Gitpulse
Merged
Size
S
Change Breakdown
Bug Fix75%
Security20%
Docs5%
#66692fix(audio): restore allowPrivateNetwork for self-hosted STT endpoints (v2026.4.14 regression)

Private network access restored for STT endpoints

JH
jhsmith409
·Apr 15, 2026

Self-hosted speech-to-text endpoints on private or LAN IPs can be accessed again after a v2026.4.14 regression was silently dropping the allowPrivateNetwork configuration.

After upgrading to v2026.4.14, voice message transcription via self-hosted OpenAI-compatible STT endpoints on private or LAN IPs started failing with SSRF blocks — even when models.providers.*.request.allowPrivateNetwork: true was explicitly configured. Two separate code paths were independently dropping this setting: one when building the execution context for audio transcription, and another when resolving request policy configuration.

Two targeted changes restore the behavior. First, the execution context builder now properly includes provider-level request configuration using the correct merge and sanitize functions, so allowPrivateNetwork from models.providers.<id>.request flows through to the transcription call. Second, the policy resolver now checks the nested request.allowPrivateNetwork property as a fallback when the top-level parameter is absent, covering all configuration patterns.

Self-hosted speech-to-text deployments on private infrastructure — think Parakeet instances on a LAN, or internal transcription services behind a firewall — will work again without triggering security blocks.

View Original GitHub Description

Summary

Fixes #66691 — regression introduced in v2026.4.14 where models.providers.*.request.allowPrivateNetwork: true no longer takes effect for audio transcription, causing SSRF blocks for self-hosted STT endpoints on private/LAN IPs.

Two source-level bugs, both required to reproduce the failure:

Bug 1 — runner.entries.ts: resolveProviderExecutionContext built the request passed to transcribeAudio using only sanitizeConfiguredProviderRequest on tool-level config and entry config. This function strips allowPrivateNetwork. The provider-level request config (models.providers.<id>.request) was never included in the merge.

Bug 2 — provider-request-config.ts: resolveProviderRequestPolicyConfig only read allowPrivateNetwork from the explicit params.allowPrivateNetwork parameter; it ignored params.request?.allowPrivateNetwork even when present.

Changes

  • src/media-understanding/runner.entries.ts: use mergeModelProviderRequestOverrides with sanitizeConfiguredModelProviderRequest(providerConfig?.request) so models.providers.*.request.allowPrivateNetwork flows into the media execution context
  • src/agents/provider-request-config.ts: fall back to params.request?.allowPrivateNetwork when params.allowPrivateNetwork is undefined

Test plan

  • Configure a self-hosted OpenAI-compatible STT endpoint on a private IP with models.providers.<id>.request.allowPrivateNetwork: true
  • Send a voice message — transcription should succeed without SSRF block
  • Confirm no regression for public STT endpoints (OpenAI, Deepgram, Mistral)

🤖 Generated with Claude Code

© 2026 · via Gitpulse