Add AWS BYOK with naive approach only for anthropic models

[lambertjosh]

Adds AWS BYOK support but only for Anthropic models for now. We need full model list (separate PR) to add full support.

[kiloconnect]

WARNING: JSON.parse without error handling + as type assertion

Two issues here:

1. Runtime crash risk: If a user saves malformed JSON as their Bedrock credentials (the backend CreateBYOKKeyInputSchema only validates z.string().min(1) — no JSON validation for bedrock), JSON.parse will throw an unhandled exception, crashing this request. Consider wrapping in a try-catch or, better, validating the JSON shape with a Zod schema (e.g. z.object({ accessKeyId: z.string(), secretAccessKey: z.string(), region: z.string().optional() }).parse(...)) which both validates and avoids the as cast.

2. Coding style: Per project rules, as casts are strongly discouraged. Using z.object(...).parse(...) would satisfy both the validation need and the style rule.

[kiloconnect]

SUGGESTION: Consider making the union discriminated

This union type has no discriminant property, which means TypeScript can't narrow it without manual checks. If Vercel's gateway API accepts it, consider adding a discriminant (e.g. type: 'apiKey' | 'bedrock') or at minimum adding a comment explaining how consumers should distinguish between the two shapes. As-is, code consuming VercelInferenceProviderConfig will need to use 'accessKeyId' in config checks to narrow.

[kiloconnect]

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	1

Issue Details (click to expand)

WARNING

File	Line	Issue
src/lib/providers/vercel.ts	142	JSON.parse without error handling + as type assertion on user-provided Bedrock credentials. Malformed JSON will crash the request. Use Zod schema parsing instead to validate and avoid as.

SUGGESTION

File	Line	Issue
src/lib/providers/openrouter/types.ts	18	VercelInferenceProviderConfig union has no discriminant property — consider adding one or documenting how consumers should narrow.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File	Line	Issue
src/lib/byok/types.ts	24	CreateBYOKKeyInputSchema has no server-side validation that api_key is valid JSON when provider_id is bedrock. A user could save arbitrary text that will later fail at JSON.parse in vercel.ts. Consider adding a .refine() or conditional schema.
src/components/organizations/byok/BYOKKeysManager.tsx	148	handleSave sends the raw textarea value without client-side JSON validation for Bedrock. Users will get a confusing error if they submit malformed JSON.

Files Reviewed (5 files)

• src/components/organizations/byok/BYOKKeysManager.tsx - 0 inline issues (1 observation outside diff)
• src/lib/providers/index.ts - 0 issues
• src/lib/providers/openrouter/inference-provider-id.ts - 0 issues
• src/lib/providers/openrouter/types.ts - 1 suggestion
• src/lib/providers/vercel.ts - 1 warning

Fix these issues in Kilo Cloud

[lambertjosh]

@chrarnoldus - I had a hard time getting this to be fully tested locally, as it was giving me oauth code refresh errors when using our new extension and CLI. But... this is what I have so far. It's probably not the cleanest code (looking at you inferUserByokProvidersForModel) but may be a start.

If you have tips on how to test this locally let me know and I am happy to re-test and ensure this works.