refactor: standardize empty array conventions for allowed models

[Pratham-Mishra04]

Summary

Standardizes empty array conventions across Bifrost to implement deny-by-default security semantics. Previously, empty arrays for allowed_models and Models fields meant "allow all", creating potential security gaps. Now ["*"] explicitly means "allow all" while empty arrays mean "deny all".

Changes

• Core Logic: Updated model filtering in bifrost.go and selectKeyFromProviderForModel to treat empty Models arrays as deny-all and ["*"] as allow-all
• Database Migration: Added migrationBackfillAllowedModelsWildcard to convert existing empty arrays to ["*"] preserving current behavior for existing records
• Model Catalog: Updated IsModelAllowedForProvider to use wildcard semantics with deny-by-default fallback
• Schema Defaults: Changed default Models value from [] to ["*"] in table definitions and form schemas
• UI Components: Enhanced ModelMultiselect with allowAllOption prop and updated virtual key forms to handle wildcard selection
• Documentation: Updated JSON schemas, comments, and tooltips to reflect new conventions
• Governance: Updated provider config filtering logic to use new wildcard semantics
• Server Bootstrap: Added wildcard filtering when loading models to prevent literal "*" from appearing as a model name

Type of change

• Refactor
• Bug fix
• Feature
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (Next.js)
• Docs

How to test

Validate the migration and new semantics:

# Core/Transports
go version
go test ./...

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

Test scenarios:

1. Create new virtual keys - should default to ["*"] for allowed models
2. Create new provider keys - should default to ["*"] for models
3. Verify existing keys with empty arrays are migrated to ["*"]
4. Test that empty arrays now deny all models/keys as expected
5. Verify UI shows "All models allowed" for wildcard and "No models (deny all)" for empty arrays

Screenshots/Recordings

UI changes include:

• Model multiselect now shows "Allow All Models" option
• Virtual key details display "All Models" badge for wildcard vs "No models (deny all)" for empty
• Form placeholders updated to reflect new semantics

Breaking changes

• Yes
• No

Migration Impact: The database migration automatically converts existing empty allowed_models and models_json arrays to ["*"], preserving current behavior. However, any new configurations with empty arrays will now deny access instead of allowing all. Applications relying on "empty = allow all" semantics must be updated to use ["*"] explicitly.

Related issues

Part of security hardening initiative to implement explicit allow-lists and deny-by-default semantics across Bifrost configuration.

Security considerations

This change significantly improves security posture by:

• Eliminating ambiguous "empty means allow all" semantics
• Implementing explicit deny-by-default for new configurations
• Requiring intentional wildcard usage via ["*"] for broad access
• Maintaining backward compatibility through automatic migration

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Pratham-Mishra04]

• fix: apply MCP tool filtering headers to tools/list response when using bifrost as MCP gateway #2127 : 2 dependent PRs (#2135 , #2151 )
• feat: add request-level extra headers support for MCP tool execution #2126
• refactor: replace string slices with WhiteList for allowlist fields #2125
• refactor: standardize empty array conventions for allowed models #2113 👈 (View in Graphite)
• refactor: standardize empty array conventions for VK Provider Config Allowed Keys #2006 : 1 other dependent PR (#2008 )
• feat: VK MCP config now works as an AllowList #1940
• feat: add MCP auto tool injection toggle #1933
• refactor: standardize empty array conventions for VK Provider & MCP Configs, and makes Provider Config weight optional for routing #1932
• v1.5.0

This stack of pull requests is managed by Graphite. Learn more about stacking.

[coderabbitai]

Warning

Rate limit exceeded

@Pratham-Mishra04 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 21 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2306179f-e61a-4882-b9bc-4ced9f9fb1f2

📥 Commits

Reviewing files that changed from the base of the PR and between eab2c1b and 1b7f3a0.

📒 Files selected for processing (34)

• core/bifrost.go
• core/changelog.md
• core/providers/mistral/mistral.go
• core/providers/mistral/models.go
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/partial/config.json
• examples/configs/withconfigstore/config.json
• examples/configs/withlogstore/config.json
• examples/configs/withpostgresmcpclientsinconfig/config.json
• examples/configs/withprompushgateway/config.json
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

📝 Walkthrough

Walkthrough

Empty arrays now deny all (deny-by-default); ["*"] explicitly allows all. Changes propagate wildcard semantics across model/key filtering, DB defaults and a backfill migration, provider resolution fallback, server handlers, UI multiselects/views, schemas/config formats, examples, and tests.

Changes

Cohort / File(s)	Summary
Core model filtering core/bifrost.go	Key selection and provider-key filtering updated: ["*"] = allow-all; empty lists = deny-by-default. Selection predicates now require presence and either wildcard or explicit membership.
Provider / resolver logic framework/modelcatalog/main.go, plugins/governance/main.go, plugins/governance/resolver.go	Provider/catalog fallback and resolution use "*" as wildcard allow; empty allowed_models now deny.
Database defaults & migration framework/configstore/migrations.go, framework/configstore/tables/key.go, framework/configstore/tables/virtualkey.go	Added migration to backfill empty/NULL allowed_models/models_json → ["*"]; table (de)serialization changed to persist Models JSON and support wildcard/key_id semantics.
HTTP handlers & server transports/bifrost-http/handlers/providers.go, transports/bifrost-http/server/server.go, transports/bifrost-http/handlers/governance.go, transports/bifrost-http/lib/config.go	Model filtering and list logic updated for wildcard/deny-by-default; skip literal "*" when assembling concrete model lists; removed derivation/merge of provider configs from virtual keys.
Configuration schemas & charts transports/config.schema.json, helm-charts/bifrost/values.schema.json	Schema descriptions updated to document ["*"] vs empty-array semantics; provider keys → key_ids change reflected; base key models default/docs adjusted.
UI: multiselects, forms & views ui/components/ui/modelMultiselect.tsx, ui/components/ui/asyncMultiselect.tsx, ui/app/.../apiKeysFormFragment.tsx, ui/app/.../providerKeyForm.tsx, ui/app/.../virtualKeySheet.tsx, ui/app/.../virtualKeyDetailsSheet.tsx, ui/lib/types/schemas.ts	Added allowAllOption and data-testid; UI sync enforces ["*"] sentinel, defaults for new keys set to ["*"], placeholders/badges show All/No models, and "*" filtered from concrete lists.
Examples & docs docs/features/governance/routing.mdx, examples/configs/*	Docs and example configs updated to use key_ids and explicit key IDs; provider configs updated to use ["*"] or explicit lists; guidance updated for deny-by-default semantics.
Providers: Mistral response change core/providers/mistral/mistral.go, core/providers/mistral/models.go	ToBifrostListModelsResponse signature expanded with unfiltered flag; when unfiltered is true, allowedModels filtering is skipped.
Tests & changelogs plugins/governance/resolver_test.go, core/changelog.md, framework/changelog.md, transports/changelog.md	Tests updated to assert wildcard allow and explicit deny-all; changelogs and docs entries added documenting the convention change.
Misc / formatting / deps core/schemas/transcriptions.go, core/go.mod	Whitespace/formatting tweaks; removed github.com/gorilla/websocket entry from go.mod.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant UI as "UI"
participant Server as "Bifrost Server"
participant Catalog as "Model Catalog"
participant ConfigDB as "ConfigStore/DB"
UI->>Server: Request provider/use model "M"
Server->>Catalog: Query providers for model "M"
alt Catalog available
Catalog-->>Server: Providers that support "M"
Server->>ConfigDB: Load provider configs & keys
else Catalog unavailable
Server->>ConfigDB: Load provider configs & keys (use allowed_models)
end
ConfigDB-->>Server: provider configs (allowed_models, key.models)
Server->>Server: Apply rules: ["*"] => allow-all; []/nil => deny-all; skip literal "*" when listing models
Server-->>UI: Provider selection / access decision

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~55 minutes

Poem

🐰 I hopped through lists both empty and bright,
Stars like ["*"] now say "all's in sight".
Empty means stop — the door is barred,
Keys and models set, no surprises hard.
The rabbit sorted rules and bounded the night.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.45% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the main refactor: standardizing empty array conventions to implement deny-by-default semantics for allowed models.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering summary, changes, type of change, affected areas, testing instructions, breaking changes, security considerations, and all checklist items are marked complete.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 03-16-feat_standardize_empty_array_conventions_in_bifrost

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

ui/components/ui/modelMultiselect.tsx (1)

83-89: ⚠️ Potential issue | 🟡 Minor

Single-select doesn’t normalize "*" to the friendly label.

Multi-select maps wildcard to ALL_MODELS_OPTION, but single-select still renders "*" directly, causing inconsistent UI text.

🛠️ Proposed fix

 	const selectedOptions: ModelOption[] = isSingleSelect
 		? stringValue
-			? [{ label: stringValue, value: stringValue }]
+			? [{ label: stringValue === "*" ? ALL_MODELS_OPTION.label : stringValue, value: stringValue }]
 			: []

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/components/ui/modelMultiselect.tsx` around lines 83 - 89, selectedOptions
currently maps the wildcard "*" to ALL_MODELS_OPTION only for the multi-select
branch, leaving the single-select branch to render stringValue raw; update the
single-select branch in the selectedOptions calculation to normalize stringValue
by checking if stringValue === "*" and, if so, return ALL_MODELS_OPTION
(otherwise keep the existing { label: stringValue, value: stringValue }) so both
isSingleSelect and multi-select use the same friendly label; reference the
selectedOptions variable and the isSingleSelect/stringValue branch when making
the change.

framework/modelcatalog/main.go (1)

498-500: ⚠️ Potential issue | 🟡 Minor

Function docs are stale after the semantic change.

The comment still says empty allowedModels uses catalog-based allowance, but Line 534–536 now denies by default. Please update this block to prevent misconfiguration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/modelcatalog/main.go` around lines 498 - 500, Update the stale
function comment to reflect the new semantics: replace the statement that "If
allowedModels is empty: Uses model catalog to check if provider supports the
model (delegates to GetProvidersForModel...)" with the correct behavior (empty
allowedModels now results in deny-by-default), and keep the existing note that a
non-empty allowedModels list is checked for matches; reference the allowedModels
variable and GetProvidersForModel to locate the comment and ensure the docblock
accurately describes the current deny-by-default behavior.

🧹 Nitpick comments (2)

framework/configstore/migrations.go (1)

4948-4953: Consider scoping VK hash recomputation to only modified rows.

The current query retrieves all distinct VK IDs from the provider configs table, not just those whose allowed_models was actually updated. For deployments with many VKs, this could result in unnecessary hash recomputations.

Since this is a one-time migration, the impact is limited to migration execution time. If performance is acceptable, this can be left as-is.

♻️ Optional optimization to limit scope

-			// Recompute config_hash for all VKs that have provider configs
-			// (any of them may have had their allowed_models updated above).
-			var modifiedVKIDs []string
-			if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
-				Distinct("virtual_key_id").
-				Pluck("virtual_key_id", &modifiedVKIDs).Error; err != nil {
-				return fmt.Errorf("failed to query VK IDs for hash recomputation: %w", err)
-			}
+			// Recompute config_hash only for VKs whose provider configs were updated.
+			// These are the ones that now have allowed_models = '["*"]' (i.e., were backfilled).
+			var modifiedVKIDs []string
+			if err := tx.Model(&tables.TableVirtualKeyProviderConfig{}).
+				Where("allowed_models = ?", `["*"]`).
+				Distinct("virtual_key_id").
+				Pluck("virtual_key_id", &modifiedVKIDs).Error; err != nil {
+				return fmt.Errorf("failed to query VK IDs for hash recomputation: %w", err)
+			}

Note: This assumes all ["*"] values came from this migration. If there are pre-existing ["*"] values that weren't changed, this would still process them, but that's better than processing all VKs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/migrations.go` around lines 4948 - 4953, The migration
currently selects all distinct virtual_key_id values from
tables.TableVirtualKeyProviderConfig which forces hash recomputation for every
VK; restrict the selection to only rows whose allowed_models were set to ["*"]
(or otherwise match the specific marker this migration writes) by adding a WHERE
predicate (e.g., Where("allowed_models = ?", `["*"]`) or equivalent) to the
tx.Model(...).Distinct(...).Pluck(...) query so modifiedVKIDs only contains VKs
actually changed by this migration (reference
tables.TableVirtualKeyProviderConfig and the modifiedVKIDs variable).

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

350-352: Consider extracting weight normalization for readability.

The inline ternary chain is dense and the formatting places budget: on the same line as the weight logic, making it harder to follow. Consider extracting to a helper function.

♻️ Suggested refactor

+const normalizeWeight = (weight: string | number | undefined | null): number | null => {
+	if (weight === undefined || weight === null) return null;
+	if (typeof weight === "string") {
+		const parsed = parseFloat(weight);
+		return Number.isNaN(parsed) ? null : parsed;
+	}
+	return weight;
+};
+
 const normalizeProviderConfigs = (
 	configs: NonNullable<FormData["providerConfigs"]>,
 	existingConfigs?: VirtualKey["provider_configs"],
 ): any[] => {
 	return configs.map((config) => ({
 		...config,
-		weight: config.weight === undefined || config.weight === null
-			? null
-			: typeof config.weight === "string" ? (Number.isNaN(parseFloat(config.weight)) ? null : parseFloat(config.weight)) : config.weight, budget: (() => {
+		weight: normalizeWeight(config.weight),
+		budget: (() => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 350 -
352, Extract the dense inline ternary that normalizes config.weight into a small
helper (e.g., normalizeWeight(value): number | null) and call it where the
object currently builds weight in virtualKeySheet (replace the existing inline
expression using config.weight). The helper should return null for
undefined/null, parse strings with parseFloat and return null for NaN, and
return numeric inputs unchanged; keep the budget property on its own line
afterwards to improve readability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/configstore/migrations.go`:
- Around line 4982-4988: The migration updates models_json on TableKey rows but
fails to recompute the associated config_hash, leaving stale hashes; after
performing the Update("models_json", `["*"]`) against
tx.Model(&tables.TableKey{}), load the affected TableKey records (use the same
query predicate), populate their Key.Models from models_json and recompute and
persist config_hash using the same logic as migrationAddConfigHashColumn (the
code path that derives the hash from key fields including Models) so each
updated key has its config_hash recalculated and saved within the same
transaction.

In `@helm-charts/bifrost/values.schema.json`:
- Line 2738: The JSON schema contains unescaped double quotes inside a string
literal in the "description" fields (currently showing ["*"]) which breaks
parsing; update both occurrences of that description to escape the inner quotes
(replace ["*"] with [\"*\"]) so the string is valid JSON—search for the
"description" entries containing ["*"] and change them to use escaped inner
quotes, ensure the file parses after the change.

In `@transports/config.schema.json`:
- Line 1521: The "keys" schema description is misleading because it implies an
array of strings (["*"]) but "keys" is actually an array of objects with a
key_id property; update the "description" for the keys property to state that
each entry is an object with a "key_id" field and give a valid example such as
[{"key_id":"*"}] to show the wildcard usage and note that an empty array denies
all. Reference the "keys" property and the "key_id" field in the description so
readers understand the required JSON shape.

In `@ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx`:
- Around line 209-232: The ModelMultiselect instance in the API keys form needs
a test selector: update the call in apiKeysFormFragment.tsx to pass a
data-testid (e.g. data-testid="api-keys-models-multiselect-trigger"), and if
ModelMultiselect does not accept/forward that prop, modify
ui/components/ui/modelMultiselect.tsx to add a data-testid (or dataTestId) prop
to the component props and forward it to the interactive trigger/input element
used to open/select models; ensure the attribute name follows the pattern
data-testid="<entity>-<element>-<qualifier>" so tests can reliably target the
control.

In `@ui/lib/types/schemas.ts`:
- Line 173: The schema field models currently calls .default(["*"]).optional(),
which prevents the default from applying; change the chain order so .optional()
comes before .default() on the models schema (i.e., update the
z.array(z.string()) chain for models to call .optional() then .default(["*"]))
so the default value is applied when input is undefined.

---

Outside diff comments:
In `@framework/modelcatalog/main.go`:
- Around line 498-500: Update the stale function comment to reflect the new
semantics: replace the statement that "If allowedModels is empty: Uses model
catalog to check if provider supports the model (delegates to
GetProvidersForModel...)" with the correct behavior (empty allowedModels now
results in deny-by-default), and keep the existing note that a non-empty
allowedModels list is checked for matches; reference the allowedModels variable
and GetProvidersForModel to locate the comment and ensure the docblock
accurately describes the current deny-by-default behavior.

In `@ui/components/ui/modelMultiselect.tsx`:
- Around line 83-89: selectedOptions currently maps the wildcard "*" to
ALL_MODELS_OPTION only for the multi-select branch, leaving the single-select
branch to render stringValue raw; update the single-select branch in the
selectedOptions calculation to normalize stringValue by checking if stringValue
=== "*" and, if so, return ALL_MODELS_OPTION (otherwise keep the existing {
label: stringValue, value: stringValue }) so both isSingleSelect and
multi-select use the same friendly label; reference the selectedOptions variable
and the isSingleSelect/stringValue branch when making the change.

---

Nitpick comments:
In `@framework/configstore/migrations.go`:
- Around line 4948-4953: The migration currently selects all distinct
virtual_key_id values from tables.TableVirtualKeyProviderConfig which forces
hash recomputation for every VK; restrict the selection to only rows whose
allowed_models were set to ["*"] (or otherwise match the specific marker this
migration writes) by adding a WHERE predicate (e.g., Where("allowed_models = ?",
`["*"]`) or equivalent) to the tx.Model(...).Distinct(...).Pluck(...) query so
modifiedVKIDs only contains VKs actually changed by this migration (reference
tables.TableVirtualKeyProviderConfig and the modifiedVKIDs variable).

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 350-352: Extract the dense inline ternary that normalizes
config.weight into a small helper (e.g., normalizeWeight(value): number | null)
and call it where the object currently builds weight in virtualKeySheet (replace
the existing inline expression using config.weight). The helper should return
null for undefined/null, parse strings with parseFloat and return null for NaN,
and return numeric inputs unchanged; keep the budget property on its own line
afterwards to improve readability.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aa931ab3-348b-46c2-8811-27c6ecb655f3

📥 Commits

Reviewing files that changed from the base of the PR and between ef1682b and 4e37675.

📒 Files selected for processing (24)

• core/bifrost.go
• core/changelog.md
• core/go.mod
• core/schemas/transcriptions.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (1)

• core/go.mod

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

transports/bifrost-http/handlers/providers.go (1)

753-775: ⚠️ Potential issue | 🟠 Major

Empty-model keys are still treated as allow-all in this path.

With the new semantics, Line 773 returning all models on !hasRestrictedKey is incorrect when matched keys exist but all have Models=[] (deny-all). That currently re-opens access in the filtered list API.

🛠️ Proposed fix

 func (h *ProviderHandler) filterModelsByKeys(provider schemas.ModelProvider, models []string, keyIDs []string) []string {
@@
 	allowedModels := make(map[string]bool)
 	hasRestrictedKey := false
 	hasUnrestrictedKey := false
+	hasMatchedKey := false
 	for _, keyID := range keyIDs {
 		for _, key := range config.Keys {
 			if key.ID == keyID {
+				hasMatchedKey = true
 				if slices.Contains(key.Models, "*") {
 					// Key allows all models (wildcard)
 					hasUnrestrictedKey = true
 				} else if len(key.Models) > 0 {
@@
 	if hasUnrestrictedKey {
 		return models
 	}
-	// If no keys have model restrictions (e.g., unknown key IDs), return all models
+	// If keys matched but none contributed allowed models, deny all (empty-model semantics).
+	if hasMatchedKey && !hasRestrictedKey {
+		return []string{}
+	}
+	// If no keys matched, keep current permissive behavior.
 	if !hasRestrictedKey {
 		return models
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/providers.go` around lines 753 - 775, The
code incorrectly treats the case where matched API keys exist but all have
Models=[] (deny-all) as "no restrictions" because hasRestrictedKey stays false;
add a new flag (e.g., matchedKeyExists or keysMatchedCount) when iterating keys
in the same block where hasUnrestrictedKey/hasRestrictedKey are set, and change
the final logic so that: if hasUnrestrictedKey return models; else if
!hasRestrictedKey and matchedKeyExists return an empty model list (deny all);
else if !hasRestrictedKey and !matchedKeyExists return models (no matching keys
-> allow all); otherwise build allowedModels as before and return that filtered
list using allowedModels and models variables.

🧹 Nitpick comments (1)

ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx (1)

214-224: Centralize ["*"] normalization in ModelMultiselect.

This form is now carrying the allow-all state machine itself. Since the wildcard semantics are being standardized across the stack, consider having ModelMultiselect emit either ["*"] or a star-free list whenever allowAllOption is enabled so other callers can’t drift on the same edge cases.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx` around lines
214 - 224, The form currently duplicates wildcard normalization logic inside the
onChange handler; move this responsibility into ModelMultiselect so callers
receive either ["*"] or a star-free list when allowAllOption is enabled. Update
ModelMultiselect's change emitter to apply the rules (emit ["*"] if user
selected allow-all, remove "*" if other selections made, or emit selected models
as-is) and then simplify this component’s onChange to directly call
field.onChange(models) (or whatever value ModelMultiselect emits) without
duplicating the star-handling logic; ensure the symbols referenced are
ModelMultiselect (producer) and the onChange callback here that calls
field.onChange.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/modelcatalog/main.go`:
- Around line 528-536: Update the function/docblock comment above this branch to
reflect the new behavior: when allowedModels is empty the function now denies
all instead of falling back to catalog lookup; mention that
slices.Contains(allowedModels, "*") still allows all and uses
mc.GetProvidersForModel(model) and slices.Contains(supportedProviders, provider)
to decide support, and explicitly document that an empty allowedModels returns
false for any provider/model pair (deny-by-default) so callers of this function
(the code using allowedModels, model, provider, mc.GetProvidersForModel) are not
misled by the old examples.

In `@transports/config.schema.json`:
- Around line 1519-1522: The "keys" array schema currently requires each item to
have "name" and "value", which prevents the documented wildcard sentinel
{"key_id":"*"}; update the "keys"."items" schema to allow a oneOf (or anyOf)
with two alternatives: (1) the wildcard object that requires only "key_id"
(string, pattern "^\\*$" or enum ["*"]) and (2) the existing concrete key object
that requires "key_id", "name" and "value" (and keeps its current constraints).
Ensure the concrete object schema remains unchanged and keep the array-level
description; modify the JSON Schema under the "keys" -> "items" node to
implement this split so the sentinel is accepted.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 755-756: The description fallback incorrectly shows "All models"
when key.models is an empty array (which means deny-all); update the places that
set description (the object with description: key.models?.filter((m) => m !==
"*").join(", ") || "All models") to compute the filtered list into a variable
and, if that filtered array is empty, use a clear deny-all label such as "No
models (deny all)" instead of "All models"; apply the same change to the second
occurrence around the other description/provider assignment so both use
key.models and the new deny-all fallback.

---

Outside diff comments:
In `@transports/bifrost-http/handlers/providers.go`:
- Around line 753-775: The code incorrectly treats the case where matched API
keys exist but all have Models=[] (deny-all) as "no restrictions" because
hasRestrictedKey stays false; add a new flag (e.g., matchedKeyExists or
keysMatchedCount) when iterating keys in the same block where
hasUnrestrictedKey/hasRestrictedKey are set, and change the final logic so that:
if hasUnrestrictedKey return models; else if !hasRestrictedKey and
matchedKeyExists return an empty model list (deny all); else if
!hasRestrictedKey and !matchedKeyExists return models (no matching keys -> allow
all); otherwise build allowedModels as before and return that filtered list
using allowedModels and models variables.

---

Nitpick comments:
In `@ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx`:
- Around line 214-224: The form currently duplicates wildcard normalization
logic inside the onChange handler; move this responsibility into
ModelMultiselect so callers receive either ["*"] or a star-free list when
allowAllOption is enabled. Update ModelMultiselect's change emitter to apply the
rules (emit ["*"] if user selected allow-all, remove "*" if other selections
made, or emit selected models as-is) and then simplify this component’s onChange
to directly call field.onChange(models) (or whatever value ModelMultiselect
emits) without duplicating the star-handling logic; ensure the symbols
referenced are ModelMultiselect (producer) and the onChange callback here that
calls field.onChange.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4f1ba152-c60d-407f-9ef0-e4435ac38853

📥 Commits

Reviewing files that changed from the base of the PR and between 4e37675 and 0da4bed.

📒 Files selected for processing (24)

• core/bifrost.go
• core/changelog.md
• core/schemas/transcriptions.go
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

✅ Files skipped from review due to trivial changes (2)

• transports/bifrost-http/handlers/governance.go
• framework/configstore/tables/virtualkey.go

🚧 Files skipped from review as they are similar to previous changes (11)

• core/bifrost.go
• transports/bifrost-http/server/server.go
• framework/changelog.md
• framework/configstore/tables/key.go
• core/changelog.md
• helm-charts/bifrost/values.schema.json
• core/schemas/transcriptions.go
• framework/configstore/migrations.go
• plugins/governance/resolver.go
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/components/ui/modelMultiselect.tsx

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

examples/configs/withvirtualkeys/config.json (1)

207-236: ⚠️ Potential issue | 🟡 Minor

bedrock.keys[*].models: [] now denies all models in this example.

Because this PR standardizes empty arrays as deny-all, these bedrock keys become unusable unless you explicitly set ["*"] (or list specific models). That will make the example behave as intended.

Suggested fix

-                    "models": [],
+                    "models": ["*"],
...
-                    "models": [],
+                    "models": ["*"],
...
-                    "models": [],
+                    "models": ["*"],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/configs/withvirtualkeys/config.json` around lines 207 - 236, The
example config's bedrock key entries currently set "models": [] which now means
deny-all; update each affected key object (e.g., id
"key-bedrock-us-east-1-prod", "key-bedrock-us-west-2-prod",
"key-bedrock-eu-central-1-prod") to use "models": ["*"] (or enumerate allowed
model names) so the keys are usable as intended; locate and change the models
array inside each bedrock_key entry in config.json accordingly.

framework/configstore/tables/virtualkey.go (1)

52-72: ⚠️ Potential issue | 🔴 Critical

Fix UnmarshalJSON to populate the correct TableKey.Name field instead of KeyID.

Line 71 stores config-file key names in the KeyID field, but the resolution logic in CreateVirtualKeyProviderConfig (rdb.go:1832–1843) looks up keys by the Name field. This mismatch causes key resolution to fail with ErrUnresolvedKeys whenever config-file key_ids are provided.

Config specifies: "key_ids": ["my-key"] → stored as TableKey{KeyID: "my-key"} → resolution looks for Name (empty) → fails.

Change line 71 to: pc.Keys[i] = TableKey{Name: keyID} so the key name is stored in the correct field for downstream lookup.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@framework/configstore/tables/virtualkey.go` around lines 52 - 72, The
UnmarshalJSON logic in TempProviderConfig currently fills pc.Keys with
TableKey{KeyID: keyID}, but downstream CreateVirtualKeyProviderConfig resolves
keys by TableKey.Name; change the population to use TableKey{Name: keyID} so
config key names from temp.KeyIDs are stored in the Name field and will be
resolved correctly (keep the rest of the UnmarshalJSON behavior and the existing
TempProviderConfig -> TableVirtualKeyProviderConfig assignment).

🧹 Nitpick comments (2)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (2)

350-352: Simplify weight normalization before object construction.

This inline ternary is hard to maintain and easy to break when editing adjacent payload fields. Consider extracting normalizedWeight first.

Refactor sketch

-		return configs.map((config) => ({
-			...config,
-			weight: config.weight === undefined || config.weight === null
-				? null
-				: typeof config.weight === "string" ? (Number.isNaN(parseFloat(config.weight)) ? null : parseFloat(config.weight)) : config.weight, budget: (() => {
+		return configs.map((config) => {
+			const normalizedWeight =
+				config.weight == null
+					? null
+					: typeof config.weight === "string"
+						? (Number.isNaN(parseFloat(config.weight)) ? null : parseFloat(config.weight))
+						: config.weight;
+			return {
+				...config,
+				weight: normalizedWeight,
+				budget: (() => {
 					const budgetMaxLimit = normalizeNumericField(config.budget?.max_limit);
 					if (budgetMaxLimit !== undefined) {
 						return {
 							max_limit: budgetMaxLimit,
 							reset_duration: config.budget?.reset_duration || "1M",
 						};
 					}
@@
-				})(),
-			rate_limit: (() => {
+				})(),
+				rate_limit: (() => {
 					...
-			})(),
-		}));
+				})(),
+			};
+		});

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 350 -
352, Extract weight normalization into a separate variable before constructing
the payload object: compute a normalizedWeight (e.g., handle undefined/null,
parse strings with parseFloat and treat NaN as null, and leave numeric values
as-is) and then use normalizedWeight in place of the complex inline ternary
currently setting weight in the object (referencing config.weight and the weight
field in the object constructed in virtualKeySheet.tsx). This moves the logic
out of the inline ternary, makes the payload construction clearer and easier to
maintain, and prevents accidental breakage when editing neighboring fields.

---

755-758: Extract duplicated key model-description logic.

The same fallback logic appears twice; consolidating it into a helper will reduce drift risk as semantics evolve.

Refactor sketch

+const formatAllowedModelsDescription = (models?: string[]) =>
+	models == null || models.includes("*")
+		? "All models"
+		: models.filter((m) => m !== "*").join(", ") || "No models (deny all)";
...
-	description:
-		key.models == null || key.models.includes("*")
-			? "All models"
-			: key.models.filter((m) => m !== "*").join(", ") || "No models (deny all)",
+	description: formatAllowedModelsDescription(key.models),
...
-	description:
-		key.models == null || key.models.includes("*")
-			? "All models"
-			: key.models.filter((m) => m !== "*").join(", ") || "No models (deny all)",
+	description: formatAllowedModelsDescription(key.models),

Also applies to: 769-773

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 755 -
758, The model-description expression for keys is duplicated; create a small
helper (e.g., function formatKeyModels(models: string[] | null): string or
getKeyModelsDescription(key) ) that implements the logic (null or includes("*")
=> "All models", otherwise filter out "*" and join with ", " or return "No
models (deny all)"), then replace both inline expressions in
VirtualKeySheet/virtualKeySheet.tsx (where description: key.models == null ||
key.models.includes("*") ? ... and the similar block later) with calls to that
helper so the logic is centralized and reused.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/features/governance/routing.mdx`:
- Around line 293-295: Update this page's narrative and examples to reflect the
new semantics for key_id lists: empty arrays ([]) are deny-all and ["*"] is
explicit allow-all. Locate references and examples that mention "key_ids" and
any text saying empty arrays are permissive and change them to state deny-all;
replace permissive examples that used [] with ["*"] and adjust explanatory copy
to show the correct behavior. Also update any sample JSON/yaml blocks that show
"key_ids": [] to instead demonstrate deny-all or show "key_ids": ["*"] for
allow-all so examples and prose are consistent.

---

Outside diff comments:
In `@examples/configs/withvirtualkeys/config.json`:
- Around line 207-236: The example config's bedrock key entries currently set
"models": [] which now means deny-all; update each affected key object (e.g., id
"key-bedrock-us-east-1-prod", "key-bedrock-us-west-2-prod",
"key-bedrock-eu-central-1-prod") to use "models": ["*"] (or enumerate allowed
model names) so the keys are usable as intended; locate and change the models
array inside each bedrock_key entry in config.json accordingly.

In `@framework/configstore/tables/virtualkey.go`:
- Around line 52-72: The UnmarshalJSON logic in TempProviderConfig currently
fills pc.Keys with TableKey{KeyID: keyID}, but downstream
CreateVirtualKeyProviderConfig resolves keys by TableKey.Name; change the
population to use TableKey{Name: keyID} so config key names from temp.KeyIDs are
stored in the Name field and will be resolved correctly (keep the rest of the
UnmarshalJSON behavior and the existing TempProviderConfig ->
TableVirtualKeyProviderConfig assignment).

---

Nitpick comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 350-352: Extract weight normalization into a separate variable
before constructing the payload object: compute a normalizedWeight (e.g., handle
undefined/null, parse strings with parseFloat and treat NaN as null, and leave
numeric values as-is) and then use normalizedWeight in place of the complex
inline ternary currently setting weight in the object (referencing config.weight
and the weight field in the object constructed in virtualKeySheet.tsx). This
moves the logic out of the inline ternary, makes the payload construction
clearer and easier to maintain, and prevents accidental breakage when editing
neighboring fields.
- Around line 755-758: The model-description expression for keys is duplicated;
create a small helper (e.g., function formatKeyModels(models: string[] | null):
string or getKeyModelsDescription(key) ) that implements the logic (null or
includes("*") => "All models", otherwise filter out "*" and join with ", " or
return "No models (deny all)"), then replace both inline expressions in
VirtualKeySheet/virtualKeySheet.tsx (where description: key.models == null ||
key.models.includes("*") ? ... and the similar block later) with calls to that
helper so the logic is centralized and reused.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2cc1df1f-ec5b-4b2b-9247-b9a8ee6ff605

📥 Commits

Reviewing files that changed from the base of the PR and between 0da4bed and 13d4479.

📒 Files selected for processing (27)

• core/bifrost.go
• core/changelog.md
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (1)

• transports/bifrost-http/lib/config.go

✅ Files skipped from review due to trivial changes (1)

• framework/changelog.md

🚧 Files skipped from review as they are similar to previous changes (11)

• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/handlers/governance.go
• ui/components/ui/asyncMultiselect.tsx
• plugins/governance/resolver.go
• framework/configstore/tables/key.go
• framework/configstore/migrations.go
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/lib/types/schemas.ts
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• plugins/governance/resolver_test.go
• core/bifrost.go

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

examples/configs/withvirtualkeys/config.json (1)

207-238: ⚠️ Potential issue | 🔴 Critical

Bedrock keys need populated models arrays to allow requests.

Empty models arrays trigger deny-by-default semantics and will block all requests. According to the schema: "empty array denies all (deny-by-default)". Update each Bedrock key to use "models": ["*"] to match the pattern used by other provider keys (Azure, Vertex, OpenAI), unless specific model filtering is intended.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/configs/withvirtualkeys/config.json` around lines 207 - 238, The
Bedrock key entries ("id": "key-bedrock-us-east-1-prod",
"key-bedrock-us-west-2-prod", and "key-bedrock-eu-central-1-prod") have empty
"models" arrays which trigger deny-by-default; update each of those entries'
"models" property to ["*"] (or another explicit allow list if intended) so they
permit requests—modify the "models" field in the corresponding objects
(identified by their id or name fields) from [] to ["*"].

ui/components/ui/modelMultiselect.tsx (1)

85-91: ⚠️ Potential issue | 🟡 Minor

Map "*" to ALL_MODELS_OPTION in single-select mode too.

In single-select, value "*" is currently displayed as "*", while multi-select shows “Allow All Models”. Keep both modes consistent.

💡 Suggested fix

 	const selectedOptions: ModelOption[] = isSingleSelect
 		? stringValue
-			? [{ label: stringValue, value: stringValue }]
+			? [stringValue === "*" ? ALL_MODELS_OPTION : { label: stringValue, value: stringValue }]
 			: []
 		: arrayValue.map((model) => (
 			model === "*" ? ALL_MODELS_OPTION : { label: model, value: model }
 		));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/components/ui/modelMultiselect.tsx` around lines 85 - 91, The
selectedOptions calculation treats "*" specially only for multi-select; update
the single-select branch so when isSingleSelect and stringValue === "*" you
return ALL_MODELS_OPTION (i.e., map the "*" value to ALL_MODELS_OPTION) instead
of the raw string; modify the ternary that builds selectedOptions (references:
selectedOptions, isSingleSelect, stringValue, arrayValue, ALL_MODELS_OPTION) so
both single- and multi-select use the same mapping logic for "*".

🧹 Nitpick comments (1)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

351-353: Run Prettier on the new weight normalization block.

budget is currently glued onto the tail of the weight ternary, which makes this object literal hard to scan and doesn't match the repo formatting rule.

As per coding guidelines, "TypeScript/React code must be formatted with Prettier".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 351 -
353, The object literal's `weight` normalization expression is malformed onto a
single line so `budget` is concatenated to its tail; run Prettier (or reformat)
the `weight` block so the ternary/conditional expression for `config.weight` is
properly multiline and `budget` starts on its own line. Locate the `weight:
config.weight === undefined || config.weight === null ? null : typeof
config.weight === "string" ? (Number.isNaN(parseFloat(config.weight)) ? null :
parseFloat(config.weight)) : config.weight, budget: ...` expression in
virtualKeySheet.tsx and reformat it (or run the repo Prettier configuration) to
break the nested ternary into readable lines and place `budget:` on the next
line to match project formatting rules.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@framework/configstore/tables/virtualkey.go`:
- Line 52: The comment for the KeyIDs field in virtualkey.go is misleading;
update the comment on KeyIDs []string `json:"key_ids"` to reflect that these are
key identifiers that populate TableKey.KeyID (not arbitrary key names) and
retain the usage note (e.g., use ["*"] to allow all); reference the KeyIDs field
and TableKey.KeyID so readers understand the exact mapping and semantics.
- Around line 63-73: The unmarshal branch leaves pc.AllowAllKeys true when
non-wildcard temp.KeyIDs are supplied, creating an ambiguous state; update the
logic in the function handling temp.KeyIDs (referencing temp.KeyIDs, pc.Keys,
pc.AllowAllKeys) so that when you set concrete pc.Keys you explicitly clear
pc.AllowAllKeys (set it false), and conversely when detecting the wildcard ("*")
set pc.AllowAllKeys true and ensure pc.Keys is empty; make these assignments
together to avoid any contradictory state.

In `@transports/config.schema.json`:
- Around line 1532-1536: The JSON schema for the key_ids array currently allows
empty strings which are invalid as key names/UUIDs; update the items schema for
"key_ids" (the items object under the "key_ids" property) to require non-empty
strings by adding "minLength": 1 to the item definition so each array element
must be at least one character long.
- Around line 1517-1519: Add an explicit default of ["*"] to
virtual_key_provider_config.allowed_models so configs that omit this field
inherit the stack-wide allow-all default (match the existing behavior of
base_key.models); locate the allowed_models property in the
virtual_key_provider_config schema and set its default to ["*"], and mirror the
same default for the other allowed_models occurrence referenced in the schema to
keep consistency with base_key.models.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 706-710: The closure that computes keys for ModelMultiselect
treats config.key_ids = ["*"] as an empty set; update it to detect the wildcard
and expand it to all provider key_ids before filtering: inside the keys
computation (referencing availableKeys, config, providerKeys, and configKeyIds)
check if config.key_ids is exactly ["*"] and in that case set configKeyIds to
providerKeys.map(k => k.key_id) so ModelMultiselect receives all provider keys;
leave existing behavior for other config.key_ids values intact.

---

Outside diff comments:
In `@examples/configs/withvirtualkeys/config.json`:
- Around line 207-238: The Bedrock key entries ("id":
"key-bedrock-us-east-1-prod", "key-bedrock-us-west-2-prod", and
"key-bedrock-eu-central-1-prod") have empty "models" arrays which trigger
deny-by-default; update each of those entries' "models" property to ["*"] (or
another explicit allow list if intended) so they permit requests—modify the
"models" field in the corresponding objects (identified by their id or name
fields) from [] to ["*"].

In `@ui/components/ui/modelMultiselect.tsx`:
- Around line 85-91: The selectedOptions calculation treats "*" specially only
for multi-select; update the single-select branch so when isSingleSelect and
stringValue === "*" you return ALL_MODELS_OPTION (i.e., map the "*" value to
ALL_MODELS_OPTION) instead of the raw string; modify the ternary that builds
selectedOptions (references: selectedOptions, isSingleSelect, stringValue,
arrayValue, ALL_MODELS_OPTION) so both single- and multi-select use the same
mapping logic for "*".

---

Nitpick comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 351-353: The object literal's `weight` normalization expression is
malformed onto a single line so `budget` is concatenated to its tail; run
Prettier (or reformat) the `weight` block so the ternary/conditional expression
for `config.weight` is properly multiline and `budget` starts on its own line.
Locate the `weight: config.weight === undefined || config.weight === null ? null
: typeof config.weight === "string" ? (Number.isNaN(parseFloat(config.weight)) ?
null : parseFloat(config.weight)) : config.weight, budget: ...` expression in
virtualKeySheet.tsx and reformat it (or run the repo Prettier configuration) to
break the nested ternary into readable lines and place `budget:` on the next
line to match project formatting rules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dc78b5ae-478e-4c0b-9686-0e445b66c577

📥 Commits

Reviewing files that changed from the base of the PR and between 13d4479 and 2ee4667.

📒 Files selected for processing (28)

• core/bifrost.go
• core/changelog.md
• core/go.mod
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (2)

• core/go.mod
• transports/bifrost-http/lib/config.go

✅ Files skipped from review due to trivial changes (2)

• core/changelog.md
• transports/changelog.md

🚧 Files skipped from review as they are similar to previous changes (12)

• helm-charts/bifrost/values.schema.json
• framework/modelcatalog/main.go
• ui/lib/types/schemas.ts
• ui/components/ui/asyncMultiselect.tsx
• transports/bifrost-http/server/server.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/handlers/governance.go
• framework/changelog.md
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• docs/features/governance/routing.mdx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

examples/configs/withvirtualkeys/config.json (1)

207-236: ⚠️ Potential issue | 🟠 Major

Bedrock example keys now resolve to deny-all due to empty models arrays.

Under the new semantics, [] denies all. If these sample keys are meant to be usable, switch to ["*"] explicitly.

🔧 Suggested fix

                 {
                     "id": "key-bedrock-us-east-1-prod",
@@
-                    "models": [],
+                    "models": ["*"],
@@
                 {
                     "id": "key-bedrock-us-west-2-prod",
@@
-                    "models": [],
+                    "models": ["*"],
@@
                 {
                     "id": "key-bedrock-eu-central-1-prod",
@@
-                    "models": [],
+                    "models": ["*"],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/configs/withvirtualkeys/config.json` around lines 207 - 236, The
sample Bedrock key entries (e.g., id "key-bedrock-us-east-1-prod",
"key-bedrock-us-west-2-prod", "key-bedrock-eu-central-1-prod") use empty
"models" arrays which now resolve to deny-all; update each key's "models" value
from [] to ["*"] so these sample keys are usable under the new semantics—search
for the objects with those ids and replace their empty "models" arrays with
["*"].

♻️ Duplicate comments (1)

transports/config.schema.json (1)

1532-1538: ⚠️ Potential issue | 🟡 Minor

Reject empty strings in key_ids.

items: { "type": "string" } still accepts [""], which cannot resolve to either a config key name or an API UUID. Adding minLength: 1 keeps this schema useful as a guardrail.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/config.schema.json` around lines 1532 - 1538, The key_ids array
currently allows empty strings because items only specify "type": "string";
update the "key_ids" schema's items definition (the "key_ids" property) to
reject empty strings by adding "minLength": 1 under items so each element must
be a non-empty string.

🧹 Nitpick comments (2)

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

758-761: Minor cleanup: extract duplicated key-model description formatting.

The same fallback expression appears twice; a small helper would keep this consistent and easier to maintain.

🧹 Suggested cleanup

+const getKeyModelsDescription = (models?: string[]) =>
+  models == null || models.includes("*")
+    ? "All models"
+    : models.filter((m) => m !== "*").join(", ") || "No models (deny all)";

 ...
- description:
-   key.models == null || key.models.includes("*")
-     ? "All models"
-     : key.models.filter((m) => m !== "*").join(", ") || "No models (deny all)",
+ description: getKeyModelsDescription(key.models),

 ...
- description:
-   key.models == null || key.models.includes("*")
-     ? "All models"
-     : key.models.filter((m) => m !== "*").join(", ") || "No models (deny all)",
+ description: getKeyModelsDescription(key.models),

Also applies to: 772-775

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 758 -
761, The duplicated fallback expression for describing key.models in
virtualKeySheet.tsx should be extracted into a small helper (e.g.,
formatKeyModels or describeKeyModels) that accepts the models array (string[] |
null) and returns "All models", "No models (deny all)" or a comma-joined list
excluding "*" as currently implemented; replace both inline expressions (the
description assignments around the key.models checks at the two locations shown)
with calls to this helper to keep logic consistent and easier to maintain.

ui/components/ui/modelMultiselect.tsx (1)

167-176: Consider normalizing wildcard exclusivity inside ModelMultiselect.

"*" handling is now duplicated in consumers. Centralizing it here (when allowAllOption is true) would reduce repeated logic and prevent behavior drift.

♻️ Suggested refactor

 const handleChange = useCallback(
   (options: Option<ModelOption>[]) => {
     if (isSingleSelect) {
       const selected = options[0];
       (onChange as (model: string) => void)(selected?.value || "");
     } else {
-      const modelNames = options.map((opt) => opt.value);
+      const rawModelNames = options.map((opt) => opt.value);
+      const modelNames =
+        allowAllOption && rawModelNames.includes("*")
+          ? rawModelNames.length > 1
+            ? rawModelNames.filter((m) => m !== "*")
+            : ["*"]
+          : rawModelNames;
       (onChange as (models: string[]) => void)(modelNames);
     }
@@
-  [onChange, provider, keys, getModels, getBaseModels, isSingleSelect, shouldLoadOnEmpty, shouldUseBaseModels],
+  [onChange, provider, keys, getModels, getBaseModels, isSingleSelect, shouldLoadOnEmpty, shouldUseBaseModels, allowAllOption],
 );

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/components/ui/modelMultiselect.tsx` around lines 167 - 176, Centralize
wildcard ("*") exclusivity in ModelMultiselect by updating the handleChange
callback: when allowAllOption is true and the incoming options include the "*"
value, ensure "*" is the only selected value (for single-select and multi-select
paths), and when "*" is not present remove any "*" from the selection; then call
onChange with the normalized value(s). Locate handleChange in ModelMultiselect
and adjust the Option<ModelOption>[] handling to filter/normalize "*" before
mapping values (preserve current onChange type casts).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/providers/mistral/models.go`:
- Around line 20-21: The filtering logic treats ["*"] as a literal value so real
models get excluded; update the condition in the model filtering blocks (the if
that currently reads: if !unfiltered && len(allowedModels) > 0 &&
!slices.Contains(allowedModels, model.ID) { continue }) to also allow the
wildcard by adding a check for slices.Contains(allowedModels, "*") (e.g. if
!unfiltered && len(allowedModels) > 0 && !slices.Contains(allowedModels,
model.ID) && !slices.Contains(allowedModels, "*") { continue }), and apply the
same change to the second occurrence at the other block (the lines referenced in
the comment).

In `@framework/configstore/tables/virtualkey.go`:
- Around line 63-74: The code currently treats ["*", "id"] as a literal key
list; add a validation before the existing branch on temp.KeyIDs to reject mixed
wildcard and explicit IDs by checking temp.KeyIDs for the presence of "*" and if
found while len(temp.KeyIDs) > 1 return/fail fast with a clear error; keep the
existing handling for the single "*" case that sets pc.AllowAllKeys = true and
for all-other-items populate pc.Keys = make([]TableKey, ...) and assign
TableKey{KeyID: keyID}.

In `@transports/bifrost-http/handlers/providers.go`:
- Around line 754-765: The loop handling matched keys currently treats an empty
key.Models as "contributes nothing", which leaves hasRestrictedKey false and
causes the fallback to return all models; change the logic to treat
len(key.Models)==0 as an explicit deny-all: set a new flag (e.g., hasDenyAllKey
= true) when encountering an empty Models slice and short-circuit to return an
empty models list (or ensure subsequent logic checks hasDenyAllKey before the
fallback), rather than falling through; update the code paths that use
hasUnrestrictedKey, hasRestrictedKey, and allowedModels so they respect
hasDenyAllKey and do not return the full models slice for deny-all keys.

---

Outside diff comments:
In `@examples/configs/withvirtualkeys/config.json`:
- Around line 207-236: The sample Bedrock key entries (e.g., id
"key-bedrock-us-east-1-prod", "key-bedrock-us-west-2-prod",
"key-bedrock-eu-central-1-prod") use empty "models" arrays which now resolve to
deny-all; update each key's "models" value from [] to ["*"] so these sample keys
are usable under the new semantics—search for the objects with those ids and
replace their empty "models" arrays with ["*"].

---

Duplicate comments:
In `@transports/config.schema.json`:
- Around line 1532-1538: The key_ids array currently allows empty strings
because items only specify "type": "string"; update the "key_ids" schema's items
definition (the "key_ids" property) to reject empty strings by adding
"minLength": 1 under items so each element must be a non-empty string.

---

Nitpick comments:
In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 758-761: The duplicated fallback expression for describing
key.models in virtualKeySheet.tsx should be extracted into a small helper (e.g.,
formatKeyModels or describeKeyModels) that accepts the models array (string[] |
null) and returns "All models", "No models (deny all)" or a comma-joined list
excluding "*" as currently implemented; replace both inline expressions (the
description assignments around the key.models checks at the two locations shown)
with calls to this helper to keep logic consistent and easier to maintain.

In `@ui/components/ui/modelMultiselect.tsx`:
- Around line 167-176: Centralize wildcard ("*") exclusivity in ModelMultiselect
by updating the handleChange callback: when allowAllOption is true and the
incoming options include the "*" value, ensure "*" is the only selected value
(for single-select and multi-select paths), and when "*" is not present remove
any "*" from the selection; then call onChange with the normalized value(s).
Locate handleChange in ModelMultiselect and adjust the Option<ModelOption>[]
handling to filter/normalize "*" before mapping values (preserve current
onChange type casts).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 241da39f-5609-4fdf-9bc6-7f8b22588703

📥 Commits

Reviewing files that changed from the base of the PR and between 2ee4667 and 80ebe07.

📒 Files selected for processing (29)

• core/bifrost.go
• core/changelog.md
• core/providers/mistral/mistral.go
• core/providers/mistral/models.go
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (1)

• transports/bifrost-http/lib/config.go

✅ Files skipped from review due to trivial changes (1)

• transports/changelog.md

🚧 Files skipped from review as they are similar to previous changes (8)

• ui/components/ui/asyncMultiselect.tsx
• transports/bifrost-http/server/server.go
• transports/bifrost-http/handlers/governance.go
• framework/configstore/migrations.go
• helm-charts/bifrost/values.schema.json
• framework/changelog.md
• core/changelog.md
• core/schemas/transcriptions.go

[Pratham-Mishra04]

@coderabbitai full-review

[coderabbitai]

@Pratham-Mishra04 Sure! I'll kick off a full review of this PR right away.

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ui/components/ui/modelMultiselect.tsx (1)

85-91: ⚠️ Potential issue | 🟡 Minor

Handle wildcard label in single-select mode too.

At Line 87, single-select still renders "*" as a literal label, while multi-select maps it to ALL_MODELS_OPTION. This creates inconsistent UI for the same semantic value.

💡 Suggested fix

 const selectedOptions: ModelOption[] = isSingleSelect
 		? stringValue
-			? [{ label: stringValue, value: stringValue }]
+			? [stringValue === "*" ? ALL_MODELS_OPTION : { label: stringValue, value: stringValue }]
 			: []
 		: arrayValue.map((model) => (
 			model === "*" ? ALL_MODELS_OPTION : { label: model, value: model }
 		));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/components/ui/modelMultiselect.tsx` around lines 85 - 91, selectedOptions
builds the UI option list but treats the wildcard "*" differently between
single- and multi-select, causing inconsistent display; update the single-select
branch (where isSingleSelect and stringValue are used) to map stringValue ===
"*" to ALL_MODELS_OPTION (the same mapping used in the arrayValue branch) so
both single- and multi-select use ALL_MODELS_OPTION for the wildcard and keep
labels consistent.

♻️ Duplicate comments (2)

transports/config.schema.json (1)

1532-1536: ⚠️ Potential issue | 🟡 Minor

key_ids still allows empty strings.

Line 1536 accepts "", which cannot represent a valid key name or UUID. Add a minimum length constraint.

🛠️ Suggested fix

         "key_ids": {
           "type": "array",
           "description": "Keys allowed for this provider config. Use [\"*\"] to allow all keys; empty array denies all (deny-by-default). In config.json, values are key names. Via the API, values are key UUIDs.",
           "items": {
-            "type": "string"
+            "type": "string",
+            "minLength": 1
           }
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/config.schema.json` around lines 1532 - 1536, The "key_ids" array
currently allows empty strings; update the schema for the "key_ids" property's
"items" (the object under "key_ids") to include a string length constraint by
adding "minLength": 1 so empty "" values are rejected while preserving "type":
"string" for items.

core/providers/mistral/models.go (1)

20-21: ⚠️ Potential issue | 🔴 Critical

Wildcard ["*"] is still treated as a literal model ID.

At Line 20 and Line 35, wildcard is not special-cased. For allowedModels=["*"], real models are skipped and mistral/* gets backfilled, which breaks allow-all semantics.

🔧 Suggested fix

 	includedModels := make(map[string]bool)
+	allowAll := slices.Contains(allowedModels, "*")
 	for _, model := range response.Data {
-		if !unfiltered && len(allowedModels) > 0 && !slices.Contains(allowedModels, model.ID) {
+		if !unfiltered && !allowAll && len(allowedModels) > 0 && !slices.Contains(allowedModels, model.ID) {
 			continue
 		}
@@
-	if !unfiltered && len(allowedModels) > 0 {
+	if !unfiltered && !allowAll && len(allowedModels) > 0 {
 		for _, allowedModel := range allowedModels {
 			if !includedModels[allowedModel] {

Also applies to: 35-36

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/providers/mistral/models.go` around lines 20 - 21, The loop currently
treats the wildcard "*" as a literal model ID because the membership check uses
slices.Contains(allowedModels, model.ID) without special-casing "*"; add a small
guard (e.g., compute allowAll := slices.Contains(allowedModels, "*") before the
loop) and change the filter condition used around model.ID (the clause that
currently reads !unfiltered && len(allowedModels) > 0 &&
!slices.Contains(allowedModels, model.ID)) to skip the slices.Contains check
when allowAll is true (i.e., only apply the allowedModels membership test when
allowAll is false); apply the same fix to the analogous condition around line 35
so that ["*"] correctly means allow-all.

🧹 Nitpick comments (3)

transports/bifrost-http/server/server.go (1)

536-539: Consolidate wildcard model filtering into a shared helper.

The same model == "*" filtering is duplicated in three places. Centralizing it will keep wildcard semantics consistent as this stack evolves.

♻️ Suggested refactor

+func appendExplicitModels(provider schemas.ModelProvider, keyModels []string, out []schemas.Model) []schemas.Model {
+	for _, model := range keyModels {
+		if model == "*" || model == "" {
+			continue
+		}
+		out = append(out, schemas.Model{ID: string(provider) + "/" + model})
+	}
+	return out
+}

- for _, model := range key.Models {
- 	if model == "*" {
- 		continue
- 	}
- 	modelsInKeys = append(modelsInKeys, schemas.Model{
- 		ID: string(provider) + "/" + model,
- 	})
- }
+ modelsInKeys = appendExplicitModels(provider, key.Models, modelsInKeys)

Apply similarly to the other two loops in this file.

Also applies to: 771-773, 1263-1265

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/server/server.go` around lines 536 - 539, Extract the
duplicate wildcard check (model == "*") into a small shared helper (e.g.,
shouldSkipModel or isWildcardModel) and replace the inline check in each loop
that currently does `if model == "*" { continue }` with a call to that helper;
update all three occurrences in server.go (the loop blocks referencing the
`model` variable around the shown diff and the other two similar loops) so they
all use the new helper to decide whether to continue, keeping the helper
package-private to this file for consistency.

core/bifrost.go (1)

6176-6202: Update the stale model-filter comment to match the new deny-by-default behavior.

Line 6176 still says empty Models means allow-all, but Line 6201-Line 6202 now enforce empty Models as deny-all. Please align the comment to avoid future regressions.

✏️ Suggested comment-only diff

-	// filter out keys which don't support the model, if the key has no models, it is supported for all models
+	// Filter keys by model allowlist semantics:
+	// - ["*"] = allow all models
+	// - [] = deny all models
+	// - explicit list = allow only listed models
 	var supportedKeys []schemas.Key

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/bifrost.go` around lines 6176 - 6202, The comment describing model
filtering is outdated: it claims an empty key.Models allows all models while the
code in the modelSupported computation now treats an empty list as deny-all;
update the comment near the skipModelCheck / model filtering logic (around
variables supportedKeys, skipModelCheck and the modelSupported calculation) to
state that: ["*"] allows all models, an empty slice denies all models, and a
specific list allows only listed models; ensure the explanation references
hasValue and CanProviderKeyValueBeEmpty(baseProviderType) as prerequisites for
modelSupported.

ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx (1)

351-353: Refactor weight normalization for readability and safer maintenance.

Line 351-Line 353 works, but the nested inline ternary makes this branch hard to audit and easy to regress later.

♻️ Suggested refactor

+const parseWeight = (weight: string | number | null | undefined): number | null => {
+  if (weight === undefined || weight === null) return null;
+  if (typeof weight === "number") return weight;
+  const parsed = Number.parseFloat(weight);
+  return Number.isNaN(parsed) ? null : parsed;
+};
+
 return configs.map((config) => ({
   ...config,
-  weight: config.weight === undefined || config.weight === null
-    ? null
-    : typeof config.weight === "string" ? (Number.isNaN(parseFloat(config.weight)) ? null : parseFloat(config.weight)) : config.weight, budget: (() => {
+  weight: parseWeight(config.weight),
+  budget: (() => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx` around lines 351 -
353, The inline nested ternary used to compute weight in the virtual key object
(the expression referencing config.weight) is hard to read and brittle; refactor
by extracting a small helper or local variable (e.g., normalizeWeight or
weightNormalized) that explicitly handles undefined/null => null, string =>
parseFloat with Number.isNaN check returning null on failure, and numeric values
returned as-is, then use that symbol in place of the long ternary when building
the object (update the code around the weight: ... and budget: (() => { ... )
block in virtualKeySheet.tsx).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/changelog.md`:
- Line 3: Update the changelog entry that currently states "standardize empty
array conventions in bifrost. Empty array means no tools/keys are allowed,
[\"*\"] means all tools/keys are allowed." to also document model semantics by
adding that the same convention applies to models (e.g., models: [] denies all,
[\"*\"] allows all), ensuring the entry explicitly mentions tools, keys, and
models so the change is accurately described.

In `@examples/configs/withvirtualkeys/config.json`:
- Around line 88-90: The Bedrock key referenced by "key_ids":
["key-bedrock-eu-central-1-prod"] is currently configured with an empty models
list (models: []), which results in deny-all access; update the key definition
for key-bedrock-eu-central-1-prod to include the allowed model names (or remove
the explicit key reference if you intend to inherit defaults) so model routing
can match, ensuring the models array contains the proper Bedrock model
identifiers instead of being empty.

In `@framework/changelog.md`:
- Line 3: The changelog entry "refactor: standardize empty array conventions in
modelcatalog and tables." must be reclassified as a breaking change and
expanded: update the line in changelog.md to a "breaking:" heading, explicitly
state that empty arrays now mean deny-all and ["*"] means allow-all for
modelcatalog and tables, and add a short migration note advising users to audit
configs and replace empty arrays with ["*"] or explicit entries as needed;
reference the modelcatalog and tables convention change so readers can find
related PRs.

In `@framework/configstore/migrations.go`:
- Around line 4944-4945: The predicate that targets rows with allowed_models set
to an empty JSON array or NULL misses rows where the JSON column contains the
literal text "null"; update the Where predicates around the
Update("allowed_models", `["*"]`) calls to also match the JSON-string literal
`"null"` (e.g. add OR allowed_models = ? with the second arg set to `"null"`),
and apply this same change to both occurrences near the existing
Where(...).Update("allowed_models", `["*"]`) calls so those rows are included in
the backfill.
- Around line 4997-5006: The constructed schemas.Key in the migration omits
fields used by GenerateKeyHash (e.g., VLLMKeyConfig, Enabled, UseForBatchAPI),
causing incorrect config_hash values; update the construction of schemaKey
inside the migration to populate all fields that GenerateKeyHash depends on
(including VLLMKeyConfig, Enabled, UseForBatchAPI and any other key fields),
keeping existing fields like Name, Value, Models, Weight (via getWeight),
AzureKeyConfig, VertexKeyConfig, BedrockKeyConfig, and ReplicateKeyConfig so
GenerateKeyHash produces the correct hash and prevents false config drift.

In `@framework/configstore/tables/key.go`:
- Around line 92-97: When persisting the Key struct, normalize an omitted or
nil/empty k.Models to the wildcard ["*"] before json.Marshal so you don't store
a deny-all; update the code around the block that sets k.ModelsJSON (where
k.Models is marshalled) to check if k.Models == nil || len(k.Models) == 0 and if
so set k.Models = []string{"*"} prior to marshalling, then marshal into
k.ModelsJSON as currently done (ensure this change touches the same method that
contains k.Models, k.ModelsJSON and k.Enabled).

---

Outside diff comments:
In `@ui/components/ui/modelMultiselect.tsx`:
- Around line 85-91: selectedOptions builds the UI option list but treats the
wildcard "*" differently between single- and multi-select, causing inconsistent
display; update the single-select branch (where isSingleSelect and stringValue
are used) to map stringValue === "*" to ALL_MODELS_OPTION (the same mapping used
in the arrayValue branch) so both single- and multi-select use ALL_MODELS_OPTION
for the wildcard and keep labels consistent.

---

Duplicate comments:
In `@core/providers/mistral/models.go`:
- Around line 20-21: The loop currently treats the wildcard "*" as a literal
model ID because the membership check uses slices.Contains(allowedModels,
model.ID) without special-casing "*"; add a small guard (e.g., compute allowAll
:= slices.Contains(allowedModels, "*") before the loop) and change the filter
condition used around model.ID (the clause that currently reads !unfiltered &&
len(allowedModels) > 0 && !slices.Contains(allowedModels, model.ID)) to skip the
slices.Contains check when allowAll is true (i.e., only apply the allowedModels
membership test when allowAll is false); apply the same fix to the analogous
condition around line 35 so that ["*"] correctly means allow-all.

In `@transports/config.schema.json`:
- Around line 1532-1536: The "key_ids" array currently allows empty strings;
update the schema for the "key_ids" property's "items" (the object under
"key_ids") to include a string length constraint by adding "minLength": 1 so
empty "" values are rejected while preserving "type": "string" for items.

---

Nitpick comments:
In `@core/bifrost.go`:
- Around line 6176-6202: The comment describing model filtering is outdated: it
claims an empty key.Models allows all models while the code in the
modelSupported computation now treats an empty list as deny-all; update the
comment near the skipModelCheck / model filtering logic (around variables
supportedKeys, skipModelCheck and the modelSupported calculation) to state that:
["*"] allows all models, an empty slice denies all models, and a specific list
allows only listed models; ensure the explanation references hasValue and
CanProviderKeyValueBeEmpty(baseProviderType) as prerequisites for
modelSupported.

In `@transports/bifrost-http/server/server.go`:
- Around line 536-539: Extract the duplicate wildcard check (model == "*") into
a small shared helper (e.g., shouldSkipModel or isWildcardModel) and replace the
inline check in each loop that currently does `if model == "*" { continue }`
with a call to that helper; update all three occurrences in server.go (the loop
blocks referencing the `model` variable around the shown diff and the other two
similar loops) so they all use the new helper to decide whether to continue,
keeping the helper package-private to this file for consistency.

In `@ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx`:
- Around line 351-353: The inline nested ternary used to compute weight in the
virtual key object (the expression referencing config.weight) is hard to read
and brittle; refactor by extracting a small helper or local variable (e.g.,
normalizeWeight or weightNormalized) that explicitly handles undefined/null =>
null, string => parseFloat with Number.isNaN check returning null on failure,
and numeric values returned as-is, then use that symbol in place of the long
ternary when building the object (update the code around the weight: ... and
budget: (() => { ... ) block in virtualKeySheet.tsx).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ae2d2bfe-edc2-489c-aa00-3a916c5d39fe

📥 Commits

Reviewing files that changed from the base of the PR and between 102a0a7 and 24b4bdb.

📒 Files selected for processing (30)

• core/bifrost.go
• core/changelog.md
• core/go.mod
• core/providers/mistral/mistral.go
• core/providers/mistral/models.go
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (2)

• core/go.mod
• transports/bifrost-http/lib/config.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

examples/configs/withprompushgateway/config.json (1)

33-39: ⚠️ Potential issue | 🟠 Major

Gemini key entry is missing required name.

Line 35-39 defines a provider key without name, but key objects require it in the config schema. This example can fail validation.

🛠️ Proposed fix

         "gemini": {
             "keys": [
                 {
+                    "name": "Gemini API Key",
                     "value": "env.GEMINI_API_KEY",
                     "weight": 1,
                     "use_for_batch_api": true,
                     "models": ["*"]
                 }
             ],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/configs/withprompushgateway/config.json` around lines 33 - 39, The
provider key object inside the "keys" array is missing the required name
property; update the key entry (the object with "value": "env.GEMINI_API_KEY",
"weight": 1, "use_for_batch_api": true, "models": ["*"]) to include a "name"
field (e.g., "name": "GEMINI_API_KEY") so the config conforms to the schema and
the env reference matches the key name.

helm-charts/bifrost/values.schema.json (1)

2736-2754: ⚠️ Potential issue | 🟠 Major

Line 2753 description contradicts the standardized deny-by-default convention established in this commit.

Line 2738 (allowed_models) correctly documents deny-by-default: "empty array denies all (deny-by-default)", but line 2753 (keys) still states the old behavior: "empty means all keys allowed". Update the description to align with the new convention:

         "keys": {
           "type": "array",
-          "description": "Provider keys for this config (empty means all keys allowed for this provider)",
+          "description": "Provider keys for this config. Use [\"*\"] or list specific key names to allow; empty array denies all (deny-by-default).",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helm-charts/bifrost/values.schema.json` around lines 2736 - 2754, The "keys"
property description contradicts the deny-by-default convention; update the
description for the "keys" array (the schema entry named "keys") to match
"allowed_models" by stating that an empty array denies all (deny-by-default)
rather than "empty means all keys allowed"; ensure the text clearly mirrors the
phrasing used for "allowed_models" so the behavior is documented consistently
across the schema.

transports/bifrost-http/server/server.go (1)

534-545: ⚠️ Potential issue | 🟠 Major

Don't drop the wildcard signal before seeding the filtered model catalog.

These loops skip * but never remember that a key was unrestricted. After that, models: ["*"] becomes indistinguishable from models: [], and mixed wildcard+restricted keys collapse to the restricted subset only. That seeds the filtered catalog with the wrong visibility, so /api/models and the Virtual Key sheet can under/over-report accessible models. Please carry a separate hasWildcardModels signal here (or reuse the reducer behind filterModelsByKeys) and only treat an empty explicit-model set as deny-all when no wildcard key was present.

Also applies to: 769-779, 1261-1271

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/server/server.go` around lines 534 - 545, The loop
building modelsInKeys currently skips wildcard entries ("*") but never records
that a provider had an unrestricted key, causing UpsertModelDataForProvider to
lose the "allow-all" signal; update the code that iterates providerKeys (and the
similar loops around where provider models are seeded) to track a boolean
hasWildcardModels when any key.Models contains "*" and pass that information
into the logic that computes the final model set before calling
s.Config.ModelCatalog.UpsertModelDataForProvider (or alter
UpsertModelDataForProvider call-site to include the wildcard flag), ensuring
that an explicit models: ["*"] is treated as allow-all (not as empty/deny-all)
and that mixed wildcard+restricted keys preserve the wildcard semantics.

♻️ Duplicate comments (2)

core/providers/mistral/models.go (1)

20-21: ⚠️ Potential issue | 🟠 Major

Honor deny-by-default and wildcard semantics in filtering/backfill.

At Line 20 and Line 35, len(allowedModels) > 0 still makes empty lists behave as allow-all, and ["*"] can be treated like a literal model token. That conflicts with the PR contract ([] deny-all, ["*"] allow-all).

🔧 Suggested fix

 	includedModels := make(map[string]bool)
+	allowAll := slices.Contains(allowedModels, "*")
+	denyAll := len(allowedModels) == 0
 	for _, model := range response.Data {
-		if !unfiltered && len(allowedModels) > 0 && !slices.Contains(allowedModels, model.ID) {
+		if !unfiltered && (denyAll || (!allowAll && !slices.Contains(allowedModels, model.ID))) {
 			continue
 		}
 		bifrostResponse.Data = append(bifrostResponse.Data, schemas.Model{
@@
 	// Backfill allowed models that were not in the response
-	if !unfiltered && len(allowedModels) > 0 {
+	if !unfiltered && !allowAll && !denyAll {
 		for _, allowedModel := range allowedModels {
 			if !includedModels[allowedModel] {
 				bifrostResponse.Data = append(bifrostResponse.Data, schemas.Model{

Also applies to: 35-36

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/providers/mistral/models.go` around lines 20 - 21, The current filter
uses "len(allowedModels) > 0" which treats [] as allow-all and doesn't treat
["*"] as wildcard; update the conditional around allowedModels/unfiltered (the
block using allowedModels, unfiltered, model.ID and slices.Contains) to
explicitly implement deny-by-default and wildcard semantics: when not
unfiltered, first if len(allowedModels) == 0 then skip (deny-all), if
len(allowedModels) == 1 && allowedModels[0] == "*" then allow all (do not skip),
otherwise use slices.Contains(allowedModels, model.ID) to decide skipping; apply
the same change to both occurrences referenced in the diff.

transports/config.schema.json (1)

1517-1522: ⚠️ Potential issue | 🟡 Minor

Reject empty strings in model/key identifier arrays.

Line 1521, Line 1536, and Line 1849 currently allow "", which is not a meaningful model or key identifier. Add minLength: 1 to each item schema.

🛠️ Proposed fix

         "allowed_models": {
           "type": "array",
           "description": "Allowed models for this provider config. Use [\"*\"] to allow all models; empty array denies all (deny-by-default).",
           "items": {
-            "type": "string"
+            "type": "string",
+            "minLength": 1
           }
         },
@@
         "key_ids": {
           "type": "array",
           "description": "Keys allowed for this provider config. Use [\"*\"] to allow all keys; empty array denies all (deny-by-default). In config.json, values are key names. Via the API, values are key UUIDs.",
           "items": {
-            "type": "string"
+            "type": "string",
+            "minLength": 1
           }
         }
@@
         "models": {
           "type": "array",
           "items": {
-            "type": "string"
+            "type": "string",
+            "minLength": 1
           },
           "description": "Models this key can access. Use [\"*\"] to allow all models; empty array denies all (deny-by-default)."
         },

Also applies to: 1532-1537, 1846-1851

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/config.schema.json` around lines 1517 - 1522, The item schema for
string arrays that represent model or key identifiers (e.g., "allowed_models")
currently permits empty strings; update each such array item schema to include
"minLength": 1 so empty strings are rejected. Locate the JSON schema entries for
"allowed_models" and the other identifier arrays flagged in the review (the item
schemas around the commented ranges) and add "minLength": 1 to their "items"
object for type "string" so each array element must be at least one character
long. Ensure you apply the same change to the other two similar array item
schemas mentioned in the comment.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@examples/configs/withprompushgateway/config.json`:
- Around line 33-39: The provider key object inside the "keys" array is missing
the required name property; update the key entry (the object with "value":
"env.GEMINI_API_KEY", "weight": 1, "use_for_batch_api": true, "models": ["*"])
to include a "name" field (e.g., "name": "GEMINI_API_KEY") so the config
conforms to the schema and the env reference matches the key name.

In `@helm-charts/bifrost/values.schema.json`:
- Around line 2736-2754: The "keys" property description contradicts the
deny-by-default convention; update the description for the "keys" array (the
schema entry named "keys") to match "allowed_models" by stating that an empty
array denies all (deny-by-default) rather than "empty means all keys allowed";
ensure the text clearly mirrors the phrasing used for "allowed_models" so the
behavior is documented consistently across the schema.

In `@transports/bifrost-http/server/server.go`:
- Around line 534-545: The loop building modelsInKeys currently skips wildcard
entries ("*") but never records that a provider had an unrestricted key, causing
UpsertModelDataForProvider to lose the "allow-all" signal; update the code that
iterates providerKeys (and the similar loops around where provider models are
seeded) to track a boolean hasWildcardModels when any key.Models contains "*"
and pass that information into the logic that computes the final model set
before calling s.Config.ModelCatalog.UpsertModelDataForProvider (or alter
UpsertModelDataForProvider call-site to include the wildcard flag), ensuring
that an explicit models: ["*"] is treated as allow-all (not as empty/deny-all)
and that mixed wildcard+restricted keys preserve the wildcard semantics.

---

Duplicate comments:
In `@core/providers/mistral/models.go`:
- Around line 20-21: The current filter uses "len(allowedModels) > 0" which
treats [] as allow-all and doesn't treat ["*"] as wildcard; update the
conditional around allowedModels/unfiltered (the block using allowedModels,
unfiltered, model.ID and slices.Contains) to explicitly implement
deny-by-default and wildcard semantics: when not unfiltered, first if
len(allowedModels) == 0 then skip (deny-all), if len(allowedModels) == 1 &&
allowedModels[0] == "*" then allow all (do not skip), otherwise use
slices.Contains(allowedModels, model.ID) to decide skipping; apply the same
change to both occurrences referenced in the diff.

In `@transports/config.schema.json`:
- Around line 1517-1522: The item schema for string arrays that represent model
or key identifiers (e.g., "allowed_models") currently permits empty strings;
update each such array item schema to include "minLength": 1 so empty strings
are rejected. Locate the JSON schema entries for "allowed_models" and the other
identifier arrays flagged in the review (the item schemas around the commented
ranges) and add "minLength": 1 to their "items" object for type "string" so each
array element must be at least one character long. Ensure you apply the same
change to the other two similar array item schemas mentioned in the comment.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec968b72-3627-410f-9ed9-95fda116335a

📥 Commits

Reviewing files that changed from the base of the PR and between 24b4bdb and eab2c1b.

📒 Files selected for processing (34)

• core/bifrost.go
• core/changelog.md
• core/providers/mistral/mistral.go
• core/providers/mistral/models.go
• core/schemas/transcriptions.go
• docs/features/governance/routing.mdx
• examples/configs/partial/config.json
• examples/configs/withconfigstore/config.json
• examples/configs/withlogstore/config.json
• examples/configs/withpostgresmcpclientsinconfig/config.json
• examples/configs/withprompushgateway/config.json
• examples/configs/withvirtualkeys/config.json
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/tables/key.go
• framework/configstore/tables/virtualkey.go
• framework/modelcatalog/main.go
• helm-charts/bifrost/values.schema.json
• plugins/governance/main.go
• plugins/governance/resolver.go
• plugins/governance/resolver_test.go
• transports/bifrost-http/handlers/governance.go
• transports/bifrost-http/handlers/providers.go
• transports/bifrost-http/lib/config.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• transports/config.schema.json
• ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
• ui/app/workspace/providers/views/providerKeyForm.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/asyncMultiselect.tsx
• ui/components/ui/modelMultiselect.tsx
• ui/lib/types/schemas.ts

💤 Files with no reviewable changes (1)

• transports/bifrost-http/lib/config.go

✅ Files skipped from review due to trivial changes (2)

• core/changelog.md
• transports/changelog.md

🚧 Files skipped from review as they are similar to previous changes (12)

• plugins/governance/main.go
• docs/features/governance/routing.mdx
• plugins/governance/resolver_test.go
• framework/changelog.md
• framework/configstore/tables/virtualkey.go
• framework/configstore/tables/key.go
• plugins/governance/resolver.go
• transports/bifrost-http/handlers/governance.go
• ui/components/ui/modelMultiselect.tsx
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• core/schemas/transcriptions.go
• core/providers/mistral/mistral.go

[Pratham-Mishra04]

Merge activity

• Mar 18, 11:57 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• Mar 18, 12:10 PM UTC: Graphite rebased this pull request as part of a merge.
• Mar 18, 12:12 PM UTC: @Pratham-Mishra04 merged this pull request with Graphite.