Correctness: No model validation before forwarding to provider #121

New issue

Open

opened 2026-05-11 23:08:59 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 23:08:59 +00:00

Owner

Severity: Medium

Location

crates/hero_aibroker_lib/src/service/chat.rs — route()

Finding

The chat service forwards requests with the requested model name directly to the provider without validating it against the model registry first. Only after the provider rejects it does the broker return an error.

Impact

Requests for non-existent models waste provider API calls
Billing may still be charged for failed requests
No helpful error message about available models
Provider rate limits consumed by invalid requests

Recommendation

Validate model name against registry before routing
Return 400 with list of available models if not found
Add model alias resolution before forwarding
Track and expose model validation metrics

## Severity: Medium ## Location `crates/hero_aibroker_lib/src/service/chat.rs` — `route()` ## Finding The chat service forwards requests with the requested model name directly to the provider without validating it against the model registry first. Only after the provider rejects it does the broker return an error. ## Impact - Requests for non-existent models waste provider API calls - Billing may still be charged for failed requests - No helpful error message about available models - Provider rate limits consumed by invalid requests ## Recommendation - Validate model name against registry before routing - Return 400 with list of available models if not found - Add model alias resolution before forwarding - Track and expose model validation metrics