feat: add provider-specific gateway authentication#440
Conversation
Signed-off-by: Will Killian <wkillian@nvidia.com>
WalkthroughThe CLI now supports OpenAI and Anthropic upstream authentication headers from configuration files and environment variables. Headers are validated, fingerprinted, propagated through gateway forwarding, tested for precedence and redaction, and documented across CLI and MCP integrations. ChangesProvider authentication
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant AppState
participant ProviderForwarding
participant Upstream
Client->>AppState: Send gateway request
AppState->>ProviderForwarding: Prepare route and auth permission
ProviderForwarding->>ProviderForwarding: Select configured provider header
ProviderForwarding->>Upstream: Forward request with permitted auth
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@crates/cli/src/gateway/routes.rs`:
- Around line 17-49: The route-to-auth-header mapping is duplicated between
ProviderForwarding::configured_auth_header and
ProviderRoute::configured_auth_header. Extract a shared private helper accepting
the route plus OpenAI and Anthropic header options, then delegate both methods
to it while preserving their existing return behavior and route mappings.
In `@crates/cli/tests/coverage/shared/config_tests.rs`:
- Around line 525-571: Update
invalid_provider_auth_header_errors_do_not_expose_secret_values to use valid
TOML while still passing a newline-containing header to validate_auth_header, so
the test exercises validation and secret redaction rather than TOML parsing. Add
an equivalent config-based invalid-header test for Anthropic, asserting the
Anthropic field is identified, the valid HTTP header error appears, and both
secret fragments are absent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 92c09def-54d0-493a-8f91-14920c3f5886
📒 Files selected for processing (15)
crates/cli/src/configuration/mod.rscrates/cli/src/configuration/types.rscrates/cli/src/gateway/mod.rscrates/cli/src/gateway/request.rscrates/cli/src/gateway/routes.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/tests/coverage/shared/session_tests.rsdocs/nemo-relay-cli/basic-usage.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/codex.mdxintegrations/coding-agents/codex/.mcp.json
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
- GitHub Check: Check / Run
- GitHub Check: Preview docs
🧰 Additional context used
📓 Path-based instructions (15)
**/*.mdx
📄 CodeRabbit inference engine (.agents/skills/review-doc-style/SKILL.md)
MDX top-of-file SPDX comments must use {/* ... */} delimiters instead of HTML comment delimiters (Must-Fix)
In MDX files, top-of-file comments must use JSX comment delimiters (
{/*to open and*/}to close); do not use HTML comments for MDX SPDX headers
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
**/*.{md,mdx}
📄 CodeRabbit inference engine (AGENTS.md)
Update
README.md,fern/, package READMEs, and binding-support notes when public behavior, package names, examples, or supported bindings change.
**/*.{md,mdx}: Prefer the documented public API, not internal shortcuts
Keep package names, repo references, and build commands current
Keep release-process and release-notes guidance in repo-maintainer docs such asRELEASING.md, not as user-facing docs pages orCHANGELOG.md
Keep stable user-facing wrappers atscripts/root in docs and examples; only point at namespaced helper paths when documenting internal maintenance work
When detailed dynamic plugin guides exist, keep Rust native plugin examples, Python worker plugin examples, andgrpc-v1protocol details on separate pagesIf links in documentation change, run
just docs-linkcheck.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
**/*.{md,markdown,mdx}
📄 CodeRabbit inference engine (CONTRIBUTING.md)
Add the SPDX license header to all Markdown/MDX documentation files using the HTML comment block form.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
{docs,examples}/**/*
📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)
Update docs and examples.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
**/*
📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)
**/*: Format changed files with the language-native formatter before the final lint/test pass.
If dynamic plugin behavior changed, usemaintain-dynamic-pluginsand include the native SDK, worker protocol, Python SDK, docs, packaging, and Codecov surfaces in the validation plan.
If code changes alter APIs, bindings, commands, paths, packaging behavior, observability/adaptive semantics, or documented best practices, update any dependent maintainer or consumer skills in the same branch.
During iteration, preferuv run pre-commit run --files <changed files...>.
Before review or handoff, runuv run pre-commit run --all-files.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxcrates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rsdocs/nemo-relay-cli/basic-usage.mdxcrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
docs/**/*
📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)
If documentation examples or commands under
docs/change, run the targeted docs checks appropriate to the change.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
{docs/**,README.md,CONTRIBUTING.md,RELEASING.md,SECURITY.md}
⚙️ CodeRabbit configuration file
{docs/**,README.md,CONTRIBUTING.md,RELEASING.md,SECURITY.md}: Review documentation for technical accuracy against the current API, command correctness, and consistency across language bindings.
Flag stale examples, missing SPDX headers where required, and instructions that no longer match CI or pre-commit behavior.
Files:
docs/nemo-relay-cli/codex.mdxdocs/nemo-relay-cli/claude-code.mdxdocs/nemo-relay-cli/basic-usage.mdx
**/*.rs
📄 CodeRabbit inference engine (.agents/skills/prepare-pr/SKILL.md)
**/*.rs: Any Rust change must runjust test-rust
Any Rust change must runcargo fmt --all
Any Rust change must runcargo clippy --workspace --all-targets -- -D warnings
**/*.rs: Runcargo fmt --allfor all FFI work since it is Rust work
Runjust test-rustto validate FFI changes
Runcargo clippy --workspace --all-targets -- -D warningsto enforce strict linting on FFI workWhen Rust files changed as part of Go work, also run
cargo fmt --all,just test-rust, andcargo clippy --workspace --all-targets -- -D warnings
**/*.rs: Runcargo fmt --allwhen Rust files are changed as part of Node work
Runcargo clippy --workspace --all-targets -- -D warningswhen Rust files are changed as part of Node work
Runjust test-rustwhen Rust files are changed as part of Node workWhen changing the core Rust runtime or Rust-facing API surface, format Rust code with
cargo fmt(rustfmt defaults), keepcargo clippy -- -D warningsclean, and satisfycargo deny checkperdeny.toml.
**/*.rs: If any Rust code changed, always runjust test-rust.
If any Rust code changed, also runcargo fmt --all.
If any Rust code changed, also runcargo clippy --workspace --all-targets -- -D warnings.
For Rust changes headed for review, runcargo fmt --allandcargo clippy --workspace --all-targets -- -D warningseven if relying on pre-commit.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py}
📄 CodeRabbit inference engine (AGENTS.md)
Follow binding naming conventions in Rust and Python: use
snake_case.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py,js,mjs,cjs,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{rs,py,js,mjs,cjs,ts,tsx}: UseJson = serde_json::Valuein Rust-facing runtime APIs where the existing code expects JSON payloads.
UseResult<T>withFlowErrorin core runtime paths, and keep errors explicit and binding-appropriate at the wrapper layer.
Keep async behavior on the existing tokio-based model; bindings should preserve callback and future lifetimes rather than blocking or hiding async work unexpectedly.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,py,go,js,ts,c,h}
📄 CodeRabbit inference engine (CONTRIBUTING.md)
Use language-appropriate naming conventions: Rust
snake_case, C FFI exports prefixednemo_relay_, GoPascalCase, Node.jscamelCase, and Pythonsnake_case.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
**/*.{rs,go,js,ts}
📄 CodeRabbit inference engine (CONTRIBUTING.md)
Add the SPDX license header to all Rust, Go, JavaScript, and TypeScript source files using the corresponding
//comment form.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
{crates/**/src/**/*.rs,python/**/*.py}
📄 CodeRabbit inference engine (.agents/skills/maintain-dynamic-plugins/SKILL.md)
Do not add tests under
src; Rust tests belong in cratetests/trees, and Python SDK tests belong underpython/tests.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/src/gateway/routes.rscrates/cli/src/configuration/mod.rs
**/*.{rs,py,go,js,ts}
📄 CodeRabbit inference engine (.agents/skills/validate-change/SKILL.md)
If a language surface changed, always run that language's test target even when Rust core did not change.
Files:
crates/cli/src/configuration/types.rscrates/cli/src/gateway/request.rscrates/cli/src/mcp_environment.rscrates/cli/src/server/mod.rscrates/cli/src/gateway/mod.rscrates/cli/tests/coverage/shared/config_tests.rscrates/cli/src/gateway/routes.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/src/configuration/mod.rscrates/cli/tests/coverage/shared/session_tests.rs
{crates/**/tests/**,python/tests/**,go/nemo_relay/**/*_test.go}
⚙️ CodeRabbit configuration file
{crates/**/tests/**,python/tests/**,go/nemo_relay/**/*_test.go}: Tests should cover the behavior promised by the changed API surface, including error paths and cross-request isolation where relevant.
Prefer assertions on lifecycle events, scope stacks, middleware ordering, and binding parity over shallow smoke tests.
Files:
crates/cli/tests/coverage/shared/config_tests.rscrates/cli/tests/coverage/shared/gateway_tests.rscrates/cli/tests/coverage/shared/server_tests.rscrates/cli/tests/coverage/shared/session_tests.rs
🔇 Additional comments (18)
docs/nemo-relay-cli/basic-usage.mdx (1)
145-181: LGTM!Also applies to: 269-271
docs/nemo-relay-cli/claude-code.mdx (1)
73-82: LGTM!docs/nemo-relay-cli/codex.mdx (1)
120-122: LGTM!integrations/coding-agents/codex/.mcp.json (1)
39-45: LGTM!crates/cli/tests/coverage/shared/config_tests.rs (1)
29-37: LGTM!Also applies to: 43-100, 103-160, 425-476, 491-523, 1978-2020
crates/cli/src/configuration/mod.rs (2)
16-16: LGTM!Also applies to: 63-68, 202-204, 1124-1124, 1149-1172, 1433-1456
1468-1476: 🎯 Functional Correctness | ⚡ Quick winTrim the value before validating/storing it.
validate_auth_headerchecksvalue.trim().is_empty()but returns the original, untrimmedvalue. Stray leading/trailing whitespace (e.g. from a TOML multiline string or env var with a trailing newline) will pass validation and then be sent verbatim as theAuthorizationheader value downstream ininject_provider_auth_with_env— which, for the env-var fallback path, explicitly trims for this exact reason ("sendingBearerwith leading whitespace can confuse upstream auth parsers").🐛 Proposed fix
fn validate_auth_header(name: &str, value: String) -> Result<String, CliError> { - if value.trim().is_empty() { + let value = value.trim().to_string(); + if value.is_empty() { return Err(CliError::Config(format!("{name} must not be empty"))); } HeaderValue::from_str(&value) .map_err(|_| CliError::Config(format!("{name} must be a valid HTTP header value")))?; Ok(value) }crates/cli/src/configuration/types.rs (1)
24-26: LGTM!Also applies to: 115-117
crates/cli/src/gateway/request.rs (1)
33-39: LGTM!Also applies to: 59-59, 75-75
crates/cli/src/server/mod.rs (1)
442-457: LGTM!crates/cli/src/mcp_environment.rs (1)
41-46: LGTM!crates/cli/src/gateway/mod.rs (2)
71-73: LGTM!Also applies to: 134-138, 260-267, 447-454, 720-724, 733-739, 955-959, 1103-1128
872-914: 🎯 Functional CorrectnessConfirm configured auth headers are documented as full header values, not bare keys.
When
configured_auth_headeris set, it's written verbatim toAuthorizationfor every route (including Anthropic, which otherwise usesx-api-key), with no scheme normalization — unlike the env-var fallback a few lines below, which prependsBearerfor OpenAI routes. This appears intentional (openai_auth_header/anthropic_auth_headerare meant to hold a complete header value), but please confirm the docs make this explicit so users don't configure a bare API key expecting automaticBearerprefixing.crates/cli/tests/coverage/shared/gateway_tests.rs (3)
98-98: LGTM!Also applies to: 202-207, 219-225, 238-243, 594-598, 785-789, 911-923, 941-945, 1021-1034, 1044-1056, 1068-1072, 1192-1198, 1229-1235
992-1012: LGTM! Good coverage of provider-isolation and inbound-suppression precedence per path instructions on cross-request isolation testing.
956-990: 🎯 Functional CorrectnessNo issue:
configured_auth_headeris route-drivenProviderForwarding::newonly snapshots the configured auth headers;configured_auth_header(route)matches on the route argument, so reusing the same forwarding value across different routes is valid.> Likely an incorrect or invalid review comment.crates/cli/tests/coverage/shared/server_tests.rs (1)
160-172: LGTM!Also applies to: 175-203, 426-449, 458-458
crates/cli/tests/coverage/shared/session_tests.rs (1)
724-726: LGTM!Also applies to: 1977-1979, 2237-2239, 2318-2320, 2402-2404, 3709-3711, 3787-3789, 3861-3863, 3919-3921, 4404-4406, 4533-4535, 4632-4634, 4749-4751, 4844-4846, 6675-6677, 6691-6693
| #[derive(Clone)] | ||
| pub(super) struct ProviderForwarding { | ||
| pub(super) route: ProviderRoute, | ||
| pub(super) allow_environment_provider_auth: bool, | ||
| pub(super) allow_provider_auth_injection: bool, | ||
| openai_auth_header: Option<String>, | ||
| anthropic_auth_header: Option<String>, | ||
| } | ||
|
|
||
| impl ProviderForwarding { | ||
| pub(super) fn new(route: ProviderRoute, allow_environment_provider_auth: bool) -> Self { | ||
| pub(super) fn new( | ||
| route: ProviderRoute, | ||
| allow_provider_auth_injection: bool, | ||
| config: &crate::configuration::GatewayConfig, | ||
| ) -> Self { | ||
| Self { | ||
| route, | ||
| allow_environment_provider_auth, | ||
| allow_provider_auth_injection, | ||
| openai_auth_header: config.openai_auth_header.clone(), | ||
| anthropic_auth_header: config.anthropic_auth_header.clone(), | ||
| } | ||
| } | ||
|
|
||
| pub(super) fn configured_auth_header(&self, route: ProviderRoute) -> Option<&str> { | ||
| match route { | ||
| ProviderRoute::OpenAiResponses | ||
| | ProviderRoute::OpenAiChatCompletions | ||
| | ProviderRoute::OpenAiModels => self.openai_auth_header.as_deref(), | ||
| ProviderRoute::AnthropicMessages | ProviderRoute::AnthropicCountTokens => { | ||
| self.anthropic_auth_header.as_deref() | ||
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Duplicated OpenAI/Anthropic route-mapping logic between ProviderForwarding::configured_auth_header and ProviderRoute::configured_auth_header.
Both methods encode the exact same route→header selection. Extracting a single shared helper (e.g. a private free function taking (route, openai_header: Option<&str>, anthropic_header: Option<&str>)) that both ProviderForwarding::configured_auth_header and ProviderRoute::configured_auth_header delegate to would remove the duplication and the risk of the two match statements drifting when new routes are added.
Also applies to: 125-138
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@crates/cli/src/gateway/routes.rs` around lines 17 - 49, The
route-to-auth-header mapping is duplicated between
ProviderForwarding::configured_auth_header and
ProviderRoute::configured_auth_header. Extract a shared private helper accepting
the route plus OpenAI and Anthropic header options, then delegate both methods
to it while preserving their existing return behavior and route mappings.
| #[test] | ||
| fn invalid_provider_auth_header_errors_do_not_expose_secret_values() { | ||
| let temp = tempfile::tempdir().unwrap(); | ||
| let path = temp.path().join("config.toml"); | ||
| std::fs::write( | ||
| &path, | ||
| r#" | ||
| [upstream] | ||
| openai_auth_header = "Bearer private\nsecret" | ||
| "#, | ||
| ) | ||
| .unwrap(); | ||
|
|
||
| let error = resolve_server_config(&GatewayOverrides { | ||
| config: Some(path), | ||
| ..GatewayOverrides::default() | ||
| }) | ||
| .unwrap_err() | ||
| .to_string(); | ||
|
|
||
| assert!(error.contains("upstream.openai_auth_header"), "{error}"); | ||
| assert!(error.contains("valid HTTP header value"), "{error}"); | ||
| assert!(!error.contains("private"), "{error}"); | ||
| assert!(!error.contains("secret"), "{error}"); | ||
| } | ||
|
|
||
| #[test] | ||
| fn invalid_provider_auth_environment_errors_do_not_expose_secret_values() { | ||
| let temp = tempfile::tempdir().unwrap(); | ||
| let xdg = temp.path().join("xdg"); | ||
| std::fs::create_dir_all(&xdg).unwrap(); | ||
| let scope = PluginConfigDiscoveryScope::enter(temp.path(), &xdg); | ||
| let path = temp.path().join("config.toml"); | ||
| std::fs::write(&path, "").unwrap(); | ||
| scope.set_auth_headers("Bearer private\nsecret", "Basic valid"); | ||
|
|
||
| let error = resolve_server_config(&GatewayOverrides { | ||
| config: Some(path), | ||
| ..GatewayOverrides::default() | ||
| }) | ||
| .unwrap_err() | ||
| .to_string(); | ||
|
|
||
| assert!(error.contains("NEMO_RELAY_OPENAI_AUTH_HEADER"), "{error}"); | ||
| assert!(!error.contains("private"), "{error}"); | ||
| assert!(!error.contains("secret"), "{error}"); | ||
| } |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
python - <<'PY'
from pathlib import Path
path = Path("crates/cli/tests/coverage/shared/config_tests.rs")
text = path.read_text()
assert 'openai_auth_header = "Bearer private\\nsecret"' in text
print("Confirmed: the TOML fixture contains a literal newline inside a single-line quoted value.")
PYRepository: NVIDIA/NeMo-Relay
Length of output: 245
Make the auth-header error test use valid TOML and cover Anthropic too. crates/cli/tests/coverage/shared/config_tests.rs:529-571 The literal newline in openai_auth_header makes the fixture fail parsing before validate_auth_header runs, so the secret-redaction assertion never hits the intended path. Add the same invalid-header case for Anthropic.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@crates/cli/tests/coverage/shared/config_tests.rs` around lines 525 - 571,
Update invalid_provider_auth_header_errors_do_not_expose_secret_values to use
valid TOML while still passing a newline-containing header to
validate_auth_header, so the test exercises validation and secret redaction
rather than TOML parsing. Add an equivalent config-based invalid-header test for
Anthropic, asserting the Anthropic field is identified, the valid HTTP header
error appears, and both secret fragments are absent.
Source: Path instructions
Overview
Adds provider-specific custom authentication for OpenAI- and Anthropic-compatible CLI gateway routes and documents endpoint-based upstream selection.
Details
openai_auth_headerandanthropic_auth_headerunder[upstream], with environment overrides, validation, managed-gateway fingerprinting, and MCP environment forwarding.Authorizationvalue, then falls back to the existing provider API-key injection.openai_base_url, while Messages usesanthropic_base_url, independent of the compatible client.cargo fmt --all,just test-rust,cargo clippy --workspace --all-targets -- -D warnings,just docs, anduv run pre-commit run --all-files. The docs build passed with the remote FDR redirect comparison skipped after an HTTP 403 warning.Where should the reviewer start?
Start with
crates/cli/src/gateway/mod.rsfor authentication precedence and managed-gateway enforcement, then reviewcrates/cli/src/configuration/mod.rsfor resolution and validation.Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)
Summary by CodeRabbit
New Features
Documentation