Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 70b7aebd86 | |||
| 52bb910f4d | |||
| d71aca4c3a | |||
| aa25b2c334 | |||
| 2b35f1741c | |||
| 98a2164aba | |||
| de2b2f0f28 | |||
| b2487a1a37 | |||
| 64642c43c4 | |||
| 3ba2dbefae | |||
| 38b4e1a028 | |||
| 43eb155759 | |||
| 8dae9cc941 | |||
| a5adc6f4d1 |
@@ -0,0 +1,82 @@
|
||||
# Gadfly — agentic adversarial PR reviewer (https://gitea.stevedudenhoeffer.com/steve/gadfly).
|
||||
#
|
||||
# Runs the published Gadfly image (pinned to an immutable :sha- tag — act_runner
|
||||
# caches :latest, and this build is what carries foreman provider-type support)
|
||||
# as a specialist swarm and posts
|
||||
# ONE consolidated review comment as gitea-actions. Advisory only — never blocks a
|
||||
# merge. This reviews majordomo PRs with 6 ollama-cloud models (3-lens suite).
|
||||
# Gadfly is a simple system — findings are advisory; always double-check before
|
||||
# acting.
|
||||
|
||||
name: Adversarial Review (Gadfly)
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, reopened, ready_for_review]
|
||||
issue_comment:
|
||||
types: [created]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
pr_number:
|
||||
description: "PR number to review"
|
||||
required: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
issues: write
|
||||
pull-requests: write
|
||||
|
||||
concurrency:
|
||||
group: gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
review:
|
||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
|
||||
# GADFLY_ALLOWED_USERS, the in-container belt-and-suspenders check.
|
||||
if: >-
|
||||
github.event_name != 'issue_comment'
|
||||
|| (github.event.issue.pull_request
|
||||
&& (github.actor == 'steve'
|
||||
|| github.actor == 'fizi'
|
||||
|| github.actor == 'dazed'))
|
||||
runs-on: ubuntu-latest
|
||||
# Fleet: 6 ollama-cloud models (lens fan-out), no local Macs. (Trimmed the
|
||||
# weakest reviewers by grade — m5/qwen3.6, gemma4, gpt-oss, kimi-k2.7 — plus
|
||||
# the earlier M1 drop.) Plenty of headroom for the cloud lanes.
|
||||
timeout-minutes: 45
|
||||
steps:
|
||||
- uses: docker://gitea.stevedudenhoeffer.com/steve/gadfly:sha-d7f364d
|
||||
env:
|
||||
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
|
||||
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
||||
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
||||
# Cloud-only fleet (no local Macs). Cloud concurrency lives in the
|
||||
# LENSES: models run a few at a time (ollama-cloud=3) with their 3 lenses
|
||||
# concurrent (LENS ollama-cloud=3) so comments land sooner.
|
||||
GADFLY_MODELS: "minimax-m3:cloud,glm-5.2:cloud,glm-5.1:cloud,deepseek-v4-pro:cloud,nemotron-3-super:cloud,qwen3-coder:480b-cloud"
|
||||
GADFLY_PROVIDER_CONCURRENCY: "ollama-cloud=3"
|
||||
GADFLY_PROVIDER_LENS_CONCURRENCY: "ollama-cloud=3"
|
||||
# Default => the 3-lens suite (security, correctness, error-handling).
|
||||
# Set the repo var GADFLY_SPECIALISTS to override (csv / "all" / "auto").
|
||||
GADFLY_SPECIALISTS: ${{ vars.GADFLY_SPECIALISTS || 'security,correctness,error-handling' }}
|
||||
# Per-lens deadline + bounded steps to keep each reviewer's run sane.
|
||||
GADFLY_TIMEOUT_SECS: "600"
|
||||
GADFLY_MAX_STEPS: "14"
|
||||
# Allow-list for the comment trigger (mirrors the job-level if: guard).
|
||||
GADFLY_ALLOWED_USERS: "steve,fizi,dazed"
|
||||
# --- findings telemetry: POST runs + findings to the gadfly-reports store ---
|
||||
# Advisory & off unless GADFLY_FINDINGS_URL is set; failures only log to
|
||||
# stderr and never affect the review. GADFLY_REPO / GADFLY_PR are derived
|
||||
# in-container; the URL + token are user-scope secrets.
|
||||
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
||||
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
||||
# --- event context (leave as-is) ---
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
|
||||
PR_BRANCH: ${{ github.head_ref }}
|
||||
IS_DRAFT: ${{ github.event.pull_request.draft }}
|
||||
COMMENT_BODY: ${{ github.event.comment.body }}
|
||||
COMMENT_ID: ${{ github.event.comment.id }}
|
||||
ACTOR: ${{ github.actor }}
|
||||
@@ -79,12 +79,13 @@ alias := bare token (no slash), expands INLINE, recursively, cycle-checked
|
||||
`LLM_<NAME>=scheme://[token@]host[/path]` — e.g.
|
||||
`LLM_M5=foreman://token@foreman-m5.example` defines provider `m5`; then
|
||||
`m5/qwen3:30b` works in Parse, chains, and aliases. Scheme ∈ {foreman,
|
||||
ollama, ollama-cloud, openai, anthropic, google, gemini, llama-swap} ∪
|
||||
RegisterScheme. Token = credential; base URL = `https://host` always —
|
||||
**except `llama-swap`, which builds `http://host` (local-first; ADR-0015).**
|
||||
`New()` scans the process env eagerly; unknown names also resolve lazily at
|
||||
Parse time (`my-prov` → `LLM_MY_PROV`). Malformed entries fail on use, not at
|
||||
startup.
|
||||
ollama, ollama-cloud, openai, anthropic, google, gemini, llama-swap,
|
||||
llama-swaps} ∪ RegisterScheme. Token = credential; base URL = `https://host`
|
||||
always — **except `llama-swap`, which builds `http://host` (local-first);
|
||||
`llama-swaps` is its TLS twin (`https://host`), mirroring redis/rediss
|
||||
(ADR-0015).** `New()` scans the process env eagerly; unknown names also resolve
|
||||
lazily at Parse time (`my-prov` → `LLM_MY_PROV`). Malformed entries fail on use,
|
||||
not at startup.
|
||||
|
||||
## Health & failover (ADR-0006, ADR-0008)
|
||||
|
||||
@@ -135,6 +136,27 @@ CI: `.gitea/workflows/ci.yaml` (Gitea Actions, mirrors foreman). README.md
|
||||
must match reality in the same commit that changes behavior — no
|
||||
aspirational docs; unbuilt features are marked pending in the matrix.
|
||||
|
||||
## Adversarial review loop (Gadfly)
|
||||
|
||||
Ship work through PRs and let Gadfly review it before merge:
|
||||
|
||||
- **Push to a PR, never straight to `main`.** Branch, push, open a PR.
|
||||
`.gitea/workflows/adversarial-review.yml` runs Gadfly (the standalone
|
||||
agentic adversarial reviewer) — a fleet of 6 ollama-cloud models, each
|
||||
running the 3-lens suite (security, correctness, error-handling). Advisory
|
||||
only; it never blocks the merge.
|
||||
- **Wait for Gadfly to finish, then read its output.** Don't merge while the
|
||||
review is still running. Each model posts one consolidated comment; weigh
|
||||
every finding on its merits and fix the real ones (Gadfly is a simple
|
||||
system — findings are advisory, so confirm before acting).
|
||||
- **Grade the findings back to the Gadfly MCP.** For each finding, call
|
||||
`mcp__gadfly__record_finding_grade`: `is_real=true` + a `severity`
|
||||
(trivial|small|medium|high|critical) for a genuine problem, or
|
||||
`is_real=false` for a false positive; add `notes`/`usefulness` when
|
||||
useful. Use `mcp__gadfly__list_findings` (`only_ungraded=true`) to find
|
||||
what still needs grading and `mcp__gadfly__scoreboard` for the per-model
|
||||
rollup. This telemetry is how we measure whether each model earns its keep.
|
||||
|
||||
## Out of scope (anti-creep)
|
||||
|
||||
No persistent store (health is in-memory behind the registry), no
|
||||
|
||||
@@ -159,15 +159,17 @@ m, _ := reg.Parse("m5/qwen3:30b,m1/qwen3:30b,thinking")
|
||||
```
|
||||
|
||||
DSN format: `scheme://[token@]host[/path]`, scheme ∈ `foreman`, `ollama`,
|
||||
`ollama-cloud`, `openai`, `anthropic`, `google`/`gemini`, `llama-swap`, or any
|
||||
scheme you add with `RegisterScheme`. The token is the credential (bearer token
|
||||
/ API key); the base URL is always `https://host[/path]` — except `llama-swap`,
|
||||
which builds `http://host[:port]` since it's local-first. `New()` loads `LLM_*`
|
||||
vars eagerly; unknown provider names also resolve lazily at Parse time
|
||||
(`my-prov/x` → `LLM_MY_PROV`).
|
||||
`ollama-cloud`, `openai`, `anthropic`, `google`/`gemini`, `llama-swap`,
|
||||
`llama-swaps`, or any scheme you add with `RegisterScheme`. The token is the
|
||||
credential (bearer token / API key); the base URL is always `https://host[/path]`
|
||||
— except `llama-swap`, which builds `http://host[:port]` since it's local-first
|
||||
(`llama-swaps` is the TLS twin → `https://host`, mirroring redis/rediss). `New()`
|
||||
loads `LLM_*` vars eagerly; unknown provider names also resolve lazily at Parse
|
||||
time (`my-prov/x` → `LLM_MY_PROV`).
|
||||
|
||||
```
|
||||
LLM_LS=llama-swap://token@box.local:8080 # then "ls/qwen3:14b" parses
|
||||
LLM_LS=llama-swap://token@box.local:8080 # http → "ls/qwen3:14b" parses
|
||||
LLM_LS=llama-swaps://token@swap.example.com # https → TLS-fronted instance
|
||||
```
|
||||
|
||||
[llama-swap](https://github.com/mostlygeek/llama-swap) is a model-swapping proxy
|
||||
|
||||
+21
-11
@@ -20,6 +20,12 @@ const (
|
||||
ProviderOllamaCloud = "ollama-cloud"
|
||||
ProviderForeman = "foreman"
|
||||
ProviderLlamaSwap = "llama-swap"
|
||||
// ProviderLlamaSwapTLS is the DSN scheme for a TLS-fronted llama-swap
|
||||
// (https base URL). It is a scheme only, not a default built-in provider
|
||||
// name. Why a separate scheme rather than auto-detecting: a DSN carries no
|
||||
// reliable signal for http vs https, so the choice is explicit
|
||||
// (llama-swap = http local-first, llama-swaps = https), mirroring rediss.
|
||||
ProviderLlamaSwapTLS = "llama-swaps"
|
||||
)
|
||||
|
||||
// registerBuiltins installs the built-in providers and env-DSN scheme
|
||||
@@ -70,24 +76,28 @@ func registerBuiltins(r *Registry, httpClient *http.Client) {
|
||||
|
||||
// llama-swap: OpenAI-compatible chat + image generation + management
|
||||
// endpoints over a model-swapping proxy. Chat reuses the openai client
|
||||
// (provider/llamaswap delegates); the DSN builds an http:// base URL
|
||||
// because llama-swap is local-first (TLS-fronted instances can use the
|
||||
// openai:// scheme for chat). The no-DSN built-in errors on use with a
|
||||
// clear message, mirroring foreman.
|
||||
// (provider/llamaswap delegates). Two schemes: "llama-swap" builds an
|
||||
// http:// base URL (local-first default), "llama-swaps" builds https://
|
||||
// for a TLS-fronted instance (mirrors redis/rediss). The no-DSN built-in
|
||||
// errors on use with a clear message, mirroring foreman.
|
||||
llamaSwapOpts := func(extra ...llamaswap.Option) []llamaswap.Option {
|
||||
if httpClient != nil {
|
||||
extra = append(extra, llamaswap.WithHTTPClient(httpClient))
|
||||
}
|
||||
return extra
|
||||
}
|
||||
r.providers[ProviderLlamaSwap] = llamaswap.New(llamaSwapOpts(llamaswap.WithName(ProviderLlamaSwap))...)
|
||||
r.schemes[ProviderLlamaSwap] = func(name string, dsn DSN) (llm.Provider, error) {
|
||||
return llamaswap.New(llamaSwapOpts(
|
||||
llamaswap.WithName(name),
|
||||
llamaswap.WithBaseURL("http://"+dsn.Host),
|
||||
llamaswap.WithToken(dsn.Token),
|
||||
)...), nil
|
||||
llamaSwapScheme := func(urlScheme string) SchemeFactory {
|
||||
return func(name string, dsn DSN) (llm.Provider, error) {
|
||||
return llamaswap.New(llamaSwapOpts(
|
||||
llamaswap.WithName(name),
|
||||
llamaswap.WithBaseURL(urlScheme+"://"+dsn.Host),
|
||||
llamaswap.WithToken(dsn.Token),
|
||||
)...), nil
|
||||
}
|
||||
}
|
||||
r.providers[ProviderLlamaSwap] = llamaswap.New(llamaSwapOpts(llamaswap.WithName(ProviderLlamaSwap))...)
|
||||
r.schemes[ProviderLlamaSwap] = llamaSwapScheme("http")
|
||||
r.schemes[ProviderLlamaSwapTLS] = llamaSwapScheme("https")
|
||||
|
||||
// Anthropic and Anthropic-compatible endpoints.
|
||||
anthropicOpts := func(extra ...anthropic.Option) []anthropic.Option {
|
||||
|
||||
@@ -51,6 +51,28 @@ func TestLlamaSwapScheme(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestLlamaSwapsScheme: the "llama-swaps" scheme builds an https base URL for a
|
||||
// TLS-fronted instance (vs "llama-swap" which is http local-first).
|
||||
func TestLlamaSwapsScheme(t *testing.T) {
|
||||
r := newTestRegistry(t)
|
||||
if err := r.LoadEnv(map[string]string{
|
||||
"LLM_LST": "llama-swaps://tok@swap.example.com",
|
||||
}); err != nil {
|
||||
t.Fatalf("LoadEnv: %v", err)
|
||||
}
|
||||
p, ok := r.Provider("lst")
|
||||
if !ok {
|
||||
t.Fatal("provider \"lst\" not registered")
|
||||
}
|
||||
lp, ok := p.(*llamaswap.Provider)
|
||||
if !ok {
|
||||
t.Fatalf("provider is %T, want *llamaswap.Provider", p)
|
||||
}
|
||||
if want := "https://swap.example.com"; lp.BaseURL() != want {
|
||||
t.Errorf("baseURL = %q, want %q", lp.BaseURL(), want)
|
||||
}
|
||||
}
|
||||
|
||||
// TestLlamaSwapBuiltinNoURL: the no-DSN built-in resolves but errors clearly on
|
||||
// use (mirrors foreman), rather than silently hitting a wrong host.
|
||||
func TestLlamaSwapBuiltinNoURL(t *testing.T) {
|
||||
|
||||
@@ -38,11 +38,13 @@ features leak into the canonical API).
|
||||
`Unload` (POST `/api/models/unload[/:model]`). A small `doJSON` helper shares
|
||||
bearer auth + error mapping; non-2xx → `*llm.APIError` (so `llm.Classify`
|
||||
applies), transport errors wrapped raw.
|
||||
- DSN: the `llama-swap` scheme builds an **http://** base URL from the host
|
||||
(llama-swap is local-first), deliberately *not* the DSN's https-always
|
||||
`BaseURL()`. A TLS-fronted instance can use the `openai://` scheme for chat.
|
||||
A no-DSN built-in `llama-swap` provider registers but errors on use (mirrors
|
||||
foreman).
|
||||
- DSN: two schemes share one factory. `llama-swap` builds an **http://** base
|
||||
URL from the host (llama-swap is local-first), deliberately *not* the DSN's
|
||||
https-always `BaseURL()`; `llama-swaps` builds **https://** for a TLS-fronted
|
||||
instance (mirrors redis/rediss). Why a second scheme rather than auto-detect:
|
||||
a DSN carries no reliable http-vs-https signal, so the choice stays explicit.
|
||||
Only `llama-swap` registers a no-DSN built-in provider (errors on use, mirrors
|
||||
foreman); `llama-swaps` is a scheme only.
|
||||
- Image generation is implemented here too, against the new `imagegen`
|
||||
interface (see ADR-0016).
|
||||
|
||||
|
||||
+41
-15
@@ -5,10 +5,16 @@
|
||||
// already satisfies the target's llm.Capabilities. Images that do not fit
|
||||
// are decoded, downscaled (never upscaled), and re-encoded into an allowed
|
||||
// format and byte budget. Anything that cannot honestly be made to fit —
|
||||
// undecodable formats, impossible byte budgets, too many images, images for
|
||||
// a text-only target — fails with an error wrapping llm.ErrUnsupported so a
|
||||
// failover chain can advance to a more capable target without a health
|
||||
// penalty.
|
||||
// undecodable formats, impossible byte budgets, images for a text-only
|
||||
// target — fails with an error wrapping llm.ErrUnsupported so a failover
|
||||
// chain can advance to a more capable target without a health penalty.
|
||||
//
|
||||
// Over-count is the exception: a request carrying more images than
|
||||
// MaxImagesPerReq does NOT fail — the oldest images are replaced with a short
|
||||
// text placeholder and the most-recent MaxImagesPerReq are kept, because a hard
|
||||
// refuse exhausts a chain whose targets share the same cap (e.g. an agent loop
|
||||
// accumulating a preview image per iteration). MaxImagesPerReq remains the
|
||||
// per-model knob (0 = no image support).
|
||||
//
|
||||
// Why a separate package: every provider would otherwise duplicate the same
|
||||
// decode/scale/encode pipeline. Providers keep only a cheap capability
|
||||
@@ -52,15 +58,21 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
|
||||
if !caps.SupportsImages() {
|
||||
return llm.Request{}, fmt.Errorf("media: %w: target does not accept image input (request carries %d image(s))", llm.ErrUnsupported, total)
|
||||
}
|
||||
// Why error instead of dropping the overflow: silently removing an image
|
||||
// changes the question the caller asked; the honest move is to refuse and
|
||||
// let a chain try a roomier target.
|
||||
// Over-cap images are elided in the same copy-on-write pass below: the
|
||||
// OLDEST excess are replaced with a placeholder and the most-recent
|
||||
// MaxImagesPerReq kept (see the package doc for why we elide rather than
|
||||
// refuse). toElide is how many of the first images, front-to-back, to drop.
|
||||
toElide := 0
|
||||
if total > caps.MaxImagesPerReq {
|
||||
return llm.Request{}, fmt.Errorf("media: %w: request carries %d images, target allows at most %d per request", llm.ErrUnsupported, total, caps.MaxImagesPerReq)
|
||||
toElide = total - caps.MaxImagesPerReq
|
||||
}
|
||||
|
||||
// Single copy-on-write pass: for each image, the first toElide become a text
|
||||
// placeholder; the rest are size-normalized against caps. The Messages slice
|
||||
// and an affected message's Parts slice are copied at most once.
|
||||
out := req
|
||||
copiedMessages := false
|
||||
seen := 0
|
||||
for mi := range req.Messages {
|
||||
copiedParts := false
|
||||
for pi, part := range req.Messages[mi].Parts {
|
||||
@@ -68,13 +80,22 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
norm, changed, err := normalizeImage(ip, caps)
|
||||
if err != nil {
|
||||
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
|
||||
}
|
||||
if !changed {
|
||||
continue
|
||||
seen++
|
||||
|
||||
var replacement llm.Part
|
||||
if seen <= toElide {
|
||||
replacement = llm.Text(imageOverflowPlaceholder)
|
||||
} else {
|
||||
norm, changed, err := normalizeImage(ip, caps)
|
||||
if err != nil {
|
||||
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
|
||||
}
|
||||
if !changed {
|
||||
continue
|
||||
}
|
||||
replacement = norm
|
||||
}
|
||||
|
||||
if !copiedMessages {
|
||||
out.Messages = make([]llm.Message, len(req.Messages))
|
||||
copy(out.Messages, req.Messages)
|
||||
@@ -86,12 +107,17 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
|
||||
out.Messages[mi].Parts = parts
|
||||
copiedParts = true
|
||||
}
|
||||
out.Messages[mi].Parts[pi] = norm
|
||||
out.Messages[mi].Parts[pi] = replacement
|
||||
}
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
// imageOverflowPlaceholder replaces an image elided to fit a target's
|
||||
// per-request image cap. It keeps the message turn intact and tells the model
|
||||
// an earlier image was omitted rather than silently changing the conversation.
|
||||
const imageOverflowPlaceholder = "[earlier image omitted to fit this model's per-request image limit]"
|
||||
|
||||
// Info reports an image part's sniffed format ("jpeg", "png", "gif", or
|
||||
// "webp") and pixel dimensions. It is a cheap metadata read — the pixels are
|
||||
// never decoded. webp is recognized by signature but not decodable with the
|
||||
|
||||
+39
-9
@@ -149,18 +149,48 @@ func TestNormalizeImagesUnsupported(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestNormalizeTooManyImages(t *testing.T) {
|
||||
img := llm.Image("image/png", encPNG(t, gradient(4, 4)))
|
||||
func TestNormalizeOverCount(t *testing.T) {
|
||||
// 3 distinguishable images across 2 messages; cap = 2. Over-count no longer
|
||||
// errors — the OLDEST image is replaced with a placeholder and the most-recent
|
||||
// two (the relevant ones in an iterative run) are kept, in order.
|
||||
a := llm.Image("image/png", encPNG(t, gradient(2, 2))).(llm.ImagePart)
|
||||
b := llm.Image("image/png", encPNG(t, gradient(4, 4))).(llm.ImagePart)
|
||||
c := llm.Image("image/png", encPNG(t, gradient(8, 8))).(llm.ImagePart)
|
||||
req := llm.Request{Messages: []llm.Message{
|
||||
llm.UserParts(img, img),
|
||||
llm.UserParts(img),
|
||||
llm.UserParts(a, b),
|
||||
llm.UserParts(c),
|
||||
}}
|
||||
_, err := Normalize(req, llm.Capabilities{MaxImagesPerReq: 2})
|
||||
if !errors.Is(err, llm.ErrUnsupported) {
|
||||
t.Fatalf("err = %v, want ErrUnsupported", err)
|
||||
caps := llm.Capabilities{MaxImagesPerReq: 2, MaxImageDimension: 64, MaxImageBytes: 1 << 20, AllowedImageMIME: []string{"image/png"}}
|
||||
out, err := Normalize(req, caps)
|
||||
if err != nil {
|
||||
t.Fatalf("over-count should not error: %v", err)
|
||||
}
|
||||
if !strings.Contains(err.Error(), "3 images") || !strings.Contains(err.Error(), "at most 2") {
|
||||
t.Errorf("err message %q lacks the counts", err)
|
||||
var imgs []llm.ImagePart
|
||||
placeholders := 0
|
||||
for _, m := range out.Messages {
|
||||
for _, p := range m.Parts {
|
||||
switch v := p.(type) {
|
||||
case llm.ImagePart:
|
||||
imgs = append(imgs, v)
|
||||
case llm.TextPart:
|
||||
if v.Text == imageOverflowPlaceholder {
|
||||
placeholders++
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
// The exact survivors are the most-recent two, in order: b then c (a elided).
|
||||
if len(imgs) != 2 || !bytes.Equal(imgs[0].Data, b.Data) || !bytes.Equal(imgs[1].Data, c.Data) {
|
||||
t.Fatalf("kept %d images; want exactly [b, c] (the most-recent two)", len(imgs))
|
||||
}
|
||||
if placeholders != 1 {
|
||||
t.Errorf("placeholders = %d, want 1 for the elided oldest image", placeholders)
|
||||
}
|
||||
// Input request untouched (copy-on-write): the first part is still image a,
|
||||
// not a placeholder — a len check alone wouldn't catch in-place substitution.
|
||||
first, ok := req.Messages[0].Parts[0].(llm.ImagePart)
|
||||
if !ok || !bytes.Equal(first.Data, a.Data) {
|
||||
t.Errorf("input request was mutated; first part = %+v", req.Messages[0].Parts[0])
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,5 +1,12 @@
|
||||
# progress
|
||||
|
||||
## 2026-06-27 — llama-swaps (TLS) DSN scheme
|
||||
|
||||
Follow-up to the llama-swap provider: added the `llama-swaps` DSN scheme (https
|
||||
base URL) alongside `llama-swap` (http, local-first), mirroring redis/rediss, so
|
||||
a TLS-fronted instance is first-class instead of being pushed to the `openai://`
|
||||
scheme. Scheme-only (no default built-in); shares one factory in builtin.go.
|
||||
|
||||
## 2026-06-27 — llama-swap provider + canonical image-gen interface
|
||||
|
||||
**Landed (ADR-0015, ADR-0016).** New `provider/llamaswap`: chat **delegates to
|
||||
|
||||
@@ -51,6 +51,9 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
|
||||
if strings.TrimSpace(req.Prompt) == "" {
|
||||
return nil, fmt.Errorf("%w: image generation requires a prompt", llm.ErrUnsupported)
|
||||
}
|
||||
if req.N < 0 {
|
||||
return nil, fmt.Errorf("%w: image count N must be >= 0, got %d", llm.ErrUnsupported, req.N)
|
||||
}
|
||||
|
||||
wire := imageRequest{
|
||||
Model: m.id,
|
||||
@@ -61,7 +64,7 @@ func (m *imageModel) Generate(ctx context.Context, req imagegen.Request, opts ..
|
||||
}
|
||||
|
||||
var resp imageResponse
|
||||
if err := m.p.doJSON(ctx, http.MethodPost, "/v1/images/generations", &wire, &resp); err != nil {
|
||||
if err := m.p.doJSON(ctx, http.MethodPost, "/v1/images/generations", m.id, &wire, &resp); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
||||
@@ -38,6 +38,11 @@ import (
|
||||
// DefaultName is the registry name used when WithName is not given.
|
||||
const DefaultName = "llama-swap"
|
||||
|
||||
// maxResponseBytes caps the JSON body read on the success path. Generous
|
||||
// enough for a multi-image b64 payload, bounded so a hostile/buggy upstream
|
||||
// can't make a decode allocate without limit.
|
||||
const maxResponseBytes = 64 << 20
|
||||
|
||||
// Provider is a llama-swap client. It satisfies llm.Provider (chat, delegated
|
||||
// to provider/openai) and imagegen.Provider (image generation), and exposes
|
||||
// llama-swap's management endpoints as concrete methods.
|
||||
@@ -136,7 +141,7 @@ func (p *Provider) ListModels(ctx context.Context) ([]ModelInfo, error) {
|
||||
var out struct {
|
||||
Data []ModelInfo `json:"data"`
|
||||
}
|
||||
if err := p.doJSON(ctx, http.MethodGet, "/v1/models", nil, &out); err != nil {
|
||||
if err := p.doJSON(ctx, http.MethodGet, "/v1/models", "", nil, &out); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out.Data, nil
|
||||
@@ -148,7 +153,7 @@ func (p *Provider) ListModels(ctx context.Context) ([]ModelInfo, error) {
|
||||
// would have to guess.
|
||||
func (p *Provider) Running(ctx context.Context) (json.RawMessage, error) {
|
||||
var out json.RawMessage
|
||||
if err := p.doJSON(ctx, http.MethodGet, "/running", nil, &out); err != nil {
|
||||
if err := p.doJSON(ctx, http.MethodGet, "/running", "", nil, &out); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
@@ -160,18 +165,30 @@ func (p *Provider) Running(ctx context.Context) (json.RawMessage, error) {
|
||||
func (p *Provider) Unload(ctx context.Context, model string) error {
|
||||
path := "/api/models/unload"
|
||||
if model != "" {
|
||||
// Why reject rather than percent-escape: llama-swap model ids legitimately
|
||||
// contain ":" (e.g. "qwen3:14b"), which is path-legal and must reach the
|
||||
// server verbatim; only path-structure characters are dangerous (they'd
|
||||
// redirect the request to another endpoint), and those never appear in a
|
||||
// real model id.
|
||||
if strings.ContainsAny(model, "/?#") {
|
||||
return fmt.Errorf("llama-swap: invalid model id %q for unload (contains a path separator)", model)
|
||||
}
|
||||
path += "/" + model
|
||||
}
|
||||
return p.doJSON(ctx, http.MethodPost, path, nil, nil)
|
||||
return p.doJSON(ctx, http.MethodPost, path, "", nil, nil)
|
||||
}
|
||||
|
||||
// --- shared HTTP helper for management + image endpoints ---
|
||||
|
||||
// doJSON performs a request to a llama-swap endpoint relative to baseURL,
|
||||
// optionally encoding body and decoding into out (either may be nil). Transport
|
||||
// failures are wrapped raw so llm.Classify still sees the underlying net error;
|
||||
// non-2xx responses become *llm.APIError.
|
||||
func (p *Provider) doJSON(ctx context.Context, method, path string, body, out any) error {
|
||||
// optionally encoding body and decoding into out (either may be nil). model
|
||||
// labels the failing target in any *llm.APIError ("" for endpoints that aren't
|
||||
// model-specific). Transport failures are wrapped raw so llm.Classify still
|
||||
// sees the underlying net error; non-2xx responses become *llm.APIError.
|
||||
func (p *Provider) doJSON(ctx context.Context, method, path, model string, body, out any) error {
|
||||
if p.baseURL == "" {
|
||||
return fmt.Errorf("llama-swap provider %q: no base URL configured (set one via WithBaseURL or an LLM_* env DSN)", p.name)
|
||||
}
|
||||
var rdr io.Reader
|
||||
if body != nil {
|
||||
b, err := json.Marshal(body)
|
||||
@@ -196,12 +213,15 @@ func (p *Provider) doJSON(ctx context.Context, method, path string, body, out an
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode/100 != 2 {
|
||||
return p.apiError(resp, "")
|
||||
return p.apiError(resp, model)
|
||||
}
|
||||
if out != nil {
|
||||
if err := json.NewDecoder(resp.Body).Decode(out); err != nil {
|
||||
if err := json.NewDecoder(io.LimitReader(resp.Body, maxResponseBytes)).Decode(out); err != nil {
|
||||
return fmt.Errorf("llama-swap: decode response: %w", err)
|
||||
}
|
||||
} else {
|
||||
// Drain (bounded) so the connection can be reused.
|
||||
_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, maxResponseBytes))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -127,6 +127,24 @@ func TestUnload(t *testing.T) {
|
||||
if gotPath != "/api/models/unload" {
|
||||
t.Errorf("unload-all path = %q", gotPath)
|
||||
}
|
||||
|
||||
// A model id with a path separator is rejected before any request.
|
||||
if err := p.Unload(context.Background(), "../admin"); err == nil {
|
||||
t.Error("expected error for model id with path separator")
|
||||
}
|
||||
}
|
||||
|
||||
func TestManagementNoBaseURL(t *testing.T) {
|
||||
p := New() // no base URL
|
||||
if _, err := p.ListModels(context.Background()); err == nil {
|
||||
t.Error("ListModels: expected error for missing base URL")
|
||||
}
|
||||
if _, err := p.Running(context.Background()); err == nil {
|
||||
t.Error("Running: expected error for missing base URL")
|
||||
}
|
||||
if err := p.Unload(context.Background(), "m"); err == nil {
|
||||
t.Error("Unload: expected error for missing base URL")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRunningRaw(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user