feat: implement AWS Bedrock integration and update authentication han…

[tintnc]

Inspired by: #306

• Added AWS Bedrock configuration entries to .env.example to simplify initial setup.
• Updated the SDK to support asynchronous mapping of CLI options, with model aliases resolved via Bedrock configuration.
• Extended authentication validation to cover Bedrock mode and adjusted the CLI auth route response format.
• Updated state management to surface Bedrock authentication status consistently across components.

Summary by CodeRabbit

• New Features

  • Optional AWS Bedrock support for Claude authentication and model usage.
  • Configurable default and override options for Claude models.
  • Authentication status now indicates Bedrock usage; settings UI hides login prompts when Bedrock is active.

• Documentation

  • Added environment variable example and commented instructions for Bedrock configuration and model defaults.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b0cc1717-8602-4837-b215-e49640fff350

📥 Commits

Reviewing files that changed from the base of the PR and between 93079f7 and cd67122.

📒 Files selected for processing (1)

• .env.example

🚧 Files skipped from review as they are similar to previous changes (1)

• .env.example

---

📝 Walkthrough

Walkthrough

Adds optional AWS Bedrock configuration and Bedrock-aware Claude model resolution; introduces helpers to read ~/.claude/settings.json; propagates an isBedrock flag through server auth responses and frontend types/UI; makes mapCliOptionsToSDK async to await settings-driven resolution.

Changes

Cohort / File(s)	Summary
Env example \.env.example	Adds commented AWS Bedrock configuration block (CLAUDE_CODE_USE_BEDROCK, AWS_REGION/AWS_PROFILE/AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) and Claude model override vars (ANTHROPIC_DEFAULT_*, ANTHROPIC_MODEL, ANTHROPIC_SMALL_FAST_MODEL).
Backend: SDK, Auth, Helpers server/claude-sdk.js, server/routes/cli-auth.js, server/utils/env-helpers.js	mapCliOptionsToSDK made async; added loadClaudeSettingsEnv and isTruthyValue; added resolveClaudeEnvValue/resolveClaudeModel logic to resolve Bedrock-enabled model aliases; propagate isBedrock in credential/status checks and add Bedrock bypass path.
Frontend: Types & Defaults src/components/settings/types/types.ts, src/components/settings/constants/constants.ts	Added optional isBedrock?: boolean to AuthStatus and set DEFAULT_AUTH_STATUS.isBedrock = false.
Frontend: Hooks & UI src/components/settings/hooks/useSettingsController.ts, src/components/settings/view/tabs/agents-settings/sections/content/AccountContent.tsx	Extended StatusApiResponse to include isBedrock; propagate isBedrock into auth status state and hide login/re-auth UI when isBedrock is true.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Server
  participant SettingsFile as "~/.claude/settings.json"
  participant Bedrock
  rect rgba(200,200,255,0.5)
    Client->>Server: request Claude status or operation
    Server->>SettingsFile: loadClaudeSettingsEnv()
    SettingsFile-->>Server: env object (may be {})
    alt Bedrock enabled (env or settings)
      Server->>Server: resolveClaudeModel(alias, settingsEnv)
      Server->>Bedrock: call Bedrock (no API key)
      Bedrock-->>Server: respond (method: bedrock)
      Server-->>Client: { authenticated: true, method: "bedrock", isBedrock: true }
    else Non-Bedrock
      Server->>Server: check API key / oauth / settings
      Server-->>Client: { authenticated:*, method:*, isBedrock: false }
    end
  end

Loading

Possibly related PRs

• feat: Multiple features, improvements, and bug fixes #208: Modifies Claude SDK integration and model selection logic — closely related to mapCliOptionsToSDK and model resolution changes.
• Add inline permission grant for Claude tool errors #289: Updates SDK option resolution and CLI→SDK mapping — related to making mapCliOptionsToSDK async and option handling.
• fix: detect Claude auth from settings env #527: Adds/loading ~/.claude/settings.json usage — directly related to loadClaudeSettingsEnv integration.

Suggested Reviewers

• viper151

Poem

🐰
I nibble configs in the night,
Bedrock paths now gleam with light,
Models found in file or air,
isBedrock hops here and there,
Claude and I weave settings bright.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly summarizes the main change: implementing AWS Bedrock integration and updating authentication handling, which aligns with the core objectives and changes throughout the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use TruffleHog to scan for secrets in your code with verification capabilities.

Add a TruffleHog config file (e.g. trufflehog-config.yml, trufflehog.yml) to your project to customize detectors and scanning behavior. The tool runs only when a config file is present.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/components/settings/hooks/useSettingsController.ts (1)

276-284: ⚠️ Potential issue | 🟡 Minor

Missing isBedrock: false in failed response path.

When !response.ok, the status object is missing the isBedrock field. Since setAuthStatusByProvider replaces the entire object (not merges), this could leave isBedrock undefined. Other paths at lines 287-294 and 297-303 correctly include it.

🔧 Proposed fix

       if (!response.ok) {
         setAuthStatusByProvider(provider, {
           authenticated: false,
           email: null,
           loading: false,
           error: 'Failed to check authentication status',
+          isBedrock: false,
         });
         return;
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/hooks/useSettingsController.ts` around lines 276 -
284, The failure branch that runs when response.ok is false calls
setAuthStatusByProvider(provider, {...}) but omits the isBedrock property;
update that object to include isBedrock: false (matching the other
failure/success branches) so setAuthStatusByProvider receives a complete status
shape for provider and won’t leave isBedrock undefined.

server/routes/cli-auth.js (1)

166-172: ⚠️ Potential issue | 🟡 Minor

Missing isBedrock: false in ANTHROPIC_API_KEY path.

This return path is missing the isBedrock field, while other api_key paths (lines 177-184, 186-193) include it. For consistency and to avoid potential undefined values, add the field.

🔧 Proposed fix

   if (process.env.ANTHROPIC_API_KEY && process.env.ANTHROPIC_API_KEY.trim()) {
     return {
       authenticated: true,
       email: 'API Key Auth',
-      method: 'api_key'
+      method: 'api_key',
+      isBedrock: false
     };
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/cli-auth.js` around lines 166 - 172, The ANTHROPIC_API_KEY
return path is missing the isBedrock property; update the object returned inside
the conditional that checks process.env.ANTHROPIC_API_KEY (the block returning
authenticated: true, email: 'API Key Auth', method: 'api_key') to include
isBedrock: false so it matches the other api_key return paths and avoids
undefined values.

🧹 Nitpick comments (2)

server/claude-sdk.js (2)

472-485: loadClaudeSettingsEnv is also duplicated in cli-auth.js.

Similar to isTruthyValue, this function is duplicated in server/routes/cli-auth.js (lines 111-125). Both implementations read from the same path and have identical logic. Consider extracting to a shared module.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/claude-sdk.js` around lines 472 - 485, Duplicate implementation of
loadClaudeSettingsEnv exists; extract it into a single shared module (e.g.,
create a new module that exports loadClaudeSettingsEnv) and replace both local
copies with imports. Preserve the original behavior (async function, reading
path.join(os.homedir(), '.claude', 'settings.json'), JSON.parse, returning
parsed.env when an object, catching errors and returning {}), export it as a
named function (loadClaudeSettingsEnv) from the new module, update the callers
(the implementations currently in claude-sdk.js and cli-auth.js) to import that
function and remove the duplicate code blocks.

---

463-470: Consider extracting isTruthyValue to a shared utility.

This helper is duplicated in server/routes/cli-auth.js (lines 9-16). Extracting it to a shared utility module would reduce duplication and ensure consistent behavior.

♻️ Suggested refactor

Create a shared utility file:

// server/utils/env-helpers.js
export function isTruthyValue(value) {
  if (typeof value !== 'string') {
    return false;
  }
  const normalized = value.trim().toLowerCase();
  return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
}

Then import in both files:

import { isTruthyValue } from './utils/env-helpers.js';

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/claude-sdk.js` around lines 463 - 470, The helper isTruthyValue is
duplicated; extract it into a shared utility module (e.g., env-helpers) as a
named export isTruthyValue, remove the local definitions in the modules that
currently define it, and update those modules to import { isTruthyValue } from
the new utility; ensure the exported function preserves the same string-check
behavior and replace the local calls with the imported function everywhere the
duplicate existed (including the other module that currently contains lines
9-16).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@server/routes/cli-auth.js`:
- Around line 166-172: The ANTHROPIC_API_KEY return path is missing the
isBedrock property; update the object returned inside the conditional that
checks process.env.ANTHROPIC_API_KEY (the block returning authenticated: true,
email: 'API Key Auth', method: 'api_key') to include isBedrock: false so it
matches the other api_key return paths and avoids undefined values.

In `@src/components/settings/hooks/useSettingsController.ts`:
- Around line 276-284: The failure branch that runs when response.ok is false
calls setAuthStatusByProvider(provider, {...}) but omits the isBedrock property;
update that object to include isBedrock: false (matching the other
failure/success branches) so setAuthStatusByProvider receives a complete status
shape for provider and won’t leave isBedrock undefined.

---

Nitpick comments:
In `@server/claude-sdk.js`:
- Around line 472-485: Duplicate implementation of loadClaudeSettingsEnv exists;
extract it into a single shared module (e.g., create a new module that exports
loadClaudeSettingsEnv) and replace both local copies with imports. Preserve the
original behavior (async function, reading path.join(os.homedir(), '.claude',
'settings.json'), JSON.parse, returning parsed.env when an object, catching
errors and returning {}), export it as a named function (loadClaudeSettingsEnv)
from the new module, update the callers (the implementations currently in
claude-sdk.js and cli-auth.js) to import that function and remove the duplicate
code blocks.
- Around line 463-470: The helper isTruthyValue is duplicated; extract it into a
shared utility module (e.g., env-helpers) as a named export isTruthyValue,
remove the local definitions in the modules that currently define it, and update
those modules to import { isTruthyValue } from the new utility; ensure the
exported function preserves the same string-check behavior and replace the local
calls with the imported function everywhere the duplicate existed (including the
other module that currently contains lines 9-16).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 73fe83d1-5fe0-4878-b1bb-d84fbc8a59be

📥 Commits

Reviewing files that changed from the base of the PR and between 95bcee0 and 181cf5c.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• .env.example
• server/claude-sdk.js
• server/routes/cli-auth.js
• src/components/settings/constants/constants.ts
• src/components/settings/hooks/useSettingsController.ts
• src/components/settings/types/types.ts
• src/components/settings/view/tabs/agents-settings/sections/content/AccountContent.tsx

[tintnc]

Addressing CodeRabbit review feedback:

• Moved isTruthyValue and loadClaudeSettingsEnv from claude-sdk.js and cli-auth.js into a dedicated utils/env-helpers.js module to improve structure and reuse.
• Updated claude-sdk.js and cli-auth.js to import from the new helper module.

[coderabbitai]

🧹 Nitpick comments (1)

server/utils/env-helpers.js (1)

25-38: Consider caching to avoid redundant file reads during a single request.

Per context snippets, loadClaudeSettingsEnv() is called from both checkClaudeCredentials() (cli-auth.js:125) and mapCliOptionsToSDK() (claude-sdk.js:196). A single request flow that checks auth and then processes through the SDK will read ~/.claude/settings.json twice.

While the current implementation is correct and OS-level file caching mitigates most overhead, a simple module-level cache with TTL would reduce I/O and ensure consistent snapshots within a request.

💡 Optional: Add simple caching

+let cachedSettingsEnv = null;
+let cacheTimestamp = 0;
+const CACHE_TTL_MS = 5000; // 5 seconds
+
 export async function loadClaudeSettingsEnv() {
+  const now = Date.now();
+  if (cachedSettingsEnv && (now - cacheTimestamp) < CACHE_TTL_MS) {
+    return cachedSettingsEnv;
+  }
+
   try {
     const settingsPath = path.join(os.homedir(), '.claude', 'settings.json');
     const content = await fs.readFile(settingsPath, 'utf8');
     const settings = JSON.parse(content);
 
     if (settings?.env && typeof settings.env === 'object') {
+      cachedSettingsEnv = settings.env;
+      cacheTimestamp = now;
       return settings.env;
     }
   } catch {
     // Ignore missing or malformed settings and fall back to empty.
   }
 
+  cachedSettingsEnv = {};
+  cacheTimestamp = now;
   return {};
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/utils/env-helpers.js` around lines 25 - 38, loadClaudeSettingsEnv
currently rereads ~/.claude/settings.json on every call causing duplicate I/O
when invoked by checkClaudeCredentials and mapCliOptionsToSDK; add a simple
module-level cache (e.g., cachedEnv and cachedAt) and a TTL (e.g., 1–5 seconds)
so loadClaudeSettingsEnv returns the cached env if cachedAt is recent, otherwise
reads the file, updates cachedEnv and cachedAt, and returns the result; preserve
current error swallowing and fallback-to-empty behavior and ensure cache stores
the parsed settings.env object (or {}).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/utils/env-helpers.js`:
- Around line 25-38: loadClaudeSettingsEnv currently rereads
~/.claude/settings.json on every call causing duplicate I/O when invoked by
checkClaudeCredentials and mapCliOptionsToSDK; add a simple module-level cache
(e.g., cachedEnv and cachedAt) and a TTL (e.g., 1–5 seconds) so
loadClaudeSettingsEnv returns the cached env if cachedAt is recent, otherwise
reads the file, updates cachedEnv and cachedAt, and returns the result; preserve
current error swallowing and fallback-to-empty behavior and ensure cache stores
the parsed settings.env object (or {}).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9b153b0b-0d85-4f7b-8e2e-f789649eb8c5

📥 Commits

Reviewing files that changed from the base of the PR and between 181cf5c and 93079f7.

📒 Files selected for processing (4)

• server/claude-sdk.js
• server/routes/cli-auth.js
• server/utils/env-helpers.js
• src/components/settings/hooks/useSettingsController.ts

[viper151]

@tintnc can you look at the PR again and the claude agent sdk requirements for env variables?
There are some env variables you have added in the .env.example that are not needed at all
like for example the below. I'd suggest that you look first at the claude agent sdk docs and try to correct your implementation

AWS_ACCESS_KEY_ID=your-access-key-id

AWS_SECRET_ACCESS_KEY=your-secret-access-key

Once you are done, please put your PR back to open so we can have a look at it.