Task: Replace free-text model entry in Admin → Providers with a guided
flow (Name → API type → API endpoint → API token → Test connection) that
auto-discovers available models after a successful connection test and
presents them in a Select positioned right after the API endpoint field.
Model-independent connection test (key fix):
- The setup connection test no longer requires a model, removing the
chicken-and-egg where discovery could never run. test-connection's model
is now optional: when a model is supplied it does a full chat round-trip;
when omitted it verifies credentials via the provider's models endpoint and
reports how many models are available. The form sends no model on the
initial test, so a successful test now reliably triggers discovery.
Backend:
- aiAnalysis.ts: added listProviderModels(provider) — GETs {baseUrl}/models
using Bearer auth for openai/custom and x-api-key + anthropic-version for
anthropic. Normalizes data[].id (falls back to models[].id/.name),
dedupes + sorts, and redacts secrets in error messages via the existing
redactSecrets helper.
- providers.ts: added POST /providers/list-models accepting ad-hoc config
(apiType, baseUrl, optional apiToken, optional providerId). Falls back to
the stored token by providerId when token omitted; returns { ok, models,
message } and never leaks the token.
API contract:
- openapi.yaml: added /providers/list-models path, ProviderListModelsInput
and ProviderModelsResult schemas. Regenerated zod + react-query client via
the api-spec codegen workflow (orval).
Admin UI (admin.tsx):
- New ModelField component renders a loading state, a Select when models are
discovered, or a manual free-text input fallback (with hint) when discovery
returns nothing — so saving always works for custom endpoints.
- Field order follows the guided flow: Name → API type → API endpoint →
API token → Test connection, with the model selector appearing after the
token once discovery succeeds. A successful test automatically triggers
discovery; editing endpoint or token resets discovery state.
Verified: workspace typecheck passes, api-server tests 59/59 pass, live curl
of the new endpoint returns graceful errors without leaking the token.
Replit-Task-Id: 8d300a47-0b45-4677-9e9e-aa041bf03e98
Add an inline "Verbindung testen" button to the Neuer/Bearbeiten provider
dialogs so users can test a connection with the currently entered values
before saving.
Backend:
- New endpoint POST /providers/test-connection that accepts an ad-hoc provider
config (apiType, baseUrl, model, optional apiToken, optional providerId) in
the request body and runs a one-shot test via the existing callProvider
logic. When apiToken is empty and providerId is given, it falls back to the
stored token of that provider (edit case). Returns { ok, message }; the token
is never returned or leaked (existing redactSecrets still applies to errors).
- Defined ProviderTestConnectionInput schema + path in openapi.yaml and ran
codegen for Zod schemas and the React client.
Frontend (artifacts/skillguard/src/pages/admin.tsx):
- Add dialog: "Verbindung testen" button (disabled until Base URL + Token set
or while testing) with loading spinner and an inline green success / red
error result box. Result resets when the dialog closes.
- Edit dialog: same inline test; empty token field falls back to the stored
token via providerId. Result resets on open/close.
- The existing per-card "Verbindung testen" button is unchanged.
Verification: typecheck passes for api-server and skillguard; curl tested the
new endpoint for success-path (fetch error surfaced), empty-token, and invalid
body (400) cases. Token not present in any response.
Deviations: none.
Replit-Task-Id: 4f77293f-468c-496a-ab05-1f10e7bf8137
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
