@bmcclaugherty bmcclaugherty commented Aug 22, 2025

Add Bedrock sessionToken which is supported by the AI SDK.

Summary by CodeRabbit

  • New Features

    • Amazon Bedrock accepts an optional session token in configuration; supply via secret or environment variable. If omitted, AWS_SESSION_TOKEN is used and honored at runtime.
  • Documentation

    • Docs, public schemas, and changelog updated to document the new sessionToken option with secret/env examples and default behavior.


coderabbitai bot commented Aug 22, 2025

Walkthrough

Adds optional sessionToken support for Amazon Bedrock across docs, schemas, types, env, and runtime resolution. The token can come from a secret/env in config or fall back to AWS_SESSION_TOKEN. Chat action now passes sessionToken to createAmazonBedrock. No other providers or behaviors changed.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docs — Provider usage: docs/docs/configuration/language-model-providers.mdx | Inserted sessionToken example mapped to AWS_SESSION_TOKEN in Bedrock provider docs. |
| Docs — Schema (MDX): docs/snippets/schemas/v3/index.schema.mdx, docs/snippets/schemas/v3/languageModel.schema.mdx | Added optional sessionToken to AmazonBedrockLanguageModel in definitions and oneOf entries, using secret/env two-shape pattern with a note defaulting to AWS_SESSION_TOKEN. |
| Runtime schema (TS): packages/schemas/src/v3/index.schema.ts, packages/schemas/src/v3/languageModel.schema.ts | Extended schemas to include optional sessionToken for Bedrock with anyOf/anyOf shapes { secret } or { env }, additionalProperties: false, description noting AWS_SESSION_TOKEN default. |
| Types: packages/schemas/src/v3/index.type.ts, packages/schemas/src/v3/languageModel.type.ts | Added `sessionToken?: { secret: string } |
| Env wiring: packages/web/src/env.mjs | Added AWS_SESSION_TOKEN: z.string().optional() to server env schema. |
| Chat action logic: packages/web/src/features/chat/actions.ts | In the amazon-bedrock path, resolves sessionToken via getTokenFromConfig(orgId, prisma) when present or falls back to env.AWS_SESSION_TOKEN, then passes it into createAmazonBedrock. |
| JSON schema: schemas/v3/languageModel.json | Added sessionToken property to AmazonBedrockLanguageModel referencing shared Token with description defaulting to AWS_SESSION_TOKEN. |
| Changelog: CHANGELOG.md | Added entry: "Add sessionToken as optional Bedrock configuration parameter." |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant UI as Chat UI
  participant Actions as _getAISDKLanguageModelAndOptions
  participant Cfg as Config (Bedrock)
  participant Secrets as getTokenFromConfig
  participant Env as Process Env
  participant Bedrock as createAmazonBedrock

  UI->>Actions: Request model + options
  Actions->>Cfg: Read Bedrock config
  alt sessionToken specified in config
    Actions->>Secrets: Resolve sessionToken for org
    Secrets-->>Actions: tokenValue
  else no sessionToken in config
    Actions->>Env: Read AWS_SESSION_TOKEN
    Env-->>Actions: tokenValue (possibly undefined)
  end
  Actions->>Bedrock: Init with { accessKeyId, secretAccessKey, region, sessionToken, ... }
  Bedrock-->>Actions: Language model instance
  Actions-->>UI: Model + options

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • msukkari
  • Ferexx

Poem

A whisk of keys, a token hops in line,
Secret or env — a tiny sign.
Bedrock wakes with one more key,
I thump and hum: "Config, agree!"
Ears up high, I press deploy—hop, joy! 🐇✨


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/docs/configuration/language-model-providers.mdx (1)

297-304: OpenRouter example uses the wrong provider id.

The “OpenRouter” section shows "provider": "openai" which will mislead users. It should be "openrouter".

Apply this diff:

-            "provider": "openai",
+            "provider": "openrouter",
🧹 Nitpick comments (7)
packages/web/src/features/chat/actions.ts (1)

392-394: Optional: Avoid unintended AWS_SESSION_TOKEN merges in serverless envs (e.g., Vercel).

AI SDK warns that environment defaults may lead to merged credentials; explicitly setting fields to undefined avoids implicit env defaults. Today you actively pass env.AWS_SESSION_TOKEN when config.sessionToken is absent, which perpetuates any injected token. Consider passing undefined instead so only explicit config uses a session token; users relying on env can set sessionToken via config { env: "AWS_SESSION_TOKEN" }. This would be a behavior change—confirm expectations before adopting. (sdk.vercel.ai, ai-sdk.dev)

Proposed change:

-                sessionToken: config.sessionToken
-                    ? await getTokenFromConfig(config.sessionToken, orgId, prisma)
-                    : env.AWS_SESSION_TOKEN,
+                // Avoid implicit env fallbacks that can conflict in serverless envs.
+                sessionToken: config.sessionToken
+                    ? await getTokenFromConfig(config.sessionToken, orgId, prisma)
+                    : undefined,
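Review bot: the `: undefined` branch removes the AWS_SESSION_TOKEN fallback that this PR's schema descriptions and provider docs state as the default, so the hunk is incomplete without matching changes to those descriptions and a migration line telling env users to set sessionToken to { env: "AWS_SESSION_TOKEN" }. The added comment should also name the variable it stops reading, since "implicit env fallbacks" alone does not tell a later reader which credential is affected.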
docs/docs/configuration/language-model-providers.mdx (3)

114-114: Fix typo: “defailts” → “defaults”.

Minor documentation typo in the Azure example comment.

Apply this diff:

-            "apiVersion": "OPTIONAL_API_VERSION", // defailts to 'preview' if not set
+            "apiVersion": "OPTIONAL_API_VERSION", // defaults to 'preview' if not set

169-169: Fix typo: “paramater” → “parameter”.

Two occurrences in the Google Vertex and Google Vertex Anthropic notes.

Apply this diff:

-<Note>The `credentials` paramater here expects a **path** to a [credentials](https://console.cloud.google.com/apis/credentials) file. This file **must be in a volume mounted by Sourcebot** for it to be readable.</Note>
+<Note>The `credentials` parameter here expects a **path** to a [credentials](https://console.cloud.google.com/apis/credentials) file. This file **must be in a volume mounted by Sourcebot** for it to be readable.</Note>

Also applies to: 194-194


343-343: Grammar: “a environment variable” → “an environment variable”.

Tiny grammar fix in the custom headers example.

Apply this diff:

-                // Header values can be passed as a environment variable...
+                // Header values can be passed as an environment variable...
docs/snippets/schemas/v3/index.schema.mdx (1)

1287-1317: Amazon Bedrock: sessionToken added in definitions — looks correct and consistent.

  • Shape mirrors accessKeyId/accessKeySecret with {secret}|{env} and additionalProperties: false. Good.
  • Minor doc clarity: consider noting that sessionToken is required when using temporary AWS credentials (STS/assumed roles) and typically accompanies accessKeyId/Secret. Recommend adding this wording in the source schema generator so the auto-generated docs inherit it.

I can draft the exact wording in the TS schema source so the generator emits it here.

docs/snippets/schemas/v3/languageModel.schema.mdx (2)

84-114: Amazon Bedrock definitions: sessionToken field added — schema shape LGTM.

  • anyOf with {secret}|{env} aligns with existing token patterns and keeps additionalProperties closed.
  • Optional enhancement (non-blocking): add an “examples” snippet (env-based) similar to other areas in the repo to improve discoverability in docs output (e.g., { "sessionToken": { "env": "AWS_SESSION_TOKEN" } }). Implement in the source generator, not here.

1459-1489: oneOf amazon-bedrock entry: sessionToken included — consistent with definitions.

  • Consistency across both definitions and oneOf reduces confusion for consumers; nice.
  • Cross-field validation idea (optional): when any of accessKeyId/accessKeySecret/sessionToken is explicitly provided in config, consider a schema-level “if/then” to nudge users toward providing a complete temporary-credentials triplet (or rely entirely on env). Current behavior already mirrors prior fields, so treat this as a future nicety rather than a blocker.

If you want, I can propose a JSON Schema constraint (draft-07-friendly) in the TS generator that enforces completeness only when any of the three is present.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between d9fa221 and 4e4f5f3.

📒 Files selected for processing (10)
  • docs/docs/configuration/language-model-providers.mdx (1 hunks)
  • docs/snippets/schemas/v3/index.schema.mdx (2 hunks)
  • docs/snippets/schemas/v3/languageModel.schema.mdx (2 hunks)
  • packages/schemas/src/v3/index.schema.ts (2 hunks)
  • packages/schemas/src/v3/index.type.ts (1 hunks)
  • packages/schemas/src/v3/languageModel.schema.ts (2 hunks)
  • packages/schemas/src/v3/languageModel.type.ts (1 hunks)
  • packages/web/src/env.mjs (1 hunks)
  • packages/web/src/features/chat/actions.ts (1 hunks)
  • schemas/v3/languageModel.json (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*

📄 CodeRabbit inference engine (.cursor/rules/style.mdc)

Filenames should always be camelCase. Exception: if there are filenames in the same directory with a format other than camelCase, use that format to keep things consistent.

Files:

  • schemas/v3/languageModel.json
  • packages/web/src/env.mjs
  • packages/schemas/src/v3/index.type.ts
  • docs/docs/configuration/language-model-providers.mdx
  • packages/schemas/src/v3/languageModel.type.ts
  • packages/web/src/features/chat/actions.ts
  • packages/schemas/src/v3/languageModel.schema.ts
  • docs/snippets/schemas/v3/languageModel.schema.mdx
  • packages/schemas/src/v3/index.schema.ts
  • docs/snippets/schemas/v3/index.schema.mdx
🧬 Code graph analysis (1)
packages/web/src/features/chat/actions.ts (1)
packages/web/src/env.mjs (2)
  • env (14-168)
🔇 Additional comments (11)
packages/web/src/env.mjs (1)

124-126: LGTM: Added AWS_SESSION_TOKEN to server env schema (server-only).

The optional AWS_SESSION_TOKEN fits the existing AWS creds block and is not exposed via experimental__runtimeEnv, so no risk of leaking to the client.

packages/web/src/features/chat/actions.ts (1)

392-394: LGTM: Pass Bedrock sessionToken with config-or-env resolution.

createAmazonBedrock supports a sessionToken field and defaults to the AWS_SESSION_TOKEN env var when present; your addition aligns with the provider API. Verified against AI SDK docs. (sdk.vercel.ai, ai-sdk.dev)

packages/schemas/src/v3/index.type.ts (1)

491-507: LGTM: sessionToken added to AmazonBedrockLanguageModel (secret/env union).

Matches the existing credential token pattern and the documented default behavior to AWS_SESSION_TOKEN. Keeps types in sync with schema/docs.

schemas/v3/languageModel.json (1)

28-31: LGTM: JSON Schema now includes sessionToken for Bedrock.

Uses the shared Token ref and description consistent with types and runtime usage. Required set remains unchanged (provider, model).

packages/schemas/src/v3/languageModel.type.ts (1)

62-77: LGTM: sessionToken added to Bedrock type (generated).

Auto-generated type mirrors index.type.ts and schema changes; no issues spotted.

packages/schemas/src/v3/languageModel.schema.ts (2)

83-113: Bedrock sessionToken shape and description look correct.

Matches the existing token pattern (secret/env + additionalProperties: false) and the default-to-env behavior is clearly described.


1458-1488: Approve: sessionToken is correctly implemented end-to-end.

All layers—including the TypeScript interface (AmazonBedrockLanguageModel in packages/schemas/src/v3/languageModel.type.ts), the public JSON schema (schemas/v3/languageModel.json), the web environment variable (AWS_SESSION_TOKEN in packages/web/src/env.mjs), the Bedrock runtime wiring (createAmazonBedrock call in packages/web/src/features/chat/actions.ts), and the documentation (docs/snippets and docs/configuration/language-model-providers.mdx)—consistently expose and handle sessionToken as intended. No further changes required.

packages/schemas/src/v3/index.schema.ts (2)

1286-1316: LGTM: Added sessionToken under definitions.AmazonBedrockLanguageModel.

Shape, description, and placement align with existing AWS credential fields. No unintended “required” changes.


2661-2691: LGTM: Added sessionToken to the amazon-bedrock entry in models.oneOf.

Consistent with definitions and other providers’ token fields. Auto-generated file note respected—no manual refactors suggested here.

docs/docs/configuration/language-model-providers.mdx (1)

70-72: Docs match the new schema: sessionToken example included for Bedrock.

The example correctly shows mapping to AWS_SESSION_TOKEN, consistent with the schema and runtime behavior.

docs/snippets/schemas/v3/index.schema.mdx (1)

2662-2692: sessionToken precedence and propagation validated

  • In packages/crypto/src/tokenUtils.ts, getTokenFromConfig first checks for secret, then env, reading from process.env[token.env] and throwing if unset. This ensures any configured secret or env overrides the default.
  • In packages/web/src/features/chat/actions.ts, the amazon-bedrock invocation uses
    sessionToken: config.sessionToken
      ? await getTokenFromConfig(config.sessionToken, orgId, prisma)
      : env.AWS_SESSION_TOKEN,
    so config.sessionToken always takes priority and falls back to AWS_SESSION_TOKEN only when no config is provided.

Schemas, types, docs, and runtime behavior are all in alignment.
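
The precedence described in this review, as an added TypeScript sketch that is not Sourcebot's code: `resolveToken` is a synchronous stand-in for `getTokenFromConfig`, and the type names, the `allowAmbient` switch, the warning labels and the sample values are assumptions made for illustration. It also flags the case raised in the nitpick on actions.ts, where an ambient AWS_SESSION_TOKEN is combined with a key pair taken from config.

```typescript
// Added example, not Sourcebot code. Names are hypothetical unless they appear in the PR.
type TokenRef = { secret: string } | { env: string };
type Lookup = Record<string, string | undefined>;
type Origin = "config" | "ambient" | "none";
interface BedrockConfig { accessKeyId?: TokenRef; accessKeySecret?: TokenRef; sessionToken?: TokenRef }
interface Resolved { value: string | undefined; origin: Origin }

// Stand-in for getTokenFromConfig: secret first, then env, throwing when the source is unset.
// Synchronous here; secrets come from a plain object instead of a database lookup.
function resolveToken(token: TokenRef, secrets: Lookup, env: Lookup): string {
  const name = "secret" in token ? token.secret : token.env;
  const value = "secret" in token ? secrets[name] : env[name];
  if (value === undefined) throw new Error(`token source "${name}" is not set`);
  return value;
}

// Config wins; the ambient variable is consulted only when config is silent and allowed.
function resolveField(token: TokenRef | undefined, ambientName: string,
                      secrets: Lookup, env: Lookup, allowAmbient: boolean): Resolved {
  if (token !== undefined) {
    return { value: resolveToken(token, secrets, env), origin: "config" };
  }
  const value = allowAmbient ? env[ambientName] : undefined;
  return { value, origin: value === undefined ? "none" : "ambient" };
}

// Assumption: the key pair follows the same config-or-env rule as sessionToken.
function resolveBedrockCredentials(config: BedrockConfig, secrets: Lookup, env: Lookup,
                                   allowAmbient: boolean = true) {
  const id = resolveField(config.accessKeyId, "AWS_ACCESS_KEY_ID", secrets, env, allowAmbient);
  const key = resolveField(config.accessKeySecret, "AWS_SECRET_ACCESS_KEY", secrets, env, allowAmbient);
  const session = resolveField(config.sessionToken, "AWS_SESSION_TOKEN", secrets, env, allowAmbient);
  const warnings: string[] = [];
  // A session token is only valid with the key pair it was issued alongside.
  if (session.origin === "ambient" && (id.origin === "config" || key.origin === "config")) {
    warnings.push("mixed-sources");
  }
  if (session.value !== undefined && (id.value === undefined || key.value === undefined)) {
    warnings.push("incomplete-key-pair");
  }
  return { accessKeyId: id.value, secretAccessKey: key.value, sessionToken: session.value, warnings };
}

// Constructed sample data: static key pair in config, session token injected by the platform.
const SAMPLE_SECRETS: Lookup = { "bedrock-id": "AKIA-CONSTRUCTED", "bedrock-key": "constructed-secret" };
const SAMPLE_ENV: Lookup = { AWS_SESSION_TOKEN: "constructed-injected", MY_STS_TOKEN: "constructed-sts" };
const STATIC_KEYS: BedrockConfig = {
  accessKeyId: { secret: "bedrock-id" },
  accessKeySecret: { secret: "bedrock-key" },
};

// Merged behaviour (env fallback on) versus explicit-only behaviour (fallback off).
const merged = resolveBedrockCredentials(STATIC_KEYS, SAMPLE_SECRETS, SAMPLE_ENV);
console.log(merged.sessionToken, merged.warnings);
const strict = resolveBedrockCredentials(STATIC_KEYS, SAMPLE_SECRETS, SAMPLE_ENV, false);
console.log(strict.sessionToken, strict.warnings);
```

With the fallback on, the injected token is attached to a key pair it was not issued with and the resolver reports `mixed-sources`; with it off, only a `sessionToken` named in config is used.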


@brendan-kellam brendan-kellam left a comment

LGTM! 🎉 If you could add a changelog entry, then will be g2g for merging

@bmcclaugherty

LGTM! 🎉 If you could add a changelog entry, then will be g2g for merging

Awesome! Just pushed. Thanks for reviewing and merging so quickly!

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
CHANGELOG.md (2)

12-12: Move entry to “Added” section and fix tense/wording.

This is a new capability, not a change. For consistency with Keep a Changelog and your prior entries, place it under an “Added” subsection and use past tense. Also prefer “Amazon Bedrock” and “an optional” for clarity.

Apply something like:

 ## [Unreleased]

-### Changed
+### Added
+- Added `sessionToken` as an optional Amazon Bedrock configuration parameter. [#478](https://github.com/sourcebot-dev/sourcebot/pull/478)

+### Changed
 - Updated NextJS to version 15. [#477](https://github.com/sourcebot-dev/sourcebot/pull/477)
- - Add `sessionToken` as optional Bedrock configuration parameter. [#478](https://github.com/sourcebot-dev/sourcebot/pull/478)

12-12: Optional: Align provider tagging with prior convention.

Several entries use the “[ask sb]” prefix for chat-related features. If this sessionToken flows through chat actions (per PR), consider adding the prefix for quick scannability.

Example:

- - Added `sessionToken` as an optional Amazon Bedrock configuration parameter. [#478](https://github.com/sourcebot-dev/sourcebot/pull/478)
+ - [ask sb] Added `sessionToken` as an optional Amazon Bedrock configuration parameter. [#478](https://github.com/sourcebot-dev/sourcebot/pull/478)
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4e4f5f3 and a64fb95.

📒 Files selected for processing (1)
  • CHANGELOG.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*

📄 CodeRabbit inference engine (.cursor/rules/style.mdc)

Filenames should always be camelCase. Exception: if there are filenames in the same directory with a format other than camelCase, use that format to keep things consistent.

Files:

  • CHANGELOG.md
🪛 LanguageTool
CHANGELOG.md

[grammar] ~12-~12: There might be a mistake here.
Context: ...ourcebot/pull/477) - Add sessionToken as optional Bedrock configuration paramete...

(QB_NEW_EN)

@brendan-kellam brendan-kellam merged commit ca9069e into sourcebot-dev:main Aug 25, 2025
6 checks passed