Add Kiro CLI provider with multi-credential support #116

Open
ItzMeAyben wants to merge 3 commits into Mirrowel:main from ItzMeAyben:feature/kiro-cli-provider

@ItzMeAyben

Summary

Add Kiro CLI (Amazon Q / Kiro) provider enabling access to Claude models via AWS Bedrock using Kiro CLI authentication.

Port Note: Uses 7777 (project default) vs reference's 8000.

Features

  • Multi-credential authentication - Environment variables, JSON files, SQLite database with auto-detection
  • Automatic token refresh - Refreshes expired tokens via AWS SSO OIDC/Kiro Desktop endpoints automatically
  • Token persistence - Saves refreshed tokens back to source (JSON/SQLite)
  • Dual authentication types - Kiro Desktop and AWS SSO OIDC (auto-detected)
  • AWS Event Stream parsing - Proper handling of streaming responses with <thinking> block extraction
  • Full OpenAI compatibility - Chat completions, streaming, tool calling, vision support
  • Cross-platform - macOS and Linux path support

Supported Models

All Claude models available through Kiro API:

| Model | Thinking Support | Context Limit |
|---|---|---|
| claude-sonnet-4-5 | | 200K |
| claude-opus-4-5 | | 200K |
| claude-sonnet-4 | | 200K |
| claude-haiku-4-5 | | 200K |
| claude-3-7-sonnet | | 200K |

Architecture

Authentication Flow

sequenceDiagram
    participant Client as API Client
    participant Proxy as LLM Proxy
    participant Auth as KiroAuthManager
    participant Store as Credential Store
    participant OIDC as AWS SSO/Kiro Auth
    participant API as Kiro Bedrock API

    Client->>Proxy: POST /v1/chat/completions
    Proxy->>Auth: get_access_token()
    Auth->>Store: Load credentials
    Store-->>Auth: Token + metadata
    
    alt Token valid (> 10min remaining)
        Auth-->>Proxy: Valid access_token
    else Token expired or expiring
        Auth->>OIDC: Refresh token request
        OIDC-->>Auth: New access_token (1hr)
        Auth->>Store: Save refreshed token
        Auth-->>Proxy: New access_token
    end
    
    Proxy->>API: Request with Bearer token
    API-->>Proxy: Event Stream response
    Proxy-->>Client: OpenAI SSE chunks

Token Management

Automatic Refresh

  • Access tokens expire in 1 hour
  • Tokens automatically refresh 10 minutes before expiry
  • Refreshed tokens saved back to credential source
  • Supports both Kiro Desktop and AWS SSO OIDC flows

Token Storage Locations

| OS | Path |
|---|---|
| macOS | ~/Library/Application Support/kiro-cli/data.sqlite3 |
| macOS | ~/.aws/sso/cache/kiro-auth-token.json |
| Linux | ~/.local/share/kiro-cli/data.sqlite3 |
| Linux | ~/.aws/sso/cache/kiro-auth-token.json |

Authentication Priority

  1. KIRO_REFRESH_TOKEN / REFRESH_TOKEN environment variable
  2. JSON credentials file (KIRO_CREDS_FILE)
  3. SQLite database (KIRO_CLI_DB_FILE)
  4. Auto-detected default paths

System Architecture

graph TB
    subgraph "LLM Proxy Server"
        A[FastAPI Router] --> B[KiroCliProvider]
        B --> C[Message Converters]
        B --> D[Stream Parser]
        B --> E[HTTP Client]
    end
    
    subgraph "Authentication Layer"
        F[KiroAuthManager] --> G[(JSON Files)]
        F --> H[(SQLite DB)]
        F --> I[Token Refresh]
        I --> J[AWS SSO OIDC]
        I --> K[Kiro Desktop Auth]
    end
    
    subgraph "External Services"
        L[Kiro Bedrock API]
    end
    
    B --> F
    E -->|Bearer Token| L
    F -->|Credentials| E
    L -->|AWS Event Stream| D
    D -->|OpenAI SSE| A
    C -->|Kiro Payload| E

Project Structure

src/
└── rotator_library/                    # Core library (LGPL-3.0-only)
    ├── credential_manager.py           # Modified: Kiro credential discovery
    └── providers/                      # LLM provider implementations
        ├── kiro_auth_base.py           # NEW: Token lifecycle & auth manager
        ├── kiro_cli_provider.py        # NEW: Provider implementation
        └── utilities/
            ├── kiro_converters.py      # NEW: Message/tool format conversion
            ├── kiro_http_client.py     # NEW: HTTP client with retry logic
            ├── kiro_streaming.py       # NEW: AWS Event Stream parser
            └── kiro_utils.py           # NEW: Configuration & utilities

src/proxy_app/                          # Proxy application (MIT)
├── launcher_tui.py                     # Modified: TUI credential detection
└── main.py                             # Modified: Skip JSON parsing for SQLite

docker/
├── docker-compose.dev.yml              # Modified: Kiro credential volume mounts
└── .env.example                        # Modified: Kiro auth documentation

Testing

Verified working across multiple scenarios:

  • ✅ JSON credentials (Kiro IDE, macOS)
  • ✅ SQLite credentials (kiro-cli, macOS)
  • ✅ Environment variable authentication
  • ✅ Auto-detection across credential types
  • ✅ Token refresh and persistence
  • ✅ Chat completions endpoint
  • ✅ Streaming responses with thinking blocks
  • ✅ Tool calling support
  • ✅ Vision support
  • ✅ Multi-turn conversations
  • ✅ Model listing
  • ✅ Docker deployment with volume mounts
  • ✅ Cross-platform paths (macOS/Linux)

Implementation Notes

  • Provider Interface: Follows ProviderInterface pattern from provider_interface.py
  • Custom Logic: Implements has_custom_logic() for direct API handling
  • Licensing: LGPL-3.0 headers on all new files (per CONTRIBUTING.md)
  • Integration: Seamlessly integrated with existing credential system
  • Documentation: Comprehensive setup guide in README.md & .env.example
  • Error Handling: Exponential backoff for 403/429/5xx with automatic token refresh on 403

Checklist

  • Code follows project's style guidelines
  • LGPL-3.0 license headers added to all new files
  • Follows ProviderInterface pattern
  • Integrated with existing credential management
  • Cross-platform support (macOS/Linux)
  • Documentation added (README.md, .env.example)
  • Docker deployment support
  • Tested with multiple authentication methods

Acknowledgments

Implementation adapted from kiro-gateway by @Jwadow - reference for Kiro API flows, AWS Event Stream parsing, and message format conversions. Integrated into LLM-API-Key-Proxy's provider architecture with LGPL-3.0 licensing.
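
The authentication priority and the 10-minute refresh margin described in this PR, as an added example that is not code from the PR or the project. Function names, the SQLite-before-JSON order among default paths, and the owner-only atomic write when persisting are assumptions; only source selection is shown because the credential file schemas are not on the page.

```python
import os
import sys
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

REFRESH_MARGIN = timedelta(minutes=10)  # refresh 10 minutes before expiry, per the PR

def default_paths(home: Path, platform: str) -> list[Path]:
    """Default locations from the PR's table (SQLite first is an assumption)."""
    data = "Library/Application Support" if platform == "darwin" else ".local/share"
    return [home / data / "kiro-cli" / "data.sqlite3",
            home / ".aws/sso/cache/kiro-auth-token.json"]

def resolve_source(env, home: Path, platform: str = sys.platform):
    """Return (kind, location) following the PR's authentication priority."""
    for var in ("KIRO_REFRESH_TOKEN", "REFRESH_TOKEN"):
        if env.get(var):
            return ("env", var)  # report the variable name only, never the token
    for var, kind in (("KIRO_CREDS_FILE", "json"), ("KIRO_CLI_DB_FILE", "sqlite")):
        if env.get(var):
            return (kind, Path(env[var]).expanduser())
    for path in default_paths(home, platform):
        if path.is_file():
            return ("sqlite" if path.suffix == ".sqlite3" else "json", path)
    return None

def needs_refresh(expires_at: datetime, now: datetime) -> bool:
    """True when the token is expired or has 10 minutes or less remaining."""
    return expires_at - now <= REFRESH_MARGIN

def save_private(path: Path, data: bytes) -> None:
    """Persist refreshed credentials atomically with owner-only permissions."""
    fd, tmp = tempfile.mkstemp(dir=path.parent)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)  # atomic swap, readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
```

Because an explicit environment variable wins over files on disk, a stale `REFRESH_TOKEN` left in a shell or container environment silently overrides fresher credentials in the JSON or SQLite store.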

ItzMeAyben and others added 3 commits February 2, 2026 23:04
Add comprehensive Kiro CLI (Amazon Q / Kiro) provider implementation with support for multiple authentication methods:

- Direct refresh token via environment variables
- JSON credentials from Kiro IDE (~/.aws/sso/cache/kiro-auth-token.json)
- SQLite database from kiro-cli (macOS and Linux)
- Auto-detection with configurable priority

Features:
- KiroAuthManager with AWS SSO OIDC and Kiro Desktop auth support
- Token refresh with automatic expiration handling
- HTTP client with retry logic (403, 429, 5xx)
- OpenAI message/tool format conversion to Kiro API
- AWS Event Stream parsing for streaming responses
- Thinking block extraction and formatting
- macOS and Linux path support

Updates:
- credential_manager.py: Add Kiro credential discovery
- launcher_tui.py: Add Kiro credential detection in TUI
- main.py: Skip JSON parsing for Kiro SQLite credentials
- docker-compose.dev.yml: Add Kiro credential volume mounts
- .env.example: Document all Kiro auth options
- README.md: Add comprehensive Kiro setup documentation

Co-authored-by: Cursor <cursoragent@cursor.com>

Add SPDX-License-Identifier and Copyright headers to all new Kiro provider
files as required by CONTRIBUTING.md guidelines.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ItzMeAyben ItzMeAyben requested a review from Mirrowel as a code owner February 2, 2026 18:48
@mirrobot-agent
Contributor

mirrobot-agent bot commented Feb 2, 2026

I'm starting a comprehensive review of the new Kiro CLI provider implementation. I see a significant amount of work here, including multi-credential support and the global port transition to 7777. I'll dive into the authentication logic and streaming parser now and provide detailed feedback shortly.
