🐛 fix(agent): honor base URL overrides in Groq/OpenRouter validation + list local LLM providers in API keys settings

clubanderson · clubanderson · commit 7a18c29267a2 · 2026-04-15T20:01:39.000-04:00
Two small follow-ups on the local-LLM registration work in the
preceding commit:

1. Groq and OpenRouter key validation were hard-coded to hit the
   public hostnames (api.groq.com, openrouter.ai) even when
   GROQ_BASE_URL or OPENROUTER_BASE_URL redirected the runtime chat
   path at a local runner. That produced a false negative on the
   settings page for operators pointing Groq at a local Ollama or
   an internal corporate gateway. The validator now resolves the
   validation URL from the same base URL resolution helper the Chat
   method uses, so self-hosted and enterprise gateways validate
   correctly.

2. The APIKeySettings modal's PROVIDER_INFO map and
   providerToIconMap now include entries for the six local LLM
   runners (ollama, llamacpp, localai, vllm, lm-studio, rhaiis).
   The placeholder copy tells the operator which URL env var to
   set, since local runners typically run unauthenticated. A
   dedicated Base URL input field per provider is tracked as a
   follow-up issue.

Signed-off-by: Andrew Anderson &lt;andy@clubanderson.com&gt;
diff --git a/pkg/agent/provider_groq.go b/pkg/agent/provider_groq.go
@@ -33,12 +33,35 @@ const (
 	// via the GROQ_MODEL env var or the settings UI.
 	groqDefaultModel = "llama-3.3-70b-versatile"
 
-	// groqValidationURL is the Groq models listing endpoint. It returns
-	// 200 for any valid API key and 401 otherwise, so it's a cheap way to
-	// check credentials without spending tokens on a chat completion.
-	groqValidationURL = "https://api.groq.com/openai/v1/models"
+	// groqModelsPath is appended to the base URL to form the validation
+	// endpoint. Together with groqResolveBaseURL it lets the validator
+	// honor GROQ_BASE_URL so an operator pointing Groq at a local Ollama
+	// or an internal gateway does not get a false negative from a hit
+	// against the real Groq hostname (see groqValidationURL below).
+	groqModelsPath = "/models"
 )
 
+// groqResolveBaseURL returns the effective base URL for the Groq provider,
+// honoring the GROQ_BASE_URL override. Kept separate from NewGroqProvider so
+// package-level helpers (validation, tests) can consult the same resolution
+// without constructing a provider.
+func groqResolveBaseURL() string {
+	if v := os.Getenv("GROQ_BASE_URL"); v != "" {
+		return v
+	}
+	return groqDefaultBaseURL
+}
+
+// groqValidationURL returns the models listing endpoint relative to whatever
+// base URL the operator has configured. It returns 200 for any valid API key
+// and 401 otherwise, so it's a cheap way to check credentials without spending
+// tokens on a chat completion. When GROQ_BASE_URL points at a local runner,
+// the validator hits that runner's /models endpoint instead — so self-hosted
+// and enterprise gateways validate correctly (#tracking-validation-urls).
+func groqValidationURL() string {
+	return groqResolveBaseURL() + groqModelsPath
+}
+
 // GroqProvider implements AIProvider for Groq (https://groq.com).
 type GroqProvider struct {
 	baseURL string
diff --git a/pkg/agent/server_operations.go b/pkg/agent/server_operations.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"os"
 	"os/exec"
 	"strings"
 	"sync"
@@ -525,17 +526,29 @@ func validateOpenAIKey(ctx context.Context, apiKey string) (bool, error) {
 	return false, fmt.Errorf("API error: %s", string(body))
 }
 
-// openRouterValidationURL is the OpenRouter models listing endpoint. It
-// returns 200 for any valid API key and 401 otherwise, so it's a cheap way
-// to check credentials without spending tokens on a chat completion.
-const openRouterValidationURL = "https://openrouter.ai/api/v1/models"
+// openRouterDefaultValidationURL is the public OpenRouter models listing
+// endpoint. It returns 200 for any valid API key and 401 otherwise, so it's a
+// cheap way to check credentials without spending tokens on a chat completion.
+// When OPENROUTER_BASE_URL is set, the validation request is redirected to
+// that base URL's /models endpoint so operators with a self-hosted or corporate
+// OpenRouter proxy validate against their own endpoint, not the public one.
+const openRouterDefaultValidationURL = "https://openrouter.ai/api/v1/models"
+
+// openRouterValidationURL resolves the validation URL at call time so a
+// runtime OPENROUTER_BASE_URL override is honored.
+func openRouterValidationURL() string {
+	if base := os.Getenv("OPENROUTER_BASE_URL"); base != "" {
+		return strings.TrimRight(base, "/") + "/models"
+	}
+	return openRouterDefaultValidationURL
+}
 
 // validateOpenRouterKey tests an OpenRouter API key by hitting the models
 // listing endpoint. Mirrors validateOpenAIKey semantics: a 200 means valid,
 // 401 means invalid (cached as (false, nil) so we don't re-fire on every
 // startup — see #7923).
 func validateOpenRouterKey(ctx context.Context, apiKey string) (bool, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", openRouterValidationURL, nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", openRouterValidationURL(), nil)
 	if err != nil {
 		return false, err
 	}
@@ -565,7 +578,7 @@ func validateOpenRouterKey(ctx context.Context, apiKey string) (bool, error) {
 // valid, 401 means invalid (cached as (false, nil) so we don't re-fire on
 // every startup — see #7923).
 func validateGroqKey(ctx context.Context, apiKey string) (bool, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", groqValidationURL, nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", groqValidationURL(), nil)
 	if err != nil {
 		return false, err
 	}
diff --git a/web/src/components/agent/APIKeySettings.tsx b/web/src/components/agent/APIKeySettings.tsx
@@ -90,6 +90,34 @@ const PROVIDER_INFO: Record<string, { docsUrl: string; placeholder: string }> =
     docsUrl: AI_PROVIDER_DOCS.groq,
     placeholder: 'gsk_...',
   },
+  // Local LLM runners. Most do not require an API key — set the
+  // corresponding URL env var instead (see SECURITY-MODEL.md §3). The
+  // placeholder advises the operator how to configure the runner today;
+  // full UI support for base URL overrides is tracked as a follow-up.
+  ollama: {
+    docsUrl: 'https://ollama.com',
+    placeholder: 'Set OLLAMA_URL env var (no key needed)',
+  },
+  llamacpp: {
+    docsUrl: 'https://github.com/ggml-org/llama.cpp',
+    placeholder: 'Set LLAMACPP_URL env var (no key needed)',
+  },
+  localai: {
+    docsUrl: 'https://localai.io',
+    placeholder: 'Set LOCALAI_URL env var (no key needed)',
+  },
+  vllm: {
+    docsUrl: 'https://docs.vllm.ai',
+    placeholder: 'Set VLLM_URL env var (no key needed)',
+  },
+  'lm-studio': {
+    docsUrl: 'https://lmstudio.ai',
+    placeholder: 'Set LM_STUDIO_URL env var (no key needed)',
+  },
+  rhaiis: {
+    docsUrl: 'https://docs.redhat.com/en/documentation/red_hat_ai_inference_server/',
+    placeholder: 'Set RHAIIS_URL env var (no key needed)',
+  },
 }
 
 // Map backend provider key names to AgentIcon provider values
@@ -109,6 +137,13 @@ function providerToIconMap(provider: string): string {
     'open-webui': 'open-webui',
     openrouter: 'openrouter',
     groq: 'groq',
+    // Local LLM runners — provider key matches the icon key 1:1
+    ollama: 'ollama',
+    llamacpp: 'llamacpp',
+    localai: 'localai',
+    vllm: 'vllm',
+    'lm-studio': 'lm-studio',
+    rhaiis: 'rhaiis',
   }
   return map[provider] || provider
 }
