fix(ai-lakera-guard): streaming alert mode honors fail_open on Lakera errors #13622

Merged
nic-6443 merged 1 commit into apache:master from janiussyafiq:fix/13619-lakera-streaming-alert-failclosed
Jun 30, 2026

janiussyafiq (Contributor) commented Jun 29, 2026

Description

Streaming action=alert discarded the response scan's deny result, so a Lakera error/timeout with fail_open=false leaked the streamed response instead of failing closed — contradicting the action contract that "Lakera API errors/timeouts stay governed by fail_open even in alert mode".

Alert mode now buffers the stream when fail_open=false so a Lakera error/timeout fails closed, while a flagged verdict is still released and only logged (shadow-mode semantics unchanged). With fail_open=true, alert keeps streaming live since nothing can block. Non-streaming and block paths are unchanged.

Which issue(s) this PR fixes:

Fixes #13619

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
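
The alert-mode streaming behaviour described in the PR description above, as an added Lua model; it is not code from this PR or from APISIX. `deliver_alert_stream`, `scan`, the scanners and the sample chunks are hypothetical, and scanning once over the whole response is a simplification.

```lua
-- Added model of the streaming alert-mode policy; not the plugin's code.
-- scan(text) is a hypothetical stand-in: it returns "clean" or "flagged",
-- or raises an error to represent a Lakera API error or timeout.
local function deliver_alert_stream(chunks, fail_open, scan)
    local sent, log = {}, {}

    if fail_open then
        -- Nothing can block, so chunks go to the client live.
        for _, c in ipairs(chunks) do sent[#sent + 1] = c end
        local ok, verdict = pcall(scan, table.concat(chunks))
        if not ok then
            log[#log + 1] = "scan error ignored (fail_open=true)"
        elseif verdict == "flagged" then
            log[#log + 1] = "flagged (alert only)"
        end
        return sent, log
    end

    -- fail_open=false: hold every chunk until the scan has answered.
    local buffer = {}
    for _, c in ipairs(chunks) do buffer[#buffer + 1] = c end
    local ok, verdict = pcall(scan, table.concat(buffer))
    if not ok then
        -- Error or timeout: fail closed, release nothing.
        log[#log + 1] = "scan error, response withheld (fail_open=false)"
        return sent, log
    end
    if verdict == "flagged" then
        -- Shadow mode: a flagged verdict is logged, never blocked.
        log[#log + 1] = "flagged (alert only)"
    end
    for _, c in ipairs(buffer) do sent[#sent + 1] = c end
    return sent, log
end

-- Constructed sample stream and scan outcomes.
local chunks = { "Hello", ", ", "world" }
local scanners = {
    clean   = function() return "clean" end,
    flagged = function() return "flagged" end,
    failed  = function() error("timeout") end,
}

for _, fail_open in ipairs({ true, false }) do
    for _, name in ipairs({ "clean", "flagged", "failed" }) do
        local sent, log = deliver_alert_stream(chunks, fail_open, scanners[name])
        print(string.format("fail_open=%-5s scan=%-7s sent=%d chunks  log=%s",
            tostring(fail_open), name, #sent, log[1] or "-"))
    end
end
```

Of the six combinations, only `fail_open=false` with a failed scan delivers zero chunks; a flagged verdict is released and logged in both settings.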

dosubot (bot) added the size:L and bug labels Jun 29, 2026
Comment thread apisix/plugins/ai-lakera-guard.lua

membphis (Member) left a comment

Code review looks good to me. Please make sure CI is green before merging.

nic-6443 merged commit 6333d93 into apache:master Jun 30, 2026
29 of 31 checks passed
janiussyafiq deleted the fix/13619-lakera-streaming-alert-failclosed branch June 30, 2026 07:05

Labels

bug (Something isn't working)
size:L (This PR changes 100-499 lines, ignoring generated files.)

Development

Successfully merging this pull request may close these issues.

bug: ai-lakera-guard streaming action=alert ignores fail_open=false (fail-closed) on Lakera errors
