Module: Legion::Extensions::Llm::Bedrock
- Extended by:
- Core, AutoRegistration, Logging::Helper
- Defined in:
- lib/legion/extensions/llm/bedrock.rb,
lib/legion/extensions/llm/bedrock/version.rb,
lib/legion/extensions/llm/bedrock/provider.rb,
lib/legion/extensions/llm/bedrock/translator.rb,
lib/legion/extensions/llm/bedrock/actors/fleet_worker.rb,
lib/legion/extensions/llm/bedrock/runners/fleet_worker.rb,
lib/legion/extensions/llm/bedrock/actors/discovery_refresh.rb
Overview
Amazon Bedrock provider extension namespace.
Defined Under Namespace
Modules: Actor, Runners Classes: Provider, StaticCredentialsBlockedError, Translator
Constant Summary collapse
- PROVIDER_FAMILY =
:bedrock- DEFAULT_REGION =
'us-east-2'- DEFAULT_MODEL =
Provider’s preferred default when the operator configures none. Used only as a fallback and only when the configured model policy permits it (see resolve_default_model) — a whitelist/blacklist is never overridden.
'anthropic.claude-sonnet-4'- DEFAULT_CAPABILITIES =
%i[completion streaming embedding].freeze
- VERSION =
'0.4.9'
Class Method Summary collapse
-
.broker_aws_credentials ⇒ Object
Fetch AWS credentials from the Legion Identity Broker.
-
.claude_env_pattern_match ⇒ Object
Scan Claude config env hash for any key containing all of AWS, BEARER, TOKEN, and BEDROCK fragments (case-insensitive).
- .dedup_config(config) ⇒ Object
- .default_settings ⇒ Object
- .discover_broker(candidates) ⇒ Object
- .discover_claude_bearer(candidates) ⇒ Object
- .discover_env_bearer(candidates) ⇒ Object
- .discover_env_sigv4(candidates) ⇒ Object
- .discover_instances ⇒ Object
- .discover_settings(candidates) ⇒ Object
- .normalize_instance_config(config) ⇒ Object
- .provider_class ⇒ Object
- .registry_publisher ⇒ Object
-
.resolve_default_model(config) ⇒ Object
Resolve a default_model that never violates the configured model policy (whitelist/blacklist stays authoritative over the DEFAULT_MODEL fallback).
- .sanitize_instance_config(config) ⇒ Object
- .settings_instances(config) ⇒ Object
- .unresolved_credential?(config) ⇒ Boolean
Class Method Details
.broker_aws_credentials ⇒ Object
Fetch AWS credentials from the Legion Identity Broker.
202 203 204 205 206 207 208 209 210 211 212 213 214 215 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 202 def self.broker_aws_credentials return nil unless defined?(Legion::Identity::Broker) creds = Legion::Identity::Broker.credentials_for(:aws) return nil unless creds.is_a?(Hash) akid = creds[:access_key_id] || creds['access_key_id'] return nil unless akid { api_key: akid, bedrock_access_key_id: akid, bedrock_secret_access_key: creds[:secret_access_key] || creds['secret_access_key'], bedrock_session_token: creds[:session_token] || creds['session_token'], bedrock_region: creds[:region] || creds['region'] || DEFAULT_REGION }.compact end |
.claude_env_pattern_match ⇒ Object
Scan Claude config env hash for any key containing all of AWS, BEARER, TOKEN, and BEDROCK fragments (case-insensitive).
189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 189 def self.claude_env_pattern_match env_hash = CredentialSources.claude_config_value(:env) return nil unless env_hash.is_a?(Hash) fragments = %w[AWS BEARER TOKEN BEDROCK] _key, value = env_hash.find do |k, _v| upper = k.to_s.upcase fragments.all? { |frag| upper.include?(frag) } end value end |
.dedup_config(config) ⇒ Object
239 240 241 242 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 239 def self.dedup_config(config) key = config[:bedrock_access_key_id] key ? config.merge(api_key: key) : config end |
.default_settings ⇒ Object
27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 27 def self.default_settings ::Legion::Extensions::Llm.provider_settings( family: PROVIDER_FAMILY, instance: { default_model: DEFAULT_MODEL, region: 'us-east-1', geo_prefix: 'us', tier: :cloud, transport: :aws_sdk, credentials: { bearer_token: nil, access_key_id: nil, secret_access_key: nil, session_token: nil, profile: nil }, provider: { region: DEFAULT_REGION, geo_prefix: 'us', endpoint: nil, stub_responses: false }, usage: { inference: true, embedding: true, image: false }, limits: { concurrency: 4 }, fleet: { enabled: false, respond_to_requests: false, capabilities: %i[chat stream_chat embed tools] } } ) end |
.discover_broker(candidates) ⇒ Object
176 177 178 179 180 181 182 183 184 185 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 176 def self.discover_broker(candidates) return unless defined?(Legion::Identity::Broker) broker_creds = broker_aws_credentials return unless broker_creds broker_creds[:source] = CredentialSources.source_tag(:broker, 'identity', 'aws') broker_creds[:credential_fingerprint] = CredentialSources.config_fingerprint(broker_creds) candidates[:broker] = broker_creds.merge(tier: :cloud) end |
.discover_claude_bearer(candidates) ⇒ Object
126 127 128 129 130 131 132 133 134 135 136 137 138 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 126 def self.discover_claude_bearer(candidates) claude_bearer = CredentialSources.claude_env_value('AWS_BEARER_TOKEN_BEDROCK') claude_bearer ||= claude_env_pattern_match return unless claude_bearer candidates[:claude] = { bearer_token: claude_bearer, bedrock_region: CredentialSources.claude_env_value('AWS_DEFAULT_REGION') || DEFAULT_REGION, tier: :cloud, source: CredentialSources.source_tag(:file, '~/.claude/settings.json', 'AWS_BEARER_TOKEN_BEDROCK'), credential_fingerprint: CredentialSources.credential_fingerprint(claude_bearer) } end |
.discover_env_bearer(candidates) ⇒ Object
113 114 115 116 117 118 119 120 121 122 123 124 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 113 def self.discover_env_bearer(candidates) bearer = CredentialSources.env('AWS_BEARER_TOKEN_BEDROCK') return unless bearer candidates[:env_bearer] = { bearer_token: bearer, bedrock_region: CredentialSources.env('AWS_DEFAULT_REGION') || DEFAULT_REGION, tier: :cloud, source: CredentialSources.source_tag(:env, 'AWS_BEARER_TOKEN_BEDROCK'), credential_fingerprint: CredentialSources.credential_fingerprint(bearer) } end |
.discover_env_sigv4(candidates) ⇒ Object
140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 140 def self.discover_env_sigv4(candidates) akid = CredentialSources.env('AWS_ACCESS_KEY_ID') skey = CredentialSources.env('AWS_SECRET_ACCESS_KEY') return unless akid && skey candidates[:env_sigv4] = { api_key: akid, bedrock_access_key_id: akid, bedrock_secret_access_key: skey, bedrock_session_token: CredentialSources.env('AWS_SESSION_TOKEN'), bedrock_region: CredentialSources.env('AWS_DEFAULT_REGION') || DEFAULT_REGION, tier: :cloud, source: CredentialSources.source_tag(:env, 'AWS_ACCESS_KEY_ID'), credential_fingerprint: CredentialSources.credential_fingerprint(akid) }.compact end |
.discover_instances ⇒ Object
70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 70 def self.discover_instances candidates = {} discover_env_bearer(candidates) discover_claude_bearer(candidates) discover_env_sigv4(candidates) discover_settings(candidates) discover_broker(candidates) CredentialSources.dedup_credentials(candidates) .reject { |_, config| unresolved_credential?(config) } .transform_values do |config| sanitized = sanitize_instance_config(config) sanitized[:capabilities] ||= DEFAULT_CAPABILITIES.dup sanitized[:default_model] = resolve_default_model(sanitized) sanitized end end |
.discover_settings(candidates) ⇒ Object
155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 155 def self.discover_settings(candidates) settings = CredentialSources.setting(:extensions, :llm, :bedrock) return unless settings.is_a?(Hash) && !settings.empty? default_config = dedup_config(normalize_instance_config(settings)) unless default_config.empty? default_config[:source] = CredentialSources.source_tag(:settings, 'extensions.llm.bedrock') default_config[:credential_fingerprint] = CredentialSources.config_fingerprint(default_config) candidates[:settings] = default_config.merge(tier: :cloud) end settings_instances(settings).each do |name, config| next unless config.is_a?(Hash) normalized = dedup_config(normalize_instance_config(config)) normalized[:source] = CredentialSources.source_tag(:settings, "extensions.llm.bedrock.instances.#{name}") normalized[:credential_fingerprint] = CredentialSources.config_fingerprint(normalized) candidates[name.to_sym] = normalized.merge(tier: :cloud) end end |
.normalize_instance_config(config) ⇒ Object
222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 222 def self.normalize_instance_config(config) return {} if config.nil? normalized = config.to_h.transform_keys { |key| key.respond_to?(:to_sym) ? key.to_sym : key } normalized[:bedrock_region] ||= normalized.delete(:region) normalized[:bedrock_geo_prefix] ||= normalized.delete(:geo_prefix) normalized[:bedrock_endpoint] ||= normalized.delete(:endpoint) normalized[:bedrock_endpoint] ||= normalized.delete(:base_url) normalized[:bedrock_endpoint] ||= normalized.delete(:api_base) normalized[:bedrock_access_key_id] ||= normalized.delete(:api_key) || normalized.delete(:access_key_id) normalized[:bedrock_secret_access_key] ||= normalized.delete(:secret_key) normalized[:bedrock_secret_access_key] ||= normalized.delete(:secret_access_key) normalized[:bedrock_session_token] ||= normalized.delete(:session_token) normalized[:bedrock_profile] ||= normalized.delete(:profile) normalized.compact.except(:instances) end |
.provider_class ⇒ Object
60 61 62 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 60 def self.provider_class Provider end |
.registry_publisher ⇒ Object
64 65 66 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 64 def self.registry_publisher @registry_publisher ||= Legion::Extensions::Llm::RegistryPublisher.new(provider_family: PROVIDER_FAMILY) end |
.resolve_default_model(config) ⇒ Object
Resolve a default_model that never violates the configured model policy (whitelist/blacklist stays authoritative over the DEFAULT_MODEL fallback).
89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 89 def self.resolve_default_model(config) cfg = config.is_a?(Hash) ? config : {} provider_conf = CredentialSources.setting(:extensions, :llm, PROVIDER_FAMILY) provider_conf = {} unless provider_conf.is_a?(Hash) global_conf = (::Legion::Settings.dig(:extensions, :llm) if defined?(::Legion::Settings)) global_conf = {} unless global_conf.is_a?(Hash) provider_class.policy_safe_default_model( configured: cfg[:default_model], fallback: DEFAULT_MODEL, whitelist: provider_class.resolve_policy_value(cfg, provider_conf, global_conf, :model_whitelist), blacklist: provider_class.resolve_policy_value(cfg, provider_conf, global_conf, :model_blacklist) ) end |
.sanitize_instance_config(config) ⇒ Object
244 245 246 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 244 def self.sanitize_instance_config(config) config.except(:api_key) end |
.settings_instances(config) ⇒ Object
217 218 219 220 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 217 def self.settings_instances(config) instances = config[:instances] || config['instances'] instances.is_a?(Hash) ? instances : {} end |
.unresolved_credential?(config) ⇒ Boolean
104 105 106 107 108 109 110 111 |
# File 'lib/legion/extensions/llm/bedrock.rb', line 104 def self.unresolved_credential?(config) return false if config[:bedrock_profile] cred = config[:bearer_token] || config[:bedrock_access_key_id] || config[:api_key] return true if cred.nil? cred.to_s.match?(%r{\A(vault|env)://}) end |