[fix] Make credential resolution work for provider keys, bare models, and Bedrock#5057
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…odels-secrets-review-part-1 # Conflicts: # web/packages/agenta-entity-ui/src/DrillInView/SchemaControls/agentTemplate/useModelHarness.tsx
…log lag The provider/secrets resolver changes moved four things the tests still encoded the old way, and the OpenRouter model check fought the catalog. - connections: provider keys are addressed by their PROVIDER (header.name is display-only, never a slug), and a bare model id present in the catalog infers its provider instead of failing loud. Tests updated + a new test_bare_catalog_model_infers_provider. - default template: the runtime selection is provider-qualified, so the /inspect default parses to `provider/model`, not a bare `model`. - commit diff: agent templates key the model as `llm.model`; the summary builder now reads that alongside the legacy `model`. Tests updated. - supported_llm_models: OpenRouter's list intentionally tracks current top-used ids that the pinned litellm build hasn't indexed yet. For that provider a miss is expected lag, so it xfails (still catching a typo'd prefix structurally) instead of failing CI. The catalog is unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Context
Three failures around model credentials, found by walking one scenario end to end (a fresh agent, then a Bedrock connection):
llm: {model: "gpt-5.5"}with no provider, and the resolver refuses bare model ids (F-017):model 'gpt-5.5' needs a provider prefix.slugon standard provider keys (fromheader.name, which standard keys never have), so every plain provider key was invisible:no connection resolved for provider 'openai'.provider: "bedrock", which the harness check rejects (provider 'bedrock' is not supported by harness 'claude') because bedrock is a deployment, not a provider family.Changes
Default template carries a provider.
build_agent_v0_defaultnow emitsllm: {provider: "openai", model: ...}. The provider constant derives from the default harness's reachable set, so the two defaults cannot drift apart.Provider keys resolve by provider, not by name.
_provider_key_candidateno longer requiresheader.name. A standard key is identified by its provider family;header.namewas never a slug.One provider inference for bare ids.
infer_provider_from(model)merges the Claude alias set, theclaude-*structural rule, and an invertedsupported_llm_modelscatalog (unambiguous ids only). Known bare ids likegpt-5.5resolve; unknown or cross-provider ids still fail loud.Bedrock, end to end.
PROVIDER_AUTH_REQUIREMENTS): bearer token OR access-key pair, validated as a group instead of hardcoded per-field checks.AWS_BEARER_TOKEN_BEDROCK(the one channel Pi and Claude Code both accept), and no longer leaks intoANTHROPIC_API_KEY.familyFromModelId:eu.anthropic.claude-haiku-4-5givesanthropic) and auto-fills the connection slug.Before, picking the Bedrock model produced a config that could not pass the harness gate:
After:
The resolver then injects
AWS_BEARER_TOKEN_BEDROCK+AWS_REGION, and the runner setsCLAUDE_CODE_USE_BEDROCK=1.Commit modal. The "Model & harness" diff section now shows
llm.modelandllm.providerrows (provider moved out of Advanced).Runner. One log line per run states the resolved model, provider, deployment, connection, and secret key names (never values). This is what located every failure above.
Tests / notes
tsc --noEmitclean on entity-ui/entities/shared; eslint clean.tsc --noEmitclean, vitest green.gpt-5.5as the default model id is a separate data question (it resolves and authenticates, but is not a real OpenAI id).What to QA