feat: Support AWS Bedrock Embedding Models and LLM Models

[f4roukb]

Motivation

Many organizations using AWS want to leverage AWS-native AI services to:

• Keep data within AWS boundaries for compliance and security requirements
• Simplify infrastructure by avoiding multiple cloud provider integrations
• Reduce costs through AWS pricing models and reserved capacity
• Use IAM roles for seamless credential management in AWS deployments

This PR enables the Redis Agent Memory Server to use Amazon Bedrock for both embedding models and LLM generation, making it a first-class citizen in AWS environments while maintaining full backward compatibility with existing OpenAI/Anthropic configurations.

Additionally, the Docker setup was significantly improved to support multi-platform builds, reduce image sizes, and provide better development/production workflows.

---

Summary of Changes

🆕 Features Introduced

1. AWS Bedrock Integration

   • Support for Bedrock embedding models (Amazon Titan, Cohere)
   • Support for Bedrock LLM generation models (Claude via Converse API)
   • New [aws] optional dependency group for clean separation
   • Automatic model validation at startup with cached API calls

2. Filter-Only Memory Queries

   • New list_memories() method in vector store adapter
   • Enables metadata filtering without requiring embeddings
   • Improves performance for deduplication, ID lookups, and compaction operations

3. Comprehensive Documentation

   • New docs/aws-bedrock.md with setup guides, IAM policies, and troubleshooting

4. Unit Test Mock Dependencies

   • Mocked dependencies for some unit tests so that they do not require API keys to run when it's not necessary for the test

---

🐛 Bugs Fixed

1. Empty query full-scan issue - Fixed a bug where passing an empty query string to search_memories() would trigger expensive full-scan operations instead of using filter-only queries

2. Startup validation - Fixed loose model validation that allowed invalid configurations to pass silently; now fails fast with clear error messages

---

🐳 Docker & Infrastructure Improvements

1. Multi-stage Dockerfile

   • Separate builder and runtime stages for smaller final images
   • Removed build tools (gcc, g++) from runtime images
   • Two build targets: standard (basic image) and aws (with AWS Bedrock support on top)

2. Docker Compose Profiles

   • Profile-based service selection (standard vs aws)
   • Pre-configured AWS environment variable mappings
   • Proper networking and volume management

3. Docker Bake Support

   • New docker-bake.json for multi-platform builds (linux/amd64, linux/arm64)
   • Simplified CI/CD integration

4. New .dockerignore

   • Comprehensive ignore patterns to reduce build context size
   • Excludes tests, docs, IDE files, and build artifacts

5. Dependency Cleanup

   • Removed unused heavy dependencies (accelerate, numba, sentence-transformers, bertopic)
   • Reduces base image size (2.52GB -> 1.06GB, effective container size less than 0.7GB) and installation time (approx. 20s).

---

Detailed Changes

New Files

File	Description
agent_memory_server/_aws/__init__.py	AWS module init
agent_memory_server/_aws/clients.py	AWS session and Bedrock client factories
agent_memory_server/_aws/utils.py	Model validation utilities with TTL caching
docs/aws-bedrock.md	Comprehensive AWS Bedrock documentation
docker-bake.json	Multi-platform build configuration
.dockerignore	Docker build context exclusions
tests/test_aws_clients.py	Unit tests for AWS client factories
tests/test_aws_config.py	Unit tests for AWS configuration
tests/test_aws_utils.py	Unit tests for AWS utility functions

Modified Files

File	Changes
agent_memory_server/config.py	Added ModelProvider.AWS_BEDROCK, Bedrock model configs, AWS credential properties
agent_memory_server/llms.py	Added BedrockClientWrapper using ChatBedrockConverse
agent_memory_server/main.py	Refactored startup validation for multi-provider support
agent_memory_server/vectorstore_adapter.py	Added list_memories() for filter-only queries
agent_memory_server/long_term_memory.py	Updated to use list_memories() where appropriate
Dockerfile	Multi-stage build with standard and aws targets
docker-compose.yml	Added AWS service profiles and improved configuration
docker-compose-task-workers.yml	Added AWS worker profiles
pyproject.toml	Added [aws] extras, removed unused dependencies
mkdocs.yml	Added AWS Bedrock docs to navigation

---

Configuration

New Environment Variables

# AWS Region (required for Bedrock)
REGION_NAME=us-east-1

# AWS Credentials (choose one method)
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
AWS_SESSION_TOKEN=your-token  # optional, for temporary credentials

Supported Bedrock Models

Embedding:

• amazon.titan-embed-text-v2:0 (1024 dims)
• amazon.titan-embed-text-v1 (1536 dims)
• cohere.embed-english-v3 (1024 dims)
• cohere.embed-multilingual-v3 (1024 dims)

LLM Generation:

• anthropic.claude-sonnet-4-5-20250929-v1:0
• anthropic.claude-haiku-4-5-20251001-v1:0
• anthropic.claude-opus-4-5-20251101-v1:0

Feel free to add more models.

---

Usage

Installation

# Standard (OpenAI/Anthropic only)
pip install agent-memory-server

# With AWS Bedrock support
pip install agent-memory-server[aws]

Docker

# Build standard image (multiplatform, with Bake)
docker buildx bake standard

# Build AWS image (multiplatform, with Bake)
docker buildx bake aws

# Using Docker Compose
docker-compose up                      # Standard stack
docker-compose --profile aws up        # AWS Bedrock stack

---

Testing

All existing tests pass. New tests added for AWS functionality:

# Run all tests
pytest

# Run AWS-specific tests
pytest tests/test_aws_*.py tests/test_llms.py -v

---

Breaking Changes

None. All changes are backward compatible. Existing configurations using OpenAI or Anthropic continue to work without modification.

---

Checklist

• Code follows project style guidelines
• Tests added for new functionality
• Documentation updated
• All tests passing
• Type hints added/updated
• No breaking changes to existing API

[jit-ci]

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

[jit-ci]

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed below as a comment.
It’s highly recommended that you fix this security issue before merge.

Repository Risks:

• Internally Accessible: Accessible only within the internal network, reducing exposure to external threats but still requiring proper controls.
• Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
• High Severity Findings: Indicates that the resource has high severity security findings that need attention.
• Production: Critical as it operates in a live production environment, directly impacting users and business operations.

Repository Context:

graph LR
    GitHub$Repository_U23_redis/agent_U2D_memory_U2D_server["GitHub Repository<br/>redis/agent-memory-server"]:::GitHub$Repository
    Team_U23_applied_U2D_ai["Team<br/>applied-ai"]:::Team
    DBIntegration_U23_redis["DBIntegration<br/>redis"]:::DBIntegration
    GitHub$Actions_U23_agent_U2D_memory_U2D_client_U2E_yml["GitHub Actions<br/>agent-memory-client.yml"]:::GitHub$Actions
    Team_U23_applied_U2D_ai -- "Owns" --> GitHub$Repository_U23_redis/agent_U2D_memory_U2D_server
    GitHub$Repository_U23_redis/agent_U2D_memory_U2D_server -- "Is accessible to" --> DBIntegration_U23_redis
    GitHub$Repository_U23_redis/agent_U2D_memory_U2D_server -- "Has" --> GitHub$Actions_U23_agent_U2D_memory_U2D_client_U2E_yml

Loading

[jit-ci]

Security control: Docker Scan

Secrets Passed Via Build-Args Or Envs Or Copied Secret Files

Passing secrets via build-args or envs or copying secret files can leak them out

Severity: CRITICAL

Learn more about this issue

---

Why should you fix this issue?
This Dockerfile introduces a container vulnerability. In a production environment, using insecure container configurations or outdated base images can lead to significant security risks. If an attacker exploits a vulnerability in the container, it could compromise the entire application or lead to unauthorized access.

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_ignore_type_in_file Ignore any finding of type "Secrets passed via build-args or envs or copied secret files" in Dockerfile; future occurrences will also be ignored.
• #jit_undo_ignore Undo ignore command

[abrookins]

#jit_ignore_fp

[Copilot]

Pull request overview

This PR adds comprehensive AWS Bedrock support to the Redis Agent Memory Server, enabling organizations to use AWS-native AI services for both embedding and LLM generation. The implementation introduces a new model provider type, AWS client factories, model validation utilities, and extensive documentation while maintaining backward compatibility.

Key Changes:

• AWS Bedrock integration for embeddings (Titan, Cohere) and LLM generation (Claude via Converse API)
• New list_memories() method for filter-only queries without requiring embeddings
• Multi-stage Docker builds with separate standard and aws targets
• Comprehensive test mocking to avoid API key requirements

Reviewed changes

Copilot reviewed 44 out of 46 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
agent_memory_server/_aws/	New AWS module with client factories and model validation utilities
agent_memory_server/config.py	Added AWS_BEDROCK provider, Bedrock model configs, and AWS credential properties
agent_memory_server/llms.py	Added BedrockClientWrapper using ChatBedrockConverse for LLM generation
agent_memory_server/vectorstore_factory.py	Integrated BedrockEmbeddings with model validation
agent_memory_server/vectorstore_adapter.py	Added list_memories() for filter-only queries without embeddings
agent_memory_server/long_term_memory.py	Updated to use list_memories() for hash/ID deduplication
Dockerfile	Multi-stage builds with standard and AWS targets
docker-compose.yml	Added AWS service profiles with environment configuration
docs/aws-bedrock.md	Comprehensive AWS Bedrock documentation with setup guides
pyproject.toml	Added [aws] extras, removed unused dependencies, added cachetools
tests/	Added AWS unit tests and mocked dependencies for existing tests

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jit-ci]

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 1 finding.

[jit-ci]

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 1 finding.

[jit-ci]

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 1 finding.

[jit-ci]

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 2 findings.

[jit-ci]

Security control: Docker Scan

Secrets Passed Via Build-Args Or Envs Or Copied Secret Files

Passing secrets via build-args or envs or copying secret files can leak them out

Severity: CRITICAL

Learn more about this issue

---

Why should you fix this issue?
This Dockerfile introduces a container vulnerability. In a production environment, using insecure container configurations or outdated base images can lead to significant security risks. If an attacker exploits a vulnerability in the container, it could compromise the entire application or lead to unauthorized access.

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_ignore_type_in_file Ignore any finding of type "Secrets passed via build-args or envs or copied secret files" in Dockerfile; future occurrences will also be ignored.
• #jit_undo_ignore Undo ignore command

[abrookins]

#jit_ignore_fp

[abrookins]

Truly epic, @f4roukb! 💯

And thanks for diving in with Copilot. That thing can be pedantic, but I agreed with some of its comments.

We won't get a clean test run from this PR because it can't use our credentials properly, so I'm going to merge and will sort out any irregularities that happen in CI on main.