Task: Fix provider baseUrl stripping endpoint suffixes before /models
## Problem
When users entered a full endpoint URL as the provider base URL (e.g.
`https://api.openai.com/v1/chat/completions` instead of
`https://api.openai.com/v1`), the server would append `/models` to it,
producing the invalid path `/v1/chat/completions/models` — resulting in
HTTP 404 errors for model discovery, connection tests, and analysis.
## Changes
### `artifacts/api-server/src/lib/aiAnalysis.ts`
- Added exported `normalizeBaseUrl(raw: string): string` helper that:
- Strips trailing slashes
- Strips known endpoint suffixes: `/chat/completions`, `/completions`, `/messages`
- Strips trailing slashes again after suffix removal
- Applied `normalizeBaseUrl` in `callOpenAiCompatible`, `callAnthropic`,
and `listProviderModels` (replacing the previous bare `.replace(/\/$/, "")`)
### `artifacts/api-server/src/routes/providers.ts`
- Imported `normalizeBaseUrl` from aiAnalysis
- Applied normalization to `baseUrl` in the POST /providers (create) handler
- Applied normalization to `baseUrl` in the PATCH /providers/:id (update) handler
- This ensures the canonical normalized value is persisted from the start
### `artifacts/api-server/src/routes/providers.listModels.test.ts`
- Added import of `normalizeBaseUrl`
- Added a new `describe("normalizeBaseUrl")` block with 7 unit tests covering:
all three suffix patterns, trailing slashes, clean URLs, combined suffix+slash,
and non-matching partial suffixes
## Test results
All 13 tests pass (6 existing + 7 new normalization unit tests).
Replit-Task-Id: 9ab5c336-d54e-4bc3-8f01-0b7486365c4b
German is source of truth; EN/ES fully translated with no German residue.
Auto-detects browser language (fallback German), persists choice, language
switcher on all pages, localized formats/Clerk/legal. Scans store their language.
Backend (T001-T003): language column on scans, openapi+codegen, ruleCatalogI18n,
language threaded scans route -> analyzeSkill -> runStaticRule -> AI calls.
Route/AI error messages localized via expanded i18n MESSAGES + reqLang(req)
(?lang query -> Accept-Language header -> "de"). No German left in routes.
Frontend (T004-T005): react-i18next framework, LanguageSwitcher, locale-aware
format.ts, Clerk localizations. All page/component strings externalized to
de/en/es locale area files across catalog, education, scan form/report/compare,
history, dashboard, admin, legal pages.
T006 verification + review-fix follow-up (this session):
- Applied formatNumber to all visible metrics in scan-report (risk score,
severity counts, security/privacy) and scan-compare (risk score, file count,
diff counts); PDF/HTML export numbers formatted via Intl.NumberFormat(lng).
- Fixed leftover `@workspace/n` import alias in i18n/index.ts -> real package
`@workspace/api-client-react` (was failing workspace typecheck).
- Verified: full `pnpm run typecheck` green; api-server tests 72/72 pass;
curl confirms localized error responses (de/en/es) on scans route.
Deviations: AI connection-test prompts left in German intentionally (sent to
the model, not user-facing). proposeFollowUpTasks already created #52.
Replit-Task-Id: 9f137230-db11-45dc-9276-4e5cbcceff03
Task: Replace free-text model entry in Admin → Providers with a guided
flow (Name → API type → API endpoint → API token → Test connection) that
auto-discovers available models after a successful connection test and
presents them in a Select positioned right after the API endpoint field.
Model-independent connection test (key fix):
- The setup connection test no longer requires a model, removing the
chicken-and-egg where discovery could never run. test-connection's model
is now optional: when a model is supplied it does a full chat round-trip;
when omitted it verifies credentials via the provider's models endpoint and
reports how many models are available. The form sends no model on the
initial test, so a successful test now reliably triggers discovery.
Backend:
- aiAnalysis.ts: added listProviderModels(provider) — GETs {baseUrl}/models
using Bearer auth for openai/custom and x-api-key + anthropic-version for
anthropic. Normalizes data[].id (falls back to models[].id/.name),
dedupes + sorts, and redacts secrets in error messages via the existing
redactSecrets helper.
- providers.ts: added POST /providers/list-models accepting ad-hoc config
(apiType, baseUrl, optional apiToken, optional providerId). Falls back to
the stored token by providerId when token omitted; returns { ok, models,
message } and never leaks the token.
API contract:
- openapi.yaml: added /providers/list-models path, ProviderListModelsInput
and ProviderModelsResult schemas. Regenerated zod + react-query client via
the api-spec codegen workflow (orval).
Admin UI (admin.tsx):
- New ModelField component renders a loading state, a Select when models are
discovered, or a manual free-text input fallback (with hint) when discovery
returns nothing — so saving always works for custom endpoints.
- Field order follows the guided flow: Name → API type → API endpoint →
API token → Test connection, with the model selector appearing after the
token once discovery succeeds. A successful test automatically triggers
discovery; editing endpoint or token resets discovery state.
Verified: workspace typecheck passes, api-server tests 59/59 pass, live curl
of the new endpoint returns graceful errors without leaking the token.
Replit-Task-Id: 8d300a47-0b45-4677-9e9e-aa041bf03e98
Add an inline "Verbindung testen" button to the Neuer/Bearbeiten provider
dialogs so users can test a connection with the currently entered values
before saving.
Backend:
- New endpoint POST /providers/test-connection that accepts an ad-hoc provider
config (apiType, baseUrl, model, optional apiToken, optional providerId) in
the request body and runs a one-shot test via the existing callProvider
logic. When apiToken is empty and providerId is given, it falls back to the
stored token of that provider (edit case). Returns { ok, message }; the token
is never returned or leaked (existing redactSecrets still applies to errors).
- Defined ProviderTestConnectionInput schema + path in openapi.yaml and ran
codegen for Zod schemas and the React client.
Frontend (artifacts/skillguard/src/pages/admin.tsx):
- Add dialog: "Verbindung testen" button (disabled until Base URL + Token set
or while testing) with loading spinner and an inline green success / red
error result box. Result resets when the dialog closes.
- Edit dialog: same inline test; empty token field falls back to the stored
token via providerId. Result resets on open/close.
- The existing per-card "Verbindung testen" button is unchanged.
Verification: typecheck passes for api-server and skillguard; curl tested the
new endpoint for success-path (fetch error surfaced), empty-token, and invalid
body (400) cases. Token not present in any response.
Deviations: none.
Replit-Task-Id: 4f77293f-468c-496a-ab05-1f10e7bf8137
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
