SEC-16

Pinned AI model constant

Origin

Pinned 2026-04-17 after a response-leakage analysis identified that a caller could substitute a cheaper or older model and return its responses as if they came from the premium model. The fix centralizes the model identifier in a single constant so every caller uses the same value and upgrades happen in one place.

Rule Text

Every AI procedure imports the canonical ANTHROPIC_MODEL constant from packages/api/lib/anthropic.ts. Hardcoded model strings in router code are FORBIDDEN. Model aliases such as claude-latest are FORBIDDEN. The current value is pinned to the specific version identifier; upgrades happen by updating the constant.

Testable Assertion

import { readFileSync } from 'node:fs';
import { ANTHROPIC_MODEL } from '@/lib/anthropic';
// Source text of the procedure file under test (path left as a placeholder).
const source = readFileSync('<path to procedure file>', 'utf8');
expect(typeof ANTHROPIC_MODEL).toBe('string');
expect(ANTHROPIC_MODEL).not.toMatch(/latest/i);
// Every procedure that calls Anthropic uses the imported constant:
expect(source).toContain('model: ANTHROPIC_MODEL');

Enforcement

  • Gate-time — Static-analysis rule forbids string literals matching claude-* in procedure files outside packages/api/lib/anthropic.ts. It also forbids model: assignments whose value is anything other than the imported constant.
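The gate-time rule above, as an added example that is not the project's own static-analysis rule: a text-based check that flags both forbidden patterns in a procedure file and exempts the canonical module. The file path, procedure body and model identifiers in the sample are constructed for illustration.

```typescript
// Added example (not the project's lint rule): a line-oriented regex scan for
// SEC-16. Assumption: this is enough for a gate; an AST-based rule would avoid
// false positives such as a `model: string` type annotation.
interface Violation {
  line: number;
  rule: 'claude-literal' | 'model-not-constant';
  text: string;
}

const CANONICAL_MODULE = 'packages/api/lib/anthropic.ts';
// Single-, double- or backtick-quoted literal whose content starts with "claude-".
const CLAUDE_LITERAL = /(['"`])claude-[^'"`]*\1/;
// `model:` property followed by its value expression, up to the next , } ) or EOL.
const MODEL_ASSIGNMENT = /\bmodel\s*:\s*([^,}\n)]+)/;

function findViolations(filePath: string, source: string): Violation[] {
  const isCanonical = filePath.replace(/\\/g, '/').endsWith(CANONICAL_MODULE);
  const violations: Violation[] = [];
  source.split('\n').forEach((raw, idx) => {
    const text = raw.trim();
    if (text.startsWith('//')) return; // comment-only lines are not code
    if (!isCanonical && CLAUDE_LITERAL.test(text)) {
      violations.push({ line: idx + 1, rule: 'claude-literal', text });
    }
    const m = MODEL_ASSIGNMENT.exec(text);
    if (m && (m[1] ?? '').trim() !== 'ANTHROPIC_MODEL') {
      violations.push({ line: idx + 1, rule: 'model-not-constant', text });
    }
  });
  return violations;
}

// Constructed procedure source: one compliant call, one swapped-in cheaper
// model, and one runtime fallback expression that is not the constant.
const SAMPLE_PROCEDURE = [
  "import { ANTHROPIC_MODEL } from '@/lib/anthropic';",
  'export const summarize = procedure.mutation(async ({ input }) => {',
  '  const ok = await client.messages.create({',
  '    model: ANTHROPIC_MODEL,',
  '    max_tokens: 256,',
  '  });',
  '  // The next two calls each violate SEC-16:',
  "  const bad = await client.messages.create({ model: 'claude-old-placeholder' });",
  '  const drift = await client.messages.create({ model: process.env.MODEL ?? ANTHROPIC_MODEL });',
  '});',
].join('\n');

const report = findViolations('packages/api/routers/summarize.ts', SAMPLE_PROCEDURE);
console.log(report); // 3 violations: line 8 (both rules) and line 9
```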

Violation Closed

Response-leakage attacks where a procedure substitutes a cheaper or less-capable model and returns output attributable to the premium version. Also closes the less-critical but still real failure mode of silent model drift across the codebase — where different procedures target different model versions because they were written at different times.