Skip to content

Add AWS BYOK with naive approach only for anthropic models#548

Draft
lambertjosh wants to merge 2 commits intomainfrom
aws-byok
Draft

Add AWS BYOK with naive approach only for anthropic models#548
lambertjosh wants to merge 2 commits intomainfrom
aws-byok

Conversation

@lambertjosh
Copy link
Contributor

Adds AWS BYOK support but only for Anthropic models for now. We need full model list (separate PR) to add full support.

baseURL: 'https://api.z.ai/api/coding/paas/v4',
});
if (provider === VercelUserByokInferenceProviderIdSchema.enum.bedrock) {
const { accessKeyId, secretAccessKey, region } = JSON.parse(userByok.decryptedAPIKey) as {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: JSON.parse without error handling + as type assertion

Two issues here:

  1. Runtime crash risk: If a user saves malformed JSON as their Bedrock credentials (the backend CreateBYOKKeyInputSchema only validates z.string().min(1) — no JSON validation for bedrock), JSON.parse will throw an unhandled exception, crashing this request. Consider wrapping in a try-catch or, better, validating the JSON shape with a Zod schema (e.g. z.object({ accessKeyId: z.string(), secretAccessKey: z.string(), region: z.string().optional() }).parse(...)) which both validates and avoids the as cast.

  2. Coding style: Per project rules, as casts are strongly discouraged. Using z.object(...).parse(...) would satisfy both the validation need and the style rule.

export type VercelInferenceProviderConfig = { apiKey: string; baseURL?: string };
export type VercelInferenceProviderConfig =
| { apiKey: string; baseURL?: string }
| { accessKeyId: string; secretAccessKey: string; region?: string };
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Consider making the union discriminated

This union type has no discriminant property, which means TypeScript can't narrow it without manual checks. If Vercel's gateway API accepts it, consider adding a discriminant (e.g. type: 'apiKey' | 'bedrock') or at minimum adding a comment explaining how consumers should distinguish between the two shapes. As-is, code consuming VercelInferenceProviderConfig will need to use 'accessKeyId' in config checks to narrow.

@kilo-code-bot
Copy link
Contributor

kilo-code-bot bot commented Feb 25, 2026

Code Review Summary

Status: 1 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0

Fix these issues in Kilo Cloud

Issue Details (click to expand)

CRITICAL

File Line Issue
- - None

WARNING

File Line Issue
src/lib/providers/vercel/index.ts 141 Unvalidated JSON.parse with type assertion can throw on malformed BYOK data and allow invalid credential shapes through to runtime.

SUGGESTION

File Line Issue
- - None
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File Line Issue
- - None
Files Reviewed (4 files)
  • src/components/organizations/byok/BYOKKeysManager.tsx - 0 issues
  • src/lib/providers/openrouter/inference-provider-id.ts - 0 issues
  • src/lib/providers/openrouter/types.ts - 0 issues
  • src/lib/providers/vercel/index.ts - 1 issue

@lambertjosh
Copy link
Contributor Author

@chrarnoldus - I had a hard time getting this to be fully tested locally, as it was giving me oauth code refresh errors when using our new extension and CLI. But... this is what I have so far. It's probably not the cleanest code (looking at you inferUserByokProvidersForModel) but may be a start.

If you have tips on how to test this locally let me know and I am happy to re-test and ensure this works.

# Conflicts:
#	src/lib/providers/index.ts
#	src/lib/providers/openrouter/inference-provider-id.ts
#	src/lib/providers/vercel/index.ts
list.push({ apiKey: provider.decryptedAPIKey });

if (key === VercelUserByokInferenceProviderIdSchema.enum.bedrock) {
const { accessKeyId, secretAccessKey, region } = JSON.parse(provider.decryptedAPIKey) as {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Unvalidated JSON.parse can crash request handling and produce invalid credential objects

This parses user-provided BYOK credentials without a guarded parse or runtime schema validation. Malformed JSON will throw at runtime, and missing fields can flow through as undefined despite the type assertion, causing hard-to-debug failures when Bedrock calls are attempted.

@chrarnoldus chrarnoldus marked this pull request as draft February 25, 2026 16:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants