* feat(bedrock): add Bedrock Mantle (OpenAI-compatible) provider
New amazon-bedrock-mantle extension that provides auto-discovery and
authentication for Amazon Bedrock Mantle endpoints.
Mantle (bedrock-mantle.<region>.api.aws) is Amazon Bedrock's OpenAI-
compatible API surface, separate from the existing bedrock-runtime
(ConverseStream) endpoint. It has its own model catalog including
models not available via ConverseStream (e.g. openai.gpt-oss-120b,
mistral.devstral-2-123b).
Extension structure:
- discovery.ts: Model discovery via GET /v1/models (OpenAI format),
bearer token resolution, implicit provider configuration
- register.sync.runtime.ts: Provider registration with catalog,
error classification (rate limits, context overflow)
- openclaw.plugin.json: Plugin manifest, enabledByDefault
Auth support:
- Long-lived Bedrock API key (AWS_BEARER_TOKEN_BEDROCK env var)
created from the AWS Console → used directly as Bearer token
- Pre-generated SigV4-derived tokens (via aws-bedrock-token-generator)
set in AWS_BEARER_TOKEN_BEDROCK → works transparently
Provider config (auto-resolved when AWS_BEARER_TOKEN_BEDROCK is set):
api: "openai-completions"
baseUrl: "https://bedrock-mantle.<region>.api.aws/v1"
auth: "api-key" (bearer token)
Available in 12 regions: us-east-1, us-east-2, us-west-2,
ap-northeast-1, ap-south-1, ap-southeast-3, eu-central-1,
eu-west-1, eu-west-2, eu-south-1, eu-north-1, sa-east-1
Tests: 15 passing (13 discovery + 2 plugin registration)
* chore(bedrock): clarify mantle bearer auth scope
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* feat(bedrock): add inference profile discovery and region injection
Inference profiles (cross-region and application) work with ConverseStream
but require the SDK client region to match the profile region. Without
this, users get "The provided model identifier is invalid" errors when
using cross-region profiles like us.anthropic.claude-sonnet-4-6.
Changes:
1. Inference profile discovery (discovery.ts):
- Call ListInferenceProfiles alongside ListFoundationModels (parallel)
- Inference profiles INHERIT capabilities from their underlying
foundation model (modalities, reasoning, context window, cost)
- resolveBaseModelId() maps profile → foundation model:
"us.anthropic.claude-sonnet-4-6" → "anthropic.claude-sonnet-4-6"
Application ARNs → extract model ID from models[].modelArn
- Graceful degradation if IAM lacks bedrock:ListInferenceProfiles
- Provider filter applies to profiles via underlying model ARNs
2. Region injection (register.sync.runtime.ts):
- Extract region from provider baseUrl or bedrockDiscovery.region
- Pass through to pi-ai options.region in wrapStreamFn
- Ensures SDK client connects to correct regional endpoint
3. Inference profile model detection (anthropic-family-cache-semantics.ts):
- isAnthropicBedrockModel() now recognizes application inference
profile ARNs (arn:aws:bedrock:...:application-inference-profile/*)
4. Tests (discovery.test.ts):
- New: inference profile inheritance test (4 models: 1 foundation +
3 profiles, verifies capability inheritance, inactive filtering)
- New: graceful AccessDeniedException handling test
- Updated: all existing tests for dual-API discovery pattern
Fixes#55642
* fix(bedrock): preserve inference profile model lookup
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(acpx): store agent session ID when session/load fails
When an ACP agent (e.g. Gemini CLI) rejects the acpx-generated session
ID via session/load and falls back to session/new, the agent-returned
session ID was previously discarded. This caused identity stuck at
pending forever, multi-turn failures, lost completion events, and
persistent reconcile warnings.
- Parse ACP protocol stream in runTurn() to capture agent session IDs
- Flip resolveRuntimeResumeSessionId() to prefer agentSessionId
- Add createIdentityFromHandleEvent() for handle-sourced identity
- Layer handle event identity before status in reconcile
- Add regression tests for load fallback and restart resume
Closes#52182
* ACPX: prefer decoded session ids
* ACPX: refresh runtime handle state from status
---------
Co-authored-by: Wesley <imwyvern@users.noreply.github.com>
* fix(bedrock): stop injecting fake apiKey marker for aws-sdk auth when no env vars exist
When the Bedrock provider uses auth: "aws-sdk" and no AWS environment
variables are set (EC2 instance roles, ECS task roles, etc.),
resolveAwsSdkApiKeyVarName() fell back to "AWS_PROFILE" unconditionally.
This string was injected as apiKey in the provider config during
normalisation, which poisoned the downstream auth resolver — it treated
the marker as a literal key and failed with "No API key found".
The fix:
- resolveAwsSdkApiKeyVarName() now returns undefined (not "AWS_PROFILE")
when no AWS env vars are present
- resolveBedrockConfigApiKey() (extension) gets the same fix
- resolveMissingProviderApiKey() guards both the providerApiKeyResolver
and direct aws-sdk branches: if the resolver returns nothing, the
provider config is returned unchanged (no apiKey injected)
- The aws-sdk credential chain then resolves credentials at request time
via IMDS/ECS task role/etc. as intended
When AWS env vars ARE present (AWS_ACCESS_KEY_ID, AWS_PROFILE,
AWS_BEARER_TOKEN_BEDROCK), the marker is still injected correctly.
Closes#49891Closes#50699Fixes#54274
* test(bedrock): update resolveBedrockConfigApiKey test for undefined return on empty env
The test previously expected "AWS_PROFILE" when no env vars are set.
Now expects undefined (matching the fix), and adds a separate assertion
that AWS_PROFILE is returned when the env var is actually present.
* fix(bedrock): lock aws-sdk env marker behavior
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(google): restore proxy-safe image generation (#59873)
* fix(ssrf): preserve transport policy without pinned dns
* fix(ssrf): use undici fetch for dispatcher requests
* fix(ssrf): type dispatcher fetch path
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
