From ea22dc8b479fe3e66a94dd2ec47206eddd76f37b Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Tue, 31 Mar 2026 12:52:10 -0700
Subject: [PATCH] =?UTF-8?q?fix:=20recipes=20endpoint=20=E2=80=94=20inject?=
 =?UTF-8?q?=20session=20tier=20before=20all=20gate=20checks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/endpoints/recipes.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/api/endpoints/recipes.py b/app/api/endpoints/recipes.py
index d74cbe8..fedeabd 100644
--- a/app/api/endpoints/recipes.py
+++ b/app/api/endpoints/recipes.py
@@ -21,19 +21,20 @@ async def suggest_recipes(
 session: CloudUser = Depends(get_session),
 store: Store = Depends(get_store),
 ) -> RecipeResult:
+ # Inject session-authoritative tier/byok immediately — client-supplied values are ignored.
+ req = req.model_copy(update={"tier": session.tier, "has_byok": session.has_byok})
 if req.level == 4 and not req.wildcard_confirmed:
 raise HTTPException(
 status_code=400,
 detail="Level 4 (Wildcard) requires wildcard_confirmed=true.",
 )
- if req.level in (3, 4) and not can_use("recipe_suggestions", session.tier, session.has_byok):
+ if req.level in (3, 4) and not can_use("recipe_suggestions", req.tier, req.has_byok):
 raise HTTPException(
 status_code=403,
 detail="LLM recipe levels require Paid tier or a configured LLM backend.",
 )
- if req.style_id and not can_use("style_picker", session.tier):
+ if req.style_id and not can_use("style_picker", req.tier):
 raise HTTPException(status_code=403, detail="Style picker requires Paid tier.")
- req = req.model_copy(update={"tier": session.tier, "has_byok": session.has_byok})
 engine = RecipeEngine(store)
 return await asyncio.to_thread(engine.suggest, req)
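Review bot: The session override at the top of `suggest_recipes` is a per-handler convention, so the inbound request model presumably still accepts `tier` and `has_byok` from the client, and any other endpoint that omits the `model_copy` line would gate on client-supplied values; excluding those two fields from the client-facing schema (or using a separate internal request type) would enforce the rule at the boundary instead of in every handler. `model_copy(update=...)` also bypasses field validation, which is acceptable here only because both values come from the authenticated session — worth stating in the added comment, e.g. `# model_copy(update=) skips validation; safe only because both values come from the session, never the client.` A regression test that sends a level-3 request carrying a paid `tier` from a free-tier session and asserts the 403 would lock the fix in. The `style_picker` gate passes only `req.tier` while the `recipe_suggestions` gate also passes `req.has_byok`; if that asymmetry is intentional (BYOK does not unlock the style picker), a short comment would keep a future change from "fixing" it. The function's signature and the `req` parameter sit above the hunk.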