aibridgedserver

package
v2.35.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2026 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source
const (
	InterceptionLogMarker = "interception log"
	MetadataUserAgentKey  = "request_user_agent"
)

Variables

View Source
var (
	ErrExpiredOrInvalidOAuthToken = xerrors.New("expired or invalid OAuth2 token")
	ErrNoMCPConfigFound           = xerrors.New("no MCP config found")

	// These errors are returned by IsAuthorized. Since they're just returned as
	// a generic dRPC error, it's difficult to tell them apart without string
	// matching.
	// TODO: return these errors to the client in a more structured/comparable
	//       way.
	ErrInvalidKey    = xerrors.New("invalid key")
	ErrUnknownKey    = xerrors.New("unknown key")
	ErrExpired       = xerrors.New("expired")
	ErrUnknownUser   = xerrors.New("unknown user")
	ErrDeletedUser   = xerrors.New("deleted user")
	ErrInactiveUser  = xerrors.New("inactive user")
	ErrSystemUser    = xerrors.New("system user")
	ErrAmbiguousAuth = xerrors.New("both key and key_id set; exactly one required")

	ErrNoExternalAuthLinkFound = xerrors.New("no external auth link found")
)

Functions

func Register added in v2.35.0

func Register(mux *drpcmux.Mux, srv *Server) error

Register registers the Recorder, MCPConfigurator, Authorizer, and ProviderConfigurator DRPC services backed by srv onto mux. It is shared by the embedded in-memory server and the standalone /api/v2/ai-gateway/serve WebSocket handler so both expose an identical service set.

Types

type Server

type Server struct {
	// contains filtered or unexported fields
}

func NewServer

func NewServer(lifecycleCtx context.Context, store store, logger slog.Logger, accessURL string,
	bridgeCfg codersdk.AIBridgeConfig, externalAuthConfigs []*externalauth.Config, experiments codersdk.Experiments,
	aiSeatTracker aiseats.SeatTracker,
) (*Server, error)

func (*Server) GetAIProviders added in v2.35.0

GetAIProviders returns the full AI provider set (enabled and disabled) from the database, which is the single source of truth seeded from coderd's environment. Embedded and standalone AI Gateway daemons call this over DRPC to build their provider pool instead of reading the database directly.

The handler reads under a read-only transaction that first acquires LockIDAIProvidersEnvSeed, so it blocks until any in-flight env seed commits or rolls back. This guarantees the response is never a partial, mid-seed snapshot.

Keys are populated only for enabled providers; disabled providers never call upstream, so their secrets are withheld.

SECURITY: the response carries plaintext API keys and Bedrock credentials. Do not log the response struct.

func (*Server) IsAuthorized

IsAuthorized validates a given Coder API key and returns the user ID to which it belongs (if valid).

SECURITY: when in.KeyId is set (the "delegated" path), this method trusts the caller's claim of identity and skips the key-secret check. This DRPCServer is reachable both in-process via aibridged.MemTransportPipe and over the network via the /api/v2/ai-gateway/serve endpoint. That endpoint admits only holders of AI Gateway key, which are fully trusted. Standalone AI Gateway authenticates its own users and acts on their behalf, much like a provisioner daemon. A Gateway key holder can therefore act as any user without that user's secret. Per-user authorization on this surface is a known gap.

NOTE: this should really be using the code from httpmw.ExtractAPIKey. That function not only validates the key but handles many other cases like updating last used, expiry, etc. This code does not currently use it for a few reasons:

  1. httpmw.ExtractAPIKey relies on keys being given in specific headers httpmw.APITokenFromRequest which AI bridge requests will not conform to.
  2. The code mixes many different concerns, and handles HTTP responses too, which is undesirable here.
  3. The core logic would need to be extracted, but that will surely be a complex & time-consuming distraction right now.
  4. Once we have an Early Access release of AI Bridge, we need to return to this.

TODO: replace with logic from httpmw.ExtractAPIKey.

func (*Server) RecordTokenUsage

func (*Server) RecordToolUsage

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL