Add support for AWS Bedrock in MI Copilot#1499
Conversation
📝 WalkthroughWalkthroughAdds AWS Bedrock as a new authentication method: extends state types and events, implements Bedrock credential validation and storage, adds regional client mapping and provider cache handling, wires the flow into the AI state machine and services, and surfaces UI for entering AWS credentials. Changes
Sequence DiagramsequenceDiagram
participant User as User (UI)
participant StateMachine as State Machine
participant AuthSvc as Auth Service
participant Bedrock as AWS Bedrock API
User->>StateMachine: AUTH_WITH_AWS_BEDROCK
StateMachine->>StateMachine: transition -> awsBedrockFlow
User->>StateMachine: SUBMIT_AWS_CREDENTIALS (accessKeyId, secretKey, region, sessionToken?)
StateMachine->>StateMachine: transition -> validatingAwsCredentials
StateMachine->>AuthSvc: validateAwsCredentials(credentials)
AuthSvc->>Bedrock: Initialize client with region & keys
AuthSvc->>Bedrock: Minimal generateText call
alt credentials valid
Bedrock-->>AuthSvc: Success
AuthSvc->>AuthSvc: store credentials
AuthSvc-->>StateMachine: return token
StateMachine->>StateMachine: transition -> Authenticated
StateMachine-->>User: Authentication complete
else invalid
Bedrock-->>AuthSvc: Error
AuthSvc-->>StateMachine: error
StateMachine->>StateMachine: transition -> awsBedrockFlow (show error)
StateMachine-->>User: Display error
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 5
🧹 Nitpick comments (7)
workspaces/mi/mi-core/src/state-machine-types.ts (1)
194-199: Consider exportingAwsBedrockSecretsfor external use.
AwsBedrockSecretsis used as thesecretstype inAuthCredentialsbut isn't exported, unlikeAuthCredentialsitself. If consumers need to type-narrow or reference these secrets directly (asauth.tsdoes ingetAwsBedrockCredentialsreturn type), exporting it avoids inline re-declaration.Proposed fix
-interface AwsBedrockSecrets { +export interface AwsBedrockSecrets { accessKeyId: string; secretAccessKey: string; region: string; sessionToken?: string; }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-core/src/state-machine-types.ts` around lines 194 - 199, Export the AwsBedrockSecrets interface so external modules can import and reference it (change the declaration of AwsBedrockSecrets to an exported interface); update any places that previously relied on inline types to import AwsBedrockSecrets (e.g., the AuthCredentials type and the getAwsBedrockCredentials return signature) to use the exported symbol.workspaces/mi/mi-extension/src/ai-panel/aiMachine.ts (1)
254-269:awsBedrockFlowmissingCANCELevent handler (present inapiKeyFlow).The
apiKeyFlowstate (lines 227-233) handles bothCANCEL_LOGINandCANCELevents, butawsBedrockFlowonly handlesCANCEL_LOGIN. While the UI currently only sendsCANCEL_LOGIN, the inconsistency could cause the machine to ignore aCANCELevent if sent programmatically.Add CANCEL handler for consistency
awsBedrockFlow: { on: { [AI_EVENT_TYPE.SUBMIT_AWS_CREDENTIALS]: { target: 'validatingAwsCredentials', actions: assign({ errorMessage: (_ctx) => undefined }) }, [AI_EVENT_TYPE.CANCEL_LOGIN]: { target: '#mi-ai.Unauthenticated', actions: assign({ loginMethod: (_ctx) => undefined, errorMessage: (_ctx) => undefined, }) - } + }, + [AI_EVENT_TYPE.CANCEL]: { + target: '#mi-ai.Unauthenticated', + actions: assign({ + loginMethod: (_ctx) => undefined, + errorMessage: (_ctx) => undefined, + }) + } } },🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-extension/src/ai-panel/aiMachine.ts` around lines 254 - 269, The awsBedrockFlow state handlers are missing the AI_EVENT_TYPE.CANCEL event (apiKeyFlow handles both CANCEL_LOGIN and CANCEL), so add a CANCEL handler in awsBedrockFlow that mirrors the CANCEL behavior in apiKeyFlow: transition to '#mi-ai.Unauthenticated' and assign loginMethod and errorMessage to undefined (use the same actions: assign({ loginMethod: (_ctx) => undefined, errorMessage: (_ctx) => undefined })); ensure the event key uses AI_EVENT_TYPE.CANCEL to keep behavior consistent with apiKeyFlow.workspaces/mi/mi-visualizer/src/views/AIPanel/component/WaitingForLoginSection.tsx (2)
264-269:handleAwsCredentialChangereadse.target.valuewithout null guard, unlikehandleApiKeyChange.The Anthropic handler at line 256 uses
e.target?.value ?? ''for safety. This handler accessese.target.valuedirectly, which could throw if the event shape differs.Proposed fix
const handleAwsCredentialChange = (field: keyof typeof awsCredentials) => (e: any) => { setAwsCredentials(prev => ({ ...prev, - [field]: e.target.value + [field]: e.target?.value ?? '' })); };🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-visualizer/src/views/AIPanel/component/WaitingForLoginSection.tsx` around lines 264 - 269, The handler handleAwsCredentialChange reads e.target.value directly which can throw if event.target is undefined; update it to mirror handleApiKeyChange by using a safe null-guard (e.g. use e.target?.value ?? ''), then call setAwsCredentials(prev => ({ ...prev, [field]: safeValue })) so awsCredentials updates safely; ensure you reference handleAwsCredentialChange, awsCredentials, and setAwsCredentials when making the change.
362-412: Inconsistent event handler:onInput(AWS fields) vsonChange(Anthropic field).The Anthropic API key field at line 306 uses
onChange, while all AWS credential fields useonInput. ForVSCodeTextField, these fire at different times (onInputon every keystroke,onChangeon commit/blur in some implementations). Use the same event for consistency and to avoid subtle input-handling differences.Proposed fix: use onChange consistently
<StyledTextField type={showAccessKey ? "text" : "password"} placeholder="AWS Access Key ID" value={awsCredentials.accessKeyId} - onInput={handleAwsCredentialChange('accessKeyId')} + onChange={handleAwsCredentialChange('accessKeyId')} {...(isValidating ? { disabled: true } : {})} />Apply the same change to
secretAccessKey,region, andsessionTokenfields.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-visualizer/src/views/AIPanel/component/WaitingForLoginSection.tsx` around lines 362 - 412, The AWS credential fields (StyledTextField instances for accessKeyId, secretAccessKey, region, and sessionToken) use onInput while the Anthropic API key uses onChange; make them consistent by replacing onInput with onChange on all AWS fields and ensure they call the existing handler handleAwsCredentialChange('<fieldName>') so behavior matches the Anthropic field's event timing.workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts (1)
177-210: AWS Bedrock client is never cached — new client + credential fetch on every call.The
AWS_BEDROCKbranch returns early at line 205, bypassing thecachedAnthropic/cachedAuthMethodassignments at lines 210. This means every invocation ofgetAnthropicClientfor Bedrock will:
- Fetch credentials from the secret store
- Create a new
AmazonBedrockclient instance- Re-derive the regional model ID
For MI_INTEL and ANTHROPIC_KEY, clients are cached. Consider caching the Bedrock provider similarly.
Sketch: cache the Bedrock provider
+let cachedBedrock: ReturnType<typeof createAmazonBedrock> | null = null; + // Inside the AWS_BEDROCK branch: } else if (loginMethod === LoginMethod.AWS_BEDROCK) { - const awsCredentials = await getAwsBedrockCredentials(); - if (!awsCredentials) { - throw new Error('AWS Bedrock credentials not found'); - } - - const bedrock = createAmazonBedrock({ - region: awsCredentials.region, - accessKeyId: awsCredentials.accessKeyId, - secretAccessKey: awsCredentials.secretAccessKey, - sessionToken: awsCredentials.sessionToken, - }); + if (!cachedBedrock || cachedAuthMethod !== loginMethod) { + const awsCredentials = await getAwsBedrockCredentials(); + if (!awsCredentials) { + throw new Error('AWS Bedrock credentials not found'); + } + cachedBedrock = createAmazonBedrock({ + region: awsCredentials.region, + accessKeyId: awsCredentials.accessKeyId, + secretAccessKey: awsCredentials.secretAccessKey, + sessionToken: awsCredentials.sessionToken, + }); + cachedAuthMethod = loginMethod; + } // ... model mapping ... - return bedrock(bedrockModelId); + return cachedBedrock(bedrockModelId); }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts` around lines 177 - 210, The AWS Bedrock branch creates a new client and returns early, so cachedAnthropic and cachedAuthMethod are never set causing repeated credential fetches; modify the AWS_BEDROCK branch (symbols: getAwsBedrockCredentials, createAmazonBedrock, bedrock, bedrockModelId) to construct the Bedrock provider once, assign it to cachedAnthropic and set cachedAuthMethod = LoginMethod.AWS_BEDROCK (or equivalent), then return the cachedAnthropic instance (ensuring the returned object shape matches other cached clients) so subsequent getAnthropicClient calls reuse the cached Bedrock provider and avoid repeated credential retrieval and client creation.workspaces/mi/mi-extension/src/ai-panel/auth.ts (2)
436-445: Static region list is a maintenance liability and doesn't accurately reflect Bedrock availability.The hardcoded
validRegionslist has two problems:
- Staleness: AWS routinely adds new regions. Any region added after this code ships will be incorrectly rejected even if it fully supports Bedrock.
- Inaccuracy: Not all listed regions support Bedrock inference (e.g.,
ap-east-1,me-south-1,af-south-1,ap-southeast-3have limited or no Bedrock availability). A user with valid credentials in an un-supported Bedrock region will get a misleading "invalid region" error rather than a clear "Bedrock not available in this region" message.The most reliable approach is to remove the pre-validation and let the actual
generateTextcall surface the region error. Alternatively, maintain a Bedrock-specific allowlist (not a general AWS allowlist) and document it as Bedrock-specific.♻️ Suggested approach: remove region pre-validation, surface error from the actual call
- // List of valid AWS regions - const validRegions = [ - 'us-east-1', 'us-west-2', 'us-west-1', 'eu-west-1', 'eu-central-1', - 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'ap-northeast-2', - 'ap-south-1', 'ca-central-1', 'sa-east-1', 'eu-west-2', 'eu-west-3', - 'eu-north-1', 'ap-east-1', 'me-south-1', 'af-south-1', 'ap-southeast-3' - ]; - - if (!validRegions.includes(region)) { - throw new Error(`Invalid AWS region. Please select a valid region like us-east-1, us-west-2, etc.`); - } - try {Region errors will then be surfaced with context-aware messaging in the catch block (see companion comment on the catch block).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts` around lines 436 - 445, Remove the hardcoded AWS region pre-validation: delete the validRegions array and the if (!validRegions.includes(region)) throw new Error(...) check so region validation is not done via a stale general AWS allowlist; instead pass the provided region through to the actual Bedrock call (e.g., generateText) and let that call surface region-specific errors (or replace with a Bedrock-specific allowlist if you intentionally want pre-validation). Ensure the variable region remains passed into generateText and that no other code paths rely on validRegions.
456-458: Hardcoded validation model ID couples credential validation to a specific model's availability.
claude-3-5-haiku-20241022-v1:0is used purely to verify credentials, not for actual inference. If this model is deprecated by Anthropic/AWS, becomes unavailable in a given cross-region inference profile, or isn't enabled on a customer's Bedrock account, the validation will fail even for perfectly valid credentials — producing a confusing UX.Consider using the cheapest/most-available model constant defined centrally (or the actual model used by the copilot) so that credential validation and real usage are always aligned.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts` around lines 456 - 458, The validation currently hardcodes "claude-3-5-haiku-20241022-v1:0" when building modelId (see getBedrockRegionalPrefix and bedrock(modelId)), which couples credential checks to a single model; change this to use a centrally-defined model constant or the actual runtime model selection instead of a magic string: import or reference the shared/central BEDROCK_VALIDATION_MODEL (or the copilot's configured model constant) and build modelId = `${regionalPrefix}.${BEDROCK_VALIDATION_MODEL}` (or derive the model from the copilot config) so credential validation uses an aligned, supported model that can be updated in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workspaces/mi/mi-extension/package.json`:
- Around line 1106-1108: Remove the duplicate "@ai-sdk/amazon-bedrock" entry in
package.json so the dependency appears only once; locate the repeated key in the
dependencies block (the two "@ai-sdk/amazon-bedrock" lines) and delete the
redundant line, ensure the remaining entry has the intended version "~3.0.56"
and that package.json remains valid JSON, then re-run your package manager
(npm/yarn/pnpm) to update lockfiles if needed.
In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts`:
- Around line 461-465: The Bedrock validation call using generateText (with
bedrockClient) currently omits maxRetries and inherits the SDK default retries,
causing slow retry loops on 401/403/400 credential failures; update the
generateText invocation that validates the key to pass maxRetries: 0 (mirroring
validateApiKey) so credential errors fail fast and avoid unnecessary latency.
- Around line 481-484: The catch block currently uses console.error and throws a
generic Error; replace console.error(...) with the project's logError(...) and
surface AWS error details and classification like validateApiKey does: inspect
the caught error in the catch (e) block (look for the same scope as
validateApiKey) and map known Bedrock/AWS error types (e.g.,
AccessDeniedException, ExpiredTokenException,
UnrecognizedClientException/UnrecognizedException,
region-not-supported/model-not-enabled, Throttling/RateExceeded, network errors)
into specific user-facing messages, include the original error details in the
logError call, and throw a new Error with an actionable message (preserving
enough context for users to act) instead of the opaque "Validation failed" text.
- Around line 37-40: auth.ts currently creates a circular import by using
getBedrockRegionalPrefix from copilot/connection while connection.ts imports
credential functions from auth.ts; move the getBedrockRegionalPrefix call (used
around the Bedrock client construction) out of validateAwsCredentials in auth.ts
into copilot/connection.ts where the Bedrock client is built (keep
getAccessToken/getLoginMethod/getRefreshedAccessToken/getAwsBedrockCredentials
in auth.ts). In validateAwsCredentials update the AI SDK client/options to
include maxRetries: 0 (same pattern as validateApiKey), replace console.error
with the module-level logError and extend the catch handling to surface
AWS-specific error codes (e.g., AccessDeniedException, ExpiredTokenException)
similar to how validateApiKey surfaces HTTP status codes. Finally, remove the
hardcoded model ID and static validRegions list from auth.ts by reading
model/region configuration from a central config or passing them in as
parameters (or referencing a maintained constants module) so validation doesn’t
fail due to model deprecation or regional availability.
In `@workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts`:
- Around line 37-54: Update the region whitelist/validation to reject AWS
regions that are unsupported by Bedrock Claude 3: remove 'me-south-1' and
'af-south-1' from the validRegions array in auth.ts (both MI and Ballerina
variants) or add explicit validation that throws a clear, user-facing error when
those regions are selected; ensure any callers (e.g., the function
getBedrockRegionalPrefix) won't silently fallback for those regions by
validating input early and returning/throwing a descriptive message like "Region
X is not supported for Bedrock Claude 3."
---
Nitpick comments:
In `@workspaces/mi/mi-core/src/state-machine-types.ts`:
- Around line 194-199: Export the AwsBedrockSecrets interface so external
modules can import and reference it (change the declaration of AwsBedrockSecrets
to an exported interface); update any places that previously relied on inline
types to import AwsBedrockSecrets (e.g., the AuthCredentials type and the
getAwsBedrockCredentials return signature) to use the exported symbol.
In `@workspaces/mi/mi-extension/src/ai-panel/aiMachine.ts`:
- Around line 254-269: The awsBedrockFlow state handlers are missing the
AI_EVENT_TYPE.CANCEL event (apiKeyFlow handles both CANCEL_LOGIN and CANCEL), so
add a CANCEL handler in awsBedrockFlow that mirrors the CANCEL behavior in
apiKeyFlow: transition to '#mi-ai.Unauthenticated' and assign loginMethod and
errorMessage to undefined (use the same actions: assign({ loginMethod: (_ctx) =>
undefined, errorMessage: (_ctx) => undefined })); ensure the event key uses
AI_EVENT_TYPE.CANCEL to keep behavior consistent with apiKeyFlow.
In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts`:
- Around line 436-445: Remove the hardcoded AWS region pre-validation: delete
the validRegions array and the if (!validRegions.includes(region)) throw new
Error(...) check so region validation is not done via a stale general AWS
allowlist; instead pass the provided region through to the actual Bedrock call
(e.g., generateText) and let that call surface region-specific errors (or
replace with a Bedrock-specific allowlist if you intentionally want
pre-validation). Ensure the variable region remains passed into generateText and
that no other code paths rely on validRegions.
- Around line 456-458: The validation currently hardcodes
"claude-3-5-haiku-20241022-v1:0" when building modelId (see
getBedrockRegionalPrefix and bedrock(modelId)), which couples credential checks
to a single model; change this to use a centrally-defined model constant or the
actual runtime model selection instead of a magic string: import or reference
the shared/central BEDROCK_VALIDATION_MODEL (or the copilot's configured model
constant) and build modelId = `${regionalPrefix}.${BEDROCK_VALIDATION_MODEL}`
(or derive the model from the copilot config) so credential validation uses an
aligned, supported model that can be updated in one place.
In `@workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts`:
- Around line 177-210: The AWS Bedrock branch creates a new client and returns
early, so cachedAnthropic and cachedAuthMethod are never set causing repeated
credential fetches; modify the AWS_BEDROCK branch (symbols:
getAwsBedrockCredentials, createAmazonBedrock, bedrock, bedrockModelId) to
construct the Bedrock provider once, assign it to cachedAnthropic and set
cachedAuthMethod = LoginMethod.AWS_BEDROCK (or equivalent), then return the
cachedAnthropic instance (ensuring the returned object shape matches other
cached clients) so subsequent getAnthropicClient calls reuse the cached Bedrock
provider and avoid repeated credential retrieval and client creation.
In
`@workspaces/mi/mi-visualizer/src/views/AIPanel/component/WaitingForLoginSection.tsx`:
- Around line 264-269: The handler handleAwsCredentialChange reads
e.target.value directly which can throw if event.target is undefined; update it
to mirror handleApiKeyChange by using a safe null-guard (e.g. use
e.target?.value ?? ''), then call setAwsCredentials(prev => ({ ...prev, [field]:
safeValue })) so awsCredentials updates safely; ensure you reference
handleAwsCredentialChange, awsCredentials, and setAwsCredentials when making the
change.
- Around line 362-412: The AWS credential fields (StyledTextField instances for
accessKeyId, secretAccessKey, region, and sessionToken) use onInput while the
Anthropic API key uses onChange; make them consistent by replacing onInput with
onChange on all AWS fields and ensure they call the existing handler
handleAwsCredentialChange('<fieldName>') so behavior matches the Anthropic
field's event timing.
| "zod": "4.1.11", | ||
| "@ai-sdk/amazon-bedrock": "~3.0.56", | ||
| "@ai-sdk/amazon-bedrock": "~3.0.56" |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, let's locate and verify the package.json file
find . -path "*/workspaces/mi/mi-extension/package.json" -type fRepository: wso2/vscode-extensions
Length of output: 107
🏁 Script executed:
# Read the relevant lines from package.json to confirm the duplicate
sed -n '1106,1110p' workspaces/mi/mi-extension/package.jsonRepository: wso2/vscode-extensions
Length of output: 173
🌐 Web query:
latest version @ai-sdk/amazon-bedrock npm package
💡 Result:
As of Feb 19, 2026, the latest published version of the @ai-sdk/amazon-bedrock npm package is 4.0.59. [1]
Install:
npm i `@ai-sdk/amazon-bedrock`@latestSources: [1] (security.snyk.io)
Citations:
Remove duplicate @ai-sdk/amazon-bedrock dependency entry.
Lines 1107–1108 contain duplicate declarations for @ai-sdk/amazon-bedrock. Duplicate keys in JSON have undefined behavior per spec; most parsers silently use the last value, but this creates ambiguity and should be removed immediately.
Fix
"zod": "4.1.11",
"@ai-sdk/amazon-bedrock": "~3.0.56",
- "@ai-sdk/amazon-bedrock": "~3.0.56"
}
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "zod": "4.1.11", | |
| "@ai-sdk/amazon-bedrock": "~3.0.56", | |
| "@ai-sdk/amazon-bedrock": "~3.0.56" | |
| "zod": "4.1.11", | |
| "@ai-sdk/amazon-bedrock": "~3.0.56", | |
| } | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/package.json` around lines 1106 - 1108, Remove the
duplicate "@ai-sdk/amazon-bedrock" entry in package.json so the dependency
appears only once; locate the repeated key in the dependencies block (the two
"@ai-sdk/amazon-bedrock" lines) and delete the redundant line, ensure the
remaining entry has the intended version "~3.0.56" and that package.json remains
valid JSON, then re-run your package manager (npm/yarn/pnpm) to update lockfiles
if needed.
| import { createAmazonBedrock } from '@ai-sdk/amazon-bedrock'; | ||
| import { generateText } from 'ai'; | ||
| import { logInfo, logWarn, logError } from './copilot/logger'; | ||
| import { getBedrockRegionalPrefix } from './copilot/connection'; |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check what connection.ts imports from auth.ts (to confirm circular dependency)
echo "=== Checking connection.ts imports from auth.ts ==="
rg -n "from.*auth" --type=ts -C2 workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts 2>/dev/null || echo "No imports found or file not found"
# Show what auth.ts imports from connection.ts
echo -e "\n=== Checking auth.ts imports from connection.ts ==="
rg -n "from.*connection" --type=ts workspaces/mi/mi-extension/src/ai-panel/auth.ts 2>/dev/null || echo "No imports found or file not found"
# Verify getBedrockRegionalPrefix is actually used in auth.ts
echo -e "\n=== Checking usage of getBedrockRegionalPrefix in auth.ts ==="
rg -n "getBedrockRegionalPrefix" --type=ts workspaces/mi/mi-extension/src/ai-panel/auth.ts 2>/dev/null || echo "Not used"
# List files in the copilot directory to understand structure
echo -e "\n=== Files in copilot directory ==="
find workspaces/mi/mi-extension/src/ai-panel/copilot -type f -name "*.ts" 2>/dev/null | head -20Repository: wso2/vscode-extensions
Length of output: 2253
🏁 Script executed:
#!/bin/bash
# Read validateAwsCredentials function around lines 415-485 to check maxRetries and error handling
echo "=== validateAwsCredentials function (lines 415-490) ==="
sed -n '415,490p' workspaces/mi/mi-extension/src/ai-panel/auth.ts
# Compare with validateApiKey to see error handling pattern
echo -e "\n=== validateApiKey error handling excerpt ==="
sed -n '350,382p' workspaces/mi/mi-extension/src/ai-panel/auth.tsRepository: wso2/vscode-extensions
Length of output: 4148
🏁 Script executed:
#!/bin/bash
# Find validateApiKey function to see the generateText call and check for maxRetries
echo "=== Searching for validateApiKey generateText call ==="
rg -n "generateText" --type=ts -B5 -A3 workspaces/mi/mi-extension/src/ai-panel/auth.ts | head -50
# Check how many times console.error is used vs logError in auth.ts
echo -e "\n=== Usage count: console.error vs logError ==="
echo "console.error occurrences:"
rg -c "console\.error" workspaces/mi/mi-extension/src/ai-panel/auth.ts || echo "0"
echo "logError occurrences:"
rg -c "logError" workspaces/mi/mi-extension/src/ai-panel/auth.ts || echo "0"Repository: wso2/vscode-extensions
Length of output: 1481
🏁 Script executed:
#!/bin/bash
# Get full context around validateApiKey generateText call
echo "=== validateApiKey generateText call (lines 340-355) ==="
sed -n '340,355p' workspaces/mi/mi-extension/src/ai-panel/auth.tsRepository: wso2/vscode-extensions
Length of output: 680
Circular dependency between auth.ts and copilot/connection.ts creates architectural layering violation.
auth.ts imports getBedrockRegionalPrefix from ./copilot/connection (line 40), and connection.ts imports credential functions from auth.ts (line 20: getAccessToken, getLoginMethod, getRefreshedAccessToken, getAwsBedrockCredentials). This circular import can surface as undefined references at runtime, particularly with dynamic module initialization patterns.
More fundamentally, this violates layering: auth.ts is the credential storage layer; connection/client logic belongs in connection.ts. The getBedrockRegionalPrefix call at line 456 should be moved into connection.ts where the Bedrock client is actually constructed, not pulled into the validation layer.
validateAwsCredentials is missing maxRetries: 0 and has inconsistent error handling.
validateApiKey (line 350) explicitly sets maxRetries: 0 with a comment explaining it prevents retry loops on quota errors. validateAwsCredentials (lines 461–465) omits this, so the AI SDK will retry ~2x on 401/403/429 errors, making failed validation slow and unpredictable. Additionally, validateAwsCredentials uses a generic catch block with console.error instead of the logError function used throughout the file; it should also surface specific AWS error codes (e.g., AccessDeniedException, ExpiredTokenException) like validateApiKey does for HTTP status codes.
Hardcoded model ID and region list reduce maintainability.
The model ID anthropic.claude-3-5-haiku-20241022-v1:0 (line 457) is hardcoded for validation; model deprecation or regional unavailability causes valid credentials to fail. The validRegions list (lines 436–441) is static and doesn't account for Bedrock availability; it should be fetched or maintained separately to stay in sync with AWS service availability.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts` around lines 37 - 40,
auth.ts currently creates a circular import by using getBedrockRegionalPrefix
from copilot/connection while connection.ts imports credential functions from
auth.ts; move the getBedrockRegionalPrefix call (used around the Bedrock client
construction) out of validateAwsCredentials in auth.ts into
copilot/connection.ts where the Bedrock client is built (keep
getAccessToken/getLoginMethod/getRefreshedAccessToken/getAwsBedrockCredentials
in auth.ts). In validateAwsCredentials update the AI SDK client/options to
include maxRetries: 0 (same pattern as validateApiKey), replace console.error
with the module-level logError and extend the catch handling to surface
AWS-specific error codes (e.g., AccessDeniedException, ExpiredTokenException)
similar to how validateApiKey surfaces HTTP status codes. Finally, remove the
hardcoded model ID and static validRegions list from auth.ts by reading
model/region configuration from a central config or passing them in as
parameters (or referencing a maintained constants module) so validation doesn’t
fail due to model deprecation or regional availability.
| await generateText({ | ||
| model: bedrockClient, | ||
| maxOutputTokens: 1, | ||
| messages: [{ role: 'user', content: 'Hi' }] | ||
| }); |
There was a problem hiding this comment.
Missing maxRetries: 0 — retry loop on credential-validation failures.
validateApiKey (line 349) explicitly sets maxRetries: 0 with a comment about preventing retry loops on quota errors. The Bedrock generateText call has no such guard. The AI SDK default is ~2 retries, meaning a 401/403/400 response (wrong key, wrong region, no Bedrock access) will be retried before throwing, adding several seconds of unnecessary latency to every failed validation attempt.
🐛 Proposed fix
await generateText({
model: bedrockClient,
maxOutputTokens: 1,
- messages: [{ role: 'user', content: 'Hi' }]
+ messages: [{ role: 'user', content: 'Hi' }],
+ maxRetries: 0, // Disable retries to prevent retry loops on auth/quota errors
});🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts` around lines 461 - 465, The
Bedrock validation call using generateText (with bedrockClient) currently omits
maxRetries and inherits the SDK default retries, causing slow retry loops on
401/403/400 credential failures; update the generateText invocation that
validates the key to pass maxRetries: 0 (mirroring validateApiKey) so credential
errors fail fast and avoid unnecessary latency.
| } catch (error) { | ||
| console.error('AWS Bedrock validation failed:', error); | ||
| throw new Error('Validation failed. Please check the log for more details.'); | ||
| } |
There was a problem hiding this comment.
console.error instead of logError, and error details are completely swallowed.
Two issues in the catch block:
-
Inconsistent logging: The rest of the file uses
logError(imported at line 39).console.errorbypasses whatever logging infrastructure the extension uses (e.g., structured output channel, log level filtering). -
Generic error message: Unlike
validateApiKey(lines 368–380) which classifies 401, 403, rate-limit, and network errors into actionable messages, this catch block discards all AWS-specific error context (AccessDeniedException,ExpiredTokenException,UnrecognizedException, region-not-supported, model-not-enabled, etc.) and throws a single opaque message. Users won't know whether their key is wrong, their session token is expired, the region lacks Bedrock, or the model isn't enabled on their account.
🐛 Proposed fix
} catch (error) {
- console.error('AWS Bedrock validation failed:', error);
- throw new Error('Validation failed. Please check the log for more details.');
+ logError('AWS Bedrock validation failed', error);
+ if (error instanceof Error) {
+ if (error.message.includes('AccessDeniedException') || error.message.includes('401') || error.message.includes('403')) {
+ throw new Error('Invalid AWS credentials. Please check your access key ID and secret access key.');
+ } else if (error.message.includes('ExpiredTokenException')) {
+ throw new Error('Session token has expired. Please provide a fresh session token.');
+ } else if (error.message.includes('UnrecognizedException') || error.message.includes('ResourceNotFoundException')) {
+ throw new Error('This region may not support AWS Bedrock or the selected model is not enabled. Please check your region and Bedrock model access.');
+ } else if (error.message.includes('network') || error.message.includes('ENOTFOUND')) {
+ throw new Error('Connection failed. Please check your internet connection.');
+ }
+ }
+ throw new Error('AWS credential validation failed. Please verify your credentials and ensure Bedrock access is enabled in your account.');
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| } catch (error) { | |
| console.error('AWS Bedrock validation failed:', error); | |
| throw new Error('Validation failed. Please check the log for more details.'); | |
| } | |
| } catch (error) { | |
| logError('AWS Bedrock validation failed', error); | |
| if (error instanceof Error) { | |
| if (error.message.includes('AccessDeniedException') || error.message.includes('401') || error.message.includes('403')) { | |
| throw new Error('Invalid AWS credentials. Please check your access key ID and secret access key.'); | |
| } else if (error.message.includes('ExpiredTokenException')) { | |
| throw new Error('Session token has expired. Please provide a fresh session token.'); | |
| } else if (error.message.includes('UnrecognizedException') || error.message.includes('ResourceNotFoundException')) { | |
| throw new Error('This region may not support AWS Bedrock or the selected model is not enabled. Please check your region and Bedrock model access.'); | |
| } else if (error.message.includes('network') || error.message.includes('ENOTFOUND')) { | |
| throw new Error('Connection failed. Please check your internet connection.'); | |
| } | |
| } | |
| throw new Error('AWS credential validation failed. Please verify your credentials and ensure Bedrock access is enabled in your account.'); | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/src/ai-panel/auth.ts` around lines 481 - 484, The
catch block currently uses console.error and throws a generic Error; replace
console.error(...) with the project's logError(...) and surface AWS error
details and classification like validateApiKey does: inspect the caught error in
the catch (e) block (look for the same scope as validateApiKey) and map known
Bedrock/AWS error types (e.g., AccessDeniedException, ExpiredTokenException,
UnrecognizedClientException/UnrecognizedException,
region-not-supported/model-not-enabled, Throttling/RateExceeded, network errors)
into specific user-facing messages, include the original error details in the
logError call, and throw a new Error with an actionable message (preserving
enough context for users to act) instead of the opaque "Validation failed" text.
| export function getBedrockRegionalPrefix(region: string): string { | ||
| const regionPrefix = region.split('-')[0].toLowerCase(); | ||
|
|
||
| switch (regionPrefix) { | ||
| case 'us': | ||
| return region.startsWith('us-gov-') ? 'us-gov' : 'us'; | ||
| case 'eu': | ||
| return 'eu'; | ||
| case 'ap': | ||
| return 'apac'; | ||
| case 'ca': | ||
| case 'sa': | ||
| return 'us'; // Canada and South America regions use US prefix | ||
| default: | ||
| console.warn(`Unknown region prefix: ${regionPrefix}, defaulting to 'us'`); | ||
| return 'us'; | ||
| } | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Find validateAwsCredentials and see what regions it accepts
echo "=== Looking for validateAwsCredentials in auth.ts ==="
fd auth.ts --type ts | head -5Repository: wso2/vscode-extensions
Length of output: 306
🏁 Script executed:
#!/bin/bash
# First, locate the auth.ts file
fd auth.tsRepository: wso2/vscode-extensions
Length of output: 243
🏁 Script executed:
#!/bin/bash
# Search for valid regions in the codebase
rg 'validRegions|me-south|af-south|Valid AWS regions' --type ts -B 2 -A 10Repository: wso2/vscode-extensions
Length of output: 3929
🏁 Script executed:
#!/bin/bash
# Look at the complete getBedrockRegionalPrefix function to confirm region handling
rg 'getBedrockRegionalPrefix' -A 30 --type tsRepository: wso2/vscode-extensions
Length of output: 24381
🏁 Script executed:
#!/bin/bash
# Search for any mention of me-south-1 or af-south-1 in the codebase
rg '(me-south-1|af-south-1)' --type tsRepository: wso2/vscode-extensions
Length of output: 342
🏁 Script executed:
#!/bin/bash
# Search for any AWS Bedrock documentation or comments about regional inference profiles
rg 'inference.*profile|me-south|af-south|bedrock.*region' --type-add 'ts:*.ts' -t ts -i -B 2 -A 2Repository: wso2/vscode-extensions
Length of output: 8499
🏁 Script executed:
#!/bin/bash
# Check if there are any TODOs or FIXMEs related to region handling
rg 'TODO|FIXME|XXX' --type-add 'ts:*.ts' -t ts | grep -i 'region\|bedrock'Repository: wso2/vscode-extensions
Length of output: 48
🌐 Web query:
AWS Bedrock Claude 3 regional inference profile me-south-1 af-south-1
💡 Result:
For Amazon Bedrock cross‑Region (system-defined) inference profiles for Anthropic Claude 3, you can’t invoke them from me-south-1 (Middle East—Bahrain) or af-south-1 (Africa—Cape Town), because those Regions are not listed as supported source Regions for the Claude 3 US / EU / APAC inference profiles. The Claude 3 inference profile IDs are: us.anthropic.claude-3-*-..., eu.anthropic.claude-3-*-..., and apac.anthropic.claude-3-*-..., each restricted to their respective source-Region sets (US, EU, or APAC). [1], [2], [3]
Also, Claude 3 (example: Claude 3 Haiku) is not available as a single‑Region model in me-south-1 or af-south-1 (it lists me-central-1 but not me-south-1, and does not list af-south-1). [4]
What to do instead
- Call Claude 3 from a supported US/EU/APAC source Region (depending on the profile you choose). [1], [2], [3]
- Or use a newer Claude model that supports
me-south-1/af-south-1(availability varies by model). [4]
Sources
[1] https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html
[2] https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html
[3] https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html
[4] https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html
🏁 Script executed:
#!/bin/bash
# Confirm the function behavior with me-south-1 example
echo "Example: User selects me-south-1 region"
echo "1. Code accepts it (in validRegions)"
echo "2. getBedrockRegionalPrefix('me-south-1') returns 'us' (default case)"
echo "3. Model ID becomes: us.anthropic.claude-3-5-haiku-20241022-v1:0"
echo "4. Attempt to invoke US inference profile FROM me-south-1 = RUNTIME FAILURE"
echo ""
echo "AWS documentation confirms: me-south-1 and af-south-1 are NOT supported"
echo "source regions for Claude 3 inference profiles."Repository: wso2/vscode-extensions
Length of output: 474
Remove or reject me-south-1 and af-south-1 from valid AWS regions.
These regions are not supported for AWS Bedrock's Claude 3 models. According to AWS documentation, me-south-1 and af-south-1 are not valid source regions for Bedrock's cross-region inference profiles (US, EU, APAC), and Claude 3 is not available as a single-region model in these regions. The code currently allows users to select these regions in auth.ts, but they will fail at runtime with confusing errors because the fallback to the us prefix cannot be invoked from unsupported source regions.
Remove 'me-south-1' and 'af-south-1' from the validRegions array in auth.ts (both MI and Ballerina variants), or add explicit validation that rejects these regions with a clear error message.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts` around lines
37 - 54, Update the region whitelist/validation to reject AWS regions that are
unsupported by Bedrock Claude 3: remove 'me-south-1' and 'af-south-1' from the
validRegions array in auth.ts (both MI and Ballerina variants) or add explicit
validation that throws a clear, user-facing error when those regions are
selected; ensure any callers (e.g., the function getBedrockRegionalPrefix) won't
silently fallback for those regions by validating input early and
returning/throwing a descriptive message like "Region X is not supported for
Bedrock Claude 3."
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workspaces/mi/mi-extension/package.json`:
- Line 1107: The dependency "@ai-sdk/amazon-bedrock" is pinned to an old exact
version "4.0.4"; update the package.json entry for "@ai-sdk/amazon-bedrock" to
the latest patch release and allow patch updates (e.g., change the version
string to "~4.0.61" instead of "4.0.4"), then regenerate your lockfile
(npm/yarn/pnpm install) so the lockfile reflects the new version.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
workspaces/mi/mi-extension/package.json (1)
1052-1052: No breaking API changes expected from major version bumps; consider using version ranges for automatic security updates.The
ai6.0.94 and@ai-sdk/anthropic3.0.46 versions are compatible. Both implement theLanguageModelV2specification, with v6 of theaipackage explicitly designed to work with v3.x providers. Similarly,@ai-sdk/amazon-bedrock4.0.4 to the latest 4.0.58 involves only patch-level changes, which are non-breaking per SemVer.However, all three packages use exact version pins. Consider using semantic ranges (e.g.,
^3.0.46) to permit patch and minor updates while maintaining stability and ensuring automatic security fixes are applied.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workspaces/mi/mi-extension/package.json` at line 1052, The package.json currently pins dependencies exactly (e.g., "ai": "6.0.94", "@ai-sdk/anthropic": "3.0.46", "@ai-sdk/amazon-bedrock": "4.0.4"); change these exact pins to semantic version ranges (for example "^6.0.94", "^3.0.46", "^4.0.4") so patch/minor updates and security fixes are allowed, then regenerate the lockfile (npm/yarn/pnpm install) and run the test suite to ensure nothing breaks; update any CI caching or dependency audit workflows if needed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workspaces/mi/mi-extension/package.json`:
- Line 1107: The package versions for `@ai-sdk/amazon-bedrock` (4.x) and
`@ai-sdk/anthropic` (3.x) are mismatched and getAnthropicClient() in connection.ts
currently returns Promise<any>, hiding incompatible model types passed to
ai.streamText(); fix by standardizing SDK major versions (either bump
`@ai-sdk/anthropic` to 4.x or downgrade `@ai-sdk/amazon-bedrock` to 3.x) and then
replace Promise<any> in getAnthropicClient() with a precise return type (either
a union of the two concrete client/model interfaces or a shared adapter
interface) so the value passed into streamText() from ai has proper compile-time
typing; update any necessary type imports and/or create a small adapter type to
normalize model methods used by streamText().
---
Duplicate comments:
In `@workspaces/mi/mi-extension/package.json`:
- Line 1107: Update the pinned dependency "@ai-sdk/amazon-bedrock" in
package.json from the exact stale version "4.0.4" to a non-exact range that
allows patch updates (for example "^4.0.58" or the latest published version) to
pick up fixes; after changing the version string in package.json, run your
package manager to update the lockfile (npm install / yarn install), commit the
updated lockfile, and run the test/build scripts to verify nothing breaks.
---
Nitpick comments:
In `@workspaces/mi/mi-extension/package.json`:
- Line 1052: The package.json currently pins dependencies exactly (e.g., "ai":
"6.0.94", "@ai-sdk/anthropic": "3.0.46", "@ai-sdk/amazon-bedrock": "4.0.4");
change these exact pins to semantic version ranges (for example "^6.0.94",
"^3.0.46", "^4.0.4") so patch/minor updates and security fixes are allowed, then
regenerate the lockfile (npm/yarn/pnpm install) and run the test suite to ensure
nothing breaks; update any CI caching or dependency audit workflows if needed.
| "xstate": "4.38.3", | ||
| "zod": "4.1.11" | ||
| "zod": "4.1.11", | ||
| "@ai-sdk/amazon-bedrock": "4.0.4" |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# First, locate the package.json file and check versions of both packages
find . -name "package.json" -path "*/workspaces/mi/mi-extension/*" | head -1 | xargs grep -A 2 -B 2 "@ai-sdk/"Repository: wso2/vscode-extensions
Length of output: 299
🏁 Script executed:
# Find all imports of `@ai-sdk/amazon-bedrock` and `@ai-sdk/anthropic`
rg -n --type ts \
-e "from '@ai-sdk/amazon-bedrock'" \
-e 'from "@ai-sdk/amazon-bedrock"' \
-e "from '@ai-sdk/anthropic'" \
-e 'from "@ai-sdk/anthropic"' \
-A 3 -B 1Repository: wso2/vscode-extensions
Length of output: 4487
🏁 Script executed:
# Check the specific package.json file location and content
find . -path "*/workspaces/mi/mi-extension/package.json" -exec cat {} \; | grep -A 20 -B 5 "amazon-bedrock\|anthropic"Repository: wso2/vscode-extensions
Length of output: 1107
🏁 Script executed:
# Examine auth.ts to see how both providers are used
sed -n '30,100p' workspaces/mi/mi-extension/src/ai-panel/auth.tsRepository: wso2/vscode-extensions
Length of output: 2572
🏁 Script executed:
# Examine connection.ts to see how models are created and used
sed -n '1,150p' workspaces/mi/mi-extension/src/ai-panel/copilot/connection.tsRepository: wso2/vscode-extensions
Length of output: 5754
🏁 Script executed:
# Look for actual usage of models created from bedrock and anthropic
rg -n "createAnthropic\|createAmazonBedrock" workspaces/mi/mi-extension/src/ai-panel/ -A 5 -B 2Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Search for where createAnthropic is called and its result is used
rg -n "getAnthropicClient\|const.*createAnthropic" workspaces/mi/mi-extension/src/ai-panel/ -A 10Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Search for Bedrock client creation and usage
rg -n "createAmazonBedrock" workspaces/mi/mi-extension/src/ai-panel/ -A 10 -B 2Repository: wso2/vscode-extensions
Length of output: 5564
🏁 Script executed:
# Look at how generateText is called with these models
rg -n "generateText\|streamText" workspaces/mi/mi-extension/src/ai-panel/ -B 5 -A 5Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Search for all generateText and streamText calls more broadly
rg -n "generateText\|streamText" workspaces/mi/mi-extension/ -B 3 -A 3Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Check if getAwsBedrockCredentials or similar functions pass bedrock models to generateText
rg -n "getAwsBedrockCredentials\|testBedrockConnection\|validateBedrockConnection" workspaces/mi/mi-extension/ -A 15Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Look at the auth.ts file more thoroughly around the bedrock usage
sed -n '440,500p' workspaces/mi/mi-extension/src/ai-panel/auth.tsRepository: wso2/vscode-extensions
Length of output: 2073
🏁 Script executed:
# Check if there are any TypeScript errors or compilation issues in the codebase
find . -name "tsconfig.json" -path "*/workspaces/mi/mi-extension/*" -exec cat {} \;Repository: wso2/vscode-extensions
Length of output: 796
🏁 Script executed:
# Look at the full bedrock usage in connection.ts to see how the model is returned
sed -n '175,220p' workspaces/mi/mi-extension/src/ai-panel/copilot/connection.tsRepository: wso2/vscode-extensions
Length of output: 1898
🏁 Script executed:
# Search for any type annotations or error handling related to model compatibility
rg -n "LanguageModel\|LanguageModelV2\|@ai-sdk" workspaces/mi/mi-extension/src/ -A 2 -B 2 | head -100Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Check if there are any build/compilation errors or type issues documented
find . -name "*.ts" -path "*/workspaces/mi/mi-extension/*" -type f | head -20 | xargs -I {} sh -c 'echo "=== {} ===" && head -5 {}'Repository: wso2/vscode-extensions
Length of output: 5811
🏁 Script executed:
# Look for any known issues or comments in the code about version compatibility
rg -n "LanguageModel\|version\|compatibility\|V2\|bedrock.*anthropic\|anthropic.*bedrock" workspaces/mi/mi-extension/src/ai-panel/ -i -A 2 -B 2Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Check the actual return type from bedrock() call - see the full function signature
sed -n '150,230p' workspaces/mi/mi-extension/src/ai-panel/copilot/connection.tsRepository: wso2/vscode-extensions
Length of output: 3291
🏁 Script executed:
# Check if the function signature for model parameter has any type assertions or 'any' casts
rg -n "model.*any\|as LanguageModel\|@ts-ignore" workspaces/mi/mi-extension/src/ai-panel/ -B 2 -A 2Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Look at the generation.ts file to see how getAnthropicClient is used
sed -n '1,100p' workspaces/mi/mi-extension/src/ai-panel/copilot/generation/generations.tsRepository: wso2/vscode-extensions
Length of output: 4187
🏁 Script executed:
# Check streamText usage with the model from getAnthropicClient
rg -n "streamText\|getAnthropicClient" workspaces/mi/mi-extension/src/ai-panel/copilot/generation/generations.ts -A 5 -B 2Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Find where streamText is called and how the model is passed
rg -n "streamText\(" workspaces/mi/mi-extension/src/ai-panel/copilot/generation/ -A 10Repository: wso2/vscode-extensions
Length of output: 1295
🏁 Script executed:
# Check the specific line where model is used in generation
sed -n '80,200p' workspaces/mi/mi-extension/src/ai-panel/copilot/generation/generations.tsRepository: wso2/vscode-extensions
Length of output: 4773
🏁 Script executed:
# Check the full return type signature of getAnthropicClient
rg -n "export.*getAnthropicClient\|Promise.*LanguageModel" workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts -B 2 -A 5Repository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Search for any package.json lockfile to see actual resolved versions
find . -name "package-lock.json" -o -name "yarn.lock" | head -1 | xargs ls -lhRepository: wso2/vscode-extensions
Length of output: 133
🏁 Script executed:
# Check if there are any GitHub issue references or TODOs about SDK version compatibility
rg -n "11431\|bedrock.*anthropic\|anthropic.*bedrock\|TODO\|FIXME" workspaces/mi/mi-extension/ -iRepository: wso2/vscode-extensions
Length of output: 48
🏁 Script executed:
# Check the actual typescript compilation to see if there are any type errors
find . -name ".eslintrc*" -o -name "tsconfig.json" | xargs grep -l "strict\|noImplicitAny" 2>/dev/null | head -3Repository: wso2/vscode-extensions
Length of output: 250
🏁 Script executed:
# Look at the return type annotation of getAnthropicClient more carefully
sed -n '145,160p' workspaces/mi/mi-extension/src/ai-panel/copilot/connection.tsRepository: wso2/vscode-extensions
Length of output: 584
🏁 Script executed:
# Search for any type narrowing or conditional returns that might reveal the issue
sed -n '140,220p' workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts | grep -n "return\|Promise\|any\|LanguageModel"Repository: wso2/vscode-extensions
Length of output: 364
Version mismatch between @ai-sdk/amazon-bedrock (4.x) and @ai-sdk/anthropic (3.x) — consider standardizing SDK versions.
Both packages are part of the Vercel AI SDK family but use incompatible major versions. The getAnthropicClient() function in connection.ts returns Promise<any>, which masks the underlying type incompatibility: it returns different model types depending on the login method (bedrock 4.x vs. anthropic 3.x), both of which are passed to streamText() from ai 6.x. While the any return type prevents compile-time errors, this defeats type safety and creates technical debt. Either upgrade @ai-sdk/anthropic to 4.x or downgrade @ai-sdk/amazon-bedrock to 3.x, then replace the any return type with a proper union or shared type contract.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/package.json` at line 1107, The package versions
for `@ai-sdk/amazon-bedrock` (4.x) and `@ai-sdk/anthropic` (3.x) are mismatched and
getAnthropicClient() in connection.ts currently returns Promise<any>, hiding
incompatible model types passed to ai.streamText(); fix by standardizing SDK
major versions (either bump `@ai-sdk/anthropic` to 4.x or downgrade
`@ai-sdk/amazon-bedrock` to 3.x) and then replace Promise<any> in
getAnthropicClient() with a precise return type (either a union of the two
concrete client/model interfaces or a shared adapter interface) so the value
passed into streamText() from ai has proper compile-time typing; update any
necessary type imports and/or create a small adapter type to normalize model
methods used by streamText().
There was a problem hiding this comment.
Pull request overview
Adds AWS Bedrock as an additional authentication/provider option for MI Copilot, extending the existing MI Intelligence SSO + Anthropic API-key flows across the webview UI, state machine, and extension-side AI provider setup.
Changes:
- Adds AWS Bedrock as a login method (new state-machine events, login method enum, and credential shape).
- Implements an AWS credential entry UI (access key, secret, region, optional session token) and wires it into the AI auth state machine.
- Adds Bedrock provider wiring in the extension and upgrades
ai/@ai-sdk/anthropic, plus adds@ai-sdk/amazon-bedrock.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| workspaces/mi/mi-visualizer/src/views/LoggedOutWindow/index.tsx | Adds AWS Bedrock as a new login option in the logged-out UI. |
| workspaces/mi/mi-visualizer/src/views/AIPanel/index.tsx | Extends authenticating substates to include AWS credential validation flow. |
| workspaces/mi/mi-visualizer/src/views/AIPanel/component/WaitingForLoginSection.tsx | Implements the AWS Bedrock credential form and submit/cancel actions. |
| workspaces/mi/mi-extension/src/ai-panel/copilot/suggestions/suggestions.ts | Adjusts provider options typing to accommodate provider-aware cache options. |
| workspaces/mi/mi-extension/src/ai-panel/copilot/connection.ts | Adds Bedrock client creation and provider-aware cache-control selection. |
| workspaces/mi/mi-extension/src/ai-panel/auth.ts | Adds Bedrock credential retrieval + validation and stores credentials in SecretStorage. |
| workspaces/mi/mi-extension/src/ai-panel/aiMachine.ts | Adds AWS Bedrock auth/validation events and substates to the XState machine. |
| workspaces/mi/mi-extension/package.json | Upgrades ai / @ai-sdk/anthropic and adds @ai-sdk/amazon-bedrock. |
| workspaces/mi/mi-core/src/state-machine-types.ts | Adds new AI events, login method enum value, and Bedrock credential type. |
| common/config/rush/pnpm-lock.yaml | Locks updated AI SDK deps and new Bedrock provider dependency. |
Files not reviewed (1)
- common/config/rush/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| case 'sa': | ||
| return 'us'; // Canada and South America regions use US prefix | ||
| default: | ||
| console.warn(`Unknown region prefix: ${regionPrefix}, defaulting to 'us'`); |
There was a problem hiding this comment.
This module already uses the copilot logger (logInfo/logDebug/logError), but this branch logs via console.warn. Use the shared logger here as well so warnings are routed consistently in the extension logs.
| console.warn(`Unknown region prefix: ${regionPrefix}, defaulting to 'us'`); | |
| logInfo(`Unknown region prefix: ${regionPrefix}, defaulting to 'us'`); |
| // List of valid AWS regions | ||
| const validRegions = [ | ||
| 'us-east-1', 'us-west-2', 'us-west-1', 'eu-west-1', 'eu-central-1', | ||
| 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'ap-northeast-2', | ||
| 'ap-south-1', 'ca-central-1', 'sa-east-1', 'eu-west-2', 'eu-west-3', | ||
| 'eu-north-1', 'ap-east-1', 'me-south-1', 'af-south-1', 'ap-southeast-3' | ||
| ]; | ||
|
|
||
| if (!validRegions.includes(region)) { | ||
| throw new Error(`Invalid AWS region. Please select a valid region like us-east-1, us-west-2, etc.`); | ||
| } | ||
|
|
There was a problem hiding this comment.
validRegions is hard-coded, which risks rejecting legitimate regions (or newly added Bedrock-supported regions) and forces manual maintenance. Consider removing the allowlist and relying on the Bedrock call for validation (surface a friendly error), or at least centralize the list and document that it represents the Bedrock-supported regions (kept in sync).
| // List of valid AWS regions | |
| const validRegions = [ | |
| 'us-east-1', 'us-west-2', 'us-west-1', 'eu-west-1', 'eu-central-1', | |
| 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'ap-northeast-2', | |
| 'ap-south-1', 'ca-central-1', 'sa-east-1', 'eu-west-2', 'eu-west-3', | |
| 'eu-north-1', 'ap-east-1', 'me-south-1', 'af-south-1', 'ap-southeast-3' | |
| ]; | |
| if (!validRegions.includes(region)) { | |
| throw new Error(`Invalid AWS region. Please select a valid region like us-east-1, us-west-2, etc.`); | |
| } |
| await generateText({ | ||
| model: bedrockClient, | ||
| maxOutputTokens: 1, | ||
| messages: [{ role: 'user', content: 'Hi' }] |
There was a problem hiding this comment.
The Bedrock validation call uses generateText without disabling retries. This can trigger multiple paid requests on transient failures. Consider setting maxRetries: 0 (as done for API-key validation) or otherwise bounding retries explicitly for credential validation.
| messages: [{ role: 'user', content: 'Hi' }] | |
| messages: [{ role: 'user', content: 'Hi' }], | |
| maxRetries: 0 |
| return { token: accessKeyId }; | ||
|
|
||
| } catch (error) { | ||
| console.error('AWS Bedrock validation failed:', error); |
There was a problem hiding this comment.
This catch block logs with console.error even though the module uses logError elsewhere, and then throws a message telling the user to check the log. Prefer logging via logError (including the original error) so the information reliably lands in the extension's logging pipeline.
| console.error('AWS Bedrock validation failed:', error); | |
| logError('AWS Bedrock validation failed', error); |
| const isFormValid = awsCredentials.accessKeyId.trim() && | ||
| awsCredentials.secretAccessKey.trim() && | ||
| awsCredentials.region.trim(); |
There was a problem hiding this comment.
isFormValid is computed via chained &&, which returns a string (the last truthy operand) rather than a boolean. This works at runtime but is easy to misread and can cause type/prop issues when passed to disabled. Convert it to an explicit boolean (e.g., const isFormValid = Boolean(...) / !!(...)).
| const isFormValid = awsCredentials.accessKeyId.trim() && | |
| awsCredentials.secretAccessKey.trim() && | |
| awsCredentials.region.trim(); | |
| const isFormValid = Boolean( | |
| awsCredentials.accessKeyId.trim() && | |
| awsCredentials.secretAccessKey.trim() && | |
| awsCredentials.region.trim() | |
| ); |
| role: "system" as const, | ||
| content: systemPrompt, | ||
| providerOptions: cacheOptions, // Cache system prompt only | ||
| providerOptions: cacheOptions as any, // Cache system prompt only |
There was a problem hiding this comment.
Casting cacheOptions to any removes type safety for provider-specific options and can hide mismatches introduced by the ai/@ai-sdk/* major upgrades. Prefer aligning the messages typing with the ai SDK message types (or explicitly typing providerOptions as unknown/a provider-options type) rather than as any.
| providerOptions: cacheOptions as any, // Cache system prompt only | |
| providerOptions: cacheOptions as unknown, // Cache system prompt only |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workspaces/mi/mi-extension/package.json`:
- Around line 1125-1126: package.json currently pins "zod": "4.1.11" and
"@ai-sdk/amazon-bedrock": "4.0.4"; verify Zod 4 compatibility by searching for
callers using legacy Zod APIs (e.g., custom error handling patterns and any
z.number() usages that may rely on accepting Infinity) and update those call
sites or revert to a 3.x pin if incompatible; for `@ai-sdk/amazon-bedrock`, bump
to the latest 4.0.x patch (e.g., 4.0.62) or run your package manager update,
then run unit/integration tests and review the library changelog for any
behavior changes to adapt code in modules that import `@ai-sdk/amazon-bedrock`.
- Line 1071: The package.json dependency entry for "@ai-sdk/anthropic": "3.0.46"
references a non-existent npm version and will break installs; update that
dependency in workspaces/mi/mi-extension's package.json by changing the version
string for "@ai-sdk/anthropic" (the exact dependency key in the file) to a
published version such as "3.0.41" or the actual latest available release and
then run pnpm install to verify resolution.
---
Duplicate comments:
In `@workspaces/mi/mi-extension/package.json`:
- Line 1071: The package.json still lists "@ai-sdk/anthropic" at 3.x while
"@ai-sdk/amazon-bedrock" is 4.x—update the dependency so both SDK providers
align (e.g., bump "@ai-sdk/anthropic" to the 4.x release that pairs with the 6.x
AI SDK) or add a clear compatibility note if intentionally kept separate;
additionally, address the related typing gap by changing getAnthropicClient() in
connection.ts from Promise<any> to a proper typed Promise (e.g.,
Promise<AnthropicClient> or the library's client type) so callers have concrete
types.
| }, | ||
| "dependencies": { | ||
| "@ai-sdk/anthropic": "2.0.35", | ||
| "@ai-sdk/anthropic": "3.0.46", |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
@ai-sdk/anthropic 3.0.46 npm package version
💡 Result:
@ai-sdk/anthropic does not have an npm version 3.0.46.
The most recently published version shown for @ai-sdk/anthropic is 2.0.17 (published “4 days ago” at the time of the npm search snapshot). [1]
Version 3.0.46 appears to belong to other @ai-sdk/* packages (e.g., @ai-sdk/svelte), not @ai-sdk/anthropic. [1]
Sources:
[1] npmjs.com search results page (shows @ai-sdk/anthropic latest as 2.0.17 and @ai-sdk/svelte as 3.0.46) – https://www.npmjs.com/search?q=Chen%20Liangbin%F0%9F%91%A8%E2%80%8D%E2%9A%96%EF%B8%8FAI%20Specialist
🌐 Web query:
@ai-sdk/anthropic latest version npm 2026
💡 Result:
As of Feb 20, 2026, the newest published version of @ai-sdk/anthropic on npm appears to be 3.0.41 (published Feb 10, 2026). [1]
If you’re pinned to the v2 major line, the latest v2 shown is 2.0.61 (also Feb 10, 2026). [1]
🌐 Web query:
zod 4.1.11 npm package
💡 Result:
zod@4.1.11 is a published npm version of Zod (TypeScript-first schema declaration/validation with static type inference). It corresponds to a release dated Sep 20, 2025 (v4.1.11). [1]
Install that exact version:
npm i zod@4.1.11
# or: yarn add zod@4.1.11
# or: pnpm add zod@4.1.11
# or: bun add zod@4.1.11Notes:
- Snyk lists
zod@4.1.11and reports no direct vulnerabilities found for that version in their database. [2] - Snyk also shows newer versions exist (e.g.,
4.3.6listed as latest there). [2]
Sources: [1] [2]
@ai-sdk/anthropic@3.0.46 does not exist on npm.
The latest published version is 3.0.41 (Feb 10, 2026). Pinning to a non-existent version 3.0.46 will cause pnpm install to fail with a package resolution error. Update to 3.0.41 or the latest available version.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/package.json` at line 1071, The package.json
dependency entry for "@ai-sdk/anthropic": "3.0.46" references a non-existent npm
version and will break installs; update that dependency in
workspaces/mi/mi-extension's package.json by changing the version string for
"@ai-sdk/anthropic" (the exact dependency key in the file) to a published
version such as "3.0.41" or the actual latest available release and then run
pnpm install to verify resolution.
| "zod": "4.1.11", | ||
| "@ai-sdk/amazon-bedrock": "4.0.4" |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify zod@4.1.11 exists on npm
echo "=== Check if zod@4.1.11 exists ==="
npm view zod@4.1.11 version 2>&1 || echo "Version 4.1.11 NOT found on registry"
echo ""
echo "=== `@ai-sdk/amazon-bedrock` latest ==="
npm view `@ai-sdk/amazon-bedrock` version 2>&1
echo ""
echo "=== `@ai-sdk/amazon-bedrock`@4.0.4 check ==="
npm view `@ai-sdk/amazon-bedrock`@4.0.4 version 2>&1 || echo "Version 4.0.4 NOT found on registry"Repository: wso2/vscode-extensions
Length of output: 203
Verify zod@4.1.11 is compatible; @ai-sdk/amazon-bedrock@4.0.4 is 58 patch releases behind latest.
Two hygiene issues:
-
zod@4.1.11is a major-version bump. Zod 4 includes breaking changes such as unified error customization andz.number()no longer accepting infinite values. Ensure callers in this workspace are compatible. -
@ai-sdk/amazon-bedrock@4.0.4is significantly outdated; the latest published version is4.0.62, meaning this PR misses 58 patch releases that may include important bug fixes and improvements.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workspaces/mi/mi-extension/package.json` around lines 1125 - 1126,
package.json currently pins "zod": "4.1.11" and "@ai-sdk/amazon-bedrock":
"4.0.4"; verify Zod 4 compatibility by searching for callers using legacy Zod
APIs (e.g., custom error handling patterns and any z.number() usages that may
rely on accepting Infinity) and update those call sites or revert to a 3.x pin
if incompatible; for `@ai-sdk/amazon-bedrock`, bump to the latest 4.0.x patch
(e.g., 4.0.62) or run your package manager update, then run unit/integration
tests and review the library changelog for any behavior changes to adapt code in
modules that import `@ai-sdk/amazon-bedrock`.
2 participants
Implements: wso2/mi-vscode#1350
Summary by CodeRabbit