Add custom upstream headers and Kimi provider support#458
Closed
weselben wants to merge 2 commits into
Closed
Conversation
… header passthrough Every provider block gains two optional, mutually-exclusive header fields: custom_upstream_headers (static map) and passthrough_user_headers (forward inbound caller headers after a credential/transport skip list). Kimi defaults passthrough on; all other providers default off. Both modes together are rejected at config-load. Env vars <PROVIDER>_PASSTHROUGH_USER_HEADERS and <PROVIDER>_PASSTHROUGH_USER_HEADERS_SKIP override YAML; provider-set auth headers are never touched. - config: new RawProviderConfig/ProviderConfig fields + validation - providers: SkipPassthroughHeader floor + ApplyRequestHeaderOverrides - wired through openai compatible provider + anthropic/gemini/vertex setHeaders and every OpenAI-compatible provider constructor - docs: feature page + nav + configuration reference
Native kimi provider: thin wrapper over the shared OpenAI-compatible transport with standard Bearer auth and default base URL https://api.kimi.com/coding/v1. Kimi defaults passthrough_user_headers to true so an OpenAI-SDK caller is forwarded as-is; operators can disable passthrough and ship a static identity bundle instead. - providers/kimi: provider + tests - cmd/gomodel: register kimi - cmd/recordapi: kimi recording config, setKimiHeaders identity bundle - Makefile: record-api-kimi target - tests/contract/testdata/kimi: golden files - docs: provider page, overview matrix row, README supported list, config example
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Some upstreams expect a recognizable client identity on the outbound request —
notably Kimi's coding endpoint, which reads
User-Agent,X-Stainless-*, andX-Titlethe way an OpenAI SDK sends them. Today GoModel can neither forwardwhat the caller sent nor set those headers itself, so these providers either
reject the request or behave as an unrecognized client.
This adds two optional, mutually exclusive knobs to every provider block and
ships a native
kimiprovider as the first consumer:custom_upstream_headers— a static header map written on every outboundrequest (stable client identity, tracing, upstream-specific keys).
passthrough_user_headers— forward inbound caller headers onto the upstreamrequest after a credential/transport skip list.
Kimi defaults passthrough on; every other provider defaults off. Setting both
modes on one provider is rejected at config-load. Provider-set auth headers
(e.g.
Authorization) are written by the factory before any of this runs andare never overwritten.
Override precedence is env > YAML > provider-type default. Both knobs are
env-overridable (
<PROVIDER>_PASSTHROUGH_USER_HEADERS,<PROVIDER>_PASSTHROUGH_USER_HEADERS_SKIP); the static bundle is YAML-only sosecrets stay out of the environment.
Implementation notes
internal/providers/headers.go) drops credentials(
Authorization,X-Api-Key), hop-by-hop/transport headers (RFC 7230),cookies,
Forwarded, and everyX-Forwarded-*prefix, regardless ofprovider config — operators can only add to it via the skip list.
ApplyRequestHeaderOverridesis wired through the shared OpenAI-compatibleprovider and the native
setHeaderspaths (anthropic, gemini, vertex), soall providers get the feature from one place. In passthrough mode inbound
values overwrite provider defaults for that key (an empty slice deletes it);
keys not present inbound are left untouched.
Bearer auth, default base URL
https://api.kimi.com/coding/v1, noprovider-specific headers invented on its behalf.