feat(bedrock): add AWS_BEARER_TOKEN_BEDROCK bearer token authentication#45152
Closed
DavidXArnold wants to merge 11 commits into
Closed
feat(bedrock): add AWS_BEARER_TOKEN_BEDROCK bearer token authentication#45152DavidXArnold wants to merge 11 commits into
DavidXArnold wants to merge 11 commits into
Conversation
Contributor
Greptile SummaryThis PR wires up the previously-scaffolded
Confidence Score: 3/5
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 69549fed38
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8d7dabe7e4
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
8d7dabe to
8b7fdd5
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8b7fdd5afd
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
a6ea960 to
fe7e6ff
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fe7e6ffa6b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Author
|
Re: provider alias normalization Fixed in |
There was a problem hiding this comment.
💡 Codex Review
https://github.com/openclaw/openclaw/blob/8968b82eb30ed7f036dcccfce9f257972003bb09/src/agents/model-auth.ts#L324-L325
Gate aws-sdk bearer fallback to Bedrock providers
When authOverride === "aws-sdk", this path always calls resolveAwsSdkAuthInfo() regardless of provider, and that helper now treats AWS_BEARER_TOKEN_BEDROCK as an API key source. In setups where a non-Bedrock provider is configured with auth: "aws-sdk", enabling Bedrock bearer auth will incorrectly inject/store that Bedrock token for the other provider, leading to auth failures and cross-provider credential leakage. Fresh evidence: in this commit, resolveApiKeyForProvider still returns resolveAwsSdkAuthInfo() here without any normalizeProviderId(provider) === "amazon-bedrock" guard.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
8968b82 to
cb40bdc
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cb40bdce3d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cce9127c5e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
cce9127 to
5e565ab
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 04433a2fe6
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
171d658 to
0c3a8e2
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 856788d5fb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Author
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 500ec794f7
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…resolveModelAuthMode
…ectBedrockBearerWrapper
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7c8dc0b16b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
7c8dc0b to
5f7cf22
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5f7cf22239
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
… profile presence
Author
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9ea1e2655d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Comment on lines
+298
to
+301
| if (shouldInjectBedrockBearerWrapper(provider, cfg)) { | ||
| const bearerToken = resolveBedrockBearerToken(); | ||
| log.debug(`applying Bedrock bearer token auth header for ${provider}/${modelId}`); | ||
| agent.streamFn = createBedrockBearerTokenWrapper(agent.streamFn, bearerToken!); |
There was a problem hiding this comment.
Honor resolved Bedrock auth source before injecting bearer header
This wrapper is injected based only on provider + env + auth override, not on the credential source actually selected for the run. In resolveApiKeyForProvider, Bedrock auth profiles are resolved before the Bedrock AWS fallback path, so a configured Bedrock profile can legitimately win; however this branch still forces Authorization: Bearer ... whenever AWS_BEARER_TOKEN_BEDROCK is set, overriding the selected profile credential at request time. That creates a real mismatch (and possible auth failures) for users who keep both a Bedrock profile and bearer token in env; compaction already avoids this by checking apiKeyInfo.source.
Useful? React with 👍 / 👎.
vincentkoc
pushed a commit
that referenced
this pull request
Apr 6, 2026
…generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes #45152
jjjojoj
pushed a commit
to jjjojoj/openclaw-jjjojoj
that referenced
this pull request
Apr 6, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
justuseapen
added a commit
to justuseapen/else-core
that referenced
this pull request
Apr 6, 2026
* refactor: dedupe discord native command auth * docs: add discord native command changelog note * fix(video): queue fal provider jobs * feat(agents): track video generation tasks * fix(discord): short-circuit bound thread self-loop drops * refactor: harden plugin metadata and bundled channel entry seams * test: fold xai extra params coverage into hot lane * fix: ignore unsupported image generation overrides * docs: document channel persisted auth metadata * test(live): prefer google models over big-pickle * Lobster: run workflows in process (openclaw#61523) * Lobster: run workflows in process * docs: note in-process lobster runtime * docs: add lobster changelog attribution * Lobster: add managed TaskFlow mode (openclaw#61555) * test: split inline provider model coverage * docs: update Lobster in-process mode and REM preview tooling * test: speed up nodes camera coverage * fix: defer plugin sync after git switch * test: optimize macos release-to-dev smoke lane * fix(openai): avoid em dashes in gpt-5 overlay (openclaw#61560) * feat(agents): detach video generation completion * feat(video): add runway provider * docs(video): document runway support * fix: clarify dirty dev update error * fix: ignore unsupported video generation overrides * refactor: add metadata-first channel configured-state probes * fix(video): guard active async generation tasks * docs(providers): surface new video provider pages * feat(qa): add live suite runner and harness * feat(qa): improve qa lab debugger ui * fix: restore pnpm check type safety * test: trim slow agent web and lifecycle coverage * fix: restore green checks * fix(qa): stop embedded control ui reload loop * test: reset guest git root before dev update * test: speed up openai tool id preservation replay coverage * fix: restore qa lab config typing * matrix: align bundled channel metadata * docs: note Matrix persisted auth detection * docs: add changelog note for qa lab config fix * refactor(video): share async task status helpers * memory-core: checkpoint mode-first dreaming refactor * Dreaming: simplify sweep flow and add diary surface * docs: rewrite video generation docs for readability * docs(faq): add gpt-5.4 fast mode entry * feat(memory): add Bedrock embedding provider for memory search (openclaw#61547) * feat(memory): add Bedrock embedding provider for memory search Add Amazon Bedrock as a native embedding provider for memory search. Supports Titan Embed Text v1/v2 and Cohere Embed models via AWS SDK. - New embeddings-bedrock.ts: BedrockRuntimeClient + InvokeModel - Auth via AWS default credential chain (same as Bedrock inference) - Auto-selected in 'auto' mode when AWS credentials are detected - Titan V2: configurable dimensions (256/512/1024), normalization - Cohere: native batch support with search_query/search_document types - 16 new tests covering all model types, auth detection, edge cases Closes openclaw#26289 * fix(memory): harden bedrock embedding selection --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs(openai): clarify gpt-5.4 fast mode * test: speed up models config env provider coverage * test: speed up sanitize session history policy smoke * build: refresh lockfile for control ui deps * refactor: narrow bundled channel entry surfaces * test: speed up sanitize session history coverage * fix: skip old-process config writes after git switch * fix(update): bootstrap pnpm for dev preflight * fix(memory-qmd): restore qmd compatibility defaults * test: speed up image tool auth-heavy coverage * test: seed channel setup contract registry in helper tests * Dreaming: update multiphase stats and UI polish * test: add irc runtime api smoke coverage * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-… (openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * refactor(update): extract package manager bootstrap logic * feat: add comfy workflow media support * fix: stabilize line and feishu ci shards * feat: add music generation tooling * chore: remove stray finder metadata * docs: document music generation async flow * fix(memory-qmd): streamline compatibility coverage * test: speed up dispatch-from-config thread fallback coverage * docs: improve music generation docs * docs: reorder changelog highlights * fix: skip stale post-switch update follow-ups * test: harden macos release-to-dev smoke verification * fix: route comfy music through shared tool * refactor: remove comfy music tool shim * Gateway: bound websocket shutdown close (openclaw#61565) Merged via squash. Prepared head SHA: 9040dd5 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * Docs: clarify Matrix quiet push rules * memory: chunk daily dreaming ingestion (openclaw#61583) Merged via squash. Prepared head SHA: 88816a0 Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix: stop old cli after package-to-git switch * fix(gateway): accept music generation internal events * docs: update unreleased provider notes * fix(agents): keep large read tool results visible * feat: add vydra media provider * fix(agents): ignore unsupported music generation hints * fix(agents): preserve latest read output during compaction * docs: update changelog for read visibility fixes * test: fix current-main prep blockers (openclaw#61582) Merged via squash. Prepared head SHA: 49f7b12 Reviewed-by: @mbelinky * test: use explicit node entrypoint in macos update smoke * fix: exit after package-to-git handoff * fix: prune staged feishu sdk types from npm pack * fix(qa): harden new scenario suite * fix(agents): prefer overflow compaction for fresh reads * perf(auto-reply): lazy-load TTS helpers on demand * test(plugin-sdk): tighten ACP command dispatch guards * docs(web): clarify control ui language picker * test(auto-reply): split ACP and reply-dispatch regressions * memory: trim generic daily chunk headings (openclaw#61597) * memory: trim generic daily chunk headings * docs: tag dreaming heading cleanup changelog * docs: attribute dreaming heading cleanup changelog * fix(cli): narrow post-update root * fix(ui): localize control ui strings * Lobster: harden embedded runtime integration (openclaw#61566) Merged via squash. Prepared head SHA: a6f4830 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix(matrix): reuse raw default account key during onboarding promotion * fix: unblock comfy live plugin loading * fix(agents): extend subagent announce timeout * fix(agents): carry async media wake attachments structurally * fix(tasks): hide internal completion wake rows * test(auto-reply): isolate reply abort dispatch seams * test: fix reply dispatch mock contract * fix(ui): localize more control ui strings * fix: deliver async media generation results directly * perf(test): trim send-policy and abort hot paths * perf(agents): isolate subagent announce origin helper * fix(discord): raise default media cap * Matrix: recover from pinned dispatcher runtime failures (openclaw#61595) Merged via squash. Prepared head SHA: f9a2d9b Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * fix: harden async media completion delivery * fix: gate async media direct delivery behind config * docs: add changelog note for async media delivery flag * perf(test): trim announce and sessions tool imports * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) * fix(gateway): resolve globally-installed bundled plugins in facade-runtime * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * chore: prepare 2026.4.6-beta.1 release * style: trim facade fallback comment noise * test: stabilize browser and provider ci shards * fix: restore latest-main ci gates * (chore): delete dream-diary-preview file * perf(test): trim runReplyAgent misc mock imports * fix(ci): harden control ui locale refresh rebases * Matrix: clear undici test override after transport test * chore(ui): refresh zh-CN control ui locale * chore(ui): refresh pt-BR control ui locale * chore(ui): refresh zh-TW control ui locale * chore(ui): refresh de control ui locale * fix: support corepack cmd shim on windows * test: add windows dev-update smoke lanes * chore(ui): refresh es control ui locale * chore(ui): refresh ja-JP control ui locale * chore(ui): refresh ko control ui locale * chore(ui): refresh fr control ui locale * test: capture windows npm debug tails in smoke logs * chore(ui): refresh tr control ui locale * chore(ui): refresh uk control ui locale * chore(ui): refresh id control ui locale * chore(ui): refresh pl control ui locale * fix: restore plugin boundary and ui locale ci gates * fix(ci): stabilize control ui locale checks * chore: release 2026.4.5 * perf(test): split subagent command coverage * fix(ci): patch main regression surfaces * fix: install bun in npm release preflight * test: fix subagent command result assertions * perf(test): split allowlist and models command coverage * fix(openai): allow qa image generation mock routing * feat(qa): execute ten new repo-backed scenarios * fix(matrix): harden startup auth bootstrap (openclaw#61383) Merged via squash. Prepared head SHA: d8011a9 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * Docs: clarify Matrix autoJoin invite scope * fix(discord): narrow binding runtime imports * fix: stabilize contract loader seams * test: tighten allowlist fixture typing * fix(qa): support image understanding inputs * feat(qa): add attachment understanding scenario * docs(matrix): clarify historyLimit default * feat(memory-wiki): restore llm wiki stack * chore: update appcast for 2026.4.5 * perf(test): split reply command coverage * perf(reply): lazy load compact runtime * refactor(reply): extract subagent text helper * style(reply): normalize subagent import order * fix: restore protocol and extension ci * chore: bump version to 2026.4.6 * fix(config): normalize channel streaming config shape (openclaw#61381) * feat(config): add canonical streaming config helpers * refactor(runtime): prefer canonical streaming accessors * feat(config): normalize preview channel streaming shape * test(config): lock streaming normalization followups * fix(config): polish streaming migration edges * chore(config): refresh streaming baseline hash * docs(memory): add promote-explain and rem-harness CLI reference * build: refresh pnpm lockfile * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix(exec ): stop emitting tool updates after session is backgrounded When an exec session is backgrounded (background: true), the owning agent run resolves its tool-call promise and may finish. The stdout handler's emitUpdate() closure, however, kept invoking opts.onUpdate(), delivering tool_execution_update events to a listener whose active run had already ended. This surfaced as an unhandled rejection and crashed the gateway process. Guard emitUpdate() with a session.backgrounded || session.exited check so that post-background output is still captured via appendOutput() but no longer forwarded to the (now-stale) agent-loop callback. Fixes openclaw#61592 * style: trim exec backgrounding comments * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix: place exec changelog entry at end of fixes (openclaw#61627) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * test(memory-core): align dreaming expectations * test(memory-wiki): share plugin test helpers * test(memory-core): share workspace test helper * test(memory-core): reuse narrative workspace helper * test(plugin-sdk): share temp dir test helper * test(plugin-sdk): reuse temp dir helpers in facade tests * test(memory-core): reuse workspace helper in dreaming tests * perf(agents): add continuation-skip context injection (openclaw#61268) * test(agents): cover continuation bootstrap reuse * perf(agents): add continuation-skip context injection * docs(changelog): note context injection reuse * perf(agents): bound continuation bootstrap scan * fix(agents): require full bootstrap proof for continuation skip * fix(agents): decide continuation skip under lock * fix(commands): re-export subagent chat message type * fix(agents): clean continuation rebase leftovers * test(memory-core): reuse workspace helper in temp dir tests * docs: add contextInjection config key to reference * test(scripts): share temp dir helpers * test(scripts): reuse temp dir helpers in runtime tests * test(scripts): reuse temp dir helpers in repo fixtures * test(scripts): add async temp dir helper * fix: restore main ci type checks * test(root): reuse temp repo helper in clawhub release tests * test(root): clean up pre-commit temp repos * fix(matrix): pass deviceId through health probe to prevent storage-meta overwrite (openclaw#61317) (openclaw#61581) Merged via squash. Prepared head SHA: b0495dc Co-authored-by: MoerAI <26067127+MoerAI@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * test(root): share temp dir helper across root tests * test(root): reuse temp dir helper in scoped vitest config * test(root): reuse temp dir helper in launcher e2e * test(tooling): reuse temp dir helpers in script tests * test(unit): reuse temp dir helper in install-sh version tests * test: reset telegram dispatch mocks between cases * test(plugins): reuse tracked temp helpers in runtime staging tests * test(plugins): reuse tracked temp helpers in path resolution tests * test(plugins): reuse tracked temp helpers in fixture tests * test(plugins): share async temp helpers in marketplace tests * test(plugins): reuse tracked temp helpers in loader fixture tests * test(plugins): share suite temp root helper in install path tests * test(plugins): reuse suite temp root helper in install fixture tests * test(plugins): reuse tracked temp helpers in package contract tests * test(plugins): reuse suite temp helper in bundle contract test * test(infra): reuse shared temp dir helpers in small file tests * test(infra): reuse temp dir helper in utility file tests * test(infra): reuse temp dir helper in run-node tests * test(infra): reuse temp dir helpers in install source tests * test(infra): reuse temp dir helper in install path safety tests * perf(test): split reply command coverage * perf(test): trim subagent command imports * test: remove legacy commands monolith * test(infra): reuse temp dir helper in node path tests * test(infra): reuse temp dir helper in state and watch tests * test(infra): reuse temp dir helper in sentinel and provider tests * test(infra): share temp dir cleanup in git metadata tests * test(infra): share tracked temp dirs in apns tests * test(infra): reuse temp dir helper in fs safety tests * test(infra): reuse temp dir helper in update status tests * test(infra): share sync temp dir helper in approval tests * test(infra): share suite temp root tracker in infra tests * test(infra): reuse suite temp root tracker in update tests * test(infra): reuse suite temp root tracker in provider auth tests * test(infra): reuse suite temp root tracker in install tests * test(infra): reuse suite temp root tracker in startup checks * test(infra): reuse temp dir helper in global update tests * test(infra): reuse temp dir helper in clawhub tests * test(core): reuse shared temp dir helpers in utils tests * test(infra): reuse temp dir helper in node pairing tests * test(infra): reuse suite temp root tracker in device pairing tests * test(core): reuse shared temp dir helper in logger tests * test(e2e): reuse suite temp root tracker in docker setup tests * test(infra): reuse suite temp root tracker in session cost tests * test(config): reuse temp dir helper in config surface tests * test(config): reuse temp dir helper in disk budget tests * test(config): share session test fixture helper * test(config): reuse suite temp root tracker in session key normalization tests * test(config): reuse suite temp root tracker in store pruning integration tests * test(config): reuse shared temp dir helpers in sessions tests * test(config): reuse shared temp dir helper in store read tests * perf(test): split subagent command coverage * perf(test): trim secrets runtime coverage * perf(test): split extra params resolver coverage * fix(anthropic): restore OAuth guard in service-tier stream wrappers (openclaw#60356) Merged via squash. Prepared head SHA: 7d58bef Co-authored-by: openperf <80630709+openperf@users.noreply.github.com> Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com> Reviewed-by: @jalehman * perf(test): split extra params wrapper coverage * perf(secrets): trim runtime import walls * perf(test): split security audit coverage * refactor: dedupe plugin and outbound helpers * refactor: share gateway auth and approval helpers * refactor: share command config resolution * refactor: consolidate status reporting helpers * fix: resolve upstream sync conflicts (branding, firecrawl, lockfile) Resolve 7 merge conflicts from sync/upstream-2026-04-06 (v2026.4.5): - pnpm-lock.yaml: keep our platform-channel + upstream's qa-channel/qa-lab - app-render.ts: add upstream session-key imports, deduplicate agentLogoUrl - control-ui-bootstrap.ts: keep our branding (resolveUiBrand, title, agentId) - control-ui-bootstrap.test.ts: keep our test expectations + upstream null checks - schema.base.generated.ts: keep our Firecrawl + profile config entries - schema.labels.ts: keep our Firecrawl + profile labels Includes CVE-2026-33579 fix (callerScopes in /pair approve handler). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com> Co-authored-by: Mariano <132747814+mbelinky@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: Vignesh Natarajan <vignesh.natarajan92@gmail.com> Co-authored-by: wirjo <daniel@wirjo.com> Co-authored-by: Mariano <mbelinky@gmail.com> Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: Chunyue Wang <80630709+openperf@users.noreply.github.com> Co-authored-by: Ayaan Zaidi <hi@obviy.us> Co-authored-by: Vignesh <mailvgnsh@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: ToToKr <friendnt@g.skku.edu> Co-authored-by: MoerAI <26067127+MoerAI@users.noreply.github.com> Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Lianjinfeng123
pushed a commit
to Lianjinfeng123/openclaw
that referenced
this pull request
Apr 6, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Caocaoha
added a commit
to Caocaoha/openclaw
that referenced
this pull request
Apr 8, 2026
* feat(memory-wiki): add import gateway methods * feat(memory-wiki): add shared memory search bridge * feat(memory-wiki): add prompt supplement integration * feat(memory-wiki): surface imported source provenance * feat(memory-wiki): lint imported provenance gaps * feat(memory-wiki): allow per-call search corpus overrides * feat(memory-core): bridge wiki corpus into memory tools * feat(memory-wiki): compile related backlinks blocks * docs(memory-wiki): prefer shared corpus recall guidance * docs(memory-wiki): document shared recall and backlinks * feat(memory-wiki): generate dashboard report pages * test: isolate exec approval suite from bundled plugins * fix(sandbox): harden EXDEV rename fallback * Gateway: keep outbound session metadata in owner store * revert(memory-wiki): back out llm wiki stack * fix: align models status provider auth reporting * fix(ci): narrow control ui locale refresh push runs * style: format remaining local edits * fix: prevent duplicate block reply delivery for text_end channels (openclaw#61530) * fix(gateway): bound silent local pairing scopes * fix: resolve repo check drift * fix: clean rebase leftovers * test: isolate agent runtime seams * docs: refine unreleased changelog * feat(video): add xai and alibaba providers * Revert "fix(gateway): bound silent local pairing scopes" This reverts commit 7f1b159. * fix(build): correct node require typing * docs(security): clarify localhost shared-auth trust model * refactor: move browser runtime seams behind plugin metadata * test: speed up provider policy and auth suites * Memory: move dreaming trail to dreams.md (openclaw#61537) * Memory: move dreaming trail to dreams.md * docs(changelog): add dreams.md entry --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * fix(ci): stabilize ui i18n and gateway watch checks * docs(providers): add generation setup pages * docs(providers): link generation guides * feat: add qa channel foundation * refactor: hide qa channels with exposure metadata * feat: add qa lab extension * chore: polish qa lab follow-ups * feat(qa): recreate qa lab docker stack * fix(qa): restore embedded control ui gateway startup * fix(qa): stabilize docker gateway bootstrap * feat(qa): add repo-backed qa suite runner * fix(qa): stabilize hermetic suite runtime * fix(matrix): split partial and quiet preview streaming (openclaw#61450) Merged via squash. Prepared head SHA: 6a0d7d1 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * docs(providers): unify qwen docs * fix(matrix): honor canonical private-network opt-in * fix(matrix): restore cli metadata registrar * test(matrix): isolate migration snapshot seam * fix: prevent duplicate gateway watchers * feat(memory-core): add REM preview and safe promotion replay (openclaw#61540) * memory: add REM preview and safe promotion replay thanks @mbelinky * changelog: note REM preview and promotion replay --------- Co-authored-by: Vignesh <mailvgnsh@gmail.com> * test: fix abort cascade and workspace edit inputs * refactor: harden plugin metadata and browser sdk seams * fix(memory-core): preserve dated DREAMS trail * docs(memory): point dreaming trail docs to dreams.md * fix(memory): standardize DREAMS trail path * fix(google): restore gemini cli provider contract * test(contracts): drop removed claude cli auth export * test(config): align markdown tables with active registry * style(tests): normalize registry mock wrapping * fix: normalize video provider durations * fix: harden video provider transports * fix: honor discord allowlisted channels for native commands * fix: bootstrap pnpm for git updates * docs: add tahoe release-to-dev smoke lane * test: isolate openclaw plugin context coverage * test: stabilize subagent persistence registry coverage * test: isolate gateway tool coverage * fix: surface normalized video durations * fix(google): restore forward-compat provider hooks * test(config): fix markdown table mock typing * test: drop redundant openai extra params coverage * refactor: dedupe discord native command auth * docs: add discord native command changelog note * fix(video): queue fal provider jobs * feat(agents): track video generation tasks * fix(discord): short-circuit bound thread self-loop drops * refactor: harden plugin metadata and bundled channel entry seams * test: fold xai extra params coverage into hot lane * fix: ignore unsupported image generation overrides * docs: document channel persisted auth metadata * test(live): prefer google models over big-pickle * Lobster: run workflows in process (openclaw#61523) * Lobster: run workflows in process * docs: note in-process lobster runtime * docs: add lobster changelog attribution * Lobster: add managed TaskFlow mode (openclaw#61555) * test: split inline provider model coverage * docs: update Lobster in-process mode and REM preview tooling * test: speed up nodes camera coverage * fix: defer plugin sync after git switch * test: optimize macos release-to-dev smoke lane * fix(openai): avoid em dashes in gpt-5 overlay (openclaw#61560) * feat(agents): detach video generation completion * feat(video): add runway provider * docs(video): document runway support * fix: clarify dirty dev update error * fix: ignore unsupported video generation overrides * refactor: add metadata-first channel configured-state probes * fix(video): guard active async generation tasks * docs(providers): surface new video provider pages * feat(qa): add live suite runner and harness * feat(qa): improve qa lab debugger ui * fix: restore pnpm check type safety * test: trim slow agent web and lifecycle coverage * fix: restore green checks * fix(qa): stop embedded control ui reload loop * test: reset guest git root before dev update * test: speed up openai tool id preservation replay coverage * fix: restore qa lab config typing * matrix: align bundled channel metadata * docs: note Matrix persisted auth detection * docs: add changelog note for qa lab config fix * refactor(video): share async task status helpers * memory-core: checkpoint mode-first dreaming refactor * Dreaming: simplify sweep flow and add diary surface * docs: rewrite video generation docs for readability * docs(faq): add gpt-5.4 fast mode entry * feat(memory): add Bedrock embedding provider for memory search (openclaw#61547) * feat(memory): add Bedrock embedding provider for memory search Add Amazon Bedrock as a native embedding provider for memory search. Supports Titan Embed Text v1/v2 and Cohere Embed models via AWS SDK. - New embeddings-bedrock.ts: BedrockRuntimeClient + InvokeModel - Auth via AWS default credential chain (same as Bedrock inference) - Auto-selected in 'auto' mode when AWS credentials are detected - Titan V2: configurable dimensions (256/512/1024), normalization - Cohere: native batch support with search_query/search_document types - 16 new tests covering all model types, auth detection, edge cases Closes openclaw#26289 * fix(memory): harden bedrock embedding selection --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs(openai): clarify gpt-5.4 fast mode * test: speed up models config env provider coverage * test: speed up sanitize session history policy smoke * build: refresh lockfile for control ui deps * refactor: narrow bundled channel entry surfaces * test: speed up sanitize session history coverage * fix: skip old-process config writes after git switch * fix(update): bootstrap pnpm for dev preflight * fix(memory-qmd): restore qmd compatibility defaults * test: speed up image tool auth-heavy coverage * test: seed channel setup contract registry in helper tests * Dreaming: update multiphase stats and UI polish * test: add irc runtime api smoke coverage * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-… (openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * refactor(update): extract package manager bootstrap logic * feat: add comfy workflow media support * fix: stabilize line and feishu ci shards * feat: add music generation tooling * chore: remove stray finder metadata * docs: document music generation async flow * fix(memory-qmd): streamline compatibility coverage * test: speed up dispatch-from-config thread fallback coverage * docs: improve music generation docs * docs: reorder changelog highlights * fix: skip stale post-switch update follow-ups * test: harden macos release-to-dev smoke verification * fix: route comfy music through shared tool * refactor: remove comfy music tool shim * Gateway: bound websocket shutdown close (openclaw#61565) Merged via squash. Prepared head SHA: 9040dd5 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * Docs: clarify Matrix quiet push rules * memory: chunk daily dreaming ingestion (openclaw#61583) Merged via squash. Prepared head SHA: 88816a0 Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix: stop old cli after package-to-git switch * fix(gateway): accept music generation internal events * docs: update unreleased provider notes * fix(agents): keep large read tool results visible * feat: add vydra media provider * fix(agents): ignore unsupported music generation hints * fix(agents): preserve latest read output during compaction * docs: update changelog for read visibility fixes * test: fix current-main prep blockers (openclaw#61582) Merged via squash. Prepared head SHA: 49f7b12 Reviewed-by: @mbelinky * test: use explicit node entrypoint in macos update smoke * fix: exit after package-to-git handoff * fix: prune staged feishu sdk types from npm pack * fix(qa): harden new scenario suite * fix(agents): prefer overflow compaction for fresh reads * perf(auto-reply): lazy-load TTS helpers on demand * test(plugin-sdk): tighten ACP command dispatch guards * docs(web): clarify control ui language picker * test(auto-reply): split ACP and reply-dispatch regressions * memory: trim generic daily chunk headings (openclaw#61597) * memory: trim generic daily chunk headings * docs: tag dreaming heading cleanup changelog * docs: attribute dreaming heading cleanup changelog * fix(cli): narrow post-update root * fix(ui): localize control ui strings * Lobster: harden embedded runtime integration (openclaw#61566) Merged via squash. Prepared head SHA: a6f4830 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix(matrix): reuse raw default account key during onboarding promotion * fix: unblock comfy live plugin loading * fix(agents): extend subagent announce timeout * fix(agents): carry async media wake attachments structurally * fix(tasks): hide internal completion wake rows * test(auto-reply): isolate reply abort dispatch seams * test: fix reply dispatch mock contract * fix(ui): localize more control ui strings * fix: deliver async media generation results directly * perf(test): trim send-policy and abort hot paths * perf(agents): isolate subagent announce origin helper * fix(discord): raise default media cap * Matrix: recover from pinned dispatcher runtime failures (openclaw#61595) Merged via squash. Prepared head SHA: f9a2d9b Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * fix: harden async media completion delivery * fix: gate async media direct delivery behind config * docs: add changelog note for async media delivery flag * perf(test): trim announce and sessions tool imports * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) * fix(gateway): resolve globally-installed bundled plugins in facade-runtime * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * chore: prepare 2026.4.6-beta.1 release * style: trim facade fallback comment noise * test: stabilize browser and provider ci shards * fix: restore latest-main ci gates * (chore): delete dream-diary-preview file * perf(test): trim runReplyAgent misc mock imports * fix(ci): harden control ui locale refresh rebases * Matrix: clear undici test override after transport test * chore(ui): refresh zh-CN control ui locale * chore(ui): refresh pt-BR control ui locale * chore(ui): refresh zh-TW control ui locale * chore(ui): refresh de control ui locale * fix: support corepack cmd shim on windows * test: add windows dev-update smoke lanes * chore(ui): refresh es control ui locale * chore(ui): refresh ja-JP control ui locale * chore(ui): refresh ko control ui locale * chore(ui): refresh fr control ui locale * test: capture windows npm debug tails in smoke logs * chore(ui): refresh tr control ui locale * chore(ui): refresh uk control ui locale * chore(ui): refresh id control ui locale * chore(ui): refresh pl control ui locale * fix: restore plugin boundary and ui locale ci gates * fix(ci): stabilize control ui locale checks * chore: release 2026.4.5 * perf(test): split subagent command coverage * fix(ci): patch main regression surfaces * fix: install bun in npm release preflight * test: fix subagent command result assertions * perf(test): split allowlist and models command coverage * fix(openai): allow qa image generation mock routing * feat(qa): execute ten new repo-backed scenarios * fix(matrix): harden startup auth bootstrap (openclaw#61383) Merged via squash. Prepared head SHA: d8011a9 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * Docs: clarify Matrix autoJoin invite scope * fix(discord): narrow binding runtime imports * fix: stabilize contract loader seams * test: tighten allowlist fixture typing * fix(qa): support image understanding inputs * feat(qa): add attachment understanding scenario * docs(matrix): clarify historyLimit default * feat(memory-wiki): restore llm wiki stack * chore: update appcast for 2026.4.5 * perf(test): split reply command coverage * perf(reply): lazy load compact runtime * refactor(reply): extract subagent text helper * style(reply): normalize subagent import order * fix: restore protocol and extension ci * chore: bump version to 2026.4.6 * fix(config): normalize channel streaming config shape (openclaw#61381) * feat(config): add canonical streaming config helpers * refactor(runtime): prefer canonical streaming accessors * feat(config): normalize preview channel streaming shape * test(config): lock streaming normalization followups * fix(config): polish streaming migration edges * chore(config): refresh streaming baseline hash * docs(memory): add promote-explain and rem-harness CLI reference * build: refresh pnpm lockfile * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix(exec ): stop emitting tool updates after session is backgrounded When an exec session is backgrounded (background: true), the owning agent run resolves its tool-call promise and may finish. The stdout handler's emitUpdate() closure, however, kept invoking opts.onUpdate(), delivering tool_execution_update events to a listener whose active run had already ended. This surfaced as an unhandled rejection and crashed the gateway process. Guard emitUpdate() with a session.backgrounded || session.exited check so that post-background output is still captured via appendOutput() but no longer forwarded to the (now-stale) agent-loop callback. Fixes openclaw#61592 * style: trim exec backgrounding comments * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix: place exec changelog entry at end of fixes (openclaw#61627) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * test(memory-core): align dreaming expectations * test(memory-wiki): share plugin test helpers * test(memory-core): share workspace test helper * test(memory-core): reuse narrative workspace helper * test(plugin-sdk): share temp dir test helper * test(plugin-sdk): reuse temp dir helpers in facade tests * test(memory-core): reuse workspace helper in dreaming tests * perf(agents): add continuation-skip context injection (openclaw#61268) * test(agents): cover continuation bootstrap reuse * perf(agents): add continuation-skip context injection * docs(changelog): note context injection reuse * perf(agents): bound continuation bootstrap scan * fix(agents): require full bootstrap proof for continuation skip * fix(agents): decide continuation skip under lock * fix(commands): re-export subagent chat message type * fix(agents): clean continuation rebase leftovers * test(memory-core): reuse workspace helper in temp dir tests * docs: add contextInjection config key to reference * feat(gateway): preserve session history on /new command Backend changes for session sidebar feature: - session.ts: create compound key entry for old session when /new triggered - agent.ts: pass preserveHistory=true to session reset - session-reset-service.ts: add file reuse optimization for preserved sessions - types.ts: add previousSessionKey field to SessionEntry - session-utils.ts: add compound key support in session key resolution This enables the UI to show previous sessions in sidebar while preserving complete chat history for archived sessions. --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com> Co-authored-by: Tyler Yust <64381258+tyler6204@users.noreply.github.com> Co-authored-by: Dave Morin <dave@morin.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: Mariano <132747814+mbelinky@users.noreply.github.com> Co-authored-by: Vignesh <mailvgnsh@gmail.com> Co-authored-by: Vignesh Natarajan <vignesh.natarajan92@gmail.com> Co-authored-by: wirjo <daniel@wirjo.com> Co-authored-by: Mariano <mbelinky@gmail.com> Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: Chunyue Wang <80630709+openperf@users.noreply.github.com> Co-authored-by: Ayaan Zaidi <hi@obviy.us> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: OpenClaw Agent <caoha@openclaw.ai>
lovewanwan
pushed a commit
to lovewanwan/openclaw
that referenced
this pull request
Apr 28, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
ogt-redknie
pushed a commit
to ogt-redknie/OPENX
that referenced
this pull request
May 2, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
github-actions Bot
pushed a commit
to Desicool/openclaw
that referenced
this pull request
May 9, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
github-actions Bot
pushed a commit
to Desicool/openclaw
that referenced
this pull request
May 24, 2026
openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Authorization: Bearerheader in API requests.AWS_BEARER_TOKEN_BEDROCKis set, it is now used as aBearertoken in theAuthorizationheader, bypassing AWS SDK signing entirely. Auth mode resolves asapi-key, and the token takes precedence over SDK credential chains.AWS_BEARER_TOKEN_BEDROCKis absent, behavior is identical to before — falls back to the existing AWS SDK credential chain (access keys, profile, SSO, etc.).Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
User-visible / Behavior Changes
AWS_BEARER_TOKEN_BEDROCK: when set, Bedrock requests useAuthorization: Bearer <token>instead of AWS SigV4 signing.openclaw status/ auth mode display now showsapi-keywhen bearer token is active.Security Impact (required)
NoYes— new env var is read and injected as a Bearer header.Yes— the Authorization header is added to Bedrock HTTP requests when bearer token is set.NoNoRepro + Verification
Environment
AWS_BEARER_TOKEN_BEDROCKenv var setSteps
AWS_BEARER_TOKEN_BEDROCKto a valid Bedrock API Key.BEDROCK_LIVE_TEST=1 pnpm exec vitest run src/agents/bedrock-bearer.live.test.ts --config vitest.live.config.tsAuthorization: Bearerand receives a streamed response.Expected
Actual
Evidence
model-auth.test.ts,model-auth.profiles.test.ts,pi-embedded-runner-extraparams.test.ts)bedrock-bearer.live.test.ts) passes with realAWS_BEARER_TOKEN_BEDROCKcredentials — stream completes with assistant text.sawDone=trueand non-empty assistant text.Human Verification (required)
Review Conversations
Compatibility / Migration
Yes— no behavior change whenAWS_BEARER_TOKEN_BEDROCKis unset.Yes— new optional env varAWS_BEARER_TOKEN_BEDROCK.NoFailure Recovery (if this breaks)
AWS_BEARER_TOKEN_BEDROCKenv var — falls back to existing AWS SDK chain.Risks and Mitigations