Module: Legion::Extensions::Llm::Bedrock

Extended by:

Core, AutoRegistration, Logging::Helper

Defined in:

lib/legion/extensions/llm/bedrock.rb,
lib/legion/extensions/llm/bedrock/version.rb,
lib/legion/extensions/llm/bedrock/provider.rb,
lib/legion/extensions/llm/bedrock/translator.rb,
lib/legion/extensions/llm/bedrock/actors/fleet_worker.rb,
lib/legion/extensions/llm/bedrock/runners/fleet_worker.rb,
lib/legion/extensions/llm/bedrock/actors/discovery_refresh.rb

Overview

Amazon Bedrock provider extension namespace.

Defined Under Namespace

Modules: Actor, Runners Classes: Provider, StaticCredentialsBlockedError, Translator

Constant Summary

PROVIDER_FAMILY =

:bedrock

DEFAULT_REGION =

'us-east-2'

DEFAULT_MODEL =

Provider’s preferred default when the operator configures none. Used only as a fallback and only when the configured model policy permits it (see resolve_default_model) — a whitelist/blacklist is never overridden.

'anthropic.claude-sonnet-4'

DEFAULT_CAPABILITIES =

%i[completion streaming embedding].freeze

VERSION =

'0.4.4'

Class Method Summary

• .broker_aws_credentials ⇒ Object

  Fetch AWS credentials from the Legion Identity Broker.

• .claude_env_pattern_match ⇒ Object

  Scan Claude config env hash for any key containing all of AWS, BEARER, TOKEN, and BEDROCK fragments (case-insensitive).

• .dedup_config(config) ⇒ Object
• .default_settings ⇒ Object
• .discover_broker(candidates) ⇒ Object
• .discover_claude_bearer(candidates) ⇒ Object
• .discover_env_bearer(candidates) ⇒ Object
• .discover_env_sigv4(candidates) ⇒ Object
• .discover_instances ⇒ Object
• .discover_settings(candidates) ⇒ Object
• .normalize_instance_config(config) ⇒ Object
• .provider_class ⇒ Object
• .registry_publisher ⇒ Object
• .resolve_default_model(config) ⇒ Object

  Resolve a default_model that never violates the configured model policy (whitelist/blacklist stays authoritative over the DEFAULT_MODEL fallback).

• .sanitize_instance_config(config) ⇒ Object
• .settings_instances(config) ⇒ Object
• .unresolved_credential?(config) ⇒ Boolean

Class Method Details

.broker_aws_credentials ⇒ Object

Fetch AWS credentials from the Legion Identity Broker.

# File 'lib/legion/extensions/llm/bedrock.rb', line 192

def self.broker_aws_credentials
  return nil unless defined?(Legion::Identity::Broker)

  creds = Legion::Identity::Broker.credentials_for(:aws)
  return nil unless creds.is_a?(Hash)

  akid = creds[:access_key_id] || creds['access_key_id']
  return nil unless akid

  { api_key: akid, bedrock_access_key_id: akid,
    bedrock_secret_access_key: creds[:secret_access_key] || creds['secret_access_key'],
    bedrock_session_token: creds[:session_token] || creds['session_token'],
    bedrock_region: creds[:region] || creds['region'] || DEFAULT_REGION }.compact
end

.claude_env_pattern_match ⇒ Object

Scan Claude config env hash for any key containing all of AWS, BEARER, TOKEN, and BEDROCK fragments (case-insensitive).

# File 'lib/legion/extensions/llm/bedrock.rb', line 179

def self.claude_env_pattern_match
  env_hash = CredentialSources.claude_config_value(:env)
  return nil unless env_hash.is_a?(Hash)

  fragments = %w[AWS BEARER TOKEN BEDROCK]
  _key, value = env_hash.find do |k, _v|
    upper = k.to_s.upcase
    fragments.all? { |frag| upper.include?(frag) }
  end
  value
end

.dedup_config(config) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 228

def self.dedup_config(config)
  key = config[:bedrock_access_key_id]
  key ? config.merge(api_key: key) : config
end

.default_settings ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 27

def self.default_settings
  ::Legion::Extensions::Llm.provider_settings(
    family: PROVIDER_FAMILY,
    instance: {
      default_model: DEFAULT_MODEL,
      region: 'us-east-1',
      tier: :cloud,
      transport: :aws_sdk,
      credentials: {
        bearer_token: nil,
        access_key_id: nil,
        secret_access_key: nil,
        session_token: nil,
        profile: nil
      },
      provider: {
        region: DEFAULT_REGION,
        endpoint: nil,
        stub_responses: false
      },
      usage: { inference: true, embedding: true, image: false },
      limits: { concurrency: 4 },
      fleet: {
        enabled: false,
        respond_to_requests: false,
        capabilities: %i[chat stream_chat embed tools]
      }
    }
  )
end

.discover_broker(candidates) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 166

def self.discover_broker(candidates)
  return unless defined?(Legion::Identity::Broker)

  broker_creds = broker_aws_credentials
  return unless broker_creds

  broker_creds[:source] = CredentialSources.source_tag(:broker, 'identity', 'aws')
  broker_creds[:credential_fingerprint] = CredentialSources.config_fingerprint(broker_creds)
  candidates[:broker] = broker_creds.merge(tier: :cloud)
end

.discover_claude_bearer(candidates) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 116

def self.discover_claude_bearer(candidates)
  claude_bearer = CredentialSources.claude_env_value('AWS_BEARER_TOKEN_BEDROCK')
  claude_bearer ||= claude_env_pattern_match
  return unless claude_bearer

  candidates[:claude] = {
    bearer_token: claude_bearer,
    bedrock_region: CredentialSources.claude_env_value('AWS_DEFAULT_REGION') || DEFAULT_REGION,
    tier: :cloud,
    source: CredentialSources.source_tag(:file, '~/.claude/settings.json', 'AWS_BEARER_TOKEN_BEDROCK'),
    credential_fingerprint: CredentialSources.credential_fingerprint(claude_bearer)
  }
end

.discover_env_bearer(candidates) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 103

def self.discover_env_bearer(candidates)
  bearer = CredentialSources.env('AWS_BEARER_TOKEN_BEDROCK')
  return unless bearer

  candidates[:env_bearer] = {
    bearer_token: bearer,
    bedrock_region: CredentialSources.env('AWS_DEFAULT_REGION') || DEFAULT_REGION,
    tier: :cloud,
    source: CredentialSources.source_tag(:env, 'AWS_BEARER_TOKEN_BEDROCK'),
    credential_fingerprint: CredentialSources.credential_fingerprint(bearer)
  }
end

.discover_env_sigv4(candidates) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 130

def self.discover_env_sigv4(candidates)
  akid = CredentialSources.env('AWS_ACCESS_KEY_ID')
  skey = CredentialSources.env('AWS_SECRET_ACCESS_KEY')
  return unless akid && skey

  candidates[:env_sigv4] = {
    api_key: akid, bedrock_access_key_id: akid, bedrock_secret_access_key: skey,
    bedrock_session_token: CredentialSources.env('AWS_SESSION_TOKEN'),
    bedrock_region: CredentialSources.env('AWS_DEFAULT_REGION') || DEFAULT_REGION,
    tier: :cloud,
    source: CredentialSources.source_tag(:env, 'AWS_ACCESS_KEY_ID'),
    credential_fingerprint: CredentialSources.credential_fingerprint(akid)
  }.compact
end

.discover_instances ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 68

def self.discover_instances
  candidates = {}
  discover_env_bearer(candidates)
  discover_claude_bearer(candidates)
  discover_env_sigv4(candidates)
  discover_settings(candidates)
  discover_broker(candidates)
  CredentialSources.dedup_credentials(candidates)
                   .reject { |_, config| unresolved_credential?(config) }
                   .transform_values do |config|
    sanitized = sanitize_instance_config(config)
    sanitized[:capabilities] ||= DEFAULT_CAPABILITIES.dup
    sanitized[:default_model] = resolve_default_model(sanitized)
    sanitized
  end
end

.discover_settings(candidates) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 145

def self.discover_settings(candidates)
  settings = CredentialSources.setting(:extensions, :llm, :bedrock)
  return unless settings.is_a?(Hash) && !settings.empty?

  default_config = dedup_config(normalize_instance_config(settings))
  unless default_config.empty?
    default_config[:source] = CredentialSources.source_tag(:settings, 'extensions.llm.bedrock')
    default_config[:credential_fingerprint] = CredentialSources.config_fingerprint(default_config)
    candidates[:settings] = default_config.merge(tier: :cloud)
  end

  settings_instances(settings).each do |name, config|
    next unless config.is_a?(Hash)

    normalized = dedup_config(normalize_instance_config(config))
    normalized[:source] = CredentialSources.source_tag(:settings, "extensions.llm.bedrock.instances.#{name}")
    normalized[:credential_fingerprint] = CredentialSources.config_fingerprint(normalized)
    candidates[name.to_sym] = normalized.merge(tier: :cloud)
  end
end

.normalize_instance_config(config) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 212

def self.normalize_instance_config(config)
  return {} if config.nil?

  normalized = config.to_h.transform_keys { |key| key.respond_to?(:to_sym) ? key.to_sym : key }
  normalized[:bedrock_region] ||= normalized.delete(:region)
  normalized[:bedrock_endpoint] ||= normalized.delete(:endpoint)
  normalized[:bedrock_endpoint] ||= normalized.delete(:base_url)
  normalized[:bedrock_endpoint] ||= normalized.delete(:api_base)
  normalized[:bedrock_access_key_id] ||= normalized.delete(:api_key) || normalized.delete(:access_key_id)
  normalized[:bedrock_secret_access_key] ||= normalized.delete(:secret_key)
  normalized[:bedrock_secret_access_key] ||= normalized.delete(:secret_access_key)
  normalized[:bedrock_session_token] ||= normalized.delete(:session_token)
  normalized[:bedrock_profile] ||= normalized.delete(:profile)
  normalized.compact.except(:instances)
end

.provider_class ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 58

def self.provider_class
  Provider
end

.registry_publisher ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 62

def self.registry_publisher
  @registry_publisher ||= Legion::Extensions::Llm::RegistryPublisher.new(provider_family: PROVIDER_FAMILY)
end

.resolve_default_model(config) ⇒ Object

Resolve a default_model that never violates the configured model policy (whitelist/blacklist stays authoritative over the DEFAULT_MODEL fallback).

# File 'lib/legion/extensions/llm/bedrock.rb', line 87

def self.resolve_default_model(config)
  provider_class.policy_safe_default_model(
    configured: config[:default_model], fallback: DEFAULT_MODEL,
    **provider_class.model_policy(config, PROVIDER_FAMILY)
  )
end

.sanitize_instance_config(config) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 233

def self.sanitize_instance_config(config)
  config.except(:api_key)
end

.settings_instances(config) ⇒ Object

# File 'lib/legion/extensions/llm/bedrock.rb', line 207

def self.settings_instances(config)
  instances = config[:instances] || config['instances']
  instances.is_a?(Hash) ? instances : {}
end

.unresolved_credential?(config) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/extensions/llm/bedrock.rb', line 94

def self.unresolved_credential?(config)
  return false if config[:bedrock_profile]

  cred = config[:bearer_token] || config[:bedrock_access_key_id] || config[:api_key]
  return true if cred.nil?

  cred.to_s.match?(%r{\A(vault|env)://})
end