feat: use dropdown select for OpenAI endpoint and add validation

- Replace free-form text input with dropdown select for OpenAI endpoint
- Add predefined options: Default (api.openai.com) and US Data Residency (us.api.openai.com)
- Add server-side validation to only allow whitelisted OpenAI base URLs
- Invalid or unknown URLs fall back to the default api.openai.com endpoint

Author: claude

packages/cost/models/providers/openai.ts

@@ -1,25 +1,47 @@
 import { BaseProvider } from "./base";
 import type { Endpoint, RequestParams, RequestBodyContext } from "../types";
 
+// Allowed OpenAI base URLs for security
+const ALLOWED_OPENAI_BASE_URLS = [
+  "https://api.openai.com",
+  "https://us.api.openai.com", // US data residency
+] as const;
+
 export class OpenAIProvider extends BaseProvider {
   readonly displayName = "OpenAI";
   readonly baseUrl = "https://api.openai.com";
   readonly auth = "api-key" as const;
   readonly pricingPages = ["https://openai.com/api/pricing"];
   readonly modelPages = ["https://platform.openai.com/docs/models"];
 
+  private validateBaseUrl(baseUrl: string): string {
+    // Normalize the URL by removing trailing slash
+    const normalized = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+
+    // Check if the URL is in the allowed list
+    if (
+      !ALLOWED_OPENAI_BASE_URLS.includes(
+        normalized as (typeof ALLOWED_OPENAI_BASE_URLS)[number]
+      )
+    ) {
+      // Fall back to default if not allowed
+      return "https://api.openai.com";
+    }
+
+    return normalized;
+  }
+
   buildUrl(endpoint: Endpoint, requestParams: RequestParams): string {
-    // Use custom base URL if provided (e.g., for US data residency: us.api.openai.com)
-    const baseUrl = endpoint.userConfig.baseUri || "https://api.openai.com";
-    const normalizedBaseUrl = baseUrl.endsWith("/")
-      ? baseUrl.slice(0, -1)
-      : baseUrl;
+    // Use custom base URL if provided and valid, otherwise fall back to default
+    const baseUrl = this.validateBaseUrl(
+      endpoint.userConfig.baseUri || "https://api.openai.com"
+    );
 
     switch (requestParams.bodyMapping) {
       case "RESPONSES":
-        return `${normalizedBaseUrl}/v1/responses`;
+        return `${baseUrl}/v1/responses`;
       default:
-        return `${normalizedBaseUrl}/v1/chat/completions`;
+        return `${baseUrl}/v1/chat/completions`;
     }
   }
 

web/components/providers/ProviderCard.tsx

@@ -37,9 +37,22 @@ import useNotification from "@/components/shared/notification/useNotification";
 import { Small } from "@/components/ui/typography";
 import { Label } from "../ui/label";
 import { Checkbox } from "../ui/checkbox";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "../ui/select";
 import { cn } from "@/lib/utils";
 import { logger } from "@/lib/telemetry/logger";
 
+// Allowed OpenAI endpoints for data residency
+const OPENAI_ENDPOINTS = [
+  { value: "", label: "Default (api.openai.com)" },
+  { value: "https://us.api.openai.com", label: "US Data Residency (us.api.openai.com)" },
+] as const;
+
 // ====== Types ======
 interface ProviderCardProps {
   provider: Provider;
@@ -284,9 +297,11 @@ const ProviderInstance: React.FC<ProviderInstanceProps> = ({
   };
 
   const handleUpdateConfigField = (key: string, value: string) => {
+    // Convert "default" placeholder value to empty string for storage
+    const normalizedValue = value === "default" ? "" : value;
     setConfigValues((prev) => ({
       ...prev,
-      [key]: value,
+      [key]: normalizedValue,
     }));
   };
 
@@ -401,9 +416,10 @@ const ProviderInstance: React.FC<ProviderInstanceProps> = ({
     if (provider.id === "openai") {
       configFields = [
         {
-          label: "Base URL (optional)",
+          label: "Endpoint Region",
           key: "baseUri",
-          placeholder: "https://us.api.openai.com (for US data residency)",
+          placeholder: "",
+          type: "select",
         },
       ];
     } else if (provider.id === "azure") {
@@ -483,6 +499,28 @@ const ProviderInstance: React.FC<ProviderInstanceProps> = ({
                       : field.label}
                   </Label>
                 </div>
+              ) : field.type === "select" && provider.id === "openai" ? (
+                <Select
+                  value={configValues[field.key] || "default"}
+                  onValueChange={(value) =>
+                    handleUpdateConfigField(field.key, value)
+                  }
+                  disabled={isEditMode && !isEditingKey}
+                >
+                  <SelectTrigger className="h-7 text-xs">
+                    <SelectValue placeholder="Select endpoint region" />
+                  </SelectTrigger>
+                  <SelectContent>
+                    {OPENAI_ENDPOINTS.map((endpoint) => (
+                      <SelectItem
+                        key={endpoint.value || "default"}
+                        value={endpoint.value || "default"}
+                      >
+                        {endpoint.label}
+                      </SelectItem>
+                    ))}
+                  </SelectContent>
+                </Select>
               ) : (
                 <Input
                   type={field.type ?? "text"}