GitHub - speedshop/openrouter-us-only-cached-guardrail: GitHub Action that updates an OpenRouter guardrail daily with US-only providers and cached models

3 min read Original article ↗

Speedshop OpenRouter Coding Agent Guardrail

Create and update opinionated OpenRouter guardrail for trying new models in coding agents.

What This Guardrail Enforces

  • Only thinking/reasoning models. Models must expose OpenRouter reasoning or include_reasoning support.
  • Only models with at least 128k context. Coding agents need room for large repositories and long-running sessions.
  • Only models with prompt cache. Coding agents become unusably expensive without this.
  • Only US-based inference. Rule of law and security concerns in other jurisdictions.
  • Minimum latency/throughput. No likes a slow coding agent.
  • No OpenAI-provided or Anthropic models by default. OpenAI OSS models can pass when served by an allowed non-OpenAI provider.

Important

This action does not attach API keys to a guardrail. You still need to do that in OpenRouter.

Use the shared workflow

Call this workflow from another repo:

name: Update OpenRouter Guardrail

on:
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

concurrency:
  group: update-openrouter-guardrail
  cancel-in-progress: true

jobs:
  update:
    uses: speedshop/openrouter-us-only-cached-guardrail/.github/workflows/guardrail.yml@main
    with:
      guardrail_name: ${{ vars.OPENROUTER_GUARDRAIL_NAME }}
      include_openai: "false"
      include_google: "true"
      include_anthropic: "false"
      upload_artifacts: "false"
    secrets:
      OPENROUTER_PROVISIONING_KEY: ${{ secrets.OPENROUTER_PROVISIONING_KEY }}

Inputs

Input Required Default Description
guardrail_name No US Cached Models Only Guardrail name
min_throughput_p50 No 50 Minimum throughput (p50, tok/sec)
max_latency_p50 No 2000 Maximum latency (p50, ms)
include_openai No false Include the OpenAI provider
include_google No true Include Google models and providers
include_anthropic No false Include Anthropic models and provider
upload_artifacts No false Upload endpoint-report.csv

Secrets

Secret Required Description
OPENROUTER_PROVISIONING_KEY Yes OpenRouter key

Action inputs

Input Required Default Description
provisioning_key Yes OpenRouter key
guardrail_name No US Cached Models Only Guardrail name
include_openai No false Include the OpenAI provider
include_google No true Include Google models and providers
include_anthropic No false Include Anthropic models and provider
upload_artifacts No false Upload endpoint-report.csv

Secrets and vars

  1. Add OPENROUTER_PROVISIONING_KEY as a secret:
  2. (Optional) Add OPENROUTER_GUARDRAIL_NAME as a variable:
    • Settings > Secrets and variables > Actions

Local use

Run the scripts to test or debug:

./scripts/fetch-providers.sh
OPENROUTER_PROVISIONING_KEY="your-key-here" ./scripts/fetch-cached-models.sh

export OPENROUTER_PROVISIONING_KEY="your-key-here"
./scripts/update-guardrail.sh

Performance filter

The model list is also filtered by endpoint performance (p50 over the last 30 minutes). Only endpoints from US providers count, and endpoint tags with explicit non-US region suffixes, such as /eu, are excluded.

  • Minimum throughput: 50 tok/sec
  • Maximum latency: 2000 ms

Override with env vars:

  • OPENROUTER_MIN_THROUGHPUT_P50
  • OPENROUTER_MAX_LATENCY_P50

Available models output

If you are curious what this repo allows right now, check the artifacts from the scheduled workflow in this repo: Demo Update OpenRouter Guardrail.

Contributing

This is a personal tool. You can fork it.