Correctness: Model name not validated against registry before routing #106

New issue

Open

opened 2026-05-11 13:50:39 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:50:39 +00:00

Owner

Severity: Medium

Location

crates/hero_aibroker_lib/src/service/chat.rs — routing logic

Finding

The chat service forwards requests with the requested model name directly to the provider without validating it against the model registry:

// If a client requests model "nonexistent-model", the broker:
// 1. Looks it up in the registry (fails to find it)
// 2. Falls back to 'auto' routing
// 3. Sends to a provider that doesn't support it\n// 4. Provider returns an error\n```

## Impact
- Requests for unknown models fail at the provider level, not the broker
- No clear error message to the client about valid model names
- Wastes provider API calls on invalid requests
- Billing may still be charged for failed requests

## Recommendation
- Validate model name against registry before routing
- Return 400 with list of available models if not found
- Add model alias resolution before forwarding

## Severity: Medium ## Location `crates/hero_aibroker_lib/src/service/chat.rs` — routing logic ## Finding The chat service forwards requests with the requested model name directly to the provider without validating it against the model registry: ```rust // If a client requests model "nonexistent-model", the broker: // 1. Looks it up in the registry (fails to find it) // 2. Falls back to 'auto' routing // 3. Sends to a provider that doesn't support it\n// 4. Provider returns an error\n``` ## Impact - Requests for unknown models fail at the provider level, not the broker - No clear error message to the client about valid model names - Wastes provider API calls on invalid requests - Billing may still be charged for failed requests ## Recommendation - Validate model name against registry before routing - Return 400 with list of available models if not found - Add model alias resolution before forwarding