What version of eigent are you using?
0.0.90 (reproducible on main at c0a257f)
System information
- OS: Windows 11
- Node: 22.19.0
- Python: 3.12 (server)
Problem description
ProviderService.update() (server/app/domains/model_provider/service/provider_service.py:69) guards updates with a field whitelist that doesn't match the Provider ORM model:
_UPDATABLE_FIELDS = {"provider_name", "api_key", "api_base", "extra_config", "prefer", "is_vaild"}The real Provider fields are provider_name / model_type / api_key / endpoint_url / encrypted_config / prefer / is_vaild (server/app/model/provider/provider.py:30).
So the whitelist has:
| Whitelist entry |
Actual model field |
Result |
api_base |
doesn't exist (real field: endpoint_url) |
dead code |
extra_config |
doesn't exist (real field: encrypted_config) |
dead code |
| (missing) |
model_type |
silently rejected on update |
| (missing) |
endpoint_url |
silently rejected on update |
| (missing) |
encrypted_config |
silently rejected on update |
The loop uses setattr(model, key, value) without hasattr, so the typo'd entries silently no-op and the missing entries silently reject legitimate client updates.
Expected: editing model_type / endpoint_url / encrypted_config on an existing provider and clicking Save should persist the new values.
Actual: PUT /api/v1/provider/{id} returns 200 OK, but the DB row is unchanged for those three fields. Subsequent agent runs read the stale row.
Steps to reproduce:
- Go to Settings → Agent → Models → BYOK, pick any provider (e.g. OpenRouter).
- Save it with
model_type = claude-opus-4-6 and a valid API key. Set as default. Run a task — it uses Claude. ✅
- Edit the same card, change
model_type to gpt-4o, click Save. Validation passes, success toast appears.
- Run a task — it still uses Claude.
Same symptom for endpoint_url edits.
Workaround until fixed: delete the provider entry (Reset / Delete button on the card) and re-create it via POST /api/v1/provider (the create path uses Provider(**data) which populates all fields without a whitelist).
log
No specific log — the request returns 200 OK; the bug is silent data loss. No error in server logs.
Additional context
Root cause: introduced in PR #1509 (Feat: Server refactor v1) when the server/app/domains/... layout was first added. The H10 hardening intent (whitelist instead of blanket update) is correct; the field names just got out of sync with the ORM model.
Proposed fix: replace the whitelist with the actual Provider field names (which also match the ProviderIn request schema). The is_vaild typo is project-wide and kept as-is — out of scope for this fix.
Branch with the fix is ready: https://github.com/zhenjunchen-png/eigent/tree/fix/provider-update-allow-model-type — happy to open the PR once this is accepted.
What version of eigent are you using?
0.0.90 (reproducible on
mainat c0a257f)System information
Problem description
ProviderService.update()(server/app/domains/model_provider/service/provider_service.py:69) guards updates with a field whitelist that doesn't match theProviderORM model:The real
Providerfields areprovider_name / model_type / api_key / endpoint_url / encrypted_config / prefer / is_vaild(server/app/model/provider/provider.py:30).So the whitelist has:
api_baseendpoint_url)extra_configencrypted_config)model_typeendpoint_urlencrypted_configThe loop uses
setattr(model, key, value)withouthasattr, so the typo'd entries silently no-op and the missing entries silently reject legitimate client updates.Expected: editing
model_type/endpoint_url/encrypted_configon an existing provider and clicking Save should persist the new values.Actual: PUT
/api/v1/provider/{id}returns 200 OK, but the DB row is unchanged for those three fields. Subsequent agent runs read the stale row.Steps to reproduce:
model_type = claude-opus-4-6and a valid API key. Set as default. Run a task — it uses Claude. ✅model_typetogpt-4o, click Save. Validation passes, success toast appears.Same symptom for
endpoint_urledits.Workaround until fixed: delete the provider entry (Reset / Delete button on the card) and re-create it via POST
/api/v1/provider(the create path usesProvider(**data)which populates all fields without a whitelist).log
No specific log — the request returns 200 OK; the bug is silent data loss. No error in server logs.
Additional context
Root cause: introduced in PR #1509 (
Feat: Server refactor v1) when theserver/app/domains/...layout was first added. The H10 hardening intent (whitelist instead of blanket update) is correct; the field names just got out of sync with the ORM model.Proposed fix: replace the whitelist with the actual
Providerfield names (which also match theProviderInrequest schema). Theis_vaildtypo is project-wide and kept as-is — out of scope for this fix.Branch with the fix is ready: https://github.com/zhenjunchen-png/eigent/tree/fix/provider-update-allow-model-type — happy to open the PR once this is accepted.