fix(native): narrow bridge canary defaults

Author: dwgx

docs/native-bridge-protocol-notes.md

@@ -3,6 +3,17 @@
 Status: reverse-engineering notes for the opt-in native bridge. Nothing here
 is a default production enablement decision.
 
+## Production Gate Status
+
+Default production canary scope is intentionally limited to
+`Bash` / `shell_command` / `run_command`.
+
+`Read`, `Grep`, and `Glob` stay in `TOOL_MAP` for protocol matrix testing, but
+they are not in the default native bridge tool allowlist. To test them, set
+`WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS=Read,Bash,Grep,Glob` or a narrower list
+for a gated account/API key/model. Do not treat successful protobuf
+encode/decode round-trips as production readiness.
+
 ## Confirmed Tool Config Fields
 
 `CascadeToolConfig`:

docs/releases/RELEASE_NOTES_2.0.123.md

@@ -0,0 +1,19 @@
+## v2.0.123 - Native bridge gate hardening and upstream deadline diagnostics
+
+- Native bridge default production canary scope is now limited to
+  `Bash` / `shell_command` / `run_command`. `Read`, `Grep`, and `Glob` remain
+  available for protocol matrix work, but require an explicit
+  `WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS=...` allowlist before they route through
+  native bridge.
+- Documented the distinction between protobuf encode/decode coverage and
+  production readiness in `docs/native-bridge-protocol-notes.md`.
+- `context deadline exceeded` / `Client.Timeout or context cancellation while
+  reading body` is now classified as `upstream_deadline_exceeded` with code
+  `windsurf_provider_deadline`, instead of being folded into generic transient
+  upstream errors.
+- Stream and non-stream paths both keep invalidating half-finished cascade reuse
+  entries after provider deadline failures.
+
+Verification:
+
+- `node --test test\*.test.js` passes: 1014/1014.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "windsurf-api",
-  "version": "2.0.122",
+  "version": "2.0.123",
   "description": "Windsurf to OpenAI + Anthropic compatible API proxy. Turns Windsurf's 107 AI models (Claude, GPT, Gemini, DeepSeek, Grok, Qwen, Kimi, GLM, SWE) into dual-protocol API endpoints. Zero npm deps.",
   "type": "module",
   "main": "src/index.js",

src/cascade-native-bridge.js

@@ -76,10 +76,12 @@ export const CASCADE_STEP = {
 export const CASCADE_STEP_STATUS_DONE = 3;
 
 const DEFAULT_NATIVE_BRIDGE_TOOLS = new Set([
-  'Read', 'read_file', 'view_file',
+  // Default scope is intentionally narrow: real smoke has only proven the
+  // command path stable enough for opt-in production canaries. Read/Grep/Glob
+  // translators remain in TOOL_MAP for protocol matrix work, but must be
+  // explicitly allowlisted with WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS before
+  // they are routed through the native bridge.
   'Bash', 'shell_command', 'run_command',
-  'Grep', 'grep_v2', 'grep_search', 'grep_search_v2',
-  'Glob', 'find', 'list_dir', 'list_directory',
 ]);
 
 // ─── argument translators ─────────────────────────────────────────

src/handlers/chat.js

@@ -99,6 +99,19 @@ async function internalErrorBackoff(retryIdx) {
   return ms;
 }
 
+const UPSTREAM_DEADLINE_RE = /context deadline exceeded|context cancellation while reading body|client\.timeout/i;
+
+export function isUpstreamDeadlineExceeded(errOrMessage) {
+  const msg = typeof errOrMessage === 'string'
+    ? errOrMessage
+    : String(errOrMessage?.message || '');
+  return UPSTREAM_DEADLINE_RE.test(msg);
+}
+
+function upstreamDeadlineExceededMessage(model) {
+  return `${model} hit the upstream Windsurf provider deadline (~240s): model thinking/output ran longer than the single Cascade stream window. This is not controlled by WindsurfAPI timeout env vars. Split the task, lower reasoning/max output, or use a faster model.`;
+}
+
 function upstreamTransientErrorMessage(model, triedCount, reason = 'internal_error') {
   const detail = reason === 'cascade_transport'
     ? 'Cascade/语言服务器 HTTP/2 流被取消'
@@ -2100,7 +2113,7 @@ async function _handleChatCompletionsInner(body, context = {}) {
     // rationale (cascade trajectory left half-broken, next reuse hits
     // it and the model "loses" the prior conversation).
     const _resultMsg = String(result.body?.error?.message || '');
-    if (/context deadline exceeded|context cancellation while reading body|client\.timeout/i.test(_resultMsg)) {
+    if (isUpstreamDeadlineExceeded(_resultMsg)) {
       reuseEntryDead = true;
     }
     lastErr = result;
@@ -2150,6 +2163,9 @@ async function _handleChatCompletionsInner(body, context = {}) {
       continue;
     }
     // Cascade transient 错误通常是上游或本地 LS 短暂抖动，先退避再切账号，避免连续打爆同一热窗口。
+    if (errType === 'upstream_deadline_exceeded') {
+      break;
+    }
     if (errType === 'upstream_internal_error' || errType === 'upstream_transient_error') {
       if (acct?._sticky && isExperimentalEnabled('stickyNoFallback')) {
         log.warn(`Chat[${reqId}]: ${acct.email} (sticky-bound) upstream transient error, stickyNoFallback enabled — not trying other accounts`);
@@ -2663,8 +2679,9 @@ async function nonStreamResponse(client, id, created, model, modelKey, messages,
     const isAuthFail = /unauthenticated|invalid api key|invalid_grant|permission_denied.*account/i.test(err.message);
     const isRateLimit = /rate limit|rate_limit|too many requests|quota/i.test(err.message);
     const isInternal = /internal error occurred.*error id/i.test(err.message);
+    const isDeadline = isUpstreamDeadlineExceeded(err);
     const isTransport = isCascadeTransportError(err);
-    const isTransient = isUpstreamTransientError(err, isInternal);
+    const isTransient = !isDeadline && isUpstreamTransientError(err, isInternal);
     // v2.0.61 (#113): Anthropic / OpenAI content-policy / verification
     // challenges are NOT transient — rotating accounts won't help and
     // wastes quota. Detect and short-circuit with a clean 451 + clear
@@ -2732,6 +2749,20 @@ async function nonStreamResponse(client, id, created, model, modelKey, messages,
         };
       }
     }
+    if (isDeadline) {
+      return {
+        status: 504,
+        reuseEntryInvalid: !!err.reuseEntryInvalid,
+        body: {
+          error: {
+            message: upstreamDeadlineExceededMessage(model),
+            type: 'upstream_deadline_exceeded',
+            code: 'windsurf_provider_deadline',
+            upstream_message: sanitizeText(err.message).slice(0, 240),
+          },
+        },
+      };
+    }
     return {
       status: isTransient ? 502 : (err.isModelError ? 403 : 502),
       reuseEntryInvalid: !!err.reuseEntryInvalid,
@@ -3452,14 +3483,15 @@ function streamResponse(id, created, model, modelKey, provider, messages, cascad
             // result with no earlier user prompts ("I can see the
             // content from a previous tool call ... but I don't have
             // the earlier conversation context").
-            if (/context deadline exceeded|context cancellation while reading body|client\.timeout/i.test(err.message || '')) {
+            const isDeadline = isUpstreamDeadlineExceeded(err);
+            if (isDeadline) {
               reuseEntryDead = true;
             }
             const isAuthFail = /unauthenticated|invalid api key|invalid_grant|permission_denied.*account/i.test(err.message);
             const isRateLimit = /rate limit|rate_limit|too many requests|quota/i.test(err.message);
             const isInternal = /internal error occurred.*error id/i.test(err.message);
             const isTransport = isCascadeTransportError(err);
-            const isTransient = isUpstreamTransientError(err, isInternal);
+            const isTransient = !isDeadline && isUpstreamTransientError(err, isInternal);
             // v2.0.61 (#113) — same policy detection as nonStreamResponse.
             const isPolicyBlocked = /cyber\s*verification|content[\s_-]+policy|policy[\s_-]+(?:violation|blocked|denied)|safety[\s_-]+(?:policy|blocked)|prompt[\s_-]+(?:rejected|blocked)\s+by[\s_-]+policy|usage[\s_-]+policy[\s_-]+violation/i.test(err.message);
             if (isAuthFail) reportError(currentApiKey);
@@ -3511,6 +3543,11 @@ function streamResponse(id, created, model, modelKey, provider, messages, cascad
               log.warn(`Chat[${reqId}] stream: policy_blocked on ${currentApiKey?.slice(0, 12)}..., not retrying`);
               break;
             }
+            if (isDeadline) {
+              err.type = 'upstream_deadline_exceeded';
+              err.code = 'windsurf_provider_deadline';
+              break;
+            }
             // Retry only if nothing has been streamed yet AND it's a retryable error
             if (!hadSuccess && (err.isModelError || isRateLimit)) {
               if (acct?._sticky && isExperimentalEnabled('stickyNoFallback')) {
@@ -3546,10 +3583,13 @@ function streamResponse(id, created, model, modelKey, provider, messages, cascad
           const rl = isAllRateLimited(modelKey);
           const allInternal = streamInternalCount > 0 && tried.length > 0 && streamInternalCount >= tried.length;
           const poolExhausted = isLsPoolExhausted(lastErr);
+          const deadlineExceeded = isUpstreamDeadlineExceeded(lastErr) || lastErr?.type === 'upstream_deadline_exceeded';
           // 优先暴露 upstream_transient，避免把 Cascade transport 抖动误报成账号限流。
           const lastIsTransport = isCascadeTransportError(lastErr);
           const errMsg = allInternal
             ? upstreamTransientErrorMessage(model, tried.length, lastIsTransport ? 'cascade_transport' : 'internal_error')
+            : deadlineExceeded
+            ? upstreamDeadlineExceededMessage(model)
             : poolExhausted
             ? sanitizeText(lastErr?.message || 'language server pool exhausted')
             : temporaryUnavailable.allUnavailable
@@ -3576,22 +3616,26 @@ function streamResponse(id, created, model, modelKey, provider, messages, cascad
             // go to the server log.
             const errType = allInternal
               ? 'upstream_transient_error'
+              : deadlineExceeded
+                ? 'upstream_deadline_exceeded'
               : poolExhausted
                 ? 'ls_pool_exhausted'
               : (temporaryUnavailable.allUnavailable || lastErr?.type === 'rate_limit_exceeded')
                 ? 'rate_limit_exceeded'
                 : 'upstream_error';
-            send(chatStreamError(errMsg, errType));
+            send(chatStreamError(errMsg, errType, deadlineExceeded ? 'windsurf_provider_deadline' : null));
             log.warn(`Stream: partial response delivered then failed (${errMsg})`);
           } else {
             const errType = allInternal
               ? 'upstream_transient_error'
+              : deadlineExceeded
+                ? 'upstream_deadline_exceeded'
               : poolExhausted
                 ? 'ls_pool_exhausted'
               : (temporaryUnavailable.allUnavailable || lastErr?.type === 'rate_limit_exceeded')
                 ? 'rate_limit_exceeded'
                 : 'upstream_error';
-            send(chatStreamError(errMsg, errType));
+            send(chatStreamError(errMsg, errType, deadlineExceeded ? 'windsurf_provider_deadline' : null));
           }
           res.write('data: [DONE]\n\n');
         } catch {}

test/cascade-native-bridge.test.js

@@ -34,8 +34,16 @@ import {
 const fnTool = (name) => ({ type: 'function', function: { name, parameters: { type: 'object' } } });
 
 describe('canMapAllTools', () => {
-  it('admits a homogeneous mapped set', () => {
-    assert.equal(canMapAllTools([fnTool('Read'), fnTool('Bash'), fnTool('Glob')]), true);
+  it('admits only mature default-native tools without an explicit tool allowlist', () => {
+    const prev = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+    delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+    try {
+      assert.equal(canMapAllTools([fnTool('Bash'), fnTool('shell_command'), fnTool('run_command')]), true);
+      assert.equal(canMapAllTools([fnTool('Read'), fnTool('Bash'), fnTool('Glob')]), false);
+    } finally {
+      if (prev === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+      else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = prev;
+    }
   });
 
   it('rejects when ANY tool is unmapped', () => {
@@ -48,12 +56,29 @@ describe('canMapAllTools', () => {
     assert.equal(canMapAllTools(undefined), false);
   });
 
-  it('admits Codex-style cascade-native names', () => {
-    assert.equal(canMapAllTools([fnTool('view_file'), fnTool('run_command'), fnTool('find')]), true);
+  it('admits Codex-style command names by default and other native names only when allowlisted', () => {
+    const prev = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+    delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+    try {
+      assert.equal(canMapAllTools([fnTool('run_command')]), true);
+      assert.equal(canMapAllTools([fnTool('view_file'), fnTool('run_command'), fnTool('find')]), false);
+      process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = 'view_file,run_command,find';
+      assert.equal(canMapAllTools([fnTool('view_file'), fnTool('run_command'), fnTool('find')]), true);
+    } finally {
+      if (prev === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+      else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = prev;
+    }
   });
 
-  it('admits mixed Claude Code + Codex names', () => {
-    assert.equal(canMapAllTools([fnTool('Read'), fnTool('run_command'), fnTool('Grep')]), true);
+  it('admits mixed Claude Code + Codex names when explicitly allowlisted', () => {
+    const prev = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+    process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = 'Read,run_command,Grep';
+    try {
+      assert.equal(canMapAllTools([fnTool('Read'), fnTool('run_command'), fnTool('Grep')]), true);
+    } finally {
+      if (prev === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+      else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = prev;
+    }
   });
 });
 
@@ -119,7 +144,9 @@ describe('shouldUseNativeBridge — auto-on heuristic', () => {
 
   it('explicit env override forces on for any mapped tool set (deployer opting into remote execution)', () => {
     const orig = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE;
+    const toolsOrig = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
     process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE = '1';
+    process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = 'Read,Bash';
     try {
       assert.equal(
         shouldUseNativeBridge(tools, { modelKey: 'claude-sonnet-4-6', provider: 'anthropic', route: 'chat' }),
@@ -133,12 +160,16 @@ describe('shouldUseNativeBridge — auto-on heuristic', () => {
     } finally {
       if (orig === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE;
       else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE = orig;
+      if (toolsOrig === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+      else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = toolsOrig;
     }
   });
 
   it('all_mapped mode enables only when every function tool maps', () => {
     const orig = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE;
+    const toolsOrig = process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
     process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE = 'all_mapped';
+    process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = 'Read,Bash,Grep,Glob';
     try {
       assert.equal(
         shouldUseNativeBridge([fnTool('Read'), fnTool('Bash'), fnTool('Grep'), fnTool('Glob')], {
@@ -155,6 +186,8 @@ describe('shouldUseNativeBridge — auto-on heuristic', () => {
     } finally {
       if (orig === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE;
       else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE = orig;
+      if (toolsOrig === undefined) delete process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS;
+      else process.env.WINDSURFAPI_NATIVE_TOOL_BRIDGE_TOOLS = toolsOrig;
     }
   });
 
@@ -639,10 +672,11 @@ describe('partitionTools — v2.0.66 mixed-mapping splitter', () => {
     assert.equal(part.unmapped.length, 2);
   });
 
-  it('Claude Code-style (all mapped) → unmapped is empty', () => {
+  it('Claude Code-style tools keep Read/Glob out of the default native scope', () => {
     const part = partitionTools([fnTool('Read'), fnTool('Bash'), fnTool('Glob')]);
     assert.equal(part.hasAny, true);
-    assert.equal(part.unmapped.length, 0);
+    assert.deepEqual(part.mapped.map(t => t.function.name), ['Bash']);
+    assert.deepEqual(part.unmapped.map(t => t.function.name), ['Read', 'Glob']);
   });
 
   it('skips non-function entries gracefully', () => {
@@ -652,8 +686,8 @@ describe('partitionTools — v2.0.66 mixed-mapping splitter', () => {
       { type: 'function' },                 // missing function.name
       { type: 'function', function: { name: '' } },
     ]);
-    assert.equal(part.mapped.length, 1);
-    assert.equal(part.unmapped.length, 0);
+    assert.equal(part.mapped.length, 0);
+    assert.equal(part.unmapped.length, 1);
   });
 });
 
@@ -689,7 +723,7 @@ describe('TOOL_MAP — codex CLI 0.128 shell_command mapping (v2.0.66)', () => {
 describe('canMapAllTools (legacy strict gate, kept for compat)', () => {
   it('still returns false when ANY tool is unmapped', () => {
     assert.equal(canMapAllTools([fnTool('Read'), fnTool('get_weather')]), false);
-    assert.equal(canMapAllTools([fnTool('Read'), fnTool('Bash'), fnTool('Glob')]), true);
+    assert.equal(canMapAllTools([fnTool('Read'), fnTool('Bash'), fnTool('Glob')]), false);
   });
 });
 

test/cascade-timeout-invalidation.test.js

@@ -37,12 +37,8 @@ describe('upstream-timeout cascade invalidation (#101)', () => {
     const m = CHAT_JS.match(/lastErr = err;\s+reuseEntry = null;[\s\S]{0,1500}?const isAuthFail = /);
     assert.ok(m, 'stream catch block region not found — refactor may have changed shape');
     const region = m[0];
-    assert.match(region, /context deadline exceeded/i,
-      'stream timeout regex must mention "context deadline exceeded"');
-    assert.match(region, /context cancellation while reading body/i,
-      'stream timeout regex must mention "context cancellation while reading body"');
-    assert.match(region, /client\\?\.timeout/i,
-      'stream timeout regex must include Client.Timeout fallback');
+    assert.match(region, /isUpstreamDeadlineExceeded\(err\)/,
+      'stream timeout branch must use the shared upstream deadline classifier');
     assert.match(region, /reuseEntryDead = true/,
       'stream timeout branch must set reuseEntryDead = true');
   });
@@ -56,12 +52,20 @@ describe('upstream-timeout cascade invalidation (#101)', () => {
     const m = CHAT_JS.match(/if \(result\.reuseEntryInvalid\) reuseEntryDead = true;[\s\S]{0,800}?lastErr = result;/);
     assert.ok(m, 'non-stream invalidation region not found — refactor may have changed shape');
     const region = m[0];
-    assert.match(region, /context deadline exceeded/i);
-    assert.match(region, /context cancellation while reading body/i);
-    assert.match(region, /client\\?\.timeout/i);
+    assert.match(region, /isUpstreamDeadlineExceeded\(_resultMsg\)/,
+      'non-stream timeout branch must use the shared upstream deadline classifier');
     assert.match(region, /reuseEntryDead = true/);
   });
 
+  test('shared classifier keeps all upstream deadline patterns', () => {
+    const m = CHAT_JS.match(/const UPSTREAM_DEADLINE_RE = ([^\n;]+);/);
+    assert.ok(m, 'shared upstream deadline regex not found');
+    const pattern = m[1];
+    assert.match(pattern, /context deadline exceeded/i);
+    assert.match(pattern, /context cancellation while reading body/i);
+    assert.match(pattern, /client\\?\.timeout/i);
+  });
+
   test('regex actually matches the user-reported error message verbatim', () => {
     // Real error from #101:
     //   "Encountered retryable error from model provider: context