fix(guardrails): refresh startup pipelines after executor swap

SantiagoDePolonia · SantiagoDePolonia · commit b29838c0c0a3 · 2026-04-05T20:50:27.000+02:00
diff --git a/internal/app/app.go b/internal/app/app.go
@@ -415,6 +415,13 @@ func New(ctx context.Context, cfg Config) (*App, error) {
 		}
 		return nil, fmt.Errorf("failed to wire internal guardrail executor: %w", err)
 	}
+	if err := executionPlanResult.Service.Refresh(ctx); err != nil {
+		closeErr := errors.Join(app.executionPlans.Close(), app.guardrails.Close(), app.authKeys.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())
+		if closeErr != nil {
+			return nil, fmt.Errorf("failed to refresh execution plans after wiring internal guardrail executor: %w (also: close error: %v)", err, closeErr)
+		}
+		return nil, fmt.Errorf("failed to refresh execution plans after wiring internal guardrail executor: %w", err)
+	}
 
 	app.server = server.New(provider, serverCfg)
 
diff --git a/internal/auditlog/entry_capture_test.go b/internal/auditlog/entry_capture_test.go
@@ -2,7 +2,9 @@ package auditlog
 
 import (
 	"context"
+	"fmt"
 	"net/http"
+	"strings"
 	"testing"
 
 	"gomodel/internal/core"
@@ -55,32 +57,110 @@ func TestCaptureInternalJSONExchange_PreservesHeadersWithoutBodies(t *testing.T)
 }
 
 func TestCaptureInternalJSONExchange_PreservesHeadersWhenBodyMarshalFails(t *testing.T) {
-	entry := &LogEntry{
-		RequestID: "req_456",
-		Data:      &LogData{},
-	}
-	ctx := core.WithEffectiveUserPath(context.Background(), "/team/beta")
+	t.Run("marshal failure preserves headers", func(t *testing.T) {
+		entry := &LogEntry{
+			RequestID: "req_456",
+			Data:      &LogData{},
+		}
+		ctx := core.WithEffectiveUserPath(context.Background(), "/team/beta")
 
-	CaptureInternalJSONExchange(entry, ctx, "POST", "/v1/chat/completions", func() {}, func() {}, nil, Config{
-		LogHeaders: true,
-		LogBodies:  true,
+		CaptureInternalJSONExchange(entry, ctx, "POST", "/v1/chat/completions", func() {}, func() {}, nil, Config{
+			LogHeaders: true,
+			LogBodies:  true,
+		})
+
+		if entry.Data == nil {
+			t.Fatal("Data = nil, want populated log data")
+		}
+		if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456" {
+			t.Fatalf("RequestHeaders[X-Request-ID] = %q, want req_456", got)
+		}
+		if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey(core.UserPathHeader)]; got != "/team/beta" {
+			t.Fatalf("RequestHeaders[%s] = %q, want /team/beta", core.UserPathHeader, got)
+		}
+		if got := entry.Data.ResponseHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456" {
+			t.Fatalf("ResponseHeaders[X-Request-ID] = %q, want req_456", got)
+		}
+		if entry.Data.RequestBody != nil || entry.Data.ResponseBody != nil {
+			t.Fatal("expected marshal failures to skip bodies while preserving headers")
+		}
 	})
 
-	if entry.Data == nil {
-		t.Fatal("Data = nil, want populated log data")
-	}
-	if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456" {
-		t.Fatalf("RequestHeaders[X-Request-ID] = %q, want req_456", got)
-	}
-	if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey(core.UserPathHeader)]; got != "/team/beta" {
-		t.Fatalf("RequestHeaders[%s] = %q, want /team/beta", core.UserPathHeader, got)
-	}
-	if got := entry.Data.ResponseHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456" {
-		t.Fatalf("ResponseHeaders[X-Request-ID] = %q, want req_456", got)
-	}
-	if entry.Data.RequestBody != nil || entry.Data.ResponseBody != nil {
-		t.Fatal("expected marshal failures to skip bodies while preserving headers")
-	}
+	t.Run("response error preserves headers and captures error body", func(t *testing.T) {
+		entry := &LogEntry{
+			RequestID: "req_456_err",
+			Data:      &LogData{},
+		}
+		ctx := core.WithEffectiveUserPath(context.Background(), "/team/beta")
+		responseErr := core.NewProviderError("openai", http.StatusBadGateway, "upstream failed", fmt.Errorf("boom"))
+
+		CaptureInternalJSONExchange(entry, ctx, "POST", "/v1/chat/completions", map[string]any{"ok": true}, nil, responseErr, Config{
+			LogHeaders: true,
+			LogBodies:  true,
+		})
+
+		if entry.Data == nil {
+			t.Fatal("Data = nil, want populated log data")
+		}
+		if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456_err" {
+			t.Fatalf("RequestHeaders[X-Request-ID] = %q, want req_456_err", got)
+		}
+		if got := entry.Data.ResponseHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456_err" {
+			t.Fatalf("ResponseHeaders[X-Request-ID] = %q, want req_456_err", got)
+		}
+		body, ok := entry.Data.ResponseBody.(map[string]any)
+		if !ok {
+			t.Fatalf("ResponseBody = %T, want synthesized error envelope", entry.Data.ResponseBody)
+		}
+		errorBody, ok := body["error"].(map[string]any)
+		if !ok {
+			t.Fatalf("ResponseBody[error] = %#v, want object", body["error"])
+		}
+		if got := errorBody["message"]; got != "upstream failed" {
+			t.Fatalf("ResponseBody.error.message = %#v, want upstream failed", got)
+		}
+	})
+
+	t.Run("oversized payload preserves headers and sets truncation flags", func(t *testing.T) {
+		entry := &LogEntry{
+			RequestID: "req_456_big",
+			Data:      &LogData{},
+		}
+		ctx := core.WithEffectiveUserPath(context.Background(), "/team/beta")
+		large := strings.Repeat("x", int(MaxBodyCapture)+1024)
+
+		CaptureInternalJSONExchange(entry, ctx, "POST", "/v1/chat/completions",
+			map[string]any{"payload": large},
+			map[string]any{"payload": large},
+			nil,
+			Config{
+				LogHeaders: true,
+				LogBodies:  true,
+			},
+		)
+
+		if entry.Data == nil {
+			t.Fatal("Data = nil, want populated log data")
+		}
+		if got := entry.Data.RequestHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456_big" {
+			t.Fatalf("RequestHeaders[X-Request-ID] = %q, want req_456_big", got)
+		}
+		if got := entry.Data.ResponseHeaders[http.CanonicalHeaderKey("X-Request-ID")]; got != "req_456_big" {
+			t.Fatalf("ResponseHeaders[X-Request-ID] = %q, want req_456_big", got)
+		}
+		if !entry.Data.RequestBodyTooBigToHandle {
+			t.Fatal("RequestBodyTooBigToHandle = false, want true")
+		}
+		if entry.Data.RequestBody != nil {
+			t.Fatalf("RequestBody = %#v, want omitted oversized request body", entry.Data.RequestBody)
+		}
+		if !entry.Data.ResponseBodyTooBigToHandle {
+			t.Fatal("ResponseBodyTooBigToHandle = false, want true")
+		}
+		if entry.Data.ResponseBody == nil {
+			t.Fatal("ResponseBody = nil, want truncated captured payload")
+		}
+	})
 }
 
 func TestCaptureInternalJSONExchange_DoesNotReuseIngressSnapshotOnMarshalFailure(t *testing.T) {
diff --git a/internal/executionplans/service_test.go b/internal/executionplans/service_test.go
@@ -2,13 +2,15 @@ package executionplans
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
 
 	"gomodel/internal/core"
+	"gomodel/internal/guardrails"
 )
 
 type staticStore struct {
@@ -614,6 +616,171 @@ func TestServiceEnsureDefaultGlobal_ValidatesBeforeStoreMutation(t *testing.T) {
 	}
 }
 
+func TestServiceRefresh_RebuildsCompiledGuardrailPipelinesAfterExecutorSwap(t *testing.T) {
+	guardrailStore := &guardrailTestStore{
+		definitions: map[string]guardrails.Definition{
+			"privacy": {
+				Name: "privacy",
+				Type: "llm_based_altering",
+				Config: mustMarshalJSON(t, map[string]any{
+					"model": "gpt-4o-mini",
+					"roles": []string{"user"},
+				}),
+			},
+		},
+	}
+	guardrailService, err := guardrails.NewService(guardrailStore, guardrailExecutorFunc(func(_ context.Context, _ *core.ChatRequest) (*core.ChatResponse, error) {
+		return &core.ChatResponse{
+			Choices: []core.Choice{
+				{Message: core.ResponseMessage{Role: "assistant", Content: "[|---|](PERSON_1)"}},
+			},
+		}, nil
+	}))
+	if err != nil {
+		t.Fatalf("guardrails.NewService() error = %v", err)
+	}
+	if err := guardrailService.Refresh(context.Background()); err != nil {
+		t.Fatalf("guardrailService.Refresh() error = %v", err)
+	}
+
+	store := &staticStore{
+		versions: []Version{
+			{
+				ID:       "global-v1",
+				Scope:    Scope{},
+				ScopeKey: "global",
+				Version:  1,
+				Active:   true,
+				Name:     "global",
+				Payload: Payload{
+					SchemaVersion: 1,
+					Features: FeatureFlags{
+						Cache:      false,
+						Audit:      true,
+						Usage:      true,
+						Guardrails: true,
+					},
+					Guardrails: []GuardrailStep{
+						{Ref: "privacy", Step: 10},
+					},
+				},
+			},
+		},
+	}
+	service, err := NewService(store, NewCompilerWithFeatureCaps(guardrailService, core.DefaultExecutionFeatures()))
+	if err != nil {
+		t.Fatalf("NewService() error = %v", err)
+	}
+	if err := service.Refresh(context.Background()); err != nil {
+		t.Fatalf("service.Refresh() error = %v", err)
+	}
+
+	selector := core.NewExecutionPlanSelector("", "", "/")
+	policy, err := service.Match(selector)
+	if err != nil {
+		t.Fatalf("service.Match() error = %v", err)
+	}
+	plan := &core.ExecutionPlan{Policy: policy}
+
+	assertPipelineRewrite(t, service.PipelineForExecutionPlan(plan), "[|---|](PERSON_1)")
+
+	if err := guardrailService.SetExecutor(context.Background(), guardrailExecutorFunc(func(_ context.Context, _ *core.ChatRequest) (*core.ChatResponse, error) {
+		return &core.ChatResponse{
+			Choices: []core.Choice{
+				{Message: core.ResponseMessage{Role: "assistant", Content: "[|---|](PERSON_2)"}},
+			},
+		}, nil
+	})); err != nil {
+		t.Fatalf("guardrailService.SetExecutor() error = %v", err)
+	}
+
+	assertPipelineRewrite(t, service.PipelineForExecutionPlan(plan), "[|---|](PERSON_1)")
+
+	if err := service.Refresh(context.Background()); err != nil {
+		t.Fatalf("service.Refresh() after SetExecutor error = %v", err)
+	}
+	assertPipelineRewrite(t, service.PipelineForExecutionPlan(plan), "[|---|](PERSON_2)")
+}
+
+type guardrailTestStore struct {
+	definitions map[string]guardrails.Definition
+}
+
+func (s *guardrailTestStore) List(context.Context) ([]guardrails.Definition, error) {
+	result := make([]guardrails.Definition, 0, len(s.definitions))
+	for _, definition := range s.definitions {
+		result = append(result, definition)
+	}
+	return result, nil
+}
+
+func (s *guardrailTestStore) Get(_ context.Context, name string) (*guardrails.Definition, error) {
+	definition, ok := s.definitions[name]
+	if !ok {
+		return nil, guardrails.ErrNotFound
+	}
+	copy := definition
+	return &copy, nil
+}
+
+func (s *guardrailTestStore) Upsert(_ context.Context, definition guardrails.Definition) error {
+	if s.definitions == nil {
+		s.definitions = make(map[string]guardrails.Definition)
+	}
+	s.definitions[definition.Name] = definition
+	return nil
+}
+
+func (s *guardrailTestStore) UpsertMany(_ context.Context, definitions []guardrails.Definition) error {
+	if s.definitions == nil {
+		s.definitions = make(map[string]guardrails.Definition)
+	}
+	for _, definition := range definitions {
+		s.definitions[definition.Name] = definition
+	}
+	return nil
+}
+
+func (s *guardrailTestStore) Delete(_ context.Context, name string) error {
+	delete(s.definitions, name)
+	return nil
+}
+
+func (s *guardrailTestStore) Close() error { return nil }
+
+type guardrailExecutorFunc func(context.Context, *core.ChatRequest) (*core.ChatResponse, error)
+
+func (f guardrailExecutorFunc) ChatCompletion(ctx context.Context, req *core.ChatRequest) (*core.ChatResponse, error) {
+	return f(ctx, req)
+}
+
+func mustMarshalJSON(t *testing.T, value any) []byte {
+	t.Helper()
+	raw, err := json.Marshal(value)
+	if err != nil {
+		t.Fatalf("json.Marshal() error = %v", err)
+	}
+	return raw
+}
+
+func assertPipelineRewrite(t *testing.T, pipeline *guardrails.Pipeline, want string) {
+	t.Helper()
+	if pipeline == nil {
+		t.Fatal("pipeline = nil, want non-nil")
+	}
+
+	msgs, err := pipeline.Process(context.Background(), []guardrails.Message{{Role: "user", Content: "John Smith"}})
+	if err != nil {
+		t.Fatalf("pipeline.Process() error = %v", err)
+	}
+	if len(msgs) != 1 {
+		t.Fatalf("len(msgs) = %d, want 1", len(msgs))
+	}
+	if msgs[0].Content != want {
+		t.Fatalf("msgs[0].Content = %q, want %q", msgs[0].Content, want)
+	}
+}
+
 func TestServiceCreate_RefreshesSnapshot(t *testing.T) {
 	store := &staticStore{
 		versions: []Version{
diff --git a/internal/guardrails/provider.go b/internal/guardrails/provider.go
@@ -997,7 +997,7 @@ func applyMessagesToResponses(req *core.ResponsesRequest, msgs []Message) (*core
 }
 
 func applyMessagesToResponsesInput(original any, msgs []Message) (any, error) {
-	switch typed := original.(type) {
+	switch original.(type) {
 	case nil:
 		if len(msgs) != 0 {
 			return nil, core.NewInvalidRequestError("guardrails cannot add or remove responses input items", nil)
@@ -1014,8 +1014,6 @@ func applyMessagesToResponsesInput(original any, msgs []Message) (any, error) {
 			return "", nil
 		}
 		return msgs[0].Content, nil
-	default:
-		_ = typed
 	}
 
 	elements, err := coerceResponsesInputElements(original)
diff --git a/internal/responsecache/handle_request_test.go b/internal/responsecache/handle_request_test.go
@@ -112,6 +112,28 @@ func TestHandleInternalRequest_RejectsNilContext(t *testing.T) {
 	}
 }
 
+func TestHandleInternalRequest_RejectsNilMiddleware(t *testing.T) {
+	var m *ResponseCacheMiddleware
+
+	_, err := m.HandleInternalRequest(context.Background(), http.MethodPost, "/v1/chat/completions", []byte(`{}`), func(c *echo.Context) error {
+		return c.JSON(http.StatusOK, map[string]string{"ok": "1"})
+	})
+	if err == nil {
+		t.Fatal("HandleInternalRequest() error = nil, want provider error")
+	}
+
+	gatewayErr, ok := err.(*core.GatewayError)
+	if !ok {
+		t.Fatalf("HandleInternalRequest() error = %T, want *core.GatewayError", err)
+	}
+	if gatewayErr.Type != core.ErrorTypeProvider {
+		t.Fatalf("error type = %q, want %q", gatewayErr.Type, core.ErrorTypeProvider)
+	}
+	if gatewayErr.HTTPStatusCode() != http.StatusInternalServerError {
+		t.Fatalf("status code = %d, want %d", gatewayErr.HTTPStatusCode(), http.StatusInternalServerError)
+	}
+}
+
 func TestHandleInternalRequest_RejectsUninitializedEcho(t *testing.T) {
 	m := &ResponseCacheMiddleware{}
 
diff --git a/internal/responsecache/responsecache.go b/internal/responsecache/responsecache.go

Original file line number	Diff line number	Diff line change
`@@ -415,6 +415,13 @@ func New(ctx context.Context, cfg Config) (*App, error) {`
`415`	`415`	`}`
`416`	`416`	`return nil, fmt.Errorf("failed to wire internal guardrail executor: %w", err)`
`417`	`417`	`}`
	`418`	`+ if err := executionPlanResult.Service.Refresh(ctx); err != nil {`
	`419`	`+ closeErr := errors.Join(app.executionPlans.Close(), app.guardrails.Close(), app.authKeys.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())`
	`420`	`+ if closeErr != nil {`
	`421`	`+ return nil, fmt.Errorf("failed to refresh execution plans after wiring internal guardrail executor: %w (also: close error: %v)", err, closeErr)`
	`422`	`+ }`
	`423`	`+ return nil, fmt.Errorf("failed to refresh execution plans after wiring internal guardrail executor: %w", err)`
	`424`	`+ }`
`418`	`425`
`419`	`426`	`app.server = server.New(provider, serverCfg)`
`420`	`427`
Original file line number	Diff line number	Diff line change
`@@ -997,7 +997,7 @@ func applyMessagesToResponses(req core.ResponsesRequest, msgs []Message) (core`
`997`	`997`	`}`
`998`	`998`
`999`	`999`	`func applyMessagesToResponsesInput(original any, msgs []Message) (any, error) {`
`1000`		`- switch typed := original.(type) {`
	`1000`	`+ switch original.(type) {`
`1001`	`1001`	`case nil:`
`1002`	`1002`	`if len(msgs) != 0 {`
`1003`	`1003`	`return nil, core.NewInvalidRequestError("guardrails cannot add or remove responses input items", nil)`
`@@ -1014,8 +1014,6 @@ func applyMessagesToResponsesInput(original any, msgs []Message) (any, error) {`
`1014`	`1014`	`return "", nil`
`1015`	`1015`	`}`
`1016`	`1016`	`return msgs[0].Content, nil`
`1017`		`- default:`
`1018`		`- _ = typed`
`1019`	`1017`	`}`
`1020`	`1018`
`1021`	`1019`	`elements, err := coerceResponsesInputElements(original)`