kgod/sub2api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity

feat(openai): OpenAI Fast/Flex Policy 完整实现(HTTP + WebSocket + Admin)

Browse Source 
对称参照 Claude BetaPolicy 的 fast-mode 过滤实现,新增针对 OpenAI 上游
service_tier 字段(priority / flex,含客户端 "fast" → "priority" 归一化)的
pass / filter / block 三态策略,覆盖全部 OpenAI 入口 + admin 配置入口。

后端核心
- 新增 SettingKeyOpenAIFastPolicySettings、OpenAIFastPolicyRule、
  OpenAIFastPolicySettings 配置模型,含规则的 service_tier × action × scope
  × 模型白名单 × fallback action 维度。
- SettingService.Get/SetOpenAIFastPolicySettings;缺失时返回内置默认策略
  (所有模型的 priority 走 filter,whitelist 为空,fallback=pass)。设计
  依据:service_tier=fast 是用户级开关,与 model 字段正交,默认锁定特定
  model slug 会留下"用 gpt-4 + fast 透传 priority 上游"的绕过路径。JSON
  解析失败不再静默 fallback,slog.Warn 记录脏数据,便于运维定位。
- service_tier 归一化(trim + ToLower + fast→priority + 白名单 priority/flex)
  与策略评估(evaluateOpenAIFastPolicy)作为唯一真实来源,HTTP / WS 共用。
  抽出纯函数 evaluateOpenAIFastPolicyWithSettings,配合 ctx-bound settings
  快照(withOpenAIFastPolicyContext / openAIFastPolicySettingsFromContext),
  WS 长会话入口预取一次后所有帧复用,避免每帧打到 settingService。

HTTP 入口(4 个)
- Chat Completions、Anthropic 兼容(Messages,含 BetaFastMode→priority 二次
  命中)、原生 Responses、Passthrough Responses 全部接入
  applyOpenAIFastPolicyToBody,filter 走 sjson 顶层删除 service_tier,block
  返回 403 forbidden_error JSON。
- 4 入口统一使用 upstream 视角的 model(GetMappedModel +
  normalizeOpenAIModelForUpstream + Codex OAuth normalize 后的 slug),
  避免 chat/messages/native /responses/passthrough 因为 model 维度不同
  造成 whitelist 命中差异。
- 在 pass 路径也把客户端 "fast" 别名归一化为 "priority" 写回 body,
  否则 native /responses 与 passthrough 入口会把 "fast" 原样透传给上游
  导致 400/拒绝(chat-completions 入口的 normalizeResponsesBodyServiceTier
  此前已具备同等行为)。

WebSocket 入口
- 新增 applyOpenAIFastPolicyToWSResponseCreate:严格匹配
  type="response.create",仅处理顶层 service_tier;filter 用 sjson 删字段,
  block 返回 typed *OpenAIFastBlockedError。
- ingress 路径在 parseClientPayload 内调用,block 命中先 Write Realtime
  风格 error event 再返回 OpenAIWSClientCloseError(StatusPolicyViolation
  =1008),依赖底层 WebSocket Conn.Write 的同步 flush 保证 error 先于
  close。
- passthrough 路径在 RunEntry 前对 firstClientMessage 应用策略,并通过
  openAIWSPolicyEnforcingFrameConn 包装 ReadFrame 对每个 client→upstream
  帧执行策略;后续帧无 model 字段时回退到 capturedSessionModel。
  filter 闭包内同时侦测 session.update / session.created 帧的 session.model
  字段刷新 capturedSessionModel,封堵"首帧 model=gpt-4o(pass)→
  session.update 改为 gpt-5.5 → 不带 model 的 response.create fallback
  到 gpt-4o"的 mid-session 绕过路径。
- passthrough billing:requestServiceTier 在策略 filter 之后再从
  firstClientMessage 提取,filter 命中时 OpenAIForwardResult.ServiceTier
  上报 nil(default tier),与 HTTP 入口(reqBody 来自 post-filter map)
  / WS ingress(payload 来自 post-filter bytes)的语义一致。
- 错误事件 schema:{event_id: "evt_<32hex>", type: "error",
  error: {type: "forbidden_error", code: "policy_violation", message}},
  与 OpenAI codex 客户端 error event 解析兼容。

Admin / Frontend
- dto.SystemSettings / UpdateSettingsRequest 新增
  openai_fast_policy_settings 字段(omitempty),bulk GET/PUT 接入。
- Settings 页 Gateway 页签新增 Fast/Flex Policy 表单卡片:
  service_tier × action × scope × 模型白名单 × fallback action 全字段配置。
- 前端守门:openaiFastPolicyLoaded 标志仅在 GET 真带回字段时才允许回写,
  避免 rollout/错误把默认规则覆盖成空;saveSettings 回写循环 skip 该字段,
  由专用刷新逻辑处理;仅 action=block 时发送 error_message,匹配后端
  omitempty 行为。

测试
- HTTP 路径:openai_fast_policy_test.go 覆盖默认配置(whitelist=[],所有
  模型 priority filter)/ block 自定义错误 / scope 区分 / filter 删字段 /
  block 不改 body / block 短路上游 / Anthropic BetaFastMode 触发 OpenAI
  fast policy 等场景。
- WebSocket 路径:openai_fast_policy_ws_test.go 覆盖
    helper 单元(filter / fast→priority 归一化 / flex 透传 / block typed
    error / 无 service_tier 字节不变 / 非 response.create 帧不动 / 空 type
    帧不动 / event_id+code 字段断言 / 非字符串 service_tier 容错)+
    pass 路径 fast 别名归一化回归 +
    ingress 端到端(filter 后上游不含 service_tier / block 后客户端先收
    error event 再收 close 1008 且上游 0 写)+
    passthrough capturedSessionModel fallback 用例(whitelist 策略下首帧
    建立、缺 model 命中 fallback、缺少 fallback 时的 leak 文档化)+
    passthrough session.update / session.created 旋转 capturedSessionModel
    的 mid-session 绕过回归 +
    passthrough billing post-filter ServiceTier 与 idempotent filter 回归。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
DaydreamCoding
2026-04-28 00:34:23 +08:00
parent c92b88e34a
commit 30f55a1f72
23 changed files with 2820 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
frontend/src/views/admin/SettingsView.vue
+403
View File
@@ -949,6 +949,285 @@
</template>
</div>
</div>
<!-- OpenAI Fast/Flex Policy Settings -->
<div class="card">
<div
class="border-b border-gray-100 px-6 py-4 dark:border-dark-700"
>
<h2 class="text-lg font-semibold text-gray-900 dark:text-white">
{{ t("admin.settings.openaiFastPolicy.title") }}
</h2>
<p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
{{ t("admin.settings.openaiFastPolicy.description") }}
</p>
</div>
<div class="space-y-5 p-6">
<!-- Empty state -->
<div
v-if="openaiFastPolicyForm.rules.length === 0"
class="rounded-lg border border-dashed border-gray-200 p-6 text-center text-sm text-gray-500 dark:border-dark-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.empty") }}
</div>
<!-- Rule Cards -->
<div
v-for="(rule, ruleIndex) in openaiFastPolicyForm.rules"
:key="ruleIndex"
class="rounded-lg border border-gray-200 p-4 dark:border-dark-600"
>
<div class="mb-3 flex items-center justify-between">
<span
class="text-sm font-medium text-gray-900 dark:text-white"
>
{{
t("admin.settings.openaiFastPolicy.ruleHeader", {
index: ruleIndex + 1,
})
}}
</span>
<button
type="button"
@click="removeOpenAIFastPolicyRule(ruleIndex)"
class="rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
:title="t('admin.settings.openaiFastPolicy.removeRule')"
>
<svg
class="h-4 w-4"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
stroke-width="2"
>
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M6 18L18 6M6 6l12 12"
/>
</svg>
</button>
</div>
<div class="grid grid-cols-1 gap-4 md:grid-cols-3">
<!-- Service Tier -->
<div>
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.serviceTier") }}
</label>
<Select
:modelValue="rule.service_tier"
@update:modelValue="
rule.service_tier = $event as
| 'all'
| 'priority'
| 'flex'
"
:options="openaiFastPolicyTierOptions"
/>
</div>
<!-- Action -->
<div>
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.action") }}
</label>
<Select
:modelValue="rule.action"
@update:modelValue="
rule.action = $event as 'pass' | 'filter' | 'block'
"
:options="openaiFastPolicyActionOptions"
/>
</div>
<!-- Scope -->
<div>
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.scope") }}
</label>
<Select
:modelValue="rule.scope"
@update:modelValue="
rule.scope = $event as
| 'all'
| 'oauth'
| 'apikey'
| 'bedrock'
"
:options="openaiFastPolicyScopeOptions"
/>
</div>
</div>
<!-- Error Message (only when action=block) -->
<div v-if="rule.action === 'block'" class="mt-3">
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.errorMessage") }}
</label>
<input
v-model="rule.error_message"
type="text"
class="input"
:placeholder="
t(
'admin.settings.openaiFastPolicy.errorMessagePlaceholder',
)
"
/>
<p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
{{ t("admin.settings.openaiFastPolicy.errorMessageHint") }}
</p>
</div>
<!-- Model Whitelist -->
<div class="mt-3">
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.modelWhitelist") }}
</label>
<p class="mb-2 text-xs text-gray-400 dark:text-gray-500">
{{
t("admin.settings.openaiFastPolicy.modelWhitelistHint")
}}
</p>
<div
v-for="(_, patternIdx) in rule.model_whitelist || []"
:key="patternIdx"
class="mb-1.5 flex items-center gap-2"
>
<input
v-model="rule.model_whitelist![patternIdx]"
type="text"
class="input input-sm flex-1"
:placeholder="
t(
'admin.settings.openaiFastPolicy.modelPatternPlaceholder',
)
"
/>
<button
type="button"
@click="
removeOpenAIFastPolicyModelPattern(rule, patternIdx)
"
class="shrink-0 rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
>
<svg
class="h-4 w-4"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
stroke-width="2"
>
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M6 18L18 6M6 6l12 12"
/>
</svg>
</button>
</div>
<button
type="button"
@click="addOpenAIFastPolicyModelPattern(rule)"
class="mb-2 inline-flex items-center gap-1 text-xs text-primary-600 transition-colors hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300"
>
<svg
class="h-3.5 w-3.5"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
stroke-width="2"
>
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M12 4v16m8-8H4"
/>
</svg>
{{ t("admin.settings.openaiFastPolicy.addModelPattern") }}
</button>
</div>
<!-- Fallback Action (only when model_whitelist is non-empty) -->
<div
v-if="
rule.model_whitelist && rule.model_whitelist.length > 0
"
class="mt-3"
>
<label
class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
>
{{ t("admin.settings.openaiFastPolicy.fallbackAction") }}
</label>
<Select
:modelValue="rule.fallback_action || 'pass'"
@update:modelValue="
rule.fallback_action = $event as
| 'pass'
| 'filter'
| 'block'
"
:options="openaiFastPolicyActionOptions"
/>
<p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
{{
t("admin.settings.openaiFastPolicy.fallbackActionHint")
}}
</p>
<div v-if="rule.fallback_action === 'block'" class="mt-2">
<input
v-model="rule.fallback_error_message"
type="text"
class="input"
:placeholder="
t(
'admin.settings.openaiFastPolicy.fallbackErrorMessagePlaceholder',
)
"
/>
</div>
</div>
</div>
<!-- Add Rule Button -->
<div>
<button
type="button"
@click="addOpenAIFastPolicyRule"
class="btn btn-secondary btn-sm inline-flex items-center gap-1"
>
<svg
class="h-4 w-4"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
stroke-width="2"
>
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M12 4v16m8-8H4"
/>
</svg>
{{ t("admin.settings.openaiFastPolicy.addRule") }}
</button>
<p class="mt-2 text-xs text-gray-400 dark:text-gray-500">
{{ t("admin.settings.openaiFastPolicy.saveHint") }}
</p>
</div>
</div>
</div>
</div>
<!-- /Tab: Gateway -->
@@ -5199,6 +5478,7 @@ import type {
SystemSettings,
UpdateSettingsRequest,
DefaultSubscriptionSetting,
OpenAIFastPolicyRule,
WeChatConnectMode,
WebSearchEmulationConfig,
WebSearchProviderConfig,
@@ -5337,6 +5617,14 @@ const betaPolicyForm = reactive({
}>,
});
// OpenAI Fast/Flex Policy
const openaiFastPolicyForm = reactive({
rules: [] as OpenAIFastPolicyRule[],
});
// openai_fast_policy_settings
// GET
const openaiFastPolicyLoaded = ref(false);
const tablePageSizeMin = 5;
const tablePageSizeMax = 1000;
const tablePageSizeDefault = 20;
@@ -6116,6 +6404,23 @@ async function loadSettings() {
);
form.oidc_connect_client_secret = "";
// Load OpenAI fast/flex policy rules from bulk settings.
// payload
// saveSettings
if (
settings.openai_fast_policy_settings &&
Array.isArray(settings.openai_fast_policy_settings.rules)
) {
openaiFastPolicyForm.rules =
settings.openai_fast_policy_settings.rules.map((rule) => ({
...rule,
model_whitelist: rule.model_whitelist
? [...rule.model_whitelist]
: [],
}));
openaiFastPolicyLoaded.value = true;
}
// Load web search emulation config separately
await loadWebSearchConfig();
} catch (error: unknown) {
@@ -6460,10 +6765,39 @@ async function saveSettings() {
affiliate_enabled: form.affiliate_enabled,
};
// openai_fast_policy_settings
//
if (openaiFastPolicyLoaded.value) {
payload.openai_fast_policy_settings = {
rules: openaiFastPolicyForm.rules.map((rule) => {
const whitelist = (rule.model_whitelist || [])
.map((p) => p.trim())
.filter((p) => p !== "");
const hasWhitelist = whitelist.length > 0;
return {
service_tier: rule.service_tier,
action: rule.action,
scope: rule.scope,
error_message:
rule.action === "block" ? rule.error_message : undefined,
model_whitelist: hasWhitelist ? whitelist : undefined,
fallback_action: hasWhitelist
? rule.fallback_action || "pass"
: undefined,
fallback_error_message:
hasWhitelist && rule.fallback_action === "block"
? rule.fallback_error_message
: undefined,
};
}),
};
}
appendAuthSourceDefaultsToUpdateRequest(payload, authSourceDefaults);
const updated = await adminAPI.settings.updateSettings(payload);
for (const [key, value] of Object.entries(updated)) {
if (key === "openai_fast_policy_settings") continue;
if (value !== null && value !== undefined) {
(form as Record<string, unknown>)[key] = value;
}
@@ -6507,6 +6841,20 @@ async function saveSettings() {
form.wechat_connect_mode,
);
form.oidc_connect_client_secret = "";
// Refresh OpenAI fast/flex policy from server response
if (
updated.openai_fast_policy_settings &&
Array.isArray(updated.openai_fast_policy_settings.rules)
) {
openaiFastPolicyForm.rules =
updated.openai_fast_policy_settings.rules.map((rule) => ({
...rule,
model_whitelist: rule.model_whitelist
? [...rule.model_whitelist]
: [],
}));
openaiFastPolicyLoaded.value = true;
}
// Save web search emulation config separately (errors handled internally)
const wsOk = await saveWebSearchConfig();
// Refresh cached settings so sidebar/header update immediately
@@ -6846,6 +7194,61 @@ async function loadBetaPolicySettings() {
}
}
// ==================== OpenAI Fast/Flex Policy ====================
const openaiFastPolicyTierOptions = computed(() => [
{ value: "all", label: t("admin.settings.openaiFastPolicy.tierAll") },
{
value: "priority",
label: t("admin.settings.openaiFastPolicy.tierPriority"),
},
{ value: "flex", label: t("admin.settings.openaiFastPolicy.tierFlex") },
]);
const openaiFastPolicyActionOptions = computed(() => [
{ value: "pass", label: t("admin.settings.openaiFastPolicy.actionPass") },
{ value: "filter", label: t("admin.settings.openaiFastPolicy.actionFilter") },
{ value: "block", label: t("admin.settings.openaiFastPolicy.actionBlock") },
]);
const openaiFastPolicyScopeOptions = computed(() => [
{ value: "all", label: t("admin.settings.openaiFastPolicy.scopeAll") },
{ value: "oauth", label: t("admin.settings.openaiFastPolicy.scopeOAuth") },
{ value: "apikey", label: t("admin.settings.openaiFastPolicy.scopeAPIKey") },
{
value: "bedrock",
label: t("admin.settings.openaiFastPolicy.scopeBedrock"),
},
]);
function addOpenAIFastPolicyRule() {
openaiFastPolicyForm.rules.push({
service_tier: "priority",
action: "filter",
scope: "all",
error_message: "",
model_whitelist: [],
fallback_action: "pass",
fallback_error_message: "",
});
}
function removeOpenAIFastPolicyRule(index: number) {
openaiFastPolicyForm.rules.splice(index, 1);
}
function addOpenAIFastPolicyModelPattern(rule: OpenAIFastPolicyRule) {
if (!rule.model_whitelist) rule.model_whitelist = [];
rule.model_whitelist.push("");
}
function removeOpenAIFastPolicyModelPattern(
rule: OpenAIFastPolicyRule,
idx: number,
) {
rule.model_whitelist?.splice(idx, 1);
}
async function saveBetaPolicySettings() {
betaPolicySaving.value = true;
try {