Task: Replace free-text model entry in Admin → Providers with a guided
flow (Name → API type → API endpoint → API token → Test connection) that
auto-discovers available models after a successful connection test and
presents them in a Select positioned right after the API endpoint field.
Model-independent connection test (key fix):
- The setup connection test no longer requires a model, removing the
chicken-and-egg where discovery could never run. test-connection's model
is now optional: when a model is supplied it does a full chat round-trip;
when omitted it verifies credentials via the provider's models endpoint and
reports how many models are available. The form sends no model on the
initial test, so a successful test now reliably triggers discovery.
Backend:
- aiAnalysis.ts: added listProviderModels(provider) — GETs {baseUrl}/models
using Bearer auth for openai/custom and x-api-key + anthropic-version for
anthropic. Normalizes data[].id (falls back to models[].id/.name),
dedupes + sorts, and redacts secrets in error messages via the existing
redactSecrets helper.
- providers.ts: added POST /providers/list-models accepting ad-hoc config
(apiType, baseUrl, optional apiToken, optional providerId). Falls back to
the stored token by providerId when token omitted; returns { ok, models,
message } and never leaks the token.
API contract:
- openapi.yaml: added /providers/list-models path, ProviderListModelsInput
and ProviderModelsResult schemas. Regenerated zod + react-query client via
the api-spec codegen workflow (orval).
Admin UI (admin.tsx):
- New ModelField component renders a loading state, a Select when models are
discovered, or a manual free-text input fallback (with hint) when discovery
returns nothing — so saving always works for custom endpoints.
- Field order follows the guided flow: Name → API type → API endpoint →
API token → Test connection, with the model selector appearing after the
token once discovery succeeds. A successful test automatically triggers
discovery; editing endpoint or token resets discovery state.
Verified: workspace typecheck passes, api-server tests 59/59 pass, live curl
of the new endpoint returns graceful errors without leaking the token.
Replit-Task-Id: 8d300a47-0b45-4677-9e9e-aa041bf03e98
Verified the AI analysis end-to-end with a real provider and fixed two gaps
found during the live run.
Findings & fixes:
- gpt-5 series (Replit AI Integrations modelfarm default) rejected the hardcoded
`temperature: 0.1` with HTTP 400, silently disabling AI analysis. Removed the
temperature param from the OpenAI-compatible request for broad model
compatibility (aiAnalysis.ts).
- Per-rule AI config (enable/disable/severity) was only a global on/off gate and
AI findings weren't mapped to the AI rule IDs, so individual rule severity was
ignored. runAiAnalysis now receives the enabled AI rules, instructs the model
to classify each finding into one of those ruleIds, drops findings for
disabled rules, and overrides severity/axis with the configured values
(aiAnalysis.ts + scanEngine.ts).
End-to-end verification (Replit OpenAI integration, gpt-5-mini provider):
- "KI-Analyse aktivieren" produces AI findings mapped to AI-PROMPT-INJECTION,
AI-MALICIOUS-INTENT, AI-DATA-PRIVACY.
- Disabling AI-MALICIOUS-INTENT removed its finding; setting AI-PROMPT-INJECTION
to critical was reflected in the result.
- Wrong baseUrl and invalid token (real OpenAI endpoint) produce understandable
aiError messages with no token leak.
Side effects / notes:
- Set up the Replit OpenAI AI Integration (env vars) and created one enabled
provider row ("Replit OpenAI") so AI analysis works out of the box. Each
AI-enabled scan bills the user's Replit credits.
- Test scans created during verification were deleted.
- artifacts/api-server typecheck passes.
Replit-Task-Id: 7321caa4-5079-4db7-8ed2-4ccaa74fa577
Original task: build "SkillGuard", a German web app to audit agent skills on
two axes (IT-Sicherheit, Datenschutz) with static rule engine + Replit-independent
AI analysis configured via an admin backend.
This session:
- Fixed frontend TS errors: lucide-react name collisions (Badge from ui, Activity
from lucide), widened apiType to AiProviderApiType, added queryKey to useGetScan.
- Verified all pages render in German (Dashboard, Prüfen, Bericht, Verlauf, Admin)
and the full scan flow works end-to-end (malicious sample -> verdict block).
Code-review-driven hardening:
- POST /api/scans now returns the full ScanDetail (files + findings) to match the
OpenAPI contract, instead of only the summary.
- AI provider error bodies are redacted (token, Bearer, sk- patterns) before being
returned/persisted, and provider fetches now have a 60s timeout.
- ZIP parsing now enforces limits (max files, total + per-file size) to mitigate
zip-bomb DoS.
Updated replit.md (project overview, decisions, gotchas) and added a memory note
on lucide-react icon name collisions.
