Enable per-employee custom third-party LLM endpoint configuration (with CI version-gate fix)

[Copilot]

Background

• Issue/Motivation: User feedback called out unclear/incomplete support for “custom third-party” providers. In practice, employee-level configuration could not fully represent custom provider endpoints/modes beyond company-wide defaults.
• Root Cause (if bug fix): Employee auth apply flow dropped custom provider endpoint/class inputs at employee scope, and runtime LLM construction only used global custom endpoint/class settings. In addition, CI enforces PR version > main version, and this branch initially had the same version as main.

What Changed

• Summary: Added first-class per-employee custom provider endpoint support for company-hosted employees, while preserving existing company-level defaults and provider registry behavior.
• CI follow-up fix: Bumped package version in pyproject.toml from 0.7.77 to 0.7.78 so the CI “Version bump check” passes.

Key Design Decisions

• Persist per-employee custom endpoint metadata in profile.yaml (api_base_url, custom_chat_class) instead of introducing a parallel config store.
• Runtime precedence for provider=custom: employee override → company default.
• Non-destructive updates: omitted employee custom fields are not overwritten.
• Strict chat-class validation for custom provider (openai/anthropic) at apply time.
• Minimal CI remediation: only bump version metadata to satisfy repository version policy; no runtime behavior changes in the CI fix commit.

# custom provider runtime precedence
if api_provider == "custom":
    effective_chat_class = employee_custom_chat_class or settings.custom_chat_class or effective_chat_class
    base_url = employee_api_base_url or settings.default_api_base_url

Files Changed (annotated)

File	Change
src/onemancompany/core/config.py	Extended EmployeeConfig with api_base_url and custom_chat_class for employee-scoped custom provider config.
src/onemancompany/core/auth_apply/__init__.py	Passed employee-scope base_url/chat_class through auth dispatch.
src/onemancompany/core/auth_apply/api_key.py	Persisted custom endpoint fields for employee custom provider, added chat_class validation, and made omitted fields non-destructive.
src/onemancompany/agents/base.py	Updated make_llm to honor employee-level custom base_url and chat_class overrides ahead of company defaults.
src/onemancompany/api/routes.py	Exposed api_base_url and custom_chat_class in employee detail API response.
tests/unit/core/test_auth_apply.py	Added tests for custom endpoint persistence, invalid chat class handling, and omitted-field behavior.
tests/unit/agents/test_base_coverage.py	Added coverage for employee custom-provider override path (including selecting Anthropic path over provider default class).
pyproject.toml	Bumped package version to satisfy CI version-gate check (0.7.77 → 0.7.78).

Type

• Bug fix
• New feature
• Refactor
• Visualization / Theme
• Talent package
• Documentation
• Other

Review Checklist

Phase 1 — Bug Hunt

• No off-by-one, null-ref, or race conditions introduced
• Error paths tested (what happens when it fails?)
• Edge cases covered (empty input, duplicates, concurrent access)

Phase 2 — Design Principles (docs/design-principles.md)

• Single Source of Truth — No duplicated state; data has one owner, one write function
• Systematic Design — Structural fix, not a patch (would a second similar request need the same code touched?)
• Modular & General-Purpose — New capability addable without modifying existing code
• Complete Data Package — New state is serializable, recoverable, registered, terminable
• No Silent Exceptions — No except: pass; errors logged, CancelledError re-raised
• Registry/Dispatch — No if-elif chains for type dispatch
• Status via transition() — No direct node.status = ... assignment
• Minimal Complexity — No premature abstractions; minimum code for current requirements

Phase 3 — Side Effects

• No unintended behavioral changes to existing features
• Serialization/persistence formats are backward-compatible (or migration provided)
• No new circular imports introduced

Test Plan

• Unit tests pass (.venv/bin/python -m pytest tests/unit/ -x)
• Compilation check (.venv/bin/python -c "from onemancompany.api.routes import router; print('OK')")
• Frontend syntax check (node -c frontend/app.js)
• New tests written for new/changed behavior
• Manual testing (describe below)

Manual Test Steps

1. N/A (backend-only change; no UI behavior modified in this PR)

Screenshots

N/A (no UI changes)

[zhengxuyu]

@copilot ci/cd没过

[Copilot]

@copilot ci/cd没过

已定位并修复这次 CI 失败原因：CI 的 Version bump check 要求 PR 版本号大于 main，之前两边都是 0.7.77。我已在提交 5af0015 将 pyproject.toml 版本升级到 0.7.78 并完成本地校验。请看这次新提交触发的检查结果；若仍显示 action_required，通常是工作流需要仓库侧手动批准后才会继续跑。

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• console.anthropic.com
  • Triggering command: /usr/bin/curl curl -s -X POST REDACTED -H Content-Type: application/x-www-form-urlencoded -d grant_type=authorization_code&code=code&client_id=9d1c250a-e61b-44d9-88ed-5944d1962f5e&code_verifier=v&redirect_uri=http%3A%2F%2Flocalhost -L (dns block)
• openrouter.ai
  • Triggering command: /usr/bin/python python -m pytest tests/unit/ -x -q (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)