refactor(inference): applyAndMerge helper, fix local-path dispatch, checksum validation (phase 5)

Author: sozercan

pkg/aikit/config/validate.go

@@ -2,12 +2,16 @@ package config
 
 import (
 	"errors"
+	"regexp"
 	"slices"
 
 	"github.com/kaito-project/aikit/pkg/utils"
 	pkgerrors "github.com/pkg/errors"
 )
 
+// sha256HexPattern matches a bare 64-character lowercase hex SHA256 checksum.
+var sha256HexPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)
+
 // Validate checks that the inference config is internally consistent and only
 // references supported backends and runtimes. Membership errors (unknown
 // backend / unknown runtime) are accumulated with errors.Join so that a config
@@ -71,6 +75,15 @@ func (c *InferenceConfig) Validate() error {
 		}
 	}
 
+	// Validate any provided model checksums up front so a malformed value fails
+	// the build immediately with a clear message rather than producing a broken
+	// digest deep in LLB construction.
+	for _, m := range c.Models {
+		if m.SHA256 != "" && !sha256HexPattern.MatchString(m.SHA256) {
+			return pkgerrors.Errorf("model %q has an invalid sha256 checksum %q: expected 64 lowercase hex characters", m.Name, m.SHA256)
+		}
+	}
+
 	return nil
 }
 

pkg/aikit/config/validate_test.go

@@ -0,0 +1,53 @@
+package config
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/kaito-project/aikit/pkg/utils"
+)
+
+func TestInferenceConfigValidateChecksum(t *testing.T) {
+	validSHA := strings.Repeat("a", 64)
+	tests := []struct {
+		name    string
+		sha     string
+		wantErr bool
+	}{
+		{name: "empty checksum is allowed", sha: "", wantErr: false},
+		{name: "valid 64-char hex", sha: validSHA, wantErr: false},
+		{name: "too short", sha: "abc123", wantErr: true},
+		{name: "uppercase rejected", sha: strings.Repeat("A", 64), wantErr: true},
+		{name: "algo-prefixed rejected", sha: "sha256:" + validSHA, wantErr: true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &InferenceConfig{
+				APIVersion: utils.APIv1alpha1,
+				Backends:   []string{utils.BackendLlamaCpp},
+				Models:     []Model{{Name: "m", Source: "http://x/m.gguf", SHA256: tt.sha}},
+			}
+			err := c.Validate()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestInferenceConfigValidateAggregatesMembershipErrors(t *testing.T) {
+	// Both an unknown backend and an unknown runtime should be reported together.
+	c := &InferenceConfig{
+		APIVersion: utils.APIv1alpha1,
+		Runtime:    "bogus-runtime",
+		Backends:   []string{"bogus-backend"},
+	}
+	err := c.Validate()
+	if err == nil {
+		t.Fatal("expected error for invalid backend and runtime")
+	}
+	msg := err.Error()
+	if !strings.Contains(msg, "bogus-backend") || !strings.Contains(msg, "bogus-runtime") {
+		t.Errorf("expected aggregated error to mention both backend and runtime, got: %s", msg)
+	}
+}

pkg/aikit2llb/inference/backend.go

@@ -163,51 +163,51 @@ func installBackend(backend string, c *config.InferenceConfig, platform specs.Pl
 	ociImage := fmt.Sprintf("%s:%s", utils.BackendOCIRegistry, tag)
 
 	// Create the backends directory
-	savedState := s
 	backendName := getBackendName(backend, c.Runtime, platform)
 	backendDir := fmt.Sprintf("/backends/%s", backendName)
 
 	// Download the backend from OCI registry and extract to specific backend directory
 	backendState := llb.Image(ociImage, llb.Platform(platform))
 
-	// Copy the backend files to the specific backend directory
-	s = s.File(
-		llb.Copy(backendState, "/", backendDir+"/", &llb.CopyInfo{
-			CreateDestPath: true,
-			AllowWildcard:  true,
-		}),
-		llb.WithCustomName(fmt.Sprintf("Installing backend %s from %s", backend, ociImage)),
-	)
-
-	// Ensure the directory exists and create metadata.json for the backend
-	backendAlias := getBackendAlias(backend)
-	metadataContent := fmt.Sprintf(`{
+	_, merge = applyAndMerge(s, merge, func(s llb.State) llb.State {
+		// Copy the backend files to the specific backend directory
+		s = s.File(
+			llb.Copy(backendState, "/", backendDir+"/", &llb.CopyInfo{
+				CreateDestPath: true,
+				AllowWildcard:  true,
+			}),
+			llb.WithCustomName(fmt.Sprintf("Installing backend %s from %s", backend, ociImage)),
+		)
+
+		// Ensure the directory exists and create metadata.json for the backend
+		backendAlias := getBackendAlias(backend)
+		metadataContent := fmt.Sprintf(`{
   "alias": "%s",
   "name": "%s",
   "gallery_url": "github:mudler/LocalAI/backend/index.yaml@master",
   "installed_at": "%s"
 }`, backendAlias, backendName, time.Now().UTC().Format(time.RFC3339))
 
-	s = s.File(
-		llb.Mkfile(fmt.Sprintf("%s/metadata.json", backendDir), 0o644, []byte(metadataContent)),
-		llb.WithCustomName(fmt.Sprintf("Creating metadata.json for backend %s", backendName)),
-	)
-
-	// Apply workarounds for the pre-built vLLM backend image.
-	if backend == utils.BackendVLLM {
-		// Remove broken flash_attn package (PyTorch ABI incompatibility).
-		// Patch backend.py to use the current vLLM AsyncLLM API
-		// (get_model_config() was replaced by the model_config property).
-		s = s.Run(utils.Shf(
-			"rm -rf %[1]s/venv/lib/python*/site-packages/flash_attn* && "+
-				"sed -i 's/await self.llm.get_model_config()/self.llm.model_config/' %[1]s/backend.py",
-			backendDir),
-			llb.WithCustomNamef("Patching vLLM backend %s for compatibility", backendName),
-		).Root()
-	}
-
-	diff := llb.Diff(savedState, s)
-	return llb.Merge([]llb.State{merge, diff})
+		s = s.File(
+			llb.Mkfile(fmt.Sprintf("%s/metadata.json", backendDir), 0o644, []byte(metadataContent)),
+			llb.WithCustomName(fmt.Sprintf("Creating metadata.json for backend %s", backendName)),
+		)
+
+		// Apply workarounds for the pre-built vLLM backend image.
+		if backend == utils.BackendVLLM {
+			// Remove broken flash_attn package (PyTorch ABI incompatibility).
+			// Patch backend.py to use the current vLLM AsyncLLM API
+			// (get_model_config() was replaced by the model_config property).
+			s = s.Run(utils.Shf(
+				"rm -rf %[1]s/venv/lib/python*/site-packages/flash_attn* && "+
+					"sed -i 's/await self.llm.get_model_config()/self.llm.model_config/' %[1]s/backend.py",
+				backendDir),
+				llb.WithCustomNamef("Patching vLLM backend %s for compatibility", backendName),
+			).Root()
+		}
+		return s
+	})
+	return merge
 }
 
 // getDefaultBackends returns the default backends based on runtime if no backends are specified.

pkg/aikit2llb/inference/convert.go

@@ -2,7 +2,6 @@ package inference
 
 import (
 	"fmt"
-	"net/url"
 	"slices"
 	"strings"
 
@@ -90,39 +89,37 @@ func getBaseImage(c *config.InferenceConfig, platform *specs.Platform) llb.State
 
 // writeConfig writes the /config.yaml file to the image when c.Config is set.
 func writeConfig(c *config.InferenceConfig, base llb.State, s llb.State, platform specs.Platform) (llb.State, llb.State) {
-	savedState := s
-	if c.Config != "" {
-		s = s.File(
-			llb.Mkfile("/config.yaml", 0o644, []byte(c.Config)),
-			llb.WithCustomName(fmt.Sprintf("Creating config for platform %s/%s", platform.OS, platform.Architecture)),
-		)
-	}
-	diff := llb.Diff(savedState, s)
-	merge := llb.Merge([]llb.State{base, diff})
-	return s, merge
+	return applyAndMerge(s, base, func(s llb.State) llb.State {
+		if c.Config != "" {
+			s = s.File(
+				llb.Mkfile("/config.yaml", 0o644, []byte(c.Config)),
+				llb.WithCustomName(fmt.Sprintf("Creating config for platform %s/%s", platform.OS, platform.Architecture)),
+			)
+		}
+		return s
+	})
 }
 
 // copyModels copies models to the image and writes the config.
 func copyModels(c *config.InferenceConfig, base llb.State, s llb.State, platform specs.Platform) (llb.State, llb.State, error) {
 	savedState := s
 	for _, model := range c.Models {
-		// Check if the model source is a URL
-		if _, err := url.ParseRequestURI(model.Source); err == nil {
-			switch {
-			case strings.HasPrefix(model.Source, "oci://"):
-				s = handleOCI(model.Source, s, platform)
-			case strings.HasPrefix(model.Source, "http://"), strings.HasPrefix(model.Source, "https://"):
-				s = handleHTTP(model.Source, model.Name, model.SHA256, s)
-			case strings.HasPrefix(model.Source, "huggingface://"):
-				s, err = handleHuggingFace(model.Source, s)
-				if err != nil {
-					return llb.State{}, llb.State{}, err
-				}
-			default:
-				return llb.State{}, llb.State{}, fmt.Errorf("unsupported URL scheme: %s", model.Source)
+		// Dispatch on the source's URI scheme. Anything without a recognized
+		// scheme (including absolute local paths like /models/foo.gguf) is treated
+		// as a local file. The previous url.ParseRequestURI guard incorrectly
+		// rejected absolute local paths, which parse as URIs with an empty scheme.
+		var err error
+		switch {
+		case strings.HasPrefix(model.Source, "oci://"):
+			s = handleOCI(model.Source, s, platform)
+		case strings.HasPrefix(model.Source, "http://"), strings.HasPrefix(model.Source, "https://"):
+			s = handleHTTP(model.Source, model.Name, model.SHA256, s)
+		case strings.HasPrefix(model.Source, "huggingface://"):
+			s, err = handleHuggingFace(model.Source, s)
+			if err != nil {
+				return llb.State{}, llb.State{}, err
 			}
-		} else {
-			// Handle local paths
+		default:
 			s = handleLocal(model.Source, s)
 		}
 
@@ -155,50 +152,47 @@ func installCuda(c *config.InferenceConfig, s llb.State, merge llb.State) (llb.S
 	)
 	s = s.Run(utils.Sh("dpkg -i cuda-keyring_1.1-1_all.deb && rm cuda-keyring_1.1-1_all.deb")).Root()
 
-	savedState := s
-	// running apt-get update twice due to nvidia repo
-	s = s.Run(utils.Sh("apt-get update && apt-get install --no-install-recommends -y ca-certificates && apt-get update"), llb.IgnoreCache).Root()
-
-	// install cuda libraries for llama-cpp (default) and vllm backends
-	if len(c.Backends) == 0 || slices.Contains(c.Backends, utils.BackendLlamaCpp) || slices.Contains(c.Backends, utils.BackendVLLM) {
-		// install cuda libraries and pciutils for gpu detection
-		s = s.Run(utils.Shf("apt-get install -y --no-install-recommends pciutils libcublas-%[1]s cuda-cudart-%[1]s && apt-get clean", cudaVersion)).Root()
-		// TODO: clean up /var/lib/dpkg/status
-	}
+	return applyAndMerge(s, merge, func(s llb.State) llb.State {
+		// running apt-get update twice due to nvidia repo
+		s = s.Run(utils.Sh("apt-get update && apt-get install --no-install-recommends -y ca-certificates && apt-get update"), llb.IgnoreCache).Root()
 
-	diff := llb.Diff(savedState, s)
-	return s, llb.Merge([]llb.State{merge, diff})
+		// install cuda libraries for llama-cpp (default) and vllm backends
+		if len(c.Backends) == 0 || slices.Contains(c.Backends, utils.BackendLlamaCpp) || slices.Contains(c.Backends, utils.BackendVLLM) {
+			// install cuda libraries and pciutils for gpu detection
+			s = s.Run(utils.Shf("apt-get install -y --no-install-recommends pciutils libcublas-%[1]s cuda-cudart-%[1]s && apt-get clean", cudaVersion)).Root()
+			// TODO: clean up /var/lib/dpkg/status
+		}
+		return s
+	})
 }
 
 func installRocm(c *config.InferenceConfig, s llb.State, merge llb.State) (llb.State, llb.State) {
-	savedState := s
-
-	// Set up ROCm repository
-	s = s.Run(utils.Sh("apt-get update && apt-get install --no-install-recommends -y ca-certificates curl gnupg"), llb.IgnoreCache).Root()
-
-	// Add ROCm GPG key and repository
-	s = s.Run(utils.Sh("curl -fsSL https://repo.radeon.com/rocm/rocm.gpg.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/rocm.gpg")).Root()
-	s = s.Run(utils.Shf("echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rocm.gpg] https://repo.radeon.com/rocm/apt/%s/ noble main' >> /etc/apt/sources.list.d/rocm.list", rocmVersion)).Root()
-	s = s.Run(utils.Shf("echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rocm.gpg] https://repo.radeon.com/graphics/%s/ubuntu noble main' >> /etc/apt/sources.list.d/rocm.list", rocmVersion)).Root()
-	rocmPinning := `
+	return applyAndMerge(s, merge, func(s llb.State) llb.State {
+		// Set up ROCm repository
+		s = s.Run(utils.Sh("apt-get update && apt-get install --no-install-recommends -y ca-certificates curl gnupg"), llb.IgnoreCache).Root()
+
+		// Add ROCm GPG key and repository
+		s = s.Run(utils.Sh("curl -fsSL https://repo.radeon.com/rocm/rocm.gpg.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/rocm.gpg")).Root()
+		s = s.Run(utils.Shf("echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rocm.gpg] https://repo.radeon.com/rocm/apt/%s/ noble main' >> /etc/apt/sources.list.d/rocm.list", rocmVersion)).Root()
+		s = s.Run(utils.Shf("echo 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/rocm.gpg] https://repo.radeon.com/graphics/%s/ubuntu noble main' >> /etc/apt/sources.list.d/rocm.list", rocmVersion)).Root()
+		rocmPinning := `
 Package: *
 Pin: release o=repo.radeon.com
 Pin-Priority: 600
 `
-	s = s.Run(utils.Shf("echo '%s' > /etc/apt/preferences.d/repo-radeon-pin-600", rocmPinning)).Root()
-	s = s.Run(utils.Sh("apt-get update"), llb.IgnoreCache).Root()
-
-	// install rocm libraries and pciutils for gpu detection when using the default
-	// llama-cpp backend or when it is configured explicitly
-	if len(c.Backends) == 0 || slices.Contains(c.Backends, utils.BackendLlamaCpp) {
-		s = s.Run(utils.Sh("apt-get install -y pciutils rocm && apt-get clean")).Root()
-	}
+		s = s.Run(utils.Shf("echo '%s' > /etc/apt/preferences.d/repo-radeon-pin-600", rocmPinning)).Root()
+		s = s.Run(utils.Sh("apt-get update"), llb.IgnoreCache).Root()
 
-	// hipblaslt soname compatibility: backend may be linked against .so.0 while ROCm 7.2 ships .so.1
-	s = s.Run(utils.Sh("set -e; cd /opt/rocm/lib; [ -e libhipblaslt.so.0 ] || ln -sf libhipblaslt.so.1 libhipblaslt.so.0")).Root()
+		// install rocm libraries and pciutils for gpu detection when using the default
+		// llama-cpp backend or when it is configured explicitly
+		if len(c.Backends) == 0 || slices.Contains(c.Backends, utils.BackendLlamaCpp) {
+			s = s.Run(utils.Sh("apt-get install -y pciutils rocm && apt-get clean")).Root()
+		}
 
-	diff := llb.Diff(savedState, s)
-	return s, llb.Merge([]llb.State{merge, diff})
+		// hipblaslt soname compatibility: backend may be linked against .so.0 while ROCm 7.2 ships .so.1
+		s = s.Run(utils.Sh("set -e; cd /opt/rocm/lib; [ -e libhipblaslt.so.0 ] || ln -sf libhipblaslt.so.1 libhipblaslt.so.0")).Root()
+		return s
+	})
 }
 
 // addLocalAI adds the LocalAI binary to the image.
@@ -218,20 +212,18 @@ func addLocalAI(c *config.InferenceConfig, s llb.State, merge llb.State, platfor
 		return s, merge, fmt.Errorf("unsupported architecture %s", platform.Architecture)
 	}
 
-	savedState := s
-
 	// Use the oras CLI image to pull the artifact containing the LocalAI binary
 	tooling := llb.Image(orasImage, llb.Platform(platform)).Run(
 		utils.Shf("set -e\noras pull %[1]s\nchmod +x local-ai\nchmod 755 local-ai", art.Ref),
 		llb.WithCustomName("Pulling LocalAI from OCI artifact "+art.Ref),
 	).Root()
 
 	// Copy the prepared binary into /usr/bin/local-ai
-	s = s.File(
-		llb.Copy(tooling, "local-ai", "/usr/bin/local-ai"),
-		llb.WithCustomName("Copying local-ai from OCI artifact to /usr/bin"),
-	)
-
-	diff := llb.Diff(savedState, s)
-	return s, llb.Merge([]llb.State{merge, diff}), nil
+	s, merge = applyAndMerge(s, merge, func(s llb.State) llb.State {
+		return s.File(
+			llb.Copy(tooling, "local-ai", "/usr/bin/local-ai"),
+			llb.WithCustomName("Copying local-ai from OCI artifact to /usr/bin"),
+		)
+	})
+	return s, merge, nil
 }

pkg/aikit2llb/inference/convert_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/kaito-project/aikit/pkg/aikit/config"
 	"github.com/kaito-project/aikit/pkg/utils"
 	"github.com/moby/buildkit/client/llb"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 func TestInstallRocmInstallsPciutilsForLlamaCpp(t *testing.T) {
@@ -61,3 +62,28 @@ func marshalDefinitionToString(def *llb.Definition) string {
 
 	return combined.String()
 }
+
+// TestCopyModelsAbsoluteLocalPath guards the scheme-dispatch fix: an absolute
+// local model path (no URI scheme) must be treated as a local file, not
+// rejected. The previous url.ParseRequestURI guard caused absolute paths to
+// fall through to a hard "unsupported URL scheme" error.
+func TestCopyModelsAbsoluteLocalPath(t *testing.T) {
+	cfg := &config.InferenceConfig{
+		Runtime: "",
+		Models: []config.Model{
+			{Name: "local", Source: "/models/local.gguf"},
+		},
+	}
+
+	platform := specs.Platform{OS: utils.PlatformLinux, Architecture: utils.PlatformAMD64}
+	base := llb.Image(utils.UbuntuBase)
+	state, merged, err := copyModels(cfg, base, base, platform)
+	if err != nil {
+		t.Fatalf("copyModels returned error for absolute local path: %v", err)
+	}
+
+	if _, err := merged.Marshal(context.Background()); err != nil {
+		t.Fatalf("marshal failed: %v", err)
+	}
+	_ = state
+}