feat(routing): pre-content failover, error cooldowns, tool-schema normalization, capability floors

[Gajesh2007]

Incident

An OpenRouter partner reported Gemma vision requests returning a role delta then {"error":{"message":"provider disconnected"}} with zero completion tokens. Root cause analysis (prod logs + live repro) found two compounding failure classes:

1. Deterministic template crash: requests carrying OpenAI tool schemas with nullable types ("type":["string","null"]) crashed Gemma's chat_template.jinja (Runtime error: upper filter requires string) on providers running pre-0.6.3 binaries. The coordinator retried 3×, but every retry landed on an identically-buggy provider — 6/6 partner requests failed after burning all attempts (42 errors in 42s in prod logs).
2. Premature commit: the dispatch loop committed to a provider on its first chunk — but that chunk is boilerplate (role-only delta) emitted before any failure-prone work. A provider dying during prefill surfaced an unretried in-band error even though zero bytes had been written to the client.

Fixes

• Deferred commit + pre-content failover (api/consumer.go): dispatch commits only on the first content-bearing chunk. Boilerplate (role-only delta, response.created/in_progress) buffers in a held-chunks queue; provider error/disconnect before content → invisible retry on another provider (status:retry_precontent). Side effects: the speculative TTFT race now measures real first tokens (boilerplate no longer falsely wins and cancels the backup), and a role-then-stall zombie is bounded by a 90s preamble→content budget (preambleContentTimeout) instead of the full 600s. Genuine AcceptedCh model-load waits keep the full window. In-band SSE errors remain possible only after real content has flowed — now alertable via inference.in_band_error.
• Inference-error circuit breaker (registry/error_cooldown.go): 2× sickness-shaped errors (500 = provider bug, 502 = disconnect flush, 504 = accepted-then-silent; 503 capacity/lifecycle signals exempt) per (provider, model) within 60s → 5-min routing cooldown; success clears. Accepted-then-silent timeout arms feed the breaker too.
• Capability version floors + render gate (registry/request_traits.go): tool-bearing requests route only to providers ≥ 0.6.3 (provider-side schema normalization, fix(provider): gemma-4 tool calls 500 on nullable (array-typed) schema fields #310) whose model doesn't advertise template_render_ok=false. Tools fail-fast mirrors the vision fail-fast: clean immediate 503 instead of a 120s queue stall when no capable provider exists. Retries soft-prefer a different provider binary version (Traits.AvoidVersion, never fail-closed).
• Coordinator-side tool-schema normalization (api/toolschema.go): Go port of the Swift ToolSchemaNormalization, extended to all three wire shapes — chat function.parameters, Responses-API flat parameters, Anthropic input_schema (broader than the provider-side normalizer, which covers only chat shape as of 0.6.4). Wired pre-parse in both handleChatCompletions and handleGenericInference, so lagging providers never see template-crashing shapes the moment the coordinator deploys.
• Provider template render self-check (Swift, ProviderCoreFoundation/TemplateRenderCheck.swift): at scan time, renders each model's chat template(s) against canonical fixtures (multimodal parts for vision models, post-normalization tools, tool-call/response flows) and advertises tri-state template_render_ok on the wire (false MUST encode — it is the routing signal). Protocol field mirrored in Go protocol/messages.go. Fences off future bad template publishes before they serve traffic.

Protocol changes

ModelInfo.template_render_ok (*bool, omitempty) added symmetrically to coordinator/protocol/messages.go and provider-swift/.../Protocol/Types.swift. Absent = pre-0.6.5 provider (no opinion); merge paths verified to preserve it.

Verification

• go test ./... — 19 packages green (incl. e2e testbed module); -race clean on api + registry; linux/amd64 cross-compile OK
• Swift: full non-live suite green (695 swift-testing + all XCTest, 18 new tests); swift-jinja 2.3.5 pinned as direct dep, Package.resolved unchanged
• New integration tests (fake WS providers): pre-content failover on error AND disconnect (the partner's exact case), post-content errors still surfaced (correctness boundary), boilerplate-then-clean-close, cooldown exclusion, tools version floor, template_render_ok gate, tools fail-fast latency, decrypted-body assertion proving normalized schemas reach providers
• Reviewed by two independent passes (Codex + Claude); all findings fixed: stranded provider-extra refunds on pre-commit errors, trait-blind capacity preflight, /v1/messages+/v1/completions bypass, 503-as-sickness breaker miscount, 504 stall arms not feeding the breaker

Follow-ups (not in this PR)

• Swift inbound normalizer parity for Responses-flat + Anthropic input_schema shapes (needs provider release)
• TTFT deadline estimation ignores image tokens (vision requests lean on the liveness extension)
• Mid-stream continuation failover for post-content provider deaths
• DD monitors/dashboards for inference.in_band_error, routing.cooldown_entered
• Provider version constants intentionally NOT bumped — no release cut here

🤖 Generated with Claude Code

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
d-inference	Ready	Preview	Jun 12, 2026 1:16am
d-inference-console-ui-dev	Ready	Preview	Jun 12, 2026 1:16am
d-inference-landing	Ready	Preview	Jun 12, 2026 1:16am

[github-actions]

This PR introduces shape-keyed inference error circuit-breaking and a serial-constrained vision-provider check; neither change weakens any existing mitigation, and the key-collision fix in inferenceErrorKey is a minor positive for T-034's integrity assumptions.

---

Trust Boundaries Touched

• TB-002 — coordinator-to-provider WebSocket (registry routing logic)
• TB-007 — provider inference engine (error circuit-breaker gating provider selection)

---

Threat Analysis

Threat	Assessment	Notes
T-034 — Provider runs modified code while advertising a trusted identity	ℹ️ Neutral	The CodeAttested gate in providerSupportsPrivateTextLocked is not touched by this diff. The routing chokepoint is unmodified. The comment in inferenceErrorStrikes that closes the "colon-collision" key note is defensive housekeeping — it does not alter the attestation path.
T-006 — Unauthenticated WebSocket connection floods provider registry	ℹ️ Neutral	New inferenceErrorStrikes and inferenceErrorCooldowns maps are guarded by r.mu (same as dispatchLoadCooldowns). No new unauthenticated entry points are opened.
T-007 / T-027 — Provider serves manipulated outputs / weight substitution	ℹ️ Neutral	Error circuit-breaker operates on 5xx routing failures, not on weight-hash mismatches. Fail-open weight-hash enforcement (SEC-007) is unchanged.

---

New Attack Surface

HasVisionProviderForModel variadic allowedSerials parameter (registry.go, new signature at line ~1706):

The function now builds an allowedSet map from caller-supplied serial strings and filters provider candidates against it. This is a net improvement (prevents false-positive capacity reports for constrained requests), but introduces one thing worth verifying in follow-on code review:

• Callers that pass zero serials still get the old unrestricted behavior (the len(allowedSet) > 0 guard at line ~1726). Confirm every call site that should be serial-constrained actually passes the serials — an omission silently falls back to the unconstrained check, which the commit message identifies as a "latent gap." This is not a threat-model violation on its own, but a mis-call would re-introduce the false-serviceable reporting the fix targets.

• RequestTraits{} zero value passed to QuickCapacityCheck at the RejectUnservableQueuedRequests call site (line ~2669): the comment explicitly documents this as the intended base-shape check. Acceptable, but worth confirming that downstream callers of RejectUnservableQueuedRequests for tool-heavy workloads don't rely on this to gate tool-capable routing (they should not — this path is only for fast-fail of clearly unservable queued requests).

Neither item is an exploitable vulnerability under the current threat model; both are correctness concerns that could become security-relevant if the routing logic evolves.

---

SEC-* Findings Resolved

None claimed by this PR. No open findings from the threat model are resolved by this diff.

---

🔐 Threat model: docs/threat-model.yaml · Updates on each push to this PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ea3c34b01d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Honor routing constraints in tool capability checks

When a tool request is constrained to a provider allowlist or exclusive self-route, this global capability check can be satisfied by an unrelated public provider while every allowed/owned provider is still rejected later by Traits.HasTools. The subsequent QuickCapacityCheck/selfRouteUnavailable paths are trait-blind, so those constrained requests can queue until timeout instead of failing fast with the intended tool-capability error. Please apply the same allowlist/self-route constraints when checking for a tool-capable provider, or make the preflight capacity check trait-aware.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Parse Responses boilerplate before matching by substring

If a chat-completion content delta contains the literal string response.created or response.in_progress, this returns true before parsing the chunk and the dispatcher treats real output as pre-content boilerplate. When that provider then errors or stalls before another content chunk, the held chunk is discarded/retried or timed out even though user-visible content had already been generated. Please identify Responses lifecycle events from their parsed event/type fields rather than a raw substring match.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Apply template-render failures beyond tools

When a 0.6.5+ provider advertises template_render_ok=false because the scan failed a plain-chat or multimodal fixture, this check still allows non-tool text/vision requests to route to that provider. Since renderOK folds all canonical fixture failures into the same boolean, a bad model publish that cannot render ordinary or image/video prompts is not fenced off unless the consumer also sends tools; either split the advertised result by capability or gate every request shape represented by the failed check.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep cooled pairs out of capacity preflight

When all otherwise-eligible providers for a model are in the new inference-error cooldown, ReserveProviderEx skips them here but QuickCapacityCheck and the queue preflight still count them as admissible because they do not consult inferenceErrorCooldowns. A fresh public request can therefore pass capacity preflight, fail to reserve any provider, and sit in the 120s queue until timeout instead of failing/retrying immediately. Mirror this cooldown in the capacity/queue admission path as well as in scheduler snapshots.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Feed preamble race timeouts into the breaker

In the speculative race path, if either provider emits only held boilerplate and then both racers miss the extended preamble-to-content deadline, this timeout arm cancels both attempts without calling noteInferenceError with the 504 that the single-provider acceptedWait path records. Repeated role-then-stall failures during speculative dispatch therefore never trip the new provider/model cooldown, so the same zombie pair can keep soaking retries. Record a 504 for any racer with held preamble before canceling it here.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not clear shape-specific cooldowns on any success

A clean non-tool request to the same provider/model reaches RecordInferenceSuccess and deletes the entire cooldown, even when the strikes came from a deterministic tool/template failure that the non-tool path never exercised. In mixed traffic this lets ordinary completions immediately re-enable routing of tool requests to the same broken provider before the TTL expires, causing the original failure loop to recur. Key the breaker by the failing request traits or only clear it on a success for the same shape that generated the strikes.

Useful? React with 👍 / 👎.

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: REQUEST_CHANGES

Security — ⚠️ SKIPPED

Error: Expecting property name enclosed in double quotes: line 2 column 2 (char 3)

Performance — 6 finding(s) (5 blocking)

• 🔵 [INFO] coordinator/api/consumer.go:1664 — Potential unbounded growth of heldChunks slice in dispatch loop
  • Suggestion: The heldChunks slice could grow without bounds if a provider sends many boilerplate chunks. Consider adding a size limit or timeout to prevent memory exhaustion.
• 🟡 [MEDIUM] coordinator/api/consumer.go:1943 — Repeated calls to isBoilerplateChunk() for each chunk
  • Suggestion: The isBoilerplateChunk() function performs JSON parsing on every chunk. Consider caching results or optimizing the parsing logic to avoid redundant work.
• 🔴 [CRITICAL] coordinator/api/toolschema.go:93-114 — JSON parsing and normalization on request hot path
  • Suggestion: NormalizeToolSchemas performs full JSON decode/encode on every request with tools. This blocks the request handler. Consider async processing or caching normalized schemas.
• 🟡 [MEDIUM] coordinator/api/toolschema.go:156-200 — Recursive traversal of tool schemas without depth limits
  • Suggestion: The injectDefaultTypes function recursively traverses nested schemas without depth limits, potentially causing stack overflow or excessive CPU usage on deeply nested schemas.
• 🟡 [MEDIUM] coordinator/registry/error_cooldown.go:95-105 — O(n) map cleanup operations in hot path
  • Suggestion: The opportunistic cleanup of expired entries iterates through all map entries when size exceeds 1024. Consider using a more efficient data structure like a time-ordered queue for cleanup.
• 🟡 [MEDIUM] coordinator/api/consumer.go:3855-3968 — JSON parsing in isBoilerplateChunk for every streaming chunk
  • Suggestion: The function parses JSON for every chunk to determine if it's boilerplate. Consider using string matching for common patterns before falling back to JSON parsing.

Type_diligence — ✅ No issues found

Additive_complexity — 8 finding(s) (5 blocking)

• 🟡 [MEDIUM] coordinator/api/consumer.go:1307-1316 — Tool schema normalization duplicated across endpoints
  • Suggestion: Extract NormalizeToolSchemas call to a shared middleware or helper function since it's identical in handleChatCompletions and handleGenericInference
• 🟡 [MEDIUM] coordinator/api/consumer.go:5224-5233 — Identical tool schema normalization in handleGenericInference
  • Suggestion: Consolidate with the identical block in handleChatCompletions - this is the same 10-line pattern repeated
• 🔵 [INFO] coordinator/api/consumer.go:162-175 — Inference error recording mixed with refund logic
  • Suggestion: Split noteDispatchProviderError into separate error recording and refund operations - the function does too many unrelated things
• 🔴 [CRITICAL] coordinator/api/consumer.go:1928-2818 — 890-line nested state machine in dispatch loop
  • Suggestion: Extract the speculative dispatch racing logic into separate functions - this single block handles too many scenarios and is hard to follow
• 🟡 [MEDIUM] coordinator/api/toolschema.go:1-317 — Complex tool schema normalization for simple fix
  • Suggestion: Consider if a simpler approach could handle the core issue - 317 lines to fix template crashes seems heavy for the problem scope
• 🔵 [INFO] coordinator/registry/error_cooldown.go:78-130 — Multiple cooldown parameters and complex sliding window
  • Suggestion: Consider if simpler exponential backoff or fixed cooldown would suffice - the sliding window adds complexity
• 🔵 [INFO] coordinator/registry/request_traits.go:47-59 — The capabilityVersionFloors map has only one entry ('tools': '0.6.3') - consider a simpler constant until more floors are needed
• 🟡 [MEDIUM] provider-swift/Sources/ProviderCoreFoundation/TemplateRenderCheck.swift:1-387 — 387-line template validation for startup check
  • Suggestion: Consider if a smaller subset of fixtures could catch the same issues - this adds significant startup overhead

14 finding(s) total, 10 blocking. Verdict: REQUEST_CHANGES.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

🔵 [INFO] ⚡ Potential unbounded growth of heldChunks slice in dispatch loop

💡 Suggestion: The heldChunks slice could grow without bounds if a provider sends many boilerplate chunks. Consider adding a size limit or timeout to prevent memory exhaustion.

📊 Score: 2×3 = 6 · Category: unbounded_allocation

[ethenotethan]

🟡 [MEDIUM] ⚡ Repeated calls to isBoilerplateChunk() for each chunk

💡 Suggestion: The isBoilerplateChunk() function performs JSON parsing on every chunk. Consider caching results or optimizing the parsing logic to avoid redundant work.

📊 Score: 3×4 = 12 · Category: repeated_work

[ethenotethan]

🔴 [CRITICAL] ⚡ JSON parsing and normalization on request hot path

💡 Suggestion: NormalizeToolSchemas performs full JSON decode/encode on every request with tools. This blocks the request handler. Consider async processing or caching normalized schemas.

📊 Score: 4×5 = 20 · Category: blocking_io

[ethenotethan]

🟡 [MEDIUM] ⚡ Recursive traversal of tool schemas without depth limits

💡 Suggestion: The injectDefaultTypes function recursively traverses nested schemas without depth limits, potentially causing stack overflow or excessive CPU usage on deeply nested schemas.

📊 Score: 3×4 = 12 · Category: inefficient_data_structures

[ethenotethan]

🟡 [MEDIUM] ⚡ O(n) map cleanup operations in hot path

💡 Suggestion: The opportunistic cleanup of expired entries iterates through all map entries when size exceeds 1024. Consider using a more efficient data structure like a time-ordered queue for cleanup.

📊 Score: 3×3 = 9 · Category: inefficient_data_structures

[ethenotethan]

🔴 [CRITICAL] 🧩 890-line nested state machine in dispatch loop

💡 Suggestion: Extract the speculative dispatch racing logic into separate functions - this single block handles too many scenarios and is hard to follow

📊 Score: 4×5 = 20 · Category: over-complexity

[ethenotethan]

🟡 [MEDIUM] 🧩 Complex tool schema normalization for simple fix

💡 Suggestion: Consider if a simpler approach could handle the core issue - 317 lines to fix template crashes seems heavy for the problem scope

📊 Score: 3×3 = 9 · Category: over-abstraction

[ethenotethan]

🔵 [INFO] 🧩 Multiple cooldown parameters and complex sliding window

💡 Suggestion: Consider if simpler exponential backoff or fixed cooldown would suffice - the sliding window adds complexity

📊 Score: 2×3 = 6 · Category: over-configuration

[ethenotethan]

🔵 [INFO] 🧩 The capabilityVersionFloors map has only one entry ('tools': '0.6.3') - consider a simpler constant until more floors are needed

📊 Score: 2×3 = 6 · Category: over-configuration

[ethenotethan]

🟡 [MEDIUM] 🧩 387-line template validation for startup check

💡 Suggestion: Consider if a smaller subset of fixtures could catch the same issues - this adds significant startup overhead

📊 Score: 3×3 = 9 · Category: over-complexity

[blacksmith-sh]

Found 1 test failure on Blacksmith runners:

Failure

Test	View Logs
github.com/eigeninference/d-inference/e2e/TestIntegration_ConcurrentRequests	View Logs

^{Need help on this PR? Tag /codesmith with what you need.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b9cc6769a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Clear inference cooldowns for fresh provider sessions

This new breaker state assumes provider IDs are per-session and only expires entries opportunistically, but Register already treats the same provider ID as reusable by clearing dispatchLoadCooldowns on re-registration. If a provider trips the inference breaker, restarts or updates to a fixed binary, and reconnects with the same ID, the stale (provider, model, shape) cooldown/strikes remain and routing will keep skipping that fresh session until the 5-minute TTL or strike window expires; clear these maps on re-registration/disconnect just like the dispatch-load cooldowns.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not floor out providers after central tool normalization

For tool requests when the available fleet is still on pre-0.6.3 binaries, this floor rejects every older provider before dispatch even though NormalizeToolSchemas now rewrites the exact nullable/missing type schemas that made those binaries crash. That makes the coordinator-side normalizer ineffective for its stated lagging-provider case and turns otherwise serviceable normalized tool calls into model_unavailable; either remove/relax this floor for centrally-normalized requests or gate on a capability those older providers truly lack.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Feed committed stream timeouts into the breaker

When a provider starts a Responses stream and then stalls until inferenceTimeout, this timeout path only refunds/emits an SSE error and never records the 504 with noteInferenceError. Repeated post-commit stalls from the same provider/model therefore never enter the new cooldown, so subsequent requests keep routing to the zombie pair; record a 504 here as the accepted/pre-content timeout paths do.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not clear cooldowns on incomplete zero-cost streams

If a stream closes without CompleteCh or ErrorCh on a zero-reservation request (exclusive self-route/free path, or billing disabled), refundReservedBalance returns false and this falls through to noteInferenceSuccess, clearing the provider/model cooldown even though the provider ended incompletely. That lets broken owned/free streams erase strikes and be routed again; treat missing completion as an error independent of whether there was money to refund.

Useful? React with 👍 / 👎.

[Gajesh2007]

Addressed the review (commit 757d9031)

Thanks @ethenotethan — went through every finding. Summary of what changed and the few I'm pushing back on with evidence.

Fixed (the substantive ones)

• CRITICAL "890-line nested state machine" → extracted into a focused coordinator/api/dispatch.go: a dispatchState struct + dispatchOutcome enum, with each former labeled wait-loop (firstChunkWait, noBackupWait, race + sub-waits, acceptedWait) now its own method orchestrated by run(). consumer.go shrank 5889 → 4475 lines. The extraction is purely structural — verified behavior-equivalent by two independent reviews (line-by-line old→new mapping + exact-count invariants: timers 9 NewTimer/35 Stop, refunds 11/5, cancelDispatch 36) and by the full failover/breaker/race suite + -race staying green and the passing-test set being byte-identical to before.
• MEDIUM "duplicated tool-schema normalization / preprocessing across endpoints" → de-duplicated into coordinator/api/inference_preprocess.go: parseInferencePrelude (read → normalize → parse → model-required → key allowlist) and visionToolsFailFast, both called by handleChatCompletions and handleGenericInference. Handler-specific bits (Responses-media reject, n>1, alias re-marshal, stripProviderRoutingFields, the capacity/503 ladder) stay per-handler — parameterized, not flattened.
• MEDIUM "recursive traversal without depth limits" (injectDefaultTypes) → added a maxToolSchemaDepth recursion ceiling (pathological/deeply-nested schemas can't blow the stack).
• CRITICAL "JSON re-encode on the request hot path" → NormalizeToolSchemas now returns the input bytes unchanged (no decode/re-encode) when nothing needs normalizing.

Respectfully pushing back (with evidence)

• "Potential unbounded growth of heldChunks" — there's already a hard cap: maxHeldBoilerplate = 8, enforced at all 8 append sites (len(heldChunks) < maxHeldBoilerplate). Bounded by design.
• "JSON parse on every streaming chunk" (isBoilerplateChunk) — it has a cheap pre-gate (only parses chunks containing "role" / a response. event prefix) and runs pre-commit only, not per content chunk. Negligible.
• "toolschema blocking_io on hot path → async/cache" — it's a CPU transform on KB-sized tool defs, gated by a "tools" byte-check and a 4 MiB cap; it's microseconds, not blocking I/O, and can't be async (it must complete before dispatch). The skip-re-encode above removes the no-op cost; depth-limit removes the pathological case.
• "O(n) cooldown cleanup" — only runs when the map exceeds 1024 entries (fleet ≈ 100) and mirrors the long-standing dispatchLoadCooldowns pattern.

go test ./... green (16 pkgs), -race clean on api+registry, linux/amd64 build OK, 49 named contract tests pass. Re-requesting your review.

[ethenotethan]

Automated Code Review — Layr-Labs/d-inference#

Verdict: REQUEST_CHANGES

Security — ✅ No issues found

Performance — 5 finding(s) (3 blocking)

• 🟡 [MEDIUM] coordinator/api/consumer.go:1575 — excludeProviders map allocated without size hint in hot dispatch path
  • Suggestion: Pre-allocate excludeProviders with estimated capacity based on maxDispatchAttempts: make(map[string]struct{}, maxDispatchAttempts)
• 🔵 [INFO] coordinator/api/dispatch.go:158-160 — backupExclude map grows without size hint during speculative dispatch
  • Suggestion: Pre-allocate backupExclude with known size: make(map[string]struct{}, len(excludeProviders)+1)
• 🟡 [MEDIUM] coordinator/registry/error_cooldown.go:115-118 — Sliding window filtering creates new slice on every error record
  • Suggestion: Reuse the existing slice by reslicing in-place: strikes = strikes[:kept_count] instead of creating new slice
• 🟡 [MEDIUM] coordinator/api/toolschema.go:139-141 — JSON re-encoding allocates new buffer without size hint
  • Suggestion: Pre-allocate buffer with input size hint: buf.Grow(len(body)) to reduce allocations during normalization
• 🔵 [INFO] coordinator/registry/scheduler.go:407-413 — Version-diverse retry creates new slice without capacity hint
  • Suggestion: Pre-allocate diverse slice with pool capacity: make([]*routingCandidate, 0, len(pool))

Type_diligence — 3 finding(s)

• 🔵 [INFO] coordinator/api/consumer.go:507 — Potential nil pointer dereference on pr.Timing without nil check
  • Suggestion: The nil check was added but should be consistent - either always check or ensure pr.Timing is never nil during construction
• 🔵 [INFO] coordinator/api/toolschema.go:282 — Function parameter uses bare any type
  • Suggestion: Consider using a more specific type like map[string]any or create a proper struct type for the node parameter
• 🔵 [INFO] coordinator/api/toolschema.go:295 — Function parameter uses bare any type
  • Suggestion: Consider using a more specific type like map[string]any or create a proper struct type for the node parameter

Additive_complexity — 7 finding(s) (4 blocking)

• 🔴 [CRITICAL] coordinator/api/dispatch.go:1-1553 — 1553-line dispatch.go file extracts inline dispatch loop into complex state machine
  • Suggestion: Consider keeping the dispatch logic inline or breaking into smaller, focused modules rather than one massive state machine file
• 🟡 [MEDIUM] coordinator/api/toolschema.go:1-361 — 361-line custom JSON schema normalization reimplements JSON processing
  • Suggestion: Evaluate if existing JSON schema libraries could handle this normalization instead of custom implementation
• 🔵 [INFO] coordinator/api/toolschema_test.go:1-1118 — 1118-line test file with repetitive test helper patterns
  • Suggestion: Extract common test setup patterns into shared helpers to reduce duplication
• 🟡 [MEDIUM] coordinator/api/failover_integration_test.go:1-786 — Large integration test file duplicates provider setup patterns
  • Suggestion: Extract fake provider harness into reusable test utilities shared across test files
• 🔵 [INFO] coordinator/registry/request_traits.go:27-48 — RequestTraits struct with multiple capability flags could grow complex
  • Suggestion: Consider a more extensible trait system if more request attributes will be added
• 🟡 [MEDIUM] coordinator/api/consumer.go:1575-1600 — Consumer handler delegates entire dispatch logic to external state machine
  • Suggestion: Keep core dispatch logic in the consumer handler and extract only reusable components
• 🔵 [INFO] coordinator/registry/error_cooldown.go:47-57 — Complex struct key for circuit breaker when string key might suffice
  • Suggestion: Consider if a well-formatted string key could replace the struct key while avoiding collisions

15 finding(s) total, 7 blocking. Verdict: REQUEST_CHANGES.

🤖 Automated review by Centaur · DAR-186

[ethenotethan]

🟡 [MEDIUM] ⚡ excludeProviders map allocated without size hint in hot dispatch path

💡 Suggestion: Pre-allocate excludeProviders with estimated capacity based on maxDispatchAttempts: make(map[string]struct{}, maxDispatchAttempts)

📊 Score: 2×4 = 8 · Category: unbounded allocations

[ethenotethan]

🔵 [INFO] ⚡ backupExclude map grows without size hint during speculative dispatch

💡 Suggestion: Pre-allocate backupExclude with known size: make(map[string]struct{}, len(excludeProviders)+1)

📊 Score: 2×3 = 6 · Category: unbounded allocations

[ethenotethan]

🟡 [MEDIUM] ⚡ Sliding window filtering creates new slice on every error record

💡 Suggestion: Reuse the existing slice by reslicing in-place: strikes = strikes[:kept_count] instead of creating new slice

📊 Score: 3×3 = 9 · Category: repeated work

[ethenotethan]

🟡 [MEDIUM] ⚡ JSON re-encoding allocates new buffer without size hint

💡 Suggestion: Pre-allocate buffer with input size hint: buf.Grow(len(body)) to reduce allocations during normalization

📊 Score: 2×4 = 8 · Category: unbounded allocations

[ethenotethan]

🔵 [INFO] ⚡ Version-diverse retry creates new slice without capacity hint

💡 Suggestion: Pre-allocate diverse slice with pool capacity: make([]*routingCandidate, 0, len(pool))

📊 Score: 2×3 = 6 · Category: unbounded allocations

[ethenotethan]

🔵 [INFO] 🧩 1118-line test file with repetitive test helper patterns

💡 Suggestion: Extract common test setup patterns into shared helpers to reduce duplication

📊 Score: 2×2 = 4 · Category: duplicate logic

[ethenotethan]

🟡 [MEDIUM] 🧩 Large integration test file duplicates provider setup patterns

💡 Suggestion: Extract fake provider harness into reusable test utilities shared across test files

📊 Score: 3×3 = 9 · Category: duplicate logic

[ethenotethan]

🔵 [INFO] 🧩 RequestTraits struct with multiple capability flags could grow complex

💡 Suggestion: Consider a more extensible trait system if more request attributes will be added

📊 Score: 2×3 = 6 · Category: over-configuration

[ethenotethan]

🟡 [MEDIUM] 🧩 Consumer handler delegates entire dispatch logic to external state machine

💡 Suggestion: Keep core dispatch logic in the consumer handler and extract only reusable components

📊 Score: 3×4 = 12 · Category: misplaced responsibility

[ethenotethan]

🔵 [INFO] 🧩 Complex struct key for circuit breaker when string key might suffice

💡 Suggestion: Consider if a well-formatted string key could replace the struct key while avoiding collisions

📊 Score: 2×2 = 4 · Category: over-abstraction

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 757d90313a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Try previous alias build before no-eligible 503

When an alias resolves to its Desired build, this new no-eligible branch now returns 503 for trait/cooldown rejections without first checking the alias Previous build. ResolveModel/ResolveModelConstrained are trait-blind for unconstrained requests, so a tool request can pick a Desired build that has base-routable providers but zero tool-eligible providers, while maybeFallbackAliasCapacity would find immediate capacity on Previous; because that helper is only called in the capacity-rejection branch above, the request fails even though the alias has a usable fallback. The same preflight pattern in handleGenericInference needs the same fallback check.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Key vision failures separately from base traffic

For image/video requests, RequiresVision is not part of RequestTraits, so CooldownShape() returns base for multimodal traffic. If a provider/model repeatedly 500s or 504s only on the VLM path (media decode, multimodal template, or vision prefill), the new breaker quarantines that provider for ordinary non-tool text too, and a clean text success also clears the vision strikes; that defeats the shape-keying this breaker relies on for deterministic request-shape failures. Please carry the vision trait into the cooldown key separately from base text.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep offline-capable requests queueable

This new no-eligible branch also catches the case where the model exists but all providers are currently offline/unregistered, because QuickCapacityCheck reports 0/0/0 for that state. Before this change the request reached the existing 120s queue and could be drained by DrainQueuedRequestsForProvider when a provider reconnected or re-attested; now it fails immediately with 503 even though the queue is specifically wired to be drained on provider availability. Please distinguish transiently offline providers from trait/cooldown-ineligible providers before bypassing the queue.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Bump provider version for template-render capability

This starts advertising the new template_render_ok capability, but the provider and coordinator fallback release versions still report 0.6.4, so old 0.6.4 binaries that never run this scan are indistinguishable from binaries with the new field. In rollout/update paths that compare provider versions, the fleet will not be forced onto the build that emits false for broken templates, while the coordinator continues treating nil as allowed; please bump the provider/coordinator release version with this protocol capability.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Gate self-route media on owned vision support

For exclusive self-route image/video requests, this condition skips the only vision-capability preflight, but the self-route preflight it relies on only checks that an owned provider serves the model, not that the owned build advertises is_vision. If a user routes media to their own text-only Mac, dispatch rejects the provider on RequiresVision and then queues until timeout as machine_busy instead of failing immediately with the vision-specific error; the owned-provider check needs to include the same vision gate before skipping the global fail-fast.

Useful? React with 👍 / 👎.