Gregor Martynus

This commit performs a significant **refactoring** within the **`@vercel/ai` package**, specifically in the **prompt preparation logic**. It splits the monolithic `prepareToolsAndToolChoice` function into two dedicated and more focused utilities: `prepareTools` and `prepareToolChoice`. This change enhances modularity by separating the concerns of tool definition preparation from tool choice normalization, which now independently defaults to `{ type: 'auto' }` when unspecified. Functions like `generateText`, `streamText`, `streamModelCall`, and `streamUI` are updated to leverage these new, distinct helpers, improving the maintainability and clarity of the **AI SDK's core model interaction functions**.

This commit **updates the build configuration** by adding `.claude` to the `.gitignore` file. This **maintenance change** ensures that any local files or directories named `.claude`, likely associated with an AI assistant or development tool, are explicitly excluded from version control. The primary impact is to keep the repository clean and prevent the accidental inclusion of developer-specific artifacts, thereby streamlining the development workflow.

This commit **adds new documentation** to the `contributing` guidelines, formally establishing a **noun-verb naming convention** for hyphenated identifiers. Specifically, it mandates this pattern for `stream event types`, `message parts`, and `UI chunks` to ensure consistency and clarity across the system. The new `contributing/naming-conventions.md` file provides examples like `text-start` and `tool-input-delta`, clarifying the preferred structure. This **documentation update** also highlights existing violations, such as `start-step` and `finish-step`, indicating areas for future migration to conform to the new standard.

This commit **updates the Continuous Integration (CI) workflow configuration** by increasing the maximum allowed average load time for the **`ai` module**. Specifically, the threshold defined in `.github/workflows/ci.yml` has been adjusted from 100ms to **105ms**. This **maintenance change** aims to provide a slightly more lenient performance check for the `ai` module, potentially reducing false-positive CI failures related to minor load time variations without compromising overall performance standards.

This commit **adds a new changeset file** (`.changeset/two-pens-teach.md`) to document a `README update` for the **`ai` package**. This is a **documentation update** and **maintenance** task, ensuring that the changes made to the `ai` module's `README` are properly recorded in the release notes. It primarily affects the **release process** and **documentation generation** for the `ai` subsystem, preparing it for an upcoming release.

This commit **updates 24 test files** across the `packages/ai/src` module to utilize the new **V4 mock models and interfaces**. This **test maintenance** effort migrates tests for various AI functionalities, including agents, embedding, image/object/speech/text/video generation, and middleware, from their V3 counterparts to `LanguageModelV4`, `EmbeddingModelV4`, `ImageModelV4`, and other V4-specific types. Specifically, it replaces V3 models and interfaces with `MockLanguageModelV4`, `EmbeddingModelV4`, `ImageModelV4`, `SpeechModelV4`, `VideoModelV4`, `RerankingModelV4`, `TranscriptionModelV4`, and related V4 call options and warning types. By aligning the testing suite with the latest API version, this work ensures the **correct validation of V4 features** and improves the overall reliability and future maintainability of the AI package. This is a continuation of the ongoing **V3 to V4 migration** within the project.

This commit continues the ongoing **V3 to V4 API migration** by performing essential **maintenance and refactoring** across several packages. It **updates API type imports and the middleware's specification version** within the `devToolsMiddleware` in the **DevTools module** (`packages/devtools`). Additionally, the `streamUI` function in the **RSC streaming UI** (`packages/rsc`) is refactored to align warning type imports and variable definitions with the V4 specification. Supporting this upgrade, tool type imports and definitions are also updated in tests within `packages/provider-utils`, ensuring full compatibility with the new API version.

This commit performs a **comprehensive documentation update** to align various guides and examples with the new **V4 specification** for AI models. It updates references from V3 to V4 across **LanguageModel**, **ImageModel**, **EmbeddingModel**, **SpeechModel**, **VideoModel**, and **TranscriptionModel** types. This **maintenance** work affects core documentation, cookbook examples, reference guides for functions like `generateText` and `streamText`, middleware, testing, and custom provider instructions. Specifically, it updates types like `LanguageModelV4Middleware`, `ImageModelV4Middleware`, and `MockLanguageModelV4` throughout the documentation. The update ensures that all relevant documentation accurately reflects the latest API specifications, facilitating correct usage and understanding of the SDK's capabilities.

This commit **refactors** numerous AI model integrations to align with the **V4 specification** for the `ai@7 beta`. It updates various `LanguageModel`, `ImageModel`, `EmbeddingModel`, `SpeechModel`, `TranscriptionModel`, and `VideoModel` implementations across packages like `cohere`, `deepseek`, `mistral`, `gateway`, and others. This widespread **API migration** involves updating interfaces, types (e.g., `LanguageModelV3Prompt` to `LanguageModelV4Prompt`), and `specificationVersion` properties to `V4`. The changes ensure compatibility and consistency with the latest `ai` library version, impacting core model functionalities and their respective provider integrations.

This commit **removes an unnecessary 6-second timeout** from the `should stream image generation tool results include` test within the **Azure OpenAI provider tests** (`azure-openai-provider.test.ts`). This **test maintenance** action reverts a temporary workaround that was previously added to prevent CI timeouts caused by a large image fixture. With the underlying issue resolved by replacing the large fixture with a minimal one, the test now runs efficiently, making the extended timeout redundant and improving the **test suite's accuracy and performance**.

This commit **upgrades the project's CI/CD pipeline and core configuration to support Node.js 24**, a significant **maintenance** effort to ensure compatibility with the latest runtime environment. This involved adding Node.js 24 to `.github/workflows/ci.yml` and `package.json` engines, alongside a major **Vitest upgrade from v2 to v4** across numerous packages such as `angular`, `svelte`, `anthropic`, and `amazon-bedrock`. The Vitest upgrade necessitated widespread **test adaptations** to address changes in mock function handling, assertion strictness, and `AbortSignal` behavior, while also fixing specific test issues related to `File` object snapshots in `openai` and `elevenlabs`, and a race condition in `mcp`. This comprehensive update ensures the project remains compatible with modern JavaScript runtimes and testing frameworks, improving overall stability and future-proofing.

This commit **updates the documentation** for the **ADR skill** to explicitly mark it as an internal component. By adding `'internal: true'` to the metadata section of `skills/adr-skill/SKILL.md`, this **configuration change** ensures the skill is not exposed or listed externally. This **maintenance task** effectively controls the public visibility and availability of the **ADR skill** within the system, preventing its discovery or use by external systems or users.

This commit performs a **dependency update** for the **`@vercel/oidc`** library, specifically **upgrading** its version within the `packages/gateway/package.json` from `3.1.0` to `3.2.0`. This **maintenance** task ensures the **`gateway`** module's **OpenID Connect (OIDC)** integration benefits from the latest improvements and fixes provided by the upstream library. A corresponding changeset entry, `.changeset/bump-oidc-version.md`, has been added to document this **minor version bump**, reflecting the updated dependency.

This commit **introduces Architecture Decision Records (ADRs)** to the project, establishing a formal process for documenting significant architectural decisions. It adds **new documentation** in `AGENTS.md` and `contributing/decisions/` explaining ADRs and their use, including the first ADR adopting this practice. Crucially, it delivers a **new `adr-skill` module** providing templates, conventions, and **utility scripts** (`bootstrap_adr.js`, `new_adr.js`, `set_adr_status.js`) to facilitate the creation, management, and review of ADRs. This **new capability** enhances decision transparency, consistency, and historical context across the project, particularly for agents interacting with the codebase.

This commit implements a **bug fix** for the **AI chat transport** by **removing the custom `User-Agent` header** from `HttpChatTransport`'s `sendMessages` and `reconnectToStream` methods. This change specifically addresses a **CORS preflight failure** encountered in Safari and Firefox, where the custom header would trigger an unhandled preflight request if the server did not explicitly allow it. By eliminating this header for chat communication, the commit ensures **reliable AI chat functionality** across all major browsers. This resolves a **cross-browser compatibility issue** that previously prevented successful AI chat interactions in certain environments.

This commit **enhances the CI backport workflow** by introducing intelligent logic to manage backport pull requests within `.github/workflows/backport.yml`. It now **checks for existing backport PRs**, automatically removing the `backport` label from issues when a corresponding PR is found, which prevents redundant work. Additionally, the workflow will **force-push updates to orphaned backport branches**, ensuring they remain synchronized and up-to-date. This **CI/CD improvement** streamlines the automated backporting process, reducing manual intervention and maintaining a cleaner repository state.

This commit **reverts** a previous change that prevented **streaming tool calls** from finalizing prematurely when partial, but parsable, JSON was received. It **re-enables early finalization** for tool calls across the **`alibaba`, `deepseek`, `groq`, `openai-compatible`, and `openai` chat language models** by rolling back the logic in their respective `doStream` methods. This **maintenance** action restores the prior behavior, potentially impacting applications that rely on immediate tool call execution upon receiving valid partial JSON during streaming. Additionally, `openai` test snapshots were updated to align with the re-enabled early finalization.

This commit delivers a crucial **security fix** for the **`verify-changesets` GitHub Action**, preventing the exposure of arbitrary runner file contents. It addresses a vulnerability (CWE-59, CWE-200) where symlinks within `.changeset/*.md` files could be followed, leading to sensitive system files being leaked via `$GITHUB_STEP_SUMMARY`. The fix involves **rejecting symlinked changeset files** using `lstat` and, as a defense-in-depth measure, **stopping the leakage of raw file content** by ensuring error objects only contain safe YAML frontmatter instead of full file contents. This prevents attackers from exploiting improper link resolution to access sensitive information.

This commit provides a **security fix** for **streaming tool calls** in the `openai`, `openai-compatible`, `groq`, `deepseek`, and `alibaba` providers. Previously, tool calls could finalize prematurely if partial JSON arguments were parsable, leading to the silent loss of critical parameters. The fix **removes inline `isParsableJson()` checks** and moves tool call finalization to the `flush()` handler, ensuring **all arguments are fully received** before execution. This significantly improves the **reliability and security** of tool execution by preventing incomplete tool calls. A **regression test** has been added to demonstrate and prevent this vulnerability from recurring.

This commit delivers a **critical security fix** to prevent a **Server-Side Request Forgery (SSRF) bypass vulnerability** within the project's download mechanisms. It enhances the `downloadBlob` function in `@ai-sdk/provider-utils` and the `download` function in `ai` to validate the *final* URL after HTTP redirects, not just the initial request URL. This addresses a flaw where attackers could use a seemingly safe public URL that redirects to internal endpoints, potentially leading to the exfiltration of sensitive data. The update ensures comprehensive URL validation throughout the redirect chain, significantly bolstering the security of external resource fetching.