feat: add support for OpenAI US data residency endpoint (us.api.openai.com)

[chitalian]

• Update OpenAI URL pattern to accept us.api.openai.com for US data residency
• Add custom base URL support in OpenAIProvider.buildUrl() via userConfig.baseUri
• Add UI configuration for OpenAI Base URL in provider key settings
• Enables BYOK customers to comply with OpenAI's January 12, 2026 deadline

Customers can now configure their OpenAI provider key with a custom base URL
(e.g., https://us.api.openai.com) to route requests to the US regional endpoint.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
helicone	Ready	Preview, Comment	Jan 21, 2026 8:15pm
helicone-eu	Ready	Preview, Comment	Jan 21, 2026 8:15pm

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
helicone-bifrost	Skipped		Jan 21, 2026 8:15pm

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[supabase]

This pull request has been ignored for the connected project bolqqmqbrciybnypvklh because there are no changes detected in supbase/supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[supabase]

This pull request has been ignored for the connected project lmahfbbnchpworytrrqk because there are no changes detected in .supabase/supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[claude]

Claude finished @chitalian's task —— View job

---

Code Review Completed

Reviewing PR #5537: OpenAI US data residency endpoint support

Todo List:

• Read and analyze all changed files
• Review OpenAI provider implementation changes
• Examine UI component changes for validation and UX
• Check for security issues in URL handling
• Verify type safety and error handling
• Provide comprehensive feedback with confidence score

---

Score: 8/10 - Well-implemented feature with solid security practices

Review Summary

This PR successfully implements OpenAI US data residency endpoint support with good security practices and clean implementation. The changes are well-structured across the cost calculation logic and UI components.

✅ Strengths

1. Security-First Approach: Excellent use of allowlisted URLs in ALLOWED_OPENAI_BASE_URLS preventing arbitrary endpoint injection
2. Defensive Programming: The validateBaseUrl() method gracefully falls back to default endpoint for invalid URLs
3. Clean API Design: Proper use of baseUri in UserEndpointConfig type for extensibility
4. User Experience: Nice dropdown selection UI with clear labels for endpoint choices
5. Backward Compatibility: Changes maintain existing functionality while adding new features
6. Pattern Consistency: The regex update in mappings.ts correctly handles both endpoints

🔧 Minor Suggestions

1. URL Normalization Edge Case (packages/cost/models/providers/openai.ts:18-19)

// Current implementation
const normalized = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;

// Suggestion: Handle multiple trailing slashes and whitespace
const normalized = baseUrl.trim().replace(/\/+$/, '');

2. Type Safety Enhancement (packages/cost/models/providers/openai.ts:23-25)

// Current implementation has redundant type assertion
if (!ALLOWED_OPENAI_BASE_URLS.includes(
  normalized as (typeof ALLOWED_OPENAI_BASE_URLS)[number]
))

// Suggestion: Use type predicate for cleaner check
private isAllowedUrl(url: string): url is typeof ALLOWED_OPENAI_BASE_URLS[number] {
  return ALLOWED_OPENAI_BASE_URLS.includes(url as any);
}

3. Default Value Handling (web/components/providers/ProviderCard.tsx:300-305)

The normalizedValue logic converting "default" to empty string is a bit implicit. Consider making this more explicit:

const handleUpdateConfigField = (key: string, value: string) => {
  const normalizedValue = value === "default" || value === "" ? "" : value;
  // Or use a constant: OPENAI_DEFAULT_ENDPOINT_VALUE
};

🚀 Performance & Best Practices

• Efficient Rendering: Good use of React.memo potential for OPENAI_ENDPOINTS
• State Management: Proper state updates with functional updates
• Error Handling: Fallback mechanisms work correctly

🔒 Security Assessment

✅ No Security Issues Found

• Allowlisted URLs prevent injection attacks
• No user input directly used in URL construction
• Proper validation and fallback mechanisms
• No secrets exposure in client code

📝 Code Quality

• Documentation: Good inline comments explaining business logic
• Naming: Clear, descriptive variable and function names
• Structure: Well-organized with proper separation of concerns
• Testing: Would benefit from unit tests for validateBaseUrl() method

🎯 Recommendation

Ready to merge with the minor suggestions considered for future iterations. This is a solid implementation that addresses the OpenAI data residency requirements effectively while maintaining security and code quality standards.

The feature correctly handles:

• ✅ URL validation and allowlisting
• ✅ User interface for endpoint selection
• ✅ Backward compatibility
• ✅ Configuration persistence
• ✅ Error handling and fallbacks

---