bedrock cli compatibility changes

[akshaydeo]

Summary

Briefly explain the purpose of this PR and the problem it solves.

Changes

• What was changed and why
• Any notable design decisions or trade-offs

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Describe the steps to validate this change. Include commands and expected outcomes.

# Core/Transports
go version
go test ./...

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

If adding new configs or environment variables, document them here.

Screenshots/Recordings

If UI changes, add before/after screenshots or short clips.

Breaking changes

• Yes
• No

If yes, describe impact and migration instructions.

Related issues

Link related issues and discussions. Example: Closes #123

Security considerations

Note any security implications (auth, secrets, PII, sandboxing, etc.).

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Warning

Rate limit exceeded

@akshaydeo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 39 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 21cb3a89-2ea8-4cbe-9240-8d280e8c17f8

📥 Commits

Reviewing files that changed from the base of the PR and between d9409e8 and 867280f.

📒 Files selected for processing (11)

• core/providers/anthropic/utils.go
• core/providers/bedrock/bedrock.go
• core/providers/bedrock/responses.go
• core/providers/bedrock/utils.go
• core/schemas/bifrost.go
• core/schemas/context.go
• plugins/governance/allowonallvirtualkeys_test.go
• plugins/governance/httptransportprehook_test.go
• plugins/governance/main.go
• plugins/governance/routing.go
• plugins/governance/storeconcurrency_test.go

📝 Walkthrough

Walkthrough

Exports Anthropic schema normalization, adjusts Bedrock streaming checksum error handling and structured-output signaling, adds LogLevel to routing engine logs and updates callers, and minor test and logging updates across governance plugin files.

Changes

Cohort / File(s)	Summary
Anthropic Schema Normalization core/providers/anthropic/utils.go	Added exported NormalizeSchemaForAnthropic(schema map[string]interface{}) map[string]interface{} wrapper around existing normalization logic.
Bedrock: transport & structured outputs core/providers/bedrock/bedrock.go, core/providers/bedrock/responses.go, core/providers/bedrock/utils.go	Treats eventstream.ChecksumError as a transport-level stream failure; ensures Anthropic structured-output beta is included in additionalModelRequestFields (merging/deduplicating per-tool values) and normalizes JSON schemas before building Bedrock validation payloads.
Routing engine logging / context schema core/schemas/bifrost.go, core/schemas/context.go	RoutingEngineLogEntry now uses JSON tags and includes new Level LogLevel field; AppendRoutingEngineLog signature updated to accept level LogLevel.
Governance plugin: logging callsites & routing logic plugins/governance/main.go, plugins/governance/routing.go	Updated governance plugin and routing engine to pass explicit LogLevel values for messages; enhanced "no match" logging to include a computed context of referenced variables; evaluateCELExpression now accepts map[string]any.
Tests / trivial cleanup plugins/governance/storeconcurrency_test.go	Removed an extraneous trailing blank line.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibble at schemas, neat and spry,

I stitch Bedrock streams so they don't cry,
I stamp each log with level and light,
Routing paths now clearer in sight,
Hopping onward — PR approved with a bite!

🚥 Pre-merge checks | ✅ 1 | ❌ 4

❌ Failed checks (4 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'bedrock cli compatibility changes' but the actual changes span Anthropic schema normalization, Bedrock provider enhancements, governance plugin updates, and routing logic—not primarily CLI compatibility.	Revise the title to accurately reflect the main scope, such as 'Add Anthropic schema normalization and Bedrock structured output enhancements with routing log levels'
Description check	⚠️ Warning	The description is entirely an unfilled template with no concrete summary of changes, objectives, testing instructions, or other relevant details provided.	Fill in all required template sections with actual implementation details, affected areas, testing steps, type of change, and any breaking changes
Linked Issues check	⚠️ Warning	The linked issue #123 requests Files API support for providers, but the PR changes focus on schema normalization, Bedrock structured outputs, and routing log levels—no file upload or API endpoints are implemented.	Either add implementation of Files API support to address issue #123, or link issues that actually correspond to the schema, Bedrock, and logging changes made
Out of Scope Changes check	⚠️ Warning	Multiple significant changes are unrelated to the Files API issue: Anthropic schema export, Bedrock error handling, structured output headers, logging level additions, and routing enhancements are all out-of-scope for issue #123.	Remove unrelated changes, link appropriate issues for actual implementation, or clarify the PR objectives to justify including these scope changes

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 93.33% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 04-26-bedrock_cli_compatibility_changes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[akshaydeo]

• guardrails helm chart upgrade #3062
• env var updates #3061
• vertex + anthropic fixes #3055
• adds message filter flow for log details messages #3054
• bedrock cli compatibility changes #3053 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #3053

[greptile-apps]

Confidence Score: 5/5

Safe to merge; only P2 suggestions remain around log-level classification.

No P0 or P1 findings. The two P2 comments are style-level log-level classifications (Info vs Warn) that do not affect correctness. Core Bedrock changes are well-guarded, the appendAnthropicBetaToFields helper handles all type variants without risk, and the schema normalisation path is gated on map[string]interface{}.

No files require special attention.

Important Files Changed

Filename	Overview
core/providers/bedrock/utils.go	Adds appendAnthropicBetaToFields helper to safely merge Bedrock beta headers into additionalModelRequestFields; replaces bulk-set of anthropic_beta with per-header appends to avoid clobbering existing entries; normalizes JSON schemas via NormalizeSchemaForAnthropic before Bedrock submission.
core/providers/bedrock/bedrock.go	Extends isStreamTransportError to treat eventstream.ChecksumError as a retryable transport error.
core/providers/anthropic/utils.go	Exports normalizeSchemaForAnthropic as NormalizeSchemaForAnthropic so the Bedrock provider can reuse it.
core/schemas/bifrost.go	Adds JSON tags to all fields of RoutingEngineLogEntry and adds the Level field (addressed per previous review comment).
core/schemas/context.go	Adds level LogLevel parameter to AppendRoutingEngineLog to propagate log severity.
plugins/governance/main.go	Updates all AppendRoutingEngineLog call-sites with appropriate log levels; error path now logs at LogLevelError; a few provider-exclusion entries are logged at LogLevelInfo that arguably deserve LogLevelWarn.
plugins/governance/routing.go	Adds per-level severity to all routing-engine log entries; adds buildNoMatchContext/extractMapKeysFromCEL helpers with sync.Map regex cache (previously reviewed and fixed per thread).

_{Reviews (3): Last reviewed commit: "bedrock cli compatibility changes" | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

core/schemas/context.go (1)

407-438: ⚠️ Potential issue | 🟠 Major

Reset and delegate scoped contexts before pooling them.

WithPluginScope aliases scoped.done to the root context, but the scoped instance keeps its own cancel state, and ReleasePluginScope only clears a subset of fields before pluginScopePool.Put. A plugin calling Cancel() on the scoped context can close the shared root channel through the wrong doneOnce, and reused scopes can retain stale state across requests. Delegate cancellation to valueDelegate for scoped contexts and zero the whole struct before returning it to the pool. As per coding guidelines "Reset all fields of pooled objects before calling pool.Put() to prevent data leakage between requests".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/schemas/context.go` around lines 407 - 438, WithPluginScope currently
aliases scoped.done to the root context and ReleasePluginScope only clears some
fields before returning the scoped context to pluginScopePool, which can leak
cancel state and other data; update WithPluginScope so scoped contexts delegate
cancellation to valueDelegate (do not reuse or alias done/doneOnce from the
root), and change ReleasePluginScope to fully zero out all fields on the scoped
BifrostContext (parent, done, doneOnce, pluginScope, pluginLogs, valueDelegate
and any other struct fields) before calling pluginScopePool.Put to ensure no
stale state is retained and cancellation is always routed through valueDelegate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/providers/bedrock/utils.go`:
- Around line 86-89: The current appendAnthropicBetaToFields call (using
anthropic.AnthropicStructuredOutputsBetaHeader and
bedrockReq.AdditionalModelRequestFields) adds the structured-output beta but
later code calls Set("anthropic_beta", betaHeaders) which overwrites any
existing anthropic_beta entries and can drop the structured-output beta when
server-tool betas are also added; change the logic where anthropic_beta is set
so you merge with any existing anthropic_beta entries in
bedrockReq.AdditionalModelRequestFields (read the existing value, combine
arrays/lists, deduplicate entries) and then write the merged list back via
Set("anthropic_beta", mergedBetaHeaders) so both structured-output and
server-tool betas are preserved (update code paths around
appendAnthropicBetaToFields and the Set("anthropic_beta", ...) call).

In `@plugins/governance/main.go`:
- Around line 903-906: The routing-rule evaluation failure is being logged to
the routing-engine logs at Info level; change the severity to an error level so
consumers can distinguish hard failures. Update the call to
ctx.AppendRoutingEngineLog in the error branch (where p.logger.Error is invoked)
to use schemas.LogLevelError (or the appropriate error enum) instead of
schemas.LogLevelInfo, keeping the same message (fmt.Sprintf("Routing rule
evaluation error: %v", err)) and the same routing key
schemas.RoutingEngineRoutingRule.

In `@plugins/governance/routing.go`:
- Around line 474-523: buildNoMatchContext currently writes raw header/param
values (from variables["headers"/"params"]) into logs; change it to never log
actual values — for each key found by extractMapKeysFromCEL, append only
presence/missing or a redacted placeholder (e.g., key=<present> or
key=<redacted> / key=<missing>) instead of fmt.Sprintf("%s=%q", k, v); update
the block that iterates m := variables[mapName].(map[string]string) to replace v
with a constant redaction string or a presence marker and keep the existing
"key=<missing>" for absent keys so logs contain no PII/secrets while still
showing which keys were referenced.

---

Outside diff comments:
In `@core/schemas/context.go`:
- Around line 407-438: WithPluginScope currently aliases scoped.done to the root
context and ReleasePluginScope only clears some fields before returning the
scoped context to pluginScopePool, which can leak cancel state and other data;
update WithPluginScope so scoped contexts delegate cancellation to valueDelegate
(do not reuse or alias done/doneOnce from the root), and change
ReleasePluginScope to fully zero out all fields on the scoped BifrostContext
(parent, done, doneOnce, pluginScope, pluginLogs, valueDelegate and any other
struct fields) before calling pluginScopePool.Put to ensure no stale state is
retained and cancellation is always routed through valueDelegate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2baa88dd-76de-4d75-bee9-49d652a6e215

📥 Commits

Reviewing files that changed from the base of the PR and between e40014b and 3198154.

📒 Files selected for processing (11)

• core/providers/anthropic/utils.go
• core/providers/bedrock/bedrock.go
• core/providers/bedrock/responses.go
• core/providers/bedrock/utils.go
• core/schemas/bifrost.go
• core/schemas/context.go
• plugins/governance/allowonallvirtualkeys_test.go
• plugins/governance/httptransportprehook_test.go
• plugins/governance/main.go
• plugins/governance/routing.go
• plugins/governance/storeconcurrency_test.go

💤 Files with no reviewable changes (1)

• plugins/governance/storeconcurrency_test.go

[coderabbitai]

🧹 Nitpick comments (1)

core/schemas/bifrost.go (1)

316-321: Update the RoutingEngineLogEntry format comment to include level.

The comment still describes [timestamp] [engine] - message, but Level is now part of the schema.

Proposed comment update

-// format: [timestamp] [engine] - message
+// format: [timestamp] [engine] [level] - message

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/schemas/bifrost.go` around lines 316 - 321, Update the top-of-struct
format comment for RoutingEngineLogEntry to reflect the added Level field —
change the example format from "[timestamp] [engine] - message" to include level
(for example "[timestamp] [engine] [level] - message") and ensure the comment
mentions that Level corresponds to the LogLevel field; locate the comment
immediately above the RoutingEngineLogEntry type declaration and adjust the
human-readable example and description to include `Level` alongside `Engine`,
`Timestamp`, and `Message`.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@core/schemas/bifrost.go`:
- Around line 316-321: Update the top-of-struct format comment for
RoutingEngineLogEntry to reflect the added Level field — change the example
format from "[timestamp] [engine] - message" to include level (for example
"[timestamp] [engine] [level] - message") and ensure the comment mentions that
Level corresponds to the LogLevel field; locate the comment immediately above
the RoutingEngineLogEntry type declaration and adjust the human-readable example
and description to include `Level` alongside `Engine`, `Timestamp`, and
`Message`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 069a3e1a-4907-4218-90e9-dfacee3041e8

📥 Commits

Reviewing files that changed from the base of the PR and between 3198154 and d9409e8.

📒 Files selected for processing (11)

• core/providers/anthropic/utils.go
• core/providers/bedrock/bedrock.go
• core/providers/bedrock/responses.go
• core/providers/bedrock/utils.go
• core/schemas/bifrost.go
• core/schemas/context.go
• plugins/governance/allowonallvirtualkeys_test.go
• plugins/governance/httptransportprehook_test.go
• plugins/governance/main.go
• plugins/governance/routing.go
• plugins/governance/storeconcurrency_test.go

💤 Files with no reviewable changes (1)

• plugins/governance/storeconcurrency_test.go

✅ Files skipped from review due to trivial changes (1)

• plugins/governance/main.go

🚧 Files skipped from review as they are similar to previous changes (5)

• core/providers/anthropic/utils.go
• core/providers/bedrock/bedrock.go
• core/schemas/context.go
• core/providers/bedrock/utils.go
• plugins/governance/routing.go

[akshaydeo]

Merge activity

• Apr 27, 8:08 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 27, 8:09 PM UTC: @akshaydeo merged this pull request with Graphite.