feat(bedrock): add AWS Profile authentication mode #1748

Merged
zerob13 merged 4 commits into ThinkInAIXYZ:dev from loveklmn:feat/bedrock-profile-auth
Jun 9, 2026

loveklmn commented Jun 8, 2026

Summary

Add AWS Profile authentication support for the Bedrock provider. Users can now choose between static Access Keys or a named AWS Profile (~/.aws/credentials) for authentication.

Adds a Profile authentication mode to the AWS Bedrock provider. Users do not need to enter an Access Key manually and can authenticate directly with a locally configured AWS Profile.

Screenshots

authentication by profile

Access Keys authentication mode

AWS Profile Mode configuration

AWS Profile authentication mode

Verification

Profile verification success

Design

Authentication Modes

| Mode | Description | Use Case |
| --- | --- | --- |
| Access Keys | Static Access Key ID + Secret Access Key | Simple, personal use |
| AWS Profile | Named profile from local AWS config | SSO, temporary credentials, shared team config |

Technical Approach

  • Uses fromNodeProviderChain from @aws-sdk/credential-providers — resolves the full AWS credential chain (SSO, env vars, process credentials, IMDSv2, etc.)
  • UI presents a radio toggle for mutually exclusive auth modes; only relevant fields are shown
  • Verification strategy changed from generate-text to fetch-models (ListFoundationModels API) — no longer depends on a specific model ID being available

UI Design

Radio selector at the top of Bedrock settings:

  • Access Keys → shows Access Key ID + Secret Access Key fields
  • AWS Profile → shows Profile Name input
  • Region is always visible in both modes

Changes

| File | Change |
| --- | --- |
| package.json | Add @aws-sdk/credential-providers |
| src/shared/types/presenters/*.d.ts | Add authMode, profile to AwsBedrockCredential |
| src/shared/contracts/domainSchemas.ts | Zod schema update |
| src/main/.../providerFactory.ts | Use fromNodeProviderChain for profile mode |
| src/main/.../aiSdkProvider.ts | Validation + fetchBedrockModels profile support |
| src/main/.../providerRegistry.ts | checkStrategy: 'fetch-models' |
| BedrockProviderSettingsDetail.vue | Radio toggle + conditional fields |
| 20 locale JSON files | Translated i18n keys for all supported languages |

Test Plan

  • pnpm run typecheck — pass
  • pnpm run lint — pass
  • pnpm run i18n — no missing keys
  • Profile mode: verified with ada credentials update --profile bedrock-gw
  • Access Keys mode: regression tested
  • UI toggle switches correctly, values persist across mode changes

Summary by CodeRabbit

  • New Features

    • AWS Bedrock provider now supports profile-based authentication in addition to access keys.
    • Settings UI lets users choose authentication mode and enter profile name or keys, with a Verify action.
  • Chores

    • Localization added for the new authentication UI across many languages.

loveklmn added 3 commits June 8, 2026 14:03
Add a new authentication mode for AWS Bedrock provider that allows
users to authenticate using named AWS profiles (~/.aws/credentials)
instead of static access keys. Uses fromNodeProviderChain for full
AWS credential chain resolution (SSO, process credentials, etc).
…n model listing

- Change checkStrategy from generate-text to fetch-models so
  verification no longer depends on a specific model ID
- Support profile auth mode in fetchBedrockModels() via
  fromNodeProviderChain

coderabbitai Bot commented Jun 8, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between f709bde and 2339607.

📒 Files selected for processing (2)
  • src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts
  • src/renderer/settings/components/BedrockProviderSettingsDetail.vue
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts
  • src/renderer/settings/components/BedrockProviderSettingsDetail.vue

Walkthrough

Adds profile-based AWS Bedrock authentication: extends credential schema/types with authMode/profile, adds @aws-sdk/credential-providers, wires profile resolution via fromNodeProviderChain in provider factory and model/validation paths, updates provider registry check strategy, refactors Bedrock settings UI with an auth-mode selector, and adds i18n entries across many locales.

Changes

AWS Bedrock Profile-Based Authentication

  • Type contracts and runtime dependency
    File(s): src/shared/contracts/domainSchemas.ts, src/shared/types/presenters/legacy.presenters.d.ts, src/shared/types/presenters/llmprovider.presenter.d.ts, package.json
    Summary: Updated Bedrock credential schema/types to include optional authMode: 'accessKeys' | 'profile' and optional profile; added @aws-sdk/credential-providers runtime dependency.
  • Bedrock provider factory with profile credentials
    File(s): src/main/presenter/llmProviderPresenter/aiSdk/providerFactory.ts
    Summary: Imported fromNodeProviderChain and reworked Bedrock options to conditionally use credentialProvider: fromNodeProviderChain({ profile }) when authMode === 'profile', otherwise set accessKeyId/secretAccessKey from credential or environment.
  • Bedrock model fetching and credential validation
    File(s): src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts
    Summary: fetchBedrockModels now branches on authMode === 'profile' to resolve credentials via fromNodeProviderChain or use explicit keys from env/credential; validateCredentials updated to require profile+region for profile mode, otherwise accessKeyId+secretAccessKey+region.
  • Provider registry check strategy update
    File(s): src/main/presenter/llmProviderPresenter/providerRegistry.ts
    Summary: Changed aws-bedrock provider checkStrategy to fetch-models (replacing generate-text) and removed text-check-specific config fields.
  • Bedrock settings UI with auth mode selector
    File(s): src/renderer/settings/components/BedrockProviderSettingsDetail.vue
    Summary: Added auth-mode radio selector and conditional inputs (access keys with visibility toggles vs profile name); introduced authMode/profile reactive state, buildCredential() helper, per-field handlers, updated onboarding readiness logic, and simplified Verify handler to use current credential state.
  • Localization strings for auth mode UI
    File(s): src/renderer/src/i18n/*/settings.json (20 files)
    Summary: Added provider.authMode, authModeAccessKeys, authModeProfile, profileNameLabel, and profilePlaceholder keys across multiple locale files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • zerob13

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'feat(bedrock): add AWS Profile authentication mode' clearly and accurately summarizes the main change: adding AWS Profile authentication support to the Bedrock provider. The title is concise, directly related to the changeset, and highlights the primary feature addition. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

loveklmn marked this pull request as ready for review June 8, 2026 21:31

coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
src/renderer/src/i18n/de-DE/settings.json (1)

1146-1146: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

German verification hint no longer matches actual behavior.

Line 1146 still claims verification uses Claude 3.5 Sonnet. With fetch-models verification, this text is stale and can confuse troubleshooting.

Suggested fix
-    "bedrockVerifyTip": "DeepChat verwendet Claude 3.5 Sonnet zur Prüfung. Wenn Sie keine Aufrufberechtigung für dieses Modell haben, schlägt die Prüfung fehl. Dies wirkt sich nicht auf die Nutzung anderer Modelle aus.",
+    "bedrockVerifyTip": "DeepChat prüft die Konfiguration, indem die verfügbare Modellliste von AWS Bedrock abgerufen wird. Wenn die Prüfung fehlschlägt, prüfen Sie Zugangsdaten, Region und Berechtigungen.",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/renderer/src/i18n/de-DE/settings.json` at line 1146, The
"bedrockVerifyTip" localization string is outdated (mentions "Claude 3.5
Sonnet") and should be updated to reflect the current "fetch-models"
verification behavior; locate the "bedrockVerifyTip" entry in the German i18n
file and replace the message with a concise statement explaining that
verification uses the fetch-models method and that lacking model access will
cause verification to fail without affecting other models, keeping tone and
phrasing consistent with surrounding entries.
src/renderer/src/i18n/da-DK/settings.json (1)

1004-1004: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

bedrockVerifyTip is outdated after strategy change.

Line 1004 says verification uses Claude 3.5 Sonnet, but this PR switched verification to model fetching. The message will mislead users about failure causes.

Suggested fix
-    "bedrockVerifyTip": "DeepChat bruger Claude 3.5 Sonnet til verifikation. Hvis du ikke har adgang, mislykkes testen – dette påvirker ikke andre modeller.",
+    "bedrockVerifyTip": "DeepChat verificerer konfigurationen ved at hente den tilgængelige modelliste fra AWS Bedrock. Hvis forespørgslen mislykkes, skal du kontrollere legitimationsoplysninger, region og tilladelser.",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/renderer/src/i18n/da-DK/settings.json` at line 1004, The translation key
bedrockVerifyTip is outdated (mentions "Claude 3.5 Sonnet") and should be
updated to reflect that verification now uses model fetching; locate the
bedrockVerifyTip entry in src/renderer/src/i18n/da-DK/settings.json and replace
the message text so it accurately states that verification attempts to fetch or
probe the configured Bedrock model and that failures indicate model access/fetch
issues (not specifically Claude 3.5 Sonnet), keeping the Danish phrasing
consistent with surrounding entries.
src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts (1)

1745-1817: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Bedrock verification now succeeds on fallback data.

fetchBedrockModels() swallows missing/invalid Bedrock auth by returning provider-db Claude models, and the fetch-models branch in check() treats any returned list as a successful verification. After this PR’s strategy change, "Verify" can report success for a Bedrock config that still cannot authenticate.

Suggested direction
-  private async fetchBedrockModels(): Promise<MODEL_META[]> {
+  private async fetchBedrockModels(options?: { allowFallback?: boolean }): Promise<MODEL_META[]> {
+    const allowFallback = options?.allowFallback !== false
     const provider = this.provider as AWS_BEDROCK_PROVIDER
     const credential = provider.credential
     const region = credential?.region || process.env.BEDROCK_REGION
     const useProfile = credential?.authMode === 'profile' && credential?.profile

     if (!useProfile) {
       const accessKeyId = credential?.accessKeyId || process.env.BEDROCK_ACCESS_KEY_ID
       const secretAccessKey = credential?.secretAccessKey || process.env.BEDROCK_SECRET_ACCESS_KEY
       if (!accessKeyId || !secretAccessKey || !region) {
-        return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
-          model.id.startsWith('anthropic.')
-        )
+        if (allowFallback) {
+          return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
+            model.id.startsWith('anthropic.')
+          )
+        }
+        throw new Error('Missing AWS Bedrock credentials')
       }
     }

     if (!region) {
-      return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
-        model.id.startsWith('anthropic.')
-      )
+      if (allowFallback) {
+        return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
+          model.id.startsWith('anthropic.')
+        )
+      }
+      throw new Error('Missing AWS region')
     }

     try {
       // ...
     } catch (error) {
       console.error('获取AWS Bedrock Anthropic模型列表出错:', error)
-      return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
-        model.id.startsWith('anthropic.')
-      )
+      if (allowFallback) {
+        return this.mapConfigDbModels(this.definition.providerDbSourceId).filter((model) =>
+          model.id.startsWith('anthropic.')
+        )
+      }
+      throw error
     }
   }
       case 'fetch-models':
       default:
         try {
-          await this.fetchProviderModels()
+          if (this.definition.modelSource === 'bedrock') {
+            await this.fetchBedrockModels({ allowFallback: false })
+          } else {
+            await this.fetchProviderModels()
+          }
           return { isOk: true, errorMsg: null }
         } catch (error) {
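
Review bot: At `const useProfile = credential?.authMode === 'profile' && credential?.profile`, a credential saved with authMode 'profile' and an empty profile makes useProfile falsy, so the function drops into the access-key branch and uses any stored accessKeyId/secretAccessKey or the BEDROCK_* environment values. With `allowFallback: false` that can let Verify pass under an identity other than the mode the user selected. Branch on authMode alone and throw when the profile name is empty. Separately, allowFallback defaults to true, so every caller other than the check() branch shown keeps the silent fallback; a comment on the parameter should say that this is intended.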

Also applies to: 2285-2294

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts` around
lines 1745 - 1817, fetchBedrockModels currently masks missing/invalid Bedrock
credentials by returning provider-db Claude models, letting check() treat that
as a successful verification; change fetchBedrockModels (and the duplicate block
later) to throw a descriptive error when required Bedrock auth/region is missing
or invalid instead of returning the fallback mapConfigDbModels(...) list so
authentication failures surface. Locate the checks around
credential/accessKeyId/secretAccessKey/region in fetchBedrockModels and replace
the early-return fallback with: throw new Error('Missing Bedrock credentials or
region') (or similar), and ensure any calling check() code is ready to catch
this error and mark verification as failed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts`:
- Around line 1747-1754: The code that builds Bedrock credentials (variables
region, accessKeyId, secretAccessKey, and the useProfile branch in
aiSdkProvider.ts) only checks BEDROCK_* env vars, causing mismatch with runtime
which uses AWS_* vars; update the credential resolution to fall back to the
AWS_* equivalents (e.g., process.env.AWS_REGION, process.env.AWS_ACCESS_KEY_ID,
process.env.AWS_SECRET_ACCESS_KEY) when the BEDROCK_* vars are absent, and make
the same change in the other Bedrock credential blocks referenced (the blocks
around the useProfile/accessKeyId/secretAccessKey logic and the later repeated
sections) so validation/model refresh uses the same env var names as
providerFactory.

In `@src/renderer/settings/components/BedrockProviderSettingsDetail.vue`:
- Around line 301-304: The handler handleAuthModeChange currently force-casts
any string into authMode and persists it via
providerStore.updateAwsBedrockProviderConfig; change it to explicitly validate
that the incoming value is one of the allowed literals ('accessKeys' or
'profile') before assigning authMode.value and calling
providerStore.updateAwsBedrockProviderConfig(props.provider.id, ...); if the
value is not one of those two, bail out (or set a safe default) and do not
persist, optionally logging or emitting an error—this ensures only valid
authMode values are stored and used by auth branching.

📥 Commits

Reviewing files that changed from the base of the PR and between 3aa389c and f709bde.

📒 Files selected for processing (28)
  • package.json
  • src/main/presenter/llmProviderPresenter/aiSdk/providerFactory.ts
  • src/main/presenter/llmProviderPresenter/providerRegistry.ts
  • src/main/presenter/llmProviderPresenter/providers/aiSdkProvider.ts
  • src/renderer/settings/components/BedrockProviderSettingsDetail.vue
  • src/renderer/src/i18n/da-DK/settings.json
  • src/renderer/src/i18n/de-DE/settings.json
  • src/renderer/src/i18n/en-US/settings.json
  • src/renderer/src/i18n/es-ES/settings.json
  • src/renderer/src/i18n/fa-IR/settings.json
  • src/renderer/src/i18n/fr-FR/settings.json
  • src/renderer/src/i18n/he-IL/settings.json
  • src/renderer/src/i18n/id-ID/settings.json
  • src/renderer/src/i18n/it-IT/settings.json
  • src/renderer/src/i18n/ja-JP/settings.json
  • src/renderer/src/i18n/ko-KR/settings.json
  • src/renderer/src/i18n/ms-MY/settings.json
  • src/renderer/src/i18n/pl-PL/settings.json
  • src/renderer/src/i18n/pt-BR/settings.json
  • src/renderer/src/i18n/ru-RU/settings.json
  • src/renderer/src/i18n/tr-TR/settings.json
  • src/renderer/src/i18n/vi-VN/settings.json
  • src/renderer/src/i18n/zh-CN/settings.json
  • src/renderer/src/i18n/zh-HK/settings.json
  • src/renderer/src/i18n/zh-TW/settings.json
  • src/shared/contracts/domainSchemas.ts
  • src/shared/types/presenters/legacy.presenters.d.ts
  • src/shared/types/presenters/llmprovider.presenter.d.ts

- Unify env var names: use AWS_REGION/AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
  consistently (matches providerFactory.ts)
- Validate authMode value before assignment in settings UI
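
The fail-open verification raised in the review above, together with the authMode validation and AWS_* environment fallback from this commit, as an added TypeScript example that is not DeepChat's code. All type and function names are hypothetical, and ModelLister is a synchronous stand-in for the live ListFoundationModels call.

```typescript
// Added example: every name here is hypothetical, not DeepChat's implementation.
type AuthMode = 'accessKeys' | 'profile'
interface BedrockCredential {
  authMode?: string // untrusted: read back from persisted settings
  profile?: string
  accessKeyId?: string
  secretAccessKey?: string
  region?: string
}
type AuthPlan =
  | { mode: 'profile'; profile: string; region: string }
  | { mode: 'accessKeys'; accessKeyId: string; secretAccessKey: string; region: string }
type Env = Record<string, string | undefined>
// Synchronous stand-in for the live ListFoundationModels call; throws when AWS rejects the caller.
type ModelLister = (plan: AuthPlan) => string[]
interface CheckResult { isOk: boolean; errorMsg: string | null }
const isAuthMode = (v: unknown): v is AuthMode => v === 'accessKeys' || v === 'profile'

// Pick the identity to use; never switch modes behind the user's back.
function planBedrockAuth(cred: BedrockCredential, env: Env): AuthPlan {
  const mode = cred.authMode ?? 'accessKeys' // configs saved before authMode existed
  if (!isAuthMode(mode)) throw new Error(`Unsupported authMode: ${JSON.stringify(mode)}`)
  const region = cred.region || env.AWS_REGION
  if (!region) throw new Error('Missing AWS region')
  if (mode === 'profile') {
    const profile = (cred.profile ?? '').trim()
    if (!profile) throw new Error('Profile mode selected but no profile name is set')
    return { mode, profile, region }
  }
  const accessKeyId = cred.accessKeyId || env.AWS_ACCESS_KEY_ID
  const secretAccessKey = cred.secretAccessKey || env.AWS_SECRET_ACCESS_KEY
  if (!accessKeyId || !secretAccessKey) throw new Error('Missing AWS access keys')
  return { mode, accessKeyId, secretAccessKey, region }
}

// Model-picker path: a bundled list is acceptable when the live call fails.
function listModelsWithFallback(cred: BedrockCredential, env: Env, live: ModelLister, bundled: string[]): string[] {
  try {
    return live(planBedrockAuth(cred, env))
  } catch {
    return bundled
  }
}

// Fail-open check: any returned list counts as success, including the bundled one.
function verifyFailOpen(cred: BedrockCredential, env: Env, live: ModelLister, bundled: string[]): CheckResult {
  listModelsWithFallback(cred, env, live, bundled)
  return { isOk: true, errorMsg: null }
}

// Fail-closed check: only a live, authenticated response counts.
function verifyFailClosed(cred: BedrockCredential, env: Env, live: ModelLister): CheckResult {
  try {
    live(planBedrockAuth(cred, env))
    return { isOk: true, errorMsg: null }
  } catch (error) {
    return { isOk: false, errorMsg: error instanceof Error ? error.message : String(error) }
  }
}

// Constructed sample inputs.
const BUNDLED_MODELS = ['anthropic.example-model']
const rejectingLister: ModelLister = () => { throw new Error('AccessDenied (constructed)') }
const acceptingLister: ModelLister = (plan) => [`live-model-in-${plan.region}`]
```

With rejectingLister, verifyFailOpen still reports success while verifyFailClosed returns the AWS error, which is the difference the Verify button needs to expose.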

zerob13 commented Jun 9, 2026

LGTM
Thank you

zerob13 merged commit 407607d into ThinkInAIXYZ:dev Jun 9, 2026
3 checks passed