Support rejecting invalid requests (#57414)

* Only record prompt prefixes for .com actors

* Support blocking requests (behind a flag)

* Consistent cases

* Consistent naming

* Bad merge resolution

* Update cmd/cody-gateway/shared/config.go

Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>

* PR feedback

* Move flagging result, add GetModel()

* Export events about blocked requests

* Fix tests

* Minor fixes

---------

Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>

Author: rafax

cmd/cody-gateway/internal/httpapi/completions/anthropic.go

@@ -27,8 +27,11 @@ const anthropicAPIURL = "https://api.anthropic.com/v1/complete"
 const (
 	logPromptPrefixLength = 250
 
-	promptTokenLimit   = 18000
-	responseTokenLimit = 1000
+	promptTokenFlaggingLimit   = 18000
+	responseTokenFlaggingLimit = 1000
+
+	promptTokenBlockingLimit   = 20000
+	responseTokenBlockingLimit = 1000
 )
 
 func isFlaggedAnthropicRequest(tk *tokenizer.Tokenizer, ar anthropicRequest, promptRegexps []*regexp.Regexp) (*flaggingResult, error) {
@@ -44,7 +47,7 @@ func isFlaggedAnthropicRequest(tk *tokenizer.Tokenizer, ar anthropicRequest, pro
 	}
 
 	// If this request has a very high token count for responses, then flag it.
-	if ar.MaxTokensToSample > responseTokenLimit {
+	if ar.MaxTokensToSample > responseTokenFlaggingLimit {
 		reasons = append(reasons, "high_max_tokens_to_sample")
 	}
 
@@ -53,11 +56,16 @@ func isFlaggedAnthropicRequest(tk *tokenizer.Tokenizer, ar anthropicRequest, pro
 	if err != nil {
 		return &flaggingResult{}, errors.Wrap(err, "tokenize prompt")
 	}
-	if tokenCount > promptTokenLimit {
+	if tokenCount > promptTokenFlaggingLimit {
 		reasons = append(reasons, "high_prompt_token_count")
 	}
 
 	if len(reasons) > 0 {
+		blocked := false
+		if tokenCount > promptTokenBlockingLimit || ar.MaxTokensToSample > responseTokenBlockingLimit {
+			blocked = true
+		}
+
 		promptPrefix := ar.Prompt
 		if len(promptPrefix) > logPromptPrefixLength {
 			promptPrefix = promptPrefix[0:logPromptPrefixLength]
@@ -67,6 +75,7 @@ func isFlaggedAnthropicRequest(tk *tokenizer.Tokenizer, ar anthropicRequest, pro
 			maxTokensToSample: int(ar.MaxTokensToSample),
 			promptPrefix:      promptPrefix,
 			promptTokenCount:  tokenCount,
+			shouldBlock:       blocked,
 		}, nil
 	}
 
@@ -99,6 +108,7 @@ func NewAnthropicHandler(
 	maxTokensToSample int,
 	promptRecorder PromptRecorder,
 	allowedPromptPatterns []string,
+	requestBlockingEnabled bool,
 ) (http.Handler, error) {
 	// Tokenizer only needs to be initialized once, and can be shared globally.
 	anthropicTokenizer, err := tokenizer.NewAnthropicClaudeTokenizer()
@@ -132,6 +142,9 @@ func NewAnthropicHandler(
 					if err := promptRecorder.Record(ctx, ar.Prompt); err != nil {
 						logger.Warn("failed to record flagged prompt", log.Error(err))
 					}
+					if requestBlockingEnabled && result.shouldBlock {
+						return http.StatusBadRequest, result, errors.Errorf("request blocked - if you think this is a mistake, please contact support@sourcegraph.com")
+					}
 					return 0, result, nil
 				}
 
@@ -249,6 +262,10 @@ type anthropicRequest struct {
 	promptTokens *anthropicTokenCount
 }
 
+func (ar anthropicRequest) GetModel() string {
+	return ar.Model
+}
+
 type anthropicTokenCount struct {
 	count int
 	err   error
@@ -276,15 +293,3 @@ type anthropicResponse struct {
 	Completion string `json:"completion,omitempty"`
 	StopReason string `json:"stop_reason,omitempty"`
 }
-
-type flaggingResult struct {
-	blocked           bool
-	reasons           []string
-	promptPrefix      string
-	maxTokensToSample int
-	promptTokenCount  int
-}
-
-func (f *flaggingResult) IsFlagged() bool {
-	return f != nil
-}

cmd/cody-gateway/internal/httpapi/completions/anthropic_test.go

@@ -26,6 +26,7 @@ func TestIsFlaggedAnthropicRequest(t *testing.T) {
 		result, err := isFlaggedAnthropicRequest(tk, ar, []*regexp.Regexp{regexp.MustCompile(validPreamble)})
 		require.NoError(t, err)
 		require.True(t, result.IsFlagged())
+		require.False(t, result.shouldBlock)
 		require.Contains(t, result.reasons, "unknown_prompt")
 	})
 
@@ -41,21 +42,38 @@ func TestIsFlaggedAnthropicRequest(t *testing.T) {
 		result, err := isFlaggedAnthropicRequest(tk, ar, []*regexp.Regexp{})
 		require.NoError(t, err)
 		require.True(t, result.IsFlagged())
+		require.True(t, result.shouldBlock)
 		require.Contains(t, result.reasons, "high_max_tokens_to_sample")
 		require.Equal(t, int32(result.maxTokensToSample), ar.MaxTokensToSample)
 	})
-	t.Run("high prompt token count", func(t *testing.T) {
+	t.Run("high prompt token count (below block limit)", func(t *testing.T) {
 		tokenLengths, err := tk.Tokenize(validPreamble)
 		require.NoError(t, err)
 
 		validPreambleTokens := len(tokenLengths)
-		longPrompt := strings.Repeat("word ", promptTokenLimit+1)
+		longPrompt := strings.Repeat("word ", promptTokenFlaggingLimit+1)
 		ar := anthropicRequest{Model: "claude-2", Prompt: validPreamble + " " + longPrompt}
 		result, err := isFlaggedAnthropicRequest(tk, ar, []*regexp.Regexp{regexp.MustCompile(validPreamble)})
 		require.NoError(t, err)
 		require.True(t, result.IsFlagged())
+		require.False(t, result.shouldBlock)
 		require.Contains(t, result.reasons, "high_prompt_token_count")
-		require.Equal(t, result.promptTokenCount, validPreambleTokens+1+promptTokenLimit+1)
+		require.Equal(t, result.promptTokenCount, validPreambleTokens+1+promptTokenFlaggingLimit+1)
+	})
+
+	t.Run("high prompt token count (below block limit)", func(t *testing.T) {
+		tokenLengths, err := tk.Tokenize(validPreamble)
+		require.NoError(t, err)
+
+		validPreambleTokens := len(tokenLengths)
+		longPrompt := strings.Repeat("word ", promptTokenBlockingLimit+1)
+		ar := anthropicRequest{Model: "claude-2", Prompt: validPreamble + " " + longPrompt}
+		result, err := isFlaggedAnthropicRequest(tk, ar, []*regexp.Regexp{regexp.MustCompile(validPreamble)})
+		require.NoError(t, err)
+		require.True(t, result.IsFlagged())
+		require.True(t, result.shouldBlock)
+		require.Contains(t, result.reasons, "high_prompt_token_count")
+		require.Equal(t, result.promptTokenCount, validPreambleTokens+1+promptTokenBlockingLimit+1)
 	})
 }
 

cmd/cody-gateway/internal/httpapi/completions/fireworks.go

@@ -140,6 +140,10 @@ type fireworksRequest struct {
 	Stop        []string `json:"stop,omitempty"`
 }
 
+func (fr fireworksRequest) GetModel() string {
+	return fr.Model
+}
+
 type fireworksResponse struct {
 	Choices []struct {
 		Text         string `json:"text"`

cmd/cody-gateway/internal/httpapi/completions/openai.go

@@ -157,6 +157,10 @@ type openaiRequest struct {
 	User             string                 `json:"user,omitempty"`
 }
 
+func (r openaiRequest) GetModel() string {
+	return r.Model
+}
+
 type openaiUsage struct {
 	PromptTokens     int `json:"prompt_tokens"`
 	CompletionTokens int `json:"completion_tokens"`

cmd/cody-gateway/internal/httpapi/completions/upstream.go

@@ -73,7 +73,9 @@ type upstreamHandlerMethods[ReqT UpstreamRequest] struct {
 	parseResponseAndUsage func(log.Logger, ReqT, io.Reader) (promptUsage, completionUsage usageStats)
 }
 
-type UpstreamRequest interface{}
+type UpstreamRequest interface {
+	GetModel() string
+}
 
 func makeUpstreamHandler[ReqT UpstreamRequest](
 	baseLogger log.Logger,
@@ -167,6 +169,37 @@ func makeUpstreamHandler[ReqT UpstreamRequest](
 				if status == 0 {
 					response.JSONError(logger, w, http.StatusBadRequest, errors.Wrap(err, "invalid request"))
 				}
+				if flaggingResult.IsFlagged() && flaggingResult.shouldBlock {
+					requestMetadata := getFlaggingMetadata(flaggingResult, act)
+					err := eventLogger.LogEvent(
+						r.Context(),
+						events.Event{
+							Name:       codygateway.EventNameRequestBlocked,
+							Source:     act.Source.Name(),
+							Identifier: act.ID,
+							Metadata: mergeMaps(requestMetadata, map[string]any{
+								codygateway.CompletionsEventFeatureMetadataField: feature,
+								"model":    fmt.Sprintf("%s/%s", upstreamName, body.GetModel()),
+								"provider": upstreamName,
+
+								// Response details
+								"resolved_status_code": status,
+
+								// Request metadata
+								"prompt_token_count":   flaggingResult.promptTokenCount,
+								"max_tokens_to_sample": flaggingResult.maxTokensToSample,
+
+								// Actor details, specific to the actor Source
+								"sg_actor_id":            sgActorID,
+								"sg_actor_anonymous_uid": sgActorAnonymousUID,
+							}),
+						},
+					)
+					if err != nil {
+						logger.Error("failed to log event", log.Error(err))
+					}
+				}
+
 				response.JSONError(logger, w, status, err)
 				return
 			}
@@ -228,17 +261,7 @@ func makeUpstreamHandler[ReqT UpstreamRequest](
 						attribute.Int("resolvedStatusCode", resolvedStatusCode))
 				}
 				if flaggingResult.IsFlagged() {
-					// keep this for backwards-compatibility of abuse data
-					requestMetadata["flagged"] = true
-					flaggingMetadata := map[string]any{
-						"reason":  flaggingResult.reasons,
-						"blocked": flaggingResult.blocked,
-					}
-					// only record prompt prefixes for .com actors
-					if act.IsDotComActor() {
-						flaggingMetadata["promptPrefix"] = flaggingResult.promptPrefix
-					}
-					requestMetadata["flagging_result"] = flaggingMetadata
+					requestMetadata = mergeMaps(requestMetadata, getFlaggingMetadata(flaggingResult, act))
 				}
 				usageData := map[string]any{
 					"prompt_character_count":     promptUsage.characters,
@@ -357,6 +380,22 @@ func makeUpstreamHandler[ReqT UpstreamRequest](
 		}))
 }
 
+func getFlaggingMetadata(flaggingResult *flaggingResult, act *actor.Actor) map[string]any {
+	requestMetadata := map[string]any{}
+
+	requestMetadata["flagged"] = true
+	flaggingMetadata := map[string]any{
+		"reason":       flaggingResult.reasons,
+		"should_block": flaggingResult.shouldBlock,
+	}
+
+	if act.IsDotComActor() {
+		flaggingMetadata["prompt_prefix"] = flaggingResult.promptPrefix
+	}
+	requestMetadata["flagging_result"] = flaggingMetadata
+	return requestMetadata
+}
+
 func isAllowedModel(allowedModels []string, model string) bool {
 	for _, m := range allowedModels {
 		if strings.EqualFold(m, model) {
@@ -383,3 +422,15 @@ func mergeMaps(dst map[string]any, srcs ...map[string]any) map[string]any {
 	}
 	return dst
 }
+
+type flaggingResult struct {
+	shouldBlock       bool
+	reasons           []string
+	promptPrefix      string
+	maxTokensToSample int
+	promptTokenCount  int
+}
+
+func (f *flaggingResult) IsFlagged() bool {
+	return f != nil
+}

cmd/cody-gateway/internal/httpapi/handler.go

@@ -25,17 +25,18 @@ import (
 )
 
 type Config struct {
-	RateLimitNotifier              notify.RateLimitNotifier
-	AnthropicAccessToken           string
-	AnthropicAllowedModels         []string
-	AnthropicAllowedPromptPatterns []string
-	AnthropicMaxTokensToSample     int
-	OpenAIAccessToken              string
-	OpenAIOrgID                    string
-	OpenAIAllowedModels            []string
-	FireworksAccessToken           string
-	FireworksAllowedModels         []string
-	EmbeddingsAllowedModels        []string
+	RateLimitNotifier               notify.RateLimitNotifier
+	AnthropicAccessToken            string
+	AnthropicAllowedModels          []string
+	AnthropicAllowedPromptPatterns  []string
+	AnthropicRequestBlockingEnabled bool
+	AnthropicMaxTokensToSample      int
+	OpenAIAccessToken               string
+	OpenAIOrgID                     string
+	OpenAIAllowedModels             []string
+	FireworksAccessToken            string
+	FireworksAllowedModels          []string
+	EmbeddingsAllowedModels         []string
 }
 
 var meter = otel.GetMeterProvider().Meter("cody-gateway/internal/httpapi")
@@ -82,6 +83,7 @@ func NewHandler(
 			config.AnthropicMaxTokensToSample,
 			promptRecorder,
 			config.AnthropicAllowedPromptPatterns,
+			config.AnthropicRequestBlockingEnabled,
 		)
 		if err != nil {
 			return nil, errors.Wrap(err, "init Anthropic handler")

cmd/cody-gateway/shared/config.go

@@ -28,10 +28,11 @@ type Config struct {
 	}
 
 	Anthropic struct {
-		AllowedModels         []string
-		AccessToken           string
-		MaxTokensToSample     int
-		AllowedPromptPatterns []string
+		AllowedModels          []string
+		AccessToken            string
+		MaxTokensToSample      int
+		AllowedPromptPatterns  []string
+		RequestBlockingEnabled bool
 	}
 
 	OpenAI struct {
@@ -113,6 +114,7 @@ func (c *Config) Load() {
 	}
 	c.Anthropic.MaxTokensToSample = c.GetInt("CODY_GATEWAY_ANTHROPIC_MAX_TOKENS_TO_SAMPLE", "10000", "Maximum permitted value of maxTokensToSample")
 	c.Anthropic.AllowedPromptPatterns = splitMaybe(c.GetOptional("CODY_GATEWAY_ANTHROPIC_ALLOWED_PROMPT_PATTERNS", "Prompt patterns to allow."))
+	c.Anthropic.RequestBlockingEnabled = c.GetBool("CODY_GATEWAY_ANTHROPIC_REQUEST_BLOCKING_ENABLED", "false", "Whether we should block requests that match our blocking criteria.")
 
 	c.OpenAI.AccessToken = c.GetOptional("CODY_GATEWAY_OPENAI_ACCESS_TOKEN", "The OpenAI access token to be used.")
 	c.OpenAI.OrgID = c.GetOptional("CODY_GATEWAY_OPENAI_ORG_ID", "The OpenAI organization to count billing towards. Setting this ensures we always use the correct negotiated terms.")

cmd/cody-gateway/shared/main.go

@@ -149,17 +149,18 @@ func Main(ctx context.Context, obctx *observation.Context, ready service.ReadyFu
 			redis: redispool.Cache,
 		},
 		&httpapi.Config{
-			RateLimitNotifier:              rateLimitNotifier,
-			AnthropicAccessToken:           config.Anthropic.AccessToken,
-			AnthropicAllowedModels:         config.Anthropic.AllowedModels,
-			AnthropicMaxTokensToSample:     config.Anthropic.MaxTokensToSample,
-			AnthropicAllowedPromptPatterns: config.Anthropic.AllowedPromptPatterns,
-			OpenAIAccessToken:              config.OpenAI.AccessToken,
-			OpenAIOrgID:                    config.OpenAI.OrgID,
-			OpenAIAllowedModels:            config.OpenAI.AllowedModels,
-			FireworksAccessToken:           config.Fireworks.AccessToken,
-			FireworksAllowedModels:         config.Fireworks.AllowedModels,
-			EmbeddingsAllowedModels:        config.AllowedEmbeddingsModels,
+			RateLimitNotifier:               rateLimitNotifier,
+			AnthropicAccessToken:            config.Anthropic.AccessToken,
+			AnthropicAllowedModels:          config.Anthropic.AllowedModels,
+			AnthropicMaxTokensToSample:      config.Anthropic.MaxTokensToSample,
+			AnthropicAllowedPromptPatterns:  config.Anthropic.AllowedPromptPatterns,
+			AnthropicRequestBlockingEnabled: config.Anthropic.RequestBlockingEnabled,
+			OpenAIAccessToken:               config.OpenAI.AccessToken,
+			OpenAIOrgID:                     config.OpenAI.OrgID,
+			OpenAIAllowedModels:             config.OpenAI.AllowedModels,
+			FireworksAccessToken:            config.Fireworks.AccessToken,
+			FireworksAllowedModels:          config.Fireworks.AllowedModels,
+			EmbeddingsAllowedModels:         config.AllowedEmbeddingsModels,
 		})
 	if err != nil {
 		return errors.Wrap(err, "httpapi.NewHandler")

internal/codygateway/consts.go

@@ -20,6 +20,7 @@ const (
 	EventNameRateLimited         EventName = "RateLimited"
 	EventNameCompletionsFinished EventName = "CompletionsFinished"
 	EventNameEmbeddingsFinished  EventName = "EmbeddingsFinished"
+	EventNameRequestBlocked      EventName = "RequestBlocked"
 )
 
 const FeatureHeaderName = "X-Sourcegraph-Feature"