feat(providers): server-side credential hiding for Azure and Bedrock

[waleedlatif1]

Summary

• Adds NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS flag — when set, hides the AWS access key/secret fields in the Agent block UI and lets the deployment use the default AWS credential chain (IAM roles, IRSA, ECS task roles, etc.)
• Adds NEXT_PUBLIC_AZURE_CONFIGURED flag — when set, hides the Azure endpoint, API version, and API key fields so users just pick a model and run; credentials are resolved from server-side env vars (AZURE_OPENAI_* / AZURE_ANTHROPIC_*)
• Adds Azure OpenAI and Azure Anthropic handling in BYOK layer with proper separation: infra providers (Bedrock, Azure, vLLM, Ollama) resolved before the hosted-only BYOK DB path
• Unifies isSubBlockHiddenByHostedKey + isSubBlockHiddenByEnvVar into single isSubBlockHidden() — also fixes two call sites (workflow-block.tsx, copilot/vfs/serializers.ts) that were missing the env var check
• Renames requiresFeature → showWhenEnvSet on SubBlockConfig for symmetry with hideWhenEnvSet
• Replaces 'bedrock-uses-own-credentials' magic string with exported PROVIDER_PLACEHOLDER_KEY constant
• Consolidates VERTEX_MODELS, BEDROCK_MODELS, AZURE_MODELS as single source of truth in blocks/utils.ts
• Updates Helm charts (values.yaml, values-azure.yaml, values-aws.yaml) and .env.example with all new env vars

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 1, 2026 11:06pm

[cursor]

PR Summary

Medium Risk
Medium risk due to changes in credential resolution/validation for Azure and Bedrock providers plus broad updates to subblock visibility that affect editor rendering, serialization, and tool parameter schemas.

Overview
Adds env-var–driven UI credential hiding by extending subblock visibility rules: requiresFeature is replaced with showWhenEnvSet, and a unified isSubBlockHidden() now hides fields when hosted (hideWhenHosted) or when a specified NEXT_PUBLIC_ env var is set (hideWhenEnvSet). This new logic is wired through the editor layout, workflow block preview, serializer/VFS schema export, and tool param generation.

Refactors the Agent block to use shared getProviderCredentialSubBlocks() and introduces new deployment flags NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS and NEXT_PUBLIC_AZURE_CONFIGURED to hide Bedrock/Azure credential inputs when credentials are provided server-side.

Updates provider execution and key plumbing: Bedrock now supports AWS default credential chain (with validation that access key + secret must be provided together) and adds tests; Azure OpenAI/Anthropic providers and the BYOK key resolver now allow API keys/endpoints to come from server env (AZURE_OPENAI_*, AZURE_ANTHROPIC_*), and replaces Bedrock’s magic placeholder key with PROVIDER_PLACEHOLDER_KEY. Docs and Helm/.env examples are updated to reflect the new env vars.

^{Written by Cursor Bugbot for commit 2ee6cba. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds server-side credential hiding for Azure OpenAI, Azure Anthropic, and AWS Bedrock deployments, letting operators pre-configure credentials via env vars so users only need to pick a model.

Key changes:

• NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS — hides bedrockAccessKeyId / bedrockSecretKey subblocks; the Bedrock provider already falls back to the AWS default credential chain when both fields are absent.
• NEXT_PUBLIC_AZURE_CONFIGURED — hides azureEndpoint, azureApiVersion, and the apiKey field for all Azure models; server-side AZURE_OPENAI_* / AZURE_ANTHROPIC_* env vars are resolved in byok.ts.
• Unifies isSubBlockHiddenByHostedKey + isSubBlockHiddenByEnvVar → isSubBlockHidden(), fixing two previously incomplete call sites in workflow-block.tsx and copilot/vfs/serializers.ts.
• Renames requiresFeature → showWhenEnvSet on SubBlockConfig for symmetry.
• Replaces the 'bedrock-uses-own-credentials' magic string with the exported PROVIDER_PLACEHOLDER_KEY constant.
• Consolidates VERTEX_MODELS, BEDROCK_MODELS, AZURE_MODELS as single-source constants in blocks/utils.ts.
• Adds Bedrock credential-handling tests and updates Helm/env documentation.

Confidence Score: 5/5

• Safe to merge; all remaining findings are P2 style suggestions that do not affect runtime correctness.
• The core credential-hiding logic is sound: hidden subblocks are correctly excluded from both the UI (use-editor-subblock-layout) and serialization (serializer/index.ts), so no credential fields are inadvertently sent to providers. The BYOK routing for Azure and Bedrock is correct and placed before the hosted BYOK DB path as intended. The two previously incomplete call sites that were missing the env-var check are now fixed. No P0/P1 issues were found.
• apps/sim/lib/api-key/byok.ts — the Azure paths return an empty string when no key is available rather than throwing early; apps/sim/blocks/utils.ts — new Bedrock credential subblocks missing paramVisibility: 'user-only'.

Important Files Changed

Filename	Overview
apps/sim/lib/api-key/byok.ts	Adds azure-openai and azure-anthropic early-exit paths before the hosted BYOK DB; returns empty string when no key is found, relying on provider-level throw rather than failing fast here.
apps/sim/blocks/utils.ts	Centralises VERTEX_MODELS / BEDROCK_MODELS / AZURE_MODELS constants; adds hideWhenEnvSet to Azure and Bedrock credential subblocks; new fields lack paramVisibility: 'user-only' per custom rule.
apps/sim/lib/workflows/subblocks/visibility.ts	Renames isSubBlockHiddenByHostedKey + isSubBlockHiddenByEnvVar into a single isSubBlockHidden(); cleanly handles both hideWhenHosted and hideWhenEnvSet cases.
apps/sim/providers/azure-anthropic/index.ts	New provider wiring Azure Anthropic (AI Foundry) to the existing Anthropic core executor; correctly strips the azure-anthropic/ prefix and resolves endpoint/apiKey from env vars.
apps/sim/providers/bedrock/index.ts	Credential handling updated to accept either explicit key pair or no credentials (default AWS chain); validation correctly rejects mismatched partial credentials.
apps/sim/providers/bedrock/index.test.ts	New test suite covering explicit credentials, default credential chain fallback, and mismatched partial credential rejection for the Bedrock provider.
apps/sim/serializer/index.ts	Adds isSubBlockHidden() check in shouldSerializeSubBlock so env-var-hidden credential fields are excluded from serialized params, preventing them from being passed to providers unnecessarily.
apps/sim/lib/core/config/feature-flags.ts	Adds isAzureConfigured constant (NEXT_PUBLIC_AZURE_CONFIGURED); well-isolated alongside other feature flags.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Agent Block - model selected] --> B{Provider type?}
    B -->|Ollama / vLLM| C[Return empty / vLLM key]
    B -->|Fireworks| D[Check BYOK DB → env var → throw]
    B -->|bedrock / bedrock/*| E[Return PROVIDER_PLACEHOLDER_KEY]
    B -->|azure-openai| F{userProvidedKey set?}
    B -->|azure-anthropic| G{userProvidedKey set?}
    B -->|openai / anthropic / google / mistral| H{isHosted + workspace?}

    E --> E1[BedrockProvider: credentials in request?]
    E1 -->|both present| E2[Use explicit key pair]
    E1 -->|neither present| E3[Fall back to AWS default chain]
    E1 -->|only one present| E4[Throw: must provide both or neither]

    F -->|yes| F1[Use user key]
    F -->|no| F2[env.AZURE_OPENAI_API_KEY or empty string]
    F2 --> F3[AzureOpenAIProvider: throw if empty]

    G -->|yes| G1[Use user key]
    G -->|no| G2[env.AZURE_ANTHROPIC_API_KEY or empty string]
    G2 --> G3[AzureAnthropicProvider: throw if empty]

    H -->|yes| I[Check BYOK DB]
    I -->|found| J[Use BYOK key]
    I -->|not found| K[Use rotating hosted key]
    H -->|no| L[Use userProvidedKey or throw]

    subgraph UI Visibility
        M[NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS=true] --> N[Hide bedrockAccessKeyId + bedrockSecretKey]
        O[NEXT_PUBLIC_AZURE_CONFIGURED=true] --> P[Hide azureEndpoint + azureApiVersion + apiKey for Azure models]
    end

Loading

_{Reviews (6): Last reviewed commit: "fix(blocks): add canonicalParamId to ver..." | Re-trigger Greptile}

[waleedlatif1]

Fixed in 5232efc. Added hideWhenEnvSet: 'NEXT_PUBLIC_AZURE_CONFIGURED' to azureEndpoint and azureApiVersion, and hideWhenEnvSet: 'NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS' to bedrockAccessKeyId and bedrockSecretKey in getProviderCredentialSubBlocks(). Note: kept required: true and original placeholders for Bedrock — hidden fields are already skipped by the serializer's shouldSerializeSubBlock check before required validation runs, so required: true is safe here and consistent with agent.ts.

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR