/configstore/migrations.go`:
- Around line 4361-4389: The loop does a per-config COUNT against
governance_virtual_key_provider_config_keys which is slow; instead perform a
single query that LEFT JOINs governance_virtual_key_provider_config_keys onto
tables.TableVirtualKeyProviderConfig, GROUP BY the provider config id and HAVING
COUNT(key_id) = 0 to select all provider-config IDs with zero keys in one pass,
then batch UPDATE those IDs to set allow_all_keys = true (using
tx.Model(&tables.TableVirtualKeyProviderConfig{}).Where("id IN (?)",
ids).Update(...)) and collect the corresponding VirtualKeyID values into
modifiedVKIDs for later hash recompute; replace the tx.Find + per-row
tx.Table(...).Count loop with this single JOIN+GROUP selection followed by a
single batch update and population of modifiedVKIDs.

In `@plugins/governance/main.go`:
- Around line 1013-1019: The call sites to EvaluateVirtualKeyRequest use
positional boolean literals (true/false) which are error-prone; update both
branches to call a single EvaluateVirtualKeyRequest invocation that passes a
clearly named option instead of a positional bool (e.g., an options struct or a
named parameter like SkipRateLimits/OnlyRouting), so replace the two calls to
p.resolver.EvaluateVirtualKeyRequest(...) with one call that constructs and
passes the named flag (or options) indicating "only use VK for
routing/filtering" when evaluationRequest.UserID != "" and the opposite when
empty; ensure you modify the EvaluateVirtualKeyRequest signature or its caller
wrapper accordingly so intent is explicit and inversion risk is eliminated.

In `@transports/bifrost-http/handlers/governance.go`:
- Around line 499-502: Extract the repeated wildcard check into a helper like
isAllowAllKeysWildcard(keyIDs []string) bool and replace each occurrence of the
pattern len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" (and its local allowAllKeys
assignments) with a call to isAllowAllKeysWildcard(pc.KeyIDs); update all three
spots where pc.KeyIDs is tested (the blocks that set allowAllKeys) to use this
helper to reduce duplication and keep behavior identical.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6e62a992-d72a-466f-ae8d-5851fde0f6aa

📥 Commits

Reviewing files that changed from the base of the PR and between 0e423ab and 102a0a7.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (7)

• core/utils.go
• plugins/governance/resolver_test.go
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/lib/types/governance.ts
• plugins/governance/resolver.go
• transports/changelog.md
• plugins/governance/changelog.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

755-824: ⚠️ Potential issue | 🟡 Minor

Add data-testid to the Allowed Keys selector.

This interactive control is part of the changed flow but currently lacks a stable selector.

💡 Suggested fix

<AsyncMultiSelect
+	data-testid={`vk-keys-${index}`}
	hideSelectedOptions
	isNonAsync
	closeMenuOnSelect={false}

As per coding guidelines ui/**/*.{ts,tsx}: UI interactive elements must have data-testid attributes following the pattern data-testid="<entity>-<element>-<qualifier>".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 755 -
824, The Allowed Keys AsyncMultiSelect lacks a stable test selector; add a
data-testid prop to the AsyncMultiSelect instance (the component rendered in
virtualKeySheet.tsx) following the pattern
data-testid="virtual-key-allowed-keys-selector" (or similar per
entity-element-qualifier rules). Ensure the attribute is placed on the
AsyncMultiSelect JSX element (the one with props value={selectedProviderKeys}
and onChange={...}) so tests can reliably query it.

♻️ Duplicate comments (3)

framework/configstore/tables/virtualkey.go (1)

64-74: ⚠️ Potential issue | 🟠 Major

allowed_keys presence is still not distinguishable from explicit empty.

With AllowedKeys []string, omitted allowed_keys and allowed_keys: [] collapse to the same state during unmarshal. That can unintentionally resolve legacy omitted configs as deny-all in config-sync paths.

🔧 Suggested fix

 type TempProviderConfig struct {
 	Alias
-	AllowedKeys []string `json:"allowed_keys"` // Config file format: array of key names
+	AllowedKeys *[]string `json:"allowed_keys"` // nil => field omitted, [] => explicitly empty
 }
@@
-	if len(temp.AllowedKeys) > 0 && len(pc.Keys) == 0 {
-		// Check for wildcard — ["*"] means allow all keys
-		if len(temp.AllowedKeys) == 1 && temp.AllowedKeys[0] == "*" {
+	if temp.AllowedKeys != nil && len(pc.Keys) == 0 {
+		// Check for wildcard — ["*"] means allow all keys
+		if len(*temp.AllowedKeys) == 1 && (*temp.AllowedKeys)[0] == "*" {
 			pc.AllowAllKeys = true
+			pc.Keys = nil
+		} else if len(*temp.AllowedKeys) == 0 {
+			// Explicit empty list => deny all
+			pc.AllowAllKeys = false
+			pc.Keys = nil
 		} else {
-			pc.Keys = make([]TableKey, len(temp.AllowedKeys))
-			for i, keyName := range temp.AllowedKeys {
+			pc.AllowAllKeys = false
+			pc.Keys = make([]TableKey, len(*temp.AllowedKeys))
+			for i, keyName := range *temp.AllowedKeys {
 				pc.Keys[i] = TableKey{Name: keyName}
 			}
 		}
 	}

#!/bin/bash
# Verify whether omitted vs explicit-empty `allowed_keys` is distinguished
# and whether tests cover both cases.

set -euo pipefail

echo "=== Unmarshal implementation ==="
sed -n '47,90p' framework/configstore/tables/virtualkey.go

echo
echo "=== Presence tracking pattern check ==="
rg -nP 'AllowedKeys\s+\*?\[\]string|allowed_keys' framework/configstore/tables/virtualkey.go

echo
echo "=== Coverage check for omitted vs empty allowed_keys semantics ==="
rg -nP 'allowed_keys|AllowAllKeys|UnmarshalJSON' --type go framework/configstore

Expected verification outcome:

• AllowedKeys should be pointer-backed (or equivalent presence-tracking mechanism).
• There should be tests covering both omitted allowed_keys and explicit empty allowed_keys: [].

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 64 - 74, The
unmarshalling logic in virtualkey.go cannot tell if allowed_keys was omitted vs
explicitly set empty because AllowedKeys is a []string; change AllowedKeys to a
pointer type (e.g. *[]string) or add an explicit presence flag and update the
UnmarshalJSON/parse flow so you can detect nil (omitted) vs non-nil empty slice
(explicit empty). Update the branch that currently checks len(temp.AllowedKeys)
to instead check for nil to preserve legacy "omitted" semantics (only apply
deny-all/AllowAllKeys logic when AllowedKeys is non-nil), and add unit tests for
both omitted allowed_keys and explicit allowed_keys: [] to validate behavior.
Ensure references to pc.Keys and pc.AllowAllKeys remain consistent with the new
presence-aware field.

plugins/governance/resolver.go (1)

240-250: ⚠️ Potential issue | 🟠 Major

Clear include-only key filter on the AllowAllKeys path.

When pc.AllowAllKeys is true, the code breaks without overwriting schemas.BifrostContextKeyGovernanceIncludeOnlyKeys. If that key was previously set in the same request context, filtering can remain unintentionally active.

💡 Suggested fix

for _, pc := range vk.ProviderConfigs {
	if schemas.ModelProvider(pc.Provider) == provider {
-		if !pc.AllowAllKeys {
+		if pc.AllowAllKeys {
+			ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil)
+		} else {
 			// Restrict to specific keys (empty slice = no keys allowed)
 			includeOnlyKeys := make([]string, 0, len(pc.Keys))
 			for _, dbKey := range pc.Keys {
 				includeOnlyKeys = append(includeOnlyKeys, dbKey.KeyID)
 			}
 			ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, includeOnlyKeys)
 		}
		break
	}
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver.go` around lines 240 - 250, The request context
key schemas.BifrostContextKeyGovernanceIncludeOnlyKeys is only set when
pc.AllowAllKeys is false, so if a previous provider set that key and a later
provider has pc.AllowAllKeys == true the old include-only filter remains; update
the branch for pc.AllowAllKeys == true in the loop over vk.ProviderConfigs
(within the code handling schemas.ModelProvider(pc.Provider) == provider) to
explicitly clear/overwrite the context key via
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil or an empty
slice) so the include-only filter is removed when AllowAllKeys is true.

transports/bifrost-http/handlers/governance.go (1)

499-503: ⚠️ Potential issue | 🟠 Major

Reject mixed wildcard + explicit key IDs before key lookup.

key_ids=["*", "<id>"] still falls through to GetKeysByIDs(...), which can surface as a 500-path instead of a deterministic 400 validation error. This is duplicated in all three branches, so the same bug shape exists for create and update flows.

💡 Suggested fix (single parser reused in all three call sites)

+var errInvalidProviderKeyIDs = errors.New("invalid provider key_ids")
+
+func parseProviderKeyIDs(keyIDs []string) (allowAll bool, explicit []string, err error) {
+	if len(keyIDs) == 0 {
+		return false, nil, nil
+	}
+	if len(keyIDs) == 1 && keyIDs[0] == "*" {
+		return true, nil, nil
+	}
+	for _, id := range keyIDs {
+		if id == "*" {
+			return false, nil, fmt.Errorf("%w: cannot mix '*' with explicit key_ids", errInvalidProviderKeyIDs)
+		}
+	}
+	return false, keyIDs, nil
+}

-allowAllKeys := false
-if len(pc.KeyIDs) == 1 && pc.KeyIDs[0] == "*" {
-	allowAllKeys = true
-} else if len(pc.KeyIDs) > 0 {
+allowAllKeys, explicitKeyIDs, err := parseProviderKeyIDs(pc.KeyIDs)
+if err != nil {
+	return err
+}
+if len(explicitKeyIDs) > 0 {
 	var err error
-	keys, err = h.configStore.GetKeysByIDs(ctx, pc.KeyIDs)
+	keys, err = h.configStore.GetKeysByIDs(ctx, explicitKeyIDs)
 	if err != nil {
 		return fmt.Errorf("failed to get keys by IDs for provider %s: %w", pc.Provider, err)
 	}
-	if len(keys) != len(pc.KeyIDs) {
-		return fmt.Errorf("some keys not found for provider %s: expected %d, found %d", pc.Provider, len(pc.KeyIDs), len(keys))
+	if len(keys) != len(explicitKeyIDs) {
+		return fmt.Errorf("some keys not found for provider %s: expected %d, found %d", pc.Provider, len(explicitKeyIDs), len(keys))
 	}
}

Also applies to: 840-844, 915-919

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/governance.go` around lines 499 - 503,
Reject any KeyIDs arrays that mix the wildcard "*" with explicit IDs before
attempting key lookup: in the governance handlers where pc.KeyIDs is processed
(the block that sets allowAllKeys and calls GetKeysByIDs), add a validation that
returns a 400 error if len(pc.KeyIDs) > 1 and one of the entries equals "*"
(rather than falling through to GetKeysByIDs). Apply the same check to the
equivalent parsing code paths used for create and update flows (the duplicated
branches that now call GetKeysByIDs) so they all deterministically return a
validation error for mixed wildcard+explicit key IDs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 755-824: The Allowed Keys AsyncMultiSelect lacks a stable test
selector; add a data-testid prop to the AsyncMultiSelect instance (the component
rendered in virtualKeySheet.tsx) following the pattern
data-testid="virtual-key-allowed-keys-selector" (or similar per
entity-element-qualifier rules). Ensure the attribute is placed on the
AsyncMultiSelect JSX element (the one with props value={selectedProviderKeys}
and onChange={...}) so tests can reliably query it.

---

Duplicate comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 64-74: The unmarshalling logic in virtualkey.go cannot tell if
allowed_keys was omitted vs explicitly set empty because AllowedKeys is a
[]string; change AllowedKeys to a pointer type (e.g. *[]string) or add an
explicit presence flag and update the UnmarshalJSON/parse flow so you can detect
nil (omitted) vs non-nil empty slice (explicit empty). Update the branch that
currently checks len(temp.AllowedKeys) to instead check for nil to preserve
legacy "omitted" semantics (only apply deny-all/AllowAllKeys logic when
AllowedKeys is non-nil), and add unit tests for both omitted allowed_keys and
explicit allowed_keys: [] to validate behavior. Ensure references to pc.Keys and
pc.AllowAllKeys remain consistent with the new presence-aware field.

In `@plugins/governance/resolver.go`:
- Around line 240-250: The request context key
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys is only set when
pc.AllowAllKeys is false, so if a previous provider set that key and a later
provider has pc.AllowAllKeys == true the old include-only filter remains; update
the branch for pc.AllowAllKeys == true in the loop over vk.ProviderConfigs
(within the code handling schemas.ModelProvider(pc.Provider) == provider) to
explicitly clear/overwrite the context key via
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil or an empty
slice) so the include-only filter is removed when AllowAllKeys is true.

In `@transports/bifrost-http/handlers/governance.go`:
- Around line 499-503: Reject any KeyIDs arrays that mix the wildcard "*" with
explicit IDs before attempting key lookup: in the governance handlers where
pc.KeyIDs is processed (the block that sets allowAllKeys and calls
GetKeysByIDs), add a validation that returns a 400 error if len(pc.KeyIDs) > 1
and one of the entries equals "*" (rather than falling through to GetKeysByIDs).
Apply the same check to the equivalent parsing code paths used for create and
update flows (the duplicated branches that now call GetKeysByIDs) so they all
deterministically return a validation error for mixed wildcard+explicit key IDs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 751b3822-be4e-4e61-b0ba-30d3a0aee929

📥 Commits

Reviewing files that changed from the base of the PR and between 102a0a7 and 033e271.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (5)

• core/utils.go
• framework/changelog.md
• plugins/governance/main.go
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• plugins/governance/resolver_test.go

[coderabbitai]

♻️ Duplicate comments (2)

framework/configstore/tables/virtualkey.go (1)

51-76: ⚠️ Potential issue | 🟠 Major

Preserve omitted allowed_keys semantics during unmarshal.

On Line 53 and Line 66, allowed_keys omission and explicit [] are still indistinguishable. That can make legacy config entries that omit allowed_keys deserialize into deny-all and overwrite migrated allow-all rows during sync.

💡 Suggested fix

 type TempProviderConfig struct {
 	Alias
-	AllowedKeys []string `json:"allowed_keys"` // Config file format: array of key names
+	AllowedKeys *[]string `json:"allowed_keys"` // nil => omitted, [] => explicit deny-all
 }
@@
-	if len(temp.AllowedKeys) > 0 && len(pc.Keys) == 0 {
-		// Check for wildcard — ["*"] means allow all keys
-		if len(temp.AllowedKeys) == 1 && temp.AllowedKeys[0] == "*" {
+	if temp.AllowedKeys != nil && len(pc.Keys) == 0 {
+		allowedKeys := *temp.AllowedKeys
+		// Check for wildcard — ["*"] means allow all keys
+		if len(allowedKeys) == 1 && allowedKeys[0] == "*" {
 			pc.AllowAllKeys = true
+			pc.Keys = nil
+		} else if len(allowedKeys) == 0 {
+			// Explicit empty list => deny all
+			pc.AllowAllKeys = false
+			pc.Keys = nil
 		} else {
-			pc.Keys = make([]TableKey, len(temp.AllowedKeys))
-			for i, keyName := range temp.AllowedKeys {
+			pc.AllowAllKeys = false
+			pc.Keys = make([]TableKey, len(allowedKeys))
+			for i, keyName := range allowedKeys {
 				pc.Keys[i] = TableKey{Name: keyName}
 			}
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 51 - 76, The
unmarshal can't tell whether allowed_keys was omitted or explicitly set to []
because AllowedKeys is a slice; change TempProviderConfig.AllowedKeys to a
pointer to a slice (e.g., *[]string) so absence yields nil and an explicit []
yields non-nil/len==0, then update the post-unmarshal logic in the block that
inspects temp.AllowedKeys to first check for nil (skip if nil), otherwise handle
the wildcard case (["*"] -> set pc.AllowAllKeys) or populate pc.Keys from the
slice; keep assignment of standard fields via
TableVirtualKeyProviderConfig(temp.Alias) as-is.

plugins/governance/resolver.go (1)

240-250: ⚠️ Potential issue | 🟠 Major

Clear include-only key context explicitly on allow-all provider configs.

When pc.AllowAllKeys is true, this branch does not overwrite schemas.BifrostContextKeyGovernanceIncludeOnlyKeys. If that context key is already set, key filtering can remain unintentionally active.

💡 Suggested fix

 for _, pc := range vk.ProviderConfigs {
 	if schemas.ModelProvider(pc.Provider) == provider {
-		if !pc.AllowAllKeys {
-			// Restrict to specific keys (empty slice = no keys allowed)
-			includeOnlyKeys := make([]string, 0, len(pc.Keys))
-			for _, dbKey := range pc.Keys {
-				includeOnlyKeys = append(includeOnlyKeys, dbKey.KeyID)
-			}
-			ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, includeOnlyKeys)
-		}
+		if pc.AllowAllKeys {
+			// Clear any previously set key filter
+			ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil)
+		} else {
+			// Restrict to specific keys (empty slice = no keys allowed)
+			includeOnlyKeys := make([]string, 0, len(pc.Keys))
+			for _, dbKey := range pc.Keys {
+				includeOnlyKeys = append(includeOnlyKeys, dbKey.KeyID)
+			}
+			ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, includeOnlyKeys)
+		}
 		break
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver.go` around lines 240 - 250, The code only sets
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when pc.AllowAllKeys is
false, leaving a previously set include-only key list in place when
pc.AllowAllKeys is true; update the loop over vk.ProviderConfigs (and the
pc.AllowAllKeys branch) to explicitly clear that context key for allow-all
provider configs by calling
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil) or an
empty slice when pc.AllowAllKeys is true so key filtering is disabled; reference
vk.ProviderConfigs, pc.AllowAllKeys, ctx.SetValue and
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when making the change.

🧹 Nitpick comments (1)

plugins/governance/resolver_test.go (1)

29-479: Add one focused test for skipRateLimitsAndBudgets=true.

All updated call sites pass false, so the new boolean branch is still unverified in this suite. A dedicated test would prevent regressions where skip-mode accidentally enforces budgets/rate limits.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/resolver_test.go` around lines 29 - 479, Add a focused
test that calls BudgetResolver.EvaluateVirtualKeyRequest with the
skipRateLimitsAndBudgets boolean set to true to verify budgets and rate-limits
are bypassed; create a VK that would normally be blocked (e.g., use
buildRateLimitWithUsage or buildBudgetWithUsage and wrap with
buildVirtualKeyWithRateLimit/buildVirtualKeyWithBudget), call
resolver.EvaluateVirtualKeyRequest(ctx, "sk-bf-test", schemas.OpenAI, "gpt-4",
schemas.ChatCompletionRequest, true) and assert the decision is DecisionAllow
(and that virtual key is found) to ensure the skip branch is exercised.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@framework/configstore/tables/virtualkey.go`:
- Around line 51-76: The unmarshal can't tell whether allowed_keys was omitted
or explicitly set to [] because AllowedKeys is a slice; change
TempProviderConfig.AllowedKeys to a pointer to a slice (e.g., *[]string) so
absence yields nil and an explicit [] yields non-nil/len==0, then update the
post-unmarshal logic in the block that inspects temp.AllowedKeys to first check
for nil (skip if nil), otherwise handle the wildcard case (["*"] -> set
pc.AllowAllKeys) or populate pc.Keys from the slice; keep assignment of standard
fields via TableVirtualKeyProviderConfig(temp.Alias) as-is.

In `@plugins/governance/resolver.go`:
- Around line 240-250: The code only sets
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when pc.AllowAllKeys is
false, leaving a previously set include-only key list in place when
pc.AllowAllKeys is true; update the loop over vk.ProviderConfigs (and the
pc.AllowAllKeys branch) to explicitly clear that context key for allow-all
provider configs by calling
ctx.SetValue(schemas.BifrostContextKeyGovernanceIncludeOnlyKeys, nil) or an
empty slice when pc.AllowAllKeys is true so key filtering is disabled; reference
vk.ProviderConfigs, pc.AllowAllKeys, ctx.SetValue and
schemas.BifrostContextKeyGovernanceIncludeOnlyKeys when making the change.

---

Nitpick comments:
In `@plugins/governance/resolver_test.go`:
- Around line 29-479: Add a focused test that calls
BudgetResolver.EvaluateVirtualKeyRequest with the skipRateLimitsAndBudgets
boolean set to true to verify budgets and rate-limits are bypassed; create a VK
that would normally be blocked (e.g., use buildRateLimitWithUsage or
buildBudgetWithUsage and wrap with
buildVirtualKeyWithRateLimit/buildVirtualKeyWithBudget), call
resolver.EvaluateVirtualKeyRequest(ctx, "sk-bf-test", schemas.OpenAI, "gpt-4",
schemas.ChatCompletionRequest, true) and assert the decision is DecisionAllow
(and that virtual key is found) to ensure the skip branch is exercised.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4ac1a76c-660f-4326-9aa6-c6cadd58bc9a

📥 Commits

Reviewing files that changed from the base of the PR and between 033e271 and 12acd31.

📒 Files selected for processing (13)

• core/utils.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/virtualkey.go
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/changelog.md
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/lib/types/governance.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• core/utils.go
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• framework/changelog.md
• transports/changelog.md

[Pratham-Mishra04]

Merge activity

• Mar 18, 11:57 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• Mar 18, 12:07 PM UTC: Graphite rebased this pull request as part of a merge.
• Mar 18, 12:08 PM UTC: @Pratham-Mishra04 merged this pull request with Graphite.