refactor: move virtual key validation and context attachment before passthrough check

[Pratham-Mishra04]

Summary

Virtual key validation and team/customer context attachment now occur before the passthrough path check, ensuring that metadata is correctly populated on the context even for passthrough requests that use a virtual key.

Changes

• Moved virtual key lookup and validation (including the inactive key early-return) to execute before the passthrough path check, so that team and customer IDs/names are attached to the context regardless of whether the request is a passthrough.
• The payload, virtualKey, ok, and needsMarshal variable declarations were relocated accordingly to maintain correct scoping after the reorder.
• Previously, passthrough requests with a valid virtual key would skip team/customer context attachment entirely, which could cause missing metadata downstream.

Type of change

• Bug fix

Affected areas

• Plugins

How to test

1. Configure a virtual key with an associated team and/or customer.
2. Send a request to a passthrough endpoint using that virtual key.
3. Verify that BifrostContextKeyGovernanceTeamID, BifrostContextKeyGovernanceTeamName, BifrostContextKeyGovernanceCustomerID, and BifrostContextKeyGovernanceCustomerName are correctly set on the context after the pre-hook runs.
4. Verify that requests with no virtual key and no routing rules still return early without processing.
5. Verify that requests using an inactive virtual key still return early.

go test ./plugins/governance/...

Breaking changes

• No

Security considerations

No new auth mechanisms introduced. The existing virtual key active/inactive check is preserved and now runs earlier in the flow, which is strictly more restrictive for passthrough paths.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Pratham-Mishra04]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• refactor: move virtual key validation and context attachment before passthrough check #3213 👈 (View in Graphite)
• fix: add SSE heartbeats and defer trace completion to prevent deadlock on MCP SSE streaming #3212
• fix: handle per-user OAuth re-auth, refresh token expiry, and reconnect UX #3211
• feat: remove direct key bypass from HTTP gateway and Go SDK #3241
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 99b976cc-8559-4de0-ab90-d9a55e744851

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Refactors HTTPTransportPreHook to optimize payload processing with early-exit paths when governance rules are absent, defers unmarshalling, adds content-type parsing, and introduces a dedicated governLargePayload function for read-only large requests.

Changes

HTTPTransportPreHook Optimization & Large-Payload Routing

Layer / File(s)	Summary
Early-Exit Gating plugins/governance/main.go	HTTPTransportPreHook now short-circuits when no virtual key and no routing rules exist, avoiding unnecessary unmarshalling and processing for non-governed paths.
VK Processing & Context Attachment plugins/governance/main.go	Virtual key is fetched, activity validated, and governance metadata (team ID/name, customer ID/name) attached to the Bifrost context when VK is present.
Content-Type Parsing plugins/governance/main.go	Content-Type header is parsed and normalized to determine payload structure (multipart/form-data or application/json), with conditional marshalling/unmarshalling based on type.
Routing & Load-Balancing Integration plugins/governance/main.go	Routing rules are evaluated and load-balancing applied after VK processing; MCP tool-injection integrated behind routing-availability checks.
Large-Payload Handler plugins/governance/main.go	New governLargePayload function introduced to handle read-only large payloads by constructing synthetic payloads from pre-extracted metadata and applying governance without body rewriting.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

A rabbit hops through governance with glee,
Short-circuiting paths with efficiency,
Large payloads glide through new workaround streams,
While Content-Types parse all the dream schemes.
Early exits dance, unmarshalling waits—
This refactor optimizes the gates! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main refactoring change: moving virtual key validation and context attachment before the passthrough check, which directly aligns with the core objective of the pull request.
Description check	✅ Passed	The pull request description includes all required sections from the template with substantial content: summary explaining the bug fix, detailed changes, type of change marked, affected areas selected, testing instructions provided, breaking changes addressed, and security considerations documented.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 04-30-fix_passthrough_detection_for_routing_fixes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Confidence Score: 4/5

Safe to merge; the reordering correctly fixes passthrough metadata gaps with no change to the non-passthrough code path.

The core reordering is correct and the existing inactive-key guard is preserved. governLargePayload now does a second store lookup for a key already resolved upstream, leaving a small staleness window if the key is deactivated mid-request.

plugins/governance/main.go — specifically the governLargePayload call site and function, which now redundantly re-validates a key already checked upstream.

Important Files Changed

Filename	Overview
plugins/governance/main.go	Virtual key validation and team/customer context attachment moved before the passthrough check; governLargePayload now performs a redundant VK store lookup since the key was already resolved upstream.

_{Reviews (1): Last reviewed commit: "fix: passthrough detection for routing f..." | Re-trigger Greptile}

[greptile-apps]

Redundant VK lookup in governLargePayload

HTTPTransportPreHook now validates the virtual key and attaches team/customer context before reaching this call site, but governLargePayload re-runs the same p.store.GetVirtualKey lookup and re-sets the identical context values unconditionally. Because governLargePayload is only ever called from this path, both the store roundtrip and the ctx.SetValue calls are now no-ops in the happy path. If the key happens to be deactivated between the two lookups, the context will already carry stale team/customer metadata from the first lookup even though governLargePayload returns early without applying governance — a subtle inconsistency. Consider passing the already-resolved *configstoreTables.TableVirtualKey directly to governLargePayload to eliminate the double lookup and the staleness window.

The base branch was changed.