AlinsRan opened a new pull request, #13489: URL: https://github.com/apache/apisix/pull/13489
### Description

When a content-security AI plugin is bound at the **Consumer** or **Service** level, it can receive requests it cannot inspect — plain HTTP traffic, non-JSON bodies, or requests that never passed through `ai-proxy`. Today the three plugins behave inconsistently in that situation:

| Plugin | Behavior on an unrecognized / non-AI request |
|--------|----------------------------------------------|
| `ai-aliyun-content-moderation` | returns `500 no ai instance picked` |
| `ai-prompt-guard` | silently allows the request (a security gap) |
| `ai-aws-content-moderation` | moderates the raw body |

This PR adds a shared helper `apisix/plugins/ai-protocols/binding.lua` exposing a `fail_mode` attribute (`skip` \| `warn` \| `error`, default `skip`) and a unified handler, and wires it into the three plugins:

- **`skip`** (default): the request passes through unchecked, logged at info level.
- **`warn`**: same as `skip`, plus a warning log.
- **`error`**: the request is rejected (fail-closed) — for bindings where every request must be an AI request.

With the default `skip`, a Consumer-bound AI plugin no longer breaks plain-HTTP / `multipart/form-data` traffic. The log reason is sanitized (control characters stripped, length capped) to avoid log forging, and Content-Type matching is case-insensitive.

#### Compatibility note

`fail_mode` is a new optional attribute, but its default (`skip`) intentionally changes the behavior on non-AI requests so the three plugins become consistent:

- `ai-aliyun-content-moderation`: previously `500` → now passes through (fixes the reported breakage).
- `ai-prompt-guard`: previously allowed → unchanged.
- `ai-aws-content-moderation`: previously moderated the raw body → now passes through.

Operators who need the old fail-closed behavior can set `"fail_mode": "error"`.

#### Which issue(s) this PR fixes:

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (new optional attribute; default-behavior change is documented above)
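
A sketch of the `fail_mode` handling and log-reason sanitization described in the pull request above, added here as an illustration; it is not the code from `apisix/plugins/ai-protocols/binding.lua`. The function names, the 128-character cap and the 400 status are assumptions, and the sample requests are constructed.

```lua
-- Added illustration, not the code in apisix/plugins/ai-protocols/binding.lua.
-- Function names, MAX_REASON_LEN and the 400 status are assumptions.
local MAX_REASON_LEN = 128

-- Strip control characters (CR, LF, NUL, ...) and cap the length so that
-- request-derived text cannot inject extra lines into the log.
local function sanitize_reason(reason)
    local clean = tostring(reason):gsub("%c", "")
    return clean:sub(1, MAX_REASON_LEN)
end

-- Case-insensitive media-type match; parameters after ";" are ignored.
local function is_json(content_type)
    if type(content_type) ~= "string" then
        return false
    end
    return content_type:lower():match("^%s*([^;%s]+)") == "application/json"
end

-- Returns nil to let the request pass, or status + body to reject it.
local function handle_uninspectable(fail_mode, reason, log)
    local msg = "request not inspected: " .. sanitize_reason(reason)
    if fail_mode == "error" then
        log("error", msg)                 -- log level here is an assumption
        return 400, { message = "request is not an inspectable AI request" }
    end
    log("info", msg)                      -- "skip" (default) and "warn"
    if fail_mode == "warn" then
        log("warn", msg)
    end
    return nil
end

-- Constructed sample requests (ct = Content-Type header value).
local samples = {
    { ct = "Application/JSON; charset=utf-8", mode = "skip" },
    { ct = "multipart/form-data; boundary=x", mode = "skip" },
    { ct = "text/plain\r\n2024/01/01 [error] forged entry", mode = "warn" },
    { ct = nil, mode = "error" },
}
local function log(level, msg) print(("[%s] %s"):format(level, msg)) end

for _, s in ipairs(samples) do
    if is_json(s.ct) then
        print("inspect body")
    else
        local status = handle_uninspectable(s.mode, "content-type=" .. tostring(s.ct), log)
        print(status and ("rejected with " .. status) or "passed through")
    end
end
```

The third sample carries a CR/LF pair followed by a fake log entry; after sanitization it is written as a single log line, so the forged entry cannot appear as a record of its own.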
