Skip to content

Comments

Add AWS BYOK with naive approach only for anthropic models#548

Open
lambertjosh wants to merge 1 commit intomainfrom
aws-byok
Open

Add AWS BYOK with naive approach only for anthropic models#548
lambertjosh wants to merge 1 commit intomainfrom
aws-byok

Conversation

@lambertjosh
Copy link
Contributor

Adds AWS BYOK support but only for Anthropic models for now. We need full model list (separate PR) to add full support.

baseURL: 'https://api.z.ai/api/coding/paas/v4',
});
if (provider === VercelUserByokInferenceProviderIdSchema.enum.bedrock) {
const { accessKeyId, secretAccessKey, region } = JSON.parse(userByok.decryptedAPIKey) as {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: JSON.parse without error handling + as type assertion

Two issues here:

  1. Runtime crash risk: If a user saves malformed JSON as their Bedrock credentials (the backend CreateBYOKKeyInputSchema only validates z.string().min(1) — no JSON validation for bedrock), JSON.parse will throw an unhandled exception, crashing this request. Consider wrapping in a try-catch or, better, validating the JSON shape with a Zod schema (e.g. z.object({ accessKeyId: z.string(), secretAccessKey: z.string(), region: z.string().optional() }).parse(...)) which both validates and avoids the as cast.

  2. Coding style: Per project rules, as casts are strongly discouraged. Using z.object(...).parse(...) would satisfy both the validation need and the style rule.

export type VercelInferenceProviderConfig = { apiKey: string; baseURL?: string };
export type VercelInferenceProviderConfig =
| { apiKey: string; baseURL?: string }
| { accessKeyId: string; secretAccessKey: string; region?: string };
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Consider making the union discriminated

This union type has no discriminant property, which means TypeScript can't narrow it without manual checks. If Vercel's gateway API accepts it, consider adding a discriminant (e.g. type: 'apiKey' | 'bedrock') or at minimum adding a comment explaining how consumers should distinguish between the two shapes. As-is, code consuming VercelInferenceProviderConfig will need to use 'accessKeyId' in config checks to narrow.

@kiloconnect
Copy link
Contributor

kiloconnect bot commented Feb 25, 2026

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 1
Issue Details (click to expand)

WARNING

File Line Issue
src/lib/providers/vercel.ts 142 JSON.parse without error handling + as type assertion on user-provided Bedrock credentials. Malformed JSON will crash the request. Use Zod schema parsing instead to validate and avoid as.

SUGGESTION

File Line Issue
src/lib/providers/openrouter/types.ts 18 VercelInferenceProviderConfig union has no discriminant property — consider adding one or documenting how consumers should narrow.
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File Line Issue
src/lib/byok/types.ts 24 CreateBYOKKeyInputSchema has no server-side validation that api_key is valid JSON when provider_id is bedrock. A user could save arbitrary text that will later fail at JSON.parse in vercel.ts. Consider adding a .refine() or conditional schema.
src/components/organizations/byok/BYOKKeysManager.tsx 148 handleSave sends the raw textarea value without client-side JSON validation for Bedrock. Users will get a confusing error if they submit malformed JSON.
Files Reviewed (5 files)
  • src/components/organizations/byok/BYOKKeysManager.tsx - 0 inline issues (1 observation outside diff)
  • src/lib/providers/index.ts - 0 issues
  • src/lib/providers/openrouter/inference-provider-id.ts - 0 issues
  • src/lib/providers/openrouter/types.ts - 1 suggestion
  • src/lib/providers/vercel.ts - 1 warning

Fix these issues in Kilo Cloud

@lambertjosh
Copy link
Contributor Author

@chrarnoldus - I had a hard time getting this to be fully tested locally, as it was giving me oauth code refresh errors when using our new extension and CLI. But... this is what I have so far. It's probably not the cleanest code (looking at you inferUserByokProvidersForModel) but may be a start.

If you have tips on how to test this locally let me know and I am happy to re-test and ensure this works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant