v1.5.0-prerelease4 cut

[akshaydeo]

Summary

This release (core v1.5.3, framework v1.3.3, transports v1.5.0-prerelease4, Helm chart v2.1.2) delivers a broad set of provider compatibility improvements, governance infrastructure for team budgets, SQLite migration correctness fixes, and UI polish across logs, virtual keys, and teams views.

Changes

• Claude Opus 4.7 support — Added adaptive thinking, task-budgets beta header, display parameter handling, and xhigh effort mapping for Anthropic's new model
• Anthropic structured outputs — Added response_format and structured output support across chat completions and Responses API (thanks @emirhanmutlu-natuvion!)
• MCP tool annotations — Preserve title, readOnly, destructive, idempotent, and openWorld annotations in bidirectional MCP ↔ Bifrost tool conversion
• Anthropic server-side tools — Expanded schema and Responses converters to surface web search, code execution, and computer use containers
• OCR request support — Added OCR request type with stream terminal detection, full body accumulation for passthrough streams, input logging, and per-request pricing
• Team budgets — New per-team spending tracking with atomic ratelimit updates, new DB tables, and access profile filter to exclude access-profile-managed virtual keys
• Deny-by-default virtual keys — Virtual key provider and MCP configs now block all access when empty; migration backfills existing keys to preserve behavior
• SQLite migration correctness — Fixed a production bug where ALTER TABLE RENAME propagated into FK references in other tables, corrupting them. Replaced the rename-based column drop strategy with a dump-data → drop-original → recreate-clean → restore-data approach. FK constraints are now created after legacy column drops to prevent propagation corruption. Added assertNoCorruptedFKReferences test helper and two new migration tests
• Provider queue shutdown panic — Eliminated send on closed channel panics by leaving channels open and exiting workers via the done signal
• OpenAI Responses API tool results — Flatten array-form tool_result output into a newline-joined string so strict upstreams no longer reject with HTTP 400 (thanks @martingiguere!)
• vLLM streaming token usage — Treat delta.content="" the same as nil so synthesis chunks retain finish_reason and token usage is correctly attributed
• Gemini tool outputs — Handle content block tool outputs in Responses API path (thanks @tom-diacono!)
• Bedrock streaming — Emit message_stop event for Anthropic invoke stream; case-insensitive anthropic-beta header merging (thanks @tefimov!)
• Bedrock tool images — Preserve image content blocks in tool results for Converse API (thanks @Edward-Upton!)
• Gemini thinking level — Preserve thinkingLevel parameters across round-trip conversions and correct finish reason mapping
• WebSearch tool — Removed Claude Code user agent restriction so WebSearch arguments flow for all clients; added claude-vscode to ClaudeCLI user agent identifiers
• Responses streaming errors — Capture mid-stream errors in the Responses API so clients see failures instead of silent termination
• OAuth fixes — Preserve existing query parameters in upstream authorize URLs; only treat invalid_grant and unauthorized_client as permanent errors; don't mark OAuth config expired on transient refresh failures
• Separate streaming clients — Use per-provider streaming clients to prevent read timeout collisions
• Plugin timer concurrency — Fix concurrent map access causing potential race conditions
• Custom providers — Allow custom providers without a list-models endpoint to accept any model
• OTel plugin — Default insecure to true when omitted; update semconv to v1.40.0; include fallbacks in emitted metrics
• Helm chart — encryption_key is now optional; fixed encryptionKeySecret template condition to check .name; removed stale Okta role-mapping note from docs
• UI — Logs — Tool call boxes now show function names; function call output rendered with collapsible code view; call_id shown in Responses message headers; tool result name shown in message metadata; timeline widget removed from detail sidebar; log table column widths rebalanced; message font size reduced to 12px
• UI — Teams page — Replaced static TeamsView with a paginated, searchable TeamsTable with RBAC guards, polling, and offset snap-back on delete
• UI — Virtual keys — Fixed budget_lines / rate_limits field name references in access profile hooks and detail sheet; fixed inert attribute type
• Go version — Downgraded all modules from Go 1.26.2 to 1.26.1

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

# Core/Transports
go test ./...

# Framework migrations (SQLite FK corruption regression)
cd framework
go test ./configstore/... -run TestMigrationAddMultiBudgetTables_DropsLegacyBudgetColumnsAndBackfillsOwners
go test ./configstore/... -run TestMigrationAddTeamBudgetsToBudgetsTable_DropsLegacyBudgetColumnAndBackfillsOwners

# UI
cd ui
pnpm i
pnpm build

Validate team budgets by creating a team, assigning a budget, and confirming spend tracking increments atomically under concurrent load. Validate OCR requests by submitting an OCR-type request and confirming pricing metadata and logs appear correctly.

Breaking changes

• Yes
• No

Virtual key provider and MCP configs are now deny-by-default — empty configs block all access. Existing deployments are automatically migrated to preserve current behavior, but any programmatic creation of virtual keys with empty provider/MCP configs will now result in denied access rather than open access.

Security considerations

• Deny-by-default virtual key configs reduce the blast radius of misconfigured keys.
• OAuth permanent-error classification narrowed to invalid_grant and unauthorized_client only, preventing premature token invalidation on transient network failures.
• encryption_key is now optional in the Helm chart; deployments omitting it will operate without at-rest encryption — operators should explicitly set this field in production.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63c8697e-5352-409d-bca3-872b31ee5209

📥 Commits

Reviewing files that changed from the base of the PR and between 3a313c3 and 44bb06e.

📒 Files selected for processing (61)

• .github/workflows/helm-release.yml
• .github/workflows/scripts/schemasync/go.mod
• core/changelog.md
• core/schemas/useragents.go
• core/version
• docs/enterprise/setting-up-okta.mdx
• examples/plugins/hello-world/go.mod
• framework/changelog.md
• framework/configstore/migrations.go
• framework/configstore/migrations_test.go
• framework/go.mod
• framework/version
• helm-charts/bifrost/Chart.yaml
• helm-charts/bifrost/README.md
• helm-charts/bifrost/templates/deployment.yaml
• helm-charts/index.yaml
• plugins/compat/changelog.md
• plugins/compat/go.mod
• plugins/compat/version
• plugins/governance/changelog.md
• plugins/governance/go.mod
• plugins/governance/version
• plugins/jsonparser/changelog.md
• plugins/jsonparser/go.mod
• plugins/jsonparser/version
• plugins/logging/changelog.md
• plugins/logging/go.mod
• plugins/logging/operations.go
• plugins/logging/version
• plugins/maxim/changelog.md
• plugins/maxim/go.mod
• plugins/maxim/version
• plugins/mocker/changelog.md
• plugins/mocker/go.mod
• plugins/mocker/version
• plugins/otel/changelog.md
• plugins/otel/go.mod
• plugins/otel/version
• plugins/prompts/changelog.md
• plugins/prompts/go.mod
• plugins/prompts/version
• plugins/semanticcache/changelog.md
• plugins/semanticcache/go.mod
• plugins/semanticcache/version
• plugins/telemetry/changelog.md
• plugins/telemetry/go.mod
• plugins/telemetry/version
• tests/async/go.mod
• transports/changelog.md
• transports/go.mod
• transports/version
• ui/app/workspace/governance/teams/page.tsx
• ui/app/workspace/logs/sheets/logDetailView.tsx
• ui/app/workspace/logs/views/columns.tsx
• ui/app/workspace/logs/views/logChatMessageView.tsx
• ui/app/workspace/logs/views/logResponsesMessageView.tsx
• ui/app/workspace/model-catalog/views/modelCatalogView.tsx
• ui/app/workspace/virtual-keys/hooks/useVirtualKeyUsage.ts
• ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx
• ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx
• ui/components/ui/MultiBudgetLines.tsx

---

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features

  • Team budget system with per-team spending tracking and atomic updates
  • Anthropic Claude Opus compatibility improvements
  • Anthropic structured outputs support via response_format
  • OCR request support with logging and pricing
  • Enhanced user-agent detection for better client identification

• Bug Fixes

  • Eliminated provider queue shutdown panics
  • Fixed tool-call duplication issues
  • Resolved streaming client timeout conflicts
  • Improved OAuth parameter and token handling
  • Fixed tool output rendering in logs

• Documentation

  • Encryption key configuration now optional in Helm charts

• UI Improvements

  • Enhanced log views with better function/tool naming
  • Improved governance teams page with search and pagination

Walkthrough

This PR introduces version bumps across core (1.5.2→1.5.3) and framework (1.3.2→1.3.3) modules, adds SQLite migration logic to drop legacy budget_id columns and backfill owner relationships, updates UI components for teams governance and log visualization with improved data handling, downgrades Go toolchain to 1.26.1, and makes Helm encryption key configuration optional. Extensive changelog updates document new features (team budgets, Anthropic Claude Opus support, OCR support) and bug fixes.

Changes

Cohort / File(s)	Summary
Go Toolchain Updates .github/workflows/helm-release.yml, .github/workflows/scripts/schemasync/go.mod, framework/go.mod, plugins/.../*.mod, examples/plugins/hello-world/go.mod, transports/go.mod, tests/async/go.mod	Downgraded Go version from 1.26.2 to 1.26.1 across all go.mod files; no functional logic changes.
Core & Framework Dependencies framework/go.mod, plugins/compat/go.mod, plugins/governance/go.mod, plugins/logging/go.mod, plugins/maxim/go.mod, plugins/mocker/go.mod, plugins/otel/go.mod, plugins/prompts/go.mod, plugins/semanticcache/go.mod, plugins/telemetry/go.mod, plugins/jsonparser/go.mod, examples/plugins/hello-world/go.mod, transports/go.mod	Downgraded github.com/maximhq/bifrost/core (v1.5.2→v1.5.1) and framework (v1.3.2→v1.3.1) module versions; some plugins also downgraded with minor version adjustments.
Version Identifiers core/version, framework/version, plugins/governance/version, plugins/jsonparser/version, plugins/logging/version, plugins/maxim/version, plugins/mocker/version, plugins/otel/version, plugins/prompts/version, plugins/semanticcache/version, plugins/telemetry/version, plugins/compat/version, transports/version	Version string increments (core 1.5.2→1.5.3, framework 1.3.2→1.3.3, various plugins 1.5.2→1.5.3 or equivalent, transports 1.5.0-prerelease3→1.5.0-prerelease4).
Database Migration Logic framework/configstore/migrations.go, framework/configstore/migrations_test.go	Added SQLite-specific logic to drop legacy budget_id columns from governance_virtual_keys, governance_virtual_key_provider_configs, and governance_teams tables using dump-and-restore pattern; introduced conditional column-dropping helpers for SQLite vs non-SQLite backends; updated migration control flow to drop legacy columns before creating new foreign-key constraints; reordered migrationAddMultiBudgetTables to now drop budget_id first then establish owner FK relationships; added comprehensive test coverage for legacy column drops and backfill verification. High complexity: careful review of table restructuring and data integrity required.
User Agent Detection core/schemas/useragents.go	Added "claude-vscode" substring to ClaudeCLI user-agent identifiers set alongside existing "claude-cli" and "claude-code".
Helm Chart Configuration helm-charts/bifrost/Chart.yaml, helm-charts/bifrost/templates/deployment.yaml, helm-charts/bifrost/README.md, helm-charts/index.yaml	Updated chart version 2.1.1→2.1.2, app version 1.5.0→1.5.0-prerelease4; made encryption_key optional by conditionally checking encryptionKeySecret.name presence instead of entire object; updated chart index with new v2.1.2 entry.
Teams Governance UI ui/app/workspace/governance/teams/page.tsx	Replaced TeamsView with new TeamsTable-driven page featuring RBAC-gated queries, debounced search with pagination reset, polling intervals, composite loading states, error deduplication with toasts, and pagination offset snap-back logic; passes search/pagination props to TeamsTable. High complexity: substantial UI restructuring with new data-fetching and state-management patterns.
Log Display & Visualization ui/app/workspace/logs/sheets/logDetailView.tsx, ui/app/workspace/logs/views/logChatMessageView.tsx, ui/app/workspace/logs/views/logResponsesMessageView.tsx, ui/app/workspace/logs/views/columns.tsx	Removed Timeline latency visualization; enhanced tool-call metadata display (showing function names instead of counts); updated ResponsesMessage rendering to display msg.name/msg.call_id where applicable; added output rendering for ResponsesMessage.output; adjusted column widths and fallback font sizing in LogMessageCell.
Virtual Key Management UI ui/app/workspace/virtual-keys/hooks/useVirtualKeyUsage.ts, ui/app/workspace/virtual-keys/views/virtualKeyDetailsSheet.tsx, ui/app/workspace/virtual-keys/views/virtualKeySheet.tsx	Updated profile budget source from managingProfile.budgets to managingProfile.budget_lines; updated rate-limit source from managingProfile.rate_limit to managingProfile.rate_limits; updated "Budget Information" header conditional to check budget_lines.length; changed inert attribute from empty string to explicit boolean.
Model Catalog UI ui/app/workspace/model-catalog/views/modelCatalogView.tsx	Reordered imports; expanded fallback statistics object in triggerStats(...).catch(...) to include user_facing_total_requests: 0.
Changelog Documentation core/changelog.md, framework/changelog.md, plugins/*/changelog.md, transports/changelog.md	Added comprehensive changelog entries documenting new features (team budgets, Claude Opus/structured output support, OCR/MCP tool handling, user-agent detection, optional encryption keys) and bug fixes (provider routing, streaming isolation, OAuth handling, concurrent map access, tool execution, Responses API conversions, rate-limit operations).
Documentation docs/enterprise/setting-up-okta.mdx	Removed role-assignment fallback behavior note describing highest-privilege role selection and default fallback assignments.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Suggested reviewers

• danpiths
• Pratham-Mishra04

Poem

🐰 Migrations hopping through SQLite's den,
Budget columns dropped, then built again!
UI teams now dance with pagination's grace,
Log details flourish in their rightful place.
Version bumps forward—prerelease takes the stage! 🚀

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch v1.5.0-prerelease5-version-cut-1

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ akshaydeo
❌ danpiths
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[akshaydeo]

• v1.5.0-prerelease4 cut #2877 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #2877

[greptile-apps]

Confidence Score: 5/5

Safe to merge — the SQLite migration fix is correct and well-tested; the only remaining finding is a P2 unused-prop style issue.

The core migration fix is sound: DDL operations run inside a GORM transaction (UseTransaction: true), SQLite supports transactional DDL, and post-drop verification is in place. New tests cover both VK/provider-config and team budget column drops on SQLite with FK-corruption assertions. All other findings are P2 or lower.

No files require special attention.

Important Files Changed

Filename	Overview
framework/configstore/migrations.go	Adds SQLite-specific dump→drop→recreate→restore strategy for dropping the legacy budget_id column from three governance tables; non-SQLite path uses GORM's DropColumn; both paths include post-drop verification.
framework/configstore/migrations_test.go	Adds two new tests for SQLite legacy budget column drops plus an assertNoCorruptedFKReferences helper to verify the SQLite rename-propagation bug is not reproduced.
core/schemas/useragents.go	New file registering known AI-CLI user-agent identifiers with a case-insensitive substring matcher; clean and well-scoped.
ui/app/workspace/logs/views/logChatMessageView.tsx	Minor: index is included in the ContentBlockView props type and passed by the caller but never destructured or used inside the component.
ui/app/workspace/virtual-keys/hooks/useVirtualKeyUsage.ts	New hook resolving AP-managed VK budget/rate-limit display; handles single-assignee invariant and prevents budget misattribution in multi-AP setups.
ui/components/ui/MultiBudgetLines.tsx	New component for multi-budget-line configuration UI; detects duplicate reset periods and exposes onReset/showReset controls.

Comments Outside Diff (1)

1. ui/app/workspace/logs/views/logChatMessageView.tsx, line 12 (link)

   Unused index parameter in ContentBlockView

   index is declared in the props type and passed by the caller at line 177 (index={blockIndex}), but the function only destructures { block } — index is never read. Either destructure and use it, or drop it from the type to avoid confusion.

_{Reviews (1): Last reviewed commit: "fix: handle sqlite legacy budget column ..." | Re-trigger Greptile}