|
| 1 | +--- |
| 2 | +date: 2026-02-20 |
| 3 | +reviewer: codex |
| 4 | +branch: nm/overhaul-model-facade-guts |
| 5 | +sources: |
| 6 | + - plans/343/model-facade-overhaul-plan-review-codex.md |
| 7 | + - plans/343/model-facade-overhaul-plan-review-opus.md |
| 8 | +scope: |
| 9 | + - plans/343/model-facade-overhaul-plan-step-1.md |
| 10 | + - plans/343/model-facade-overhaul-plan-step-2-bedrock.md |
| 11 | +--- |
| 12 | + |
| 13 | +# Aggregated Plan Review (Agreed Feedback) |
| 14 | + |
| 15 | +## Verdict |
| 16 | + |
| 17 | +Request changes. The migration direction is solid, but several contradictions and missing contracts should be resolved before implementation. |
| 18 | + |
| 19 | +## Findings |
| 20 | + |
| 21 | +### HIGH: `completion`/`acompletion` response contract is not explicit enough for MCP compatibility |
| 22 | + |
| 23 | +Evidence: |
| 24 | +- Step 1 says keep methods/signatures and preserve MCP loop unchanged (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 25 | +- Step 1 also says ModelFacade will consume canonical response shapes and maps LiteLLM fields into canonical message fields (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 26 | +- Current MCP shape parity risk is explicitly called out (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 27 | + |
| 28 | +Recommendation: |
| 29 | +- Pick one explicit migration contract: |
| 30 | + 1. Refactor ModelFacade + MCP helpers to canonical response shape in PR-2, or |
| 31 | + 2. Keep LiteLLM-compatible response shape through bridge phase. |
| 32 | +- Add dedicated MCP parity tests (tool-call extraction/refusal/reasoning content) for the chosen contract. |
| 33 | + |
| 34 | +### HIGH: Adaptive throttling contract is internally inconsistent |
| 35 | + |
| 36 | +Evidence: |
| 37 | +- Shared hard cap is defined as `min(max_parallel_requests...)` across aliases (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 38 | +- Test plan also expects aliases on same provider/model to keep independent primary limits (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 39 | + |
| 40 | +Recommendation: |
| 41 | +- Choose one contract and align tests: |
| 42 | + 1. Shared hard cap across aliases (safest), or |
| 43 | + 2. Per-alias limits with optional shared pressure signal. |
| 44 | +- Remove contradictory assertions from the parity suite. |
| 45 | + |
| 46 | +### HIGH: Step 1 provider-type hardening conflicts with Step 2 Bedrock routing |
| 47 | + |
| 48 | +Evidence: |
| 49 | +- Step 1 Phase B constrains provider type enum to `openai` and `anthropic` (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 50 | +- Step 2 requires `provider_type == "bedrock"` factory routing (`plans/343/model-facade-overhaul-plan-step-2-bedrock.md`). |
| 51 | + |
| 52 | +Recommendation: |
| 53 | +- Keep `provider_type` extensible through Step 1 (or include `bedrock` in planned enum values). |
| 54 | +- Defer strict enum narrowing until after Bedrock support lands. |
| 55 | + |
| 56 | +### HIGH: Rollback safety is inconsistent with default-flip/removal sequencing |
| 57 | + |
| 58 | +Evidence: |
| 59 | +- PR slicing combines cutover default flip and LiteLLM removal in PR-6 (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 60 | +- Rollback guardrail promises backend flag toggle (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 61 | +- Phase 3 removes LiteLLM runtime path/dependency (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 62 | + |
| 63 | +Recommendation: |
| 64 | +- Separate default flip from dependency/path removal. |
| 65 | +- Keep bridge rollback path for at least one soak/release window after native default. |
| 66 | + |
| 67 | +### MEDIUM: Auth error mapping is ambiguous for `401/403` |
| 68 | + |
| 69 | +Evidence: |
| 70 | +- Step 1 maps `401/403` to `AUTHENTICATION | PERMISSION_DENIED` with no deterministic rule (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 71 | +- Step 2 has same ambiguity for STS failures (`plans/343/model-facade-overhaul-plan-step-2-bedrock.md`). |
| 72 | + |
| 73 | +Recommendation: |
| 74 | +- Define deterministic status/code mapping (default `401 -> AUTHENTICATION`, `403 -> PERMISSION_DENIED`) and document provider-specific exceptions. |
| 75 | +- Add explicit parity tests for this matrix. |
| 76 | + |
| 77 | +### MEDIUM: HTTP client lifecycle and pool sizing are underspecified |
| 78 | + |
| 79 | +Evidence: |
| 80 | +- HTTP adapter skeleton instantiates both sync/async httpx clients and exposes `close`/`aclose` (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 81 | +- Plan does not define owner/teardown integration or pool sizing policy. |
| 82 | + |
| 83 | +Recommendation: |
| 84 | +- Add lifecycle section specifying creation/ownership/teardown (factory, registry, or facade shutdown hook). |
| 85 | +- Define connection pool sizing relative to concurrency settings. |
| 86 | + |
| 87 | +### MEDIUM: `extra_body`/`extra_headers` precedence needs explicit contract |
| 88 | + |
| 89 | +Evidence: |
| 90 | +- Plan promises no precedence drift but does not state merge order (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 91 | +- Existing implementation has specific precedence rules (provider overrides for `extra_body`, provider replacement for `extra_headers`). |
| 92 | + |
| 93 | +Recommendation: |
| 94 | +- Document exact merge precedence and add regression tests for it. |
| 95 | + |
| 96 | +### MEDIUM: Anthropic capability statements conflict within Step 1 |
| 97 | + |
| 98 | +Evidence: |
| 99 | +- Anthropic adapter skeleton marks embeddings and image generation unsupported (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 100 | +- Capability matrix says Anthropic support is "Provider dependent" for those operations (`plans/343/model-facade-overhaul-plan-step-1.md`). |
| 101 | + |
| 102 | +Recommendation: |
| 103 | +- Align matrix with Step 1 implementation scope, or define exact conditions and gates for conditional support. |
0 commit comments