feat: allow disabling run time cred check (#36031)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-06-07 16:32:01 +08:00 · 2026-05-14 15:12:10 +08:00 · 2026-05-14 15:12:10 +08:00 · a9bcec013f
commit a9bcec013f
parent aeb7687e2c
5 changed files with 27 additions and 10 deletions
--- a/api/configs/enterprise/init.py
+++ b/api/configs/enterprise/init.py
@ -23,6 +23,12 @@ class EnterpriseFeatureConfig(BaseSettings):
        ge=1, description="Maximum timeout in seconds for enterprise requests", default=5
    )

+    ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK: bool = Field(
+        default=False,
+        description="If disabled, credential policy check is only performed when saving workflows."
+        "This helps gain runtime performance by trading off consistency.",
+    )
+

 class EnterpriseTelemetryConfig(BaseSettings):
    """
--- a/api/core/entities/provider_configuration.py
+++ b/api/core/entities/provider_configuration.py
@ -171,9 +171,9 @@ class ProviderConfiguration(BaseModel):
                current_credential_id = self.custom_configuration.provider.current_credential_id

            if current_credential_id:
-                from core.helper.credential_utils import check_credential_policy_compliance
+                from core.helper.credential_utils import runtime_check_credential_policy_compliance

-                check_credential_policy_compliance(
+                runtime_check_credential_policy_compliance(
                    credential_id=current_credential_id,
                    provider=self.provider.provider,
                    credential_type=PluginCredentialType.MODEL,
@ -182,9 +182,9 @@ class ProviderConfiguration(BaseModel):
                # no current credential id, check all available credentials
                if self.custom_configuration.provider:
                    for credential_configuration in self.custom_configuration.provider.available_credentials:
-                        from core.helper.credential_utils import check_credential_policy_compliance
+                        from core.helper.credential_utils import runtime_check_credential_policy_compliance

-                        check_credential_policy_compliance(
+                        runtime_check_credential_policy_compliance(
                            credential_id=credential_configuration.credential_id,
                            provider=self.provider.provider,
                            credential_type=PluginCredentialType.MODEL,
--- a/api/core/helper/credential_utils.py
+++ b/api/core/helper/credential_utils.py
@ -2,6 +2,7 @@
 Credential utility functions for checking credential existence and policy compliance.
 """

+from configs import dify_config
 from core.entities import PluginCredentialType


@ -39,6 +40,16 @@ def is_credential_exists(credential_id: str, credential_type: "PluginCredentialT
        return False


+def runtime_check_credential_policy_compliance(
+    credential_id: str, provider: str, credential_type: "PluginCredentialType", check_existence: bool = True
+):
+    if dify_config.ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK:
+        return
+    check_credential_policy_compliance(
+        credential_id=credential_id, provider=provider, credential_type=credential_type, check_existence=check_existence
+    )
+
+
 def check_credential_policy_compliance(
    credential_id: str, provider: str, credential_type: "PluginCredentialType", check_existence: bool = True
 ) -> None:
--- a/api/core/model_manager.py
+++ b/api/core/model_manager.py
@ -391,10 +391,10 @@ class ModelInstance:

            # Additional policy compliance check as fallback (in case fetch_next didn't catch it)
            try:
-                from core.helper.credential_utils import check_credential_policy_compliance
+                from core.helper.credential_utils import runtime_check_credential_policy_compliance

                if lb_config.credential_id:
-                    check_credential_policy_compliance(
+                    runtime_check_credential_policy_compliance(
                        credential_id=lb_config.credential_id,
                        provider=self.provider,
                        credential_type=PluginCredentialType.MODEL,
@ -630,10 +630,10 @@ class LBModelManager:

            # Check policy compliance for the selected configuration
            try:
-                from core.helper.credential_utils import check_credential_policy_compliance
+                from core.helper.credential_utils import runtime_check_credential_policy_compliance

                if config.credential_id:
-                    check_credential_policy_compliance(
+                    runtime_check_credential_policy_compliance(
                        credential_id=config.credential_id,
                        provider=self._provider,
                        credential_type=PluginCredentialType.MODEL,
--- a/api/core/tools/tool_manager.py
+++ b/api/core/tools/tool_manager.py
@ -264,9 +264,9 @@ class ToolManager:
                    if builtin_provider is None:
                        raise ToolProviderNotFoundError(f"builtin provider {provider_id} not found")

-                from core.helper.credential_utils import check_credential_policy_compliance
+                from core.helper.credential_utils import runtime_check_credential_policy_compliance

-                check_credential_policy_compliance(
+                runtime_check_credential_policy_compliance(
                    credential_id=builtin_provider.id,
                    provider=provider_id,
                    credential_type=PluginCredentialType.TOOL,