From e7d4a00f739057ff266659855b4e0496900e9e29 Mon Sep 17 00:00:00 2001
From: Guillem Arias
Date: Mon, 25 May 2026 20:39:27 +0200
Subject: [PATCH] fix(ai): valid Tailwind token + base_url URL validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Data-handling block in _llm_provider_selector swaps the invalid bg-surface-secondary token for bg-container-inset, matching the inset-card pattern used elsewhere in sure-design-system/components.css. bg-surface-secondary is not defined anywhere in the design system — Tailwind treated it as a no-op, so the block rendered with no background contrast.
- Settings::HostingsController validates anthropic_base_url as a URI::HTTP (catches https too) and raises Setting::ValidationError with a localized message when the input is not parseable. Previously any string was persisted, surfacing as an opaque connection error at request time instead of an immediate UX failure.
- Blank base_url now clears the setting (was already the case but exercised explicitly in tests now).
---
 .../settings/hostings_controller.rb | 11 +++++++++-
 .../hostings/_llm_provider_selector.html.erb | 2 +-
 config/locales/views/settings/hostings/en.yml | 1 +
 .../settings/hostings_controller_test.rb | 22 +++++++++++++++++++
 4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/app/controllers/settings/hostings_controller.rb b/app/controllers/settings/hostings_controller.rb
index 68661eaee..3583f5fd5 100644
--- a/app/controllers/settings/hostings_controller.rb
+++ b/app/controllers/settings/hostings_controller.rb
@@ -174,7 +174,16 @@ class Settings::HostingsController < ApplicationController
 end
 if hosting_params.key?(:anthropic_base_url)
- Setting.anthropic_base_url = hosting_params[:anthropic_base_url].presence
+ raw_base_url = hosting_params[:anthropic_base_url].to_s.strip
+ if raw_base_url.blank?
+ Setting.anthropic_base_url = nil
+ else
+ parsed = URI.parse(raw_base_url) rescue nil
+ unless parsed.is_a?(URI::HTTP)
+ raise Setting::ValidationError, t(".invalid_anthropic_base_url")
+ end
+ Setting.anthropic_base_url = raw_base_url
+ end
 end
 if hosting_params.key?(:anthropic_model)
diff --git a/app/views/settings/hostings/_llm_provider_selector.html.erb b/app/views/settings/hostings/_llm_provider_selector.html.erb
index 3b3406175..ddc8783f2 100644
--- a/app/views/settings/hostings/_llm_provider_selector.html.erb
+++ b/app/views/settings/hostings/_llm_provider_selector.html.erb
@@ -30,7 +30,7 @@
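Review bot: In app/controllers/settings/hostings_controller.rb the new `parsed.is_a?(URI::HTTP)` test checks only the scheme class, so host-less input such as `http:` should still pass it and be persisted as the base URL; tighten it to `unless parsed.is_a?(URI::HTTP) && parsed.host.present?`. The `rescue nil` modifier on the `URI.parse` line also swallows every StandardError rather than only parse failures, so rescuing `URI::InvalidURIError` explicitly would keep unrelated errors visible. Plain `http://` is accepted as well, and if this URL is where the Anthropic API key and prompts are sent (not visible in this hunk), that traffic would leave in cleartext, so consider requiring `https` for non-loopback hosts. The enclosing action starts and ends outside the hunk.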

<%= t(".provider_help") %>

<% end %> -
+

<%= t(".data_retention_heading") %>

<%= t(".data_retention_openai") %>

<%= t(".data_retention_anthropic") %>

diff --git a/config/locales/views/settings/hostings/en.yml b/config/locales/views/settings/hostings/en.yml
index 4917a0892..d0c872322 100644
--- a/config/locales/views/settings/hostings/en.yml
+++ b/config/locales/views/settings/hostings/en.yml
@@ -197,6 +197,7 @@ en:
 invalid_onboarding_state: Invalid onboarding state
 invalid_sync_time: Invalid sync time format. Please use HH:MM format (e.g., 02:30).
 invalid_llm_budget: "%{field} must be a whole number ≥ %{minimum}."
+ invalid_anthropic_base_url: Anthropic Base URL must be an http(s) URL.
 scheduler_sync_failed: Settings saved, but failed to update the sync schedule. Please try again or check the server logs.
 disconnect_external_assistant:
 external_assistant_disconnected: External assistant disconnected
diff --git a/test/controllers/settings/hostings_controller_test.rb b/test/controllers/settings/hostings_controller_test.rb
index 4c278b897..9ad32cc4a 100644
--- a/test/controllers/settings/hostings_controller_test.rb
+++ b/test/controllers/settings/hostings_controller_test.rb
@@ -101,6 +101,28 @@ class Settings::HostingsControllerTest < ActionDispatch::IntegrationTest
 end
 end
+ test "rejects non-URL anthropic base_url" do
+ with_self_hosting do
+ Setting.anthropic_base_url = nil
+
+ patch settings_hosting_url, params: { setting: { anthropic_base_url: "not-a-url" } }
+
+ assert_response :unprocessable_entity
+ assert_match(/Anthropic Base URL must be an http/, flash[:alert])
+ assert_nil Setting.anthropic_base_url
+ end
+ end
+
+ test "clears anthropic base_url when blank value submitted" do
+ with_self_hosting do
+ Setting.anthropic_base_url = "https://bedrock.example.com"
+
+ patch settings_hosting_url, params: { setting: { anthropic_base_url: "" } }
+
+ assert_nil Setting.anthropic_base_url
+ end
+ end
+
 test "can update llm_provider to anthropic" do
 with_self_hosting do
 patch settings_hosting_url, params: { setting: { llm_provider: "anthropic" } }
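Review bot: The rejection test in test/controllers/settings/hostings_controller_test.rb seeds `Setting.anthropic_base_url = nil` and then checks `assert_nil`, so it would also pass if invalid input wiped the stored value instead of leaving it untouched; seed a valid value such as `"https://bedrock.example.com"` and compare with `assert_equal` after the request. The only rejected input covered is the scheme-less `"not-a-url"`, so a case with a non-HTTP scheme (for example `"ftp://example.com"`) and one that fails to parse at all would pin both branches of the validator. No test visible here shows a valid http(s) value being persisted through the new code path, though one may exist elsewhere in the file. The last test shown, `can update llm_provider to anthropic`, continues outside the hunk.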