shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: add ai_gateway options that alias aibridge options (#25061)

Browse Source 
Adds options matching new AI Gateway naming.
New options are added as alias for old options. Old options are still
working.
Old options have deprecated message.
No conflict detection was added.

Updated documentation so it mentions only new options. Added note about
old options still working.

> Various AI tools where used to create this PR
This commit is contained in:
Paweł Banaszewski
2026-05-21 11:14:11 +02:00
committed by GitHub
parent f1b772928d
commit 46e93e6325
23 changed files with 1572 additions and 708 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cli/server.go
+74 -48
View File
@@ -2926,11 +2926,78 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
return providers, nil
}
// ReadAIProvidersFromEnv parses CODER_AIBRIDGE_PROVIDER_<N>_<KEY>
// ReadAIProvidersFromEnv parses CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>
// environment variables into a slice of AIProviderConfig.
// Deprecated alias env vars with the CODER_AIBRIDGE_PROVIDER_<N>_<KEY>
// prefix are also accepted for compatibility. Prefixes are mutually exclusive.
//
// This follows the same indexed pattern as ReadExternalAuthProvidersFromEnv.
func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AIProviderConfig, error) {
parsed := serpent.ParseEnviron(environ, "CODER_AIBRIDGE_PROVIDER_")
providers, err := readAIProvidersForPrefix(logger, environ, "CODER_AIBRIDGE_PROVIDER_")
if err != nil {
return nil, err
}
gatewayProviders, err := readAIProvidersForPrefix(logger, environ, "CODER_AI_GATEWAY_PROVIDER_")
if err != nil {
return nil, err
}
if len(providers) > 0 && len(gatewayProviders) > 0 {
return nil, xerrors.New("cannot mix CODER_AIBRIDGE_PROVIDER_* and CODER_AI_GATEWAY_PROVIDER_* environment variables, please consolidate onto CODER_AI_GATEWAY_PROVIDER_*")
}
providers = append(providers, gatewayProviders...)
// Post-parse validation.
names := make(map[string]int, len(providers))
for i := range providers {
p := &providers[i]
if p.Type == "" {
return nil, xerrors.Errorf("provider %d: TYPE is required", i)
}
switch p.Type {
case aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot:
default:
return nil, xerrors.Errorf("provider %d: unknown TYPE %q (must be %s, %s, or %s)",
i, p.Type, aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot)
}
if p.Type != aibridge.ProviderAnthropic && hasBedrockFields(*p) {
return nil, xerrors.Errorf("provider %d (%s): BEDROCK_* fields are only supported with TYPE %q",
i, p.Type, aibridge.ProviderAnthropic)
}
if p.Type == aibridge.ProviderCopilot && len(p.Keys) > 0 {
return nil, xerrors.Errorf("provider %d (%s): KEY/KEYS are not supported for TYPE %q",
i, p.Type, aibridge.ProviderCopilot)
}
if err := validateProviderCredentialList(i, p.Type, p.Keys); err != nil {
return nil, err
}
if err := validateBedrockCredentials(i, p.Type, p.BedrockAccessKeys, p.BedrockAccessKeySecrets); err != nil {
return nil, err
}
if p.Name == "" {
p.Name = p.Type
}
if other, exists := names[p.Name]; exists {
return nil, xerrors.Errorf("providers %d and %d have duplicate NAME %q (multiple providers of the same type require unique NAME values)", other, i, p.Name)
}
names[p.Name] = i
}
return providers, nil
}
// readAIProvidersForPrefix parses provider env vars under a single
// indexed prefix (e.g. CODER_AI_GATEWAY_PROVIDER_) into a slice of
// AIProviderConfig. Per-field syntax errors and unknown keys are
// reported using the original env var name so the prefix stays visible
// to the operator.
func readAIProvidersForPrefix(logger slog.Logger, environ []string, prefix string) ([]codersdk.AIProviderConfig, error) {
parsed := serpent.ParseEnviron(environ, prefix)
// Sort by numeric index so that PROVIDER_2 comes before PROVIDER_10.
slices.SortFunc(parsed, func(a, b serpent.EnvVar) int {
@@ -2944,14 +3011,15 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI
var providers []codersdk.AIProviderConfig
for _, v := range parsed {
fullName := prefix + v.Name
tokens := strings.SplitN(v.Name, "_", 2)
if len(tokens) != 2 {
return nil, xerrors.Errorf("invalid env var: %s", v.Name)
return nil, xerrors.Errorf("invalid env var: %s", fullName)
}
providerNum, err := strconv.Atoi(tokens[0])
if err != nil {
return nil, xerrors.Errorf("parse number: %s", v.Name)
return nil, xerrors.Errorf("parse number: %s", fullName)
}
var provider codersdk.AIProviderConfig
@@ -2960,7 +3028,7 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI
return nil, xerrors.Errorf(
"provider num %v skipped: %s",
len(providers),
v.Name,
fullName,
)
case len(providers) == providerNum: // First observation of this index, create a new provider.
providers = append(providers, provider)
@@ -3015,54 +3083,12 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI
provider.BedrockSmallFastModel = v.Value
default:
logger.Warn(context.Background(), "ignoring unknown AI provider field (check for typos)",
slog.F("env", fmt.Sprintf("CODER_AIBRIDGE_PROVIDER_%d_%s", providerNum, key)),
slog.F("env", fullName),
)
}
providers[providerNum] = provider
}
// Post-parse validation.
names := make(map[string]int, len(providers))
for i := range providers {
p := &providers[i]
if p.Type == "" {
return nil, xerrors.Errorf("provider %d: TYPE is required", i)
}
switch p.Type {
case aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot:
default:
return nil, xerrors.Errorf("provider %d: unknown TYPE %q (must be %s, %s, or %s)",
i, p.Type, aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot)
}
if p.Type != aibridge.ProviderAnthropic && hasBedrockFields(*p) {
return nil, xerrors.Errorf("provider %d (%s): BEDROCK_* fields are only supported with TYPE %q",
i, p.Type, aibridge.ProviderAnthropic)
}
if p.Type == aibridge.ProviderCopilot && len(p.Keys) > 0 {
return nil, xerrors.Errorf("provider %d (%s): KEY/KEYS are not supported for TYPE %q",
i, p.Type, aibridge.ProviderCopilot)
}
if err := validateProviderCredentialList(i, p.Type, p.Keys); err != nil {
return nil, err
}
if err := validateBedrockCredentials(i, p.Type, p.BedrockAccessKeys, p.BedrockAccessKeySecrets); err != nil {
return nil, err
}
if p.Name == "" {
p.Name = p.Type
}
if other, exists := names[p.Name]; exists {
return nil, xerrors.Errorf("providers %d and %d have duplicate NAME %q (multiple providers of the same type require unique NAME values)", other, i, p.Name)
}
names[p.Name] = i
}
return providers, nil
}
cli/server_aibridge_internal_test.go
+78 -17
View File
@@ -46,6 +46,23 @@ func TestReadAIProvidersFromEnv(t *testing.T) {
},
},
},
{
name: "SingleProviderAIGatewayPrefix",
env: []string{
"CODER_AI_GATEWAY_PROVIDER_0_TYPE=anthropic",
"CODER_AI_GATEWAY_PROVIDER_0_NAME=anthropic-zdr",
"CODER_AI_GATEWAY_PROVIDER_0_KEY=sk-ant-xxx",
"CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://api.anthropic.com/",
},
expected: []codersdk.AIProviderConfig{
{
Type: aibridge.ProviderAnthropic,
Name: "anthropic-zdr",
Keys: []string{"sk-ant-xxx"},
BaseURL: "https://api.anthropic.com/",
},
},
},
{
name: "MultipleProvidersSameType",
env: []string{
@@ -310,6 +327,16 @@ func TestReadAIProvidersFromEnv(t *testing.T) {
},
errContains: "BEDROCK_ACCESS_KEYS count (2) must match BEDROCK_ACCESS_KEY_SECRETS count (1)",
},
{
name: "MixedPrefixesAreNotAllowed",
env: []string{
"CODER_AIBRIDGE_PROVIDER_0_TYPE=anthropic",
"CODER_AIBRIDGE_PROVIDER_0_NAME=anthropic-1",
"CODER_AI_GATEWAY_PROVIDER_0_TYPE=anthropic",
"CODER_AI_GATEWAY_PROVIDER_0_NAME=anthropic-2",
},
errContains: "cannot mix CODER_AIBRIDGE_PROVIDER_* and CODER_AI_GATEWAY_PROVIDER_* environment variables",
},
{
name: "BedrockKeysTooMany",
env: []string{
@@ -339,7 +366,7 @@ func TestReadAIProvidersFromEnv(t *testing.T) {
t.Run("MultiDigitIndices", func(t *testing.T) {
t.Parallel()
// Indices 0, 1, 2, ..., 10 verifies that 10 sorts after 2,
// Indices 0, 1, 2, ..., 10, verifies that 10 sorts after 2,
// not between 1 and 2 as a lexicographic sort would do.
var env []string
var expected []codersdk.AIProviderConfig
@@ -362,23 +389,57 @@ func TestReadAIProvidersFromEnv(t *testing.T) {
t.Run("UnknownFieldWarnsButSucceeds", func(t *testing.T) {
t.Parallel()
// A typo like TPYE instead of TYPE should not prevent startup;
// A typo like TYYYPPOO instead of TYPE should not prevent startup;
// the function logs a warning and continues.
sink := testutil.NewFakeSink(t)
providers, err := ReadAIProvidersFromEnv(sink.Logger(), []string{
"CODER_AIBRIDGE_PROVIDER_0_TYPE=openai",
"CODER_AIBRIDGE_PROVIDER_0_TPYE=openai",
})
require.NoError(t, err)
require.Equal(t, []codersdk.AIProviderConfig{
{Type: aibridge.ProviderOpenAI, Name: aibridge.ProviderOpenAI},
}, providers)
tests := []struct {
name string
env []string
expected []codersdk.AIProviderConfig
expectedWarnings []string
}{
{
name: "AIGatewayPrefix",
env: []string{
"CODER_AI_GATEWAY_PROVIDER_0_TYPE=openai",
"CODER_AI_GATEWAY_PROVIDER_0_Name=test",
"CODER_AI_GATEWAY_PROVIDER_0_TYYYPPOO=openai",
},
expected: []codersdk.AIProviderConfig{
{Type: "openai", Name: "test"},
},
expectedWarnings: []string{"CODER_AI_GATEWAY_PROVIDER_0_TYYYPPOO"},
},
{
name: "AIBridgePrefix",
env: []string{
"CODER_AIBRIDGE_PROVIDER_0_TYPE=openai",
"CODER_AIBRIDGE_PROVIDER_0_Name=test",
"CODER_AIBRIDGE_PROVIDER_0_TYYYPPOO=openai",
},
expected: []codersdk.AIProviderConfig{
{Type: "openai", Name: "test"},
},
expectedWarnings: []string{"CODER_AIBRIDGE_PROVIDER_0_TYYYPPOO"},
},
}
warnings := sink.Entries(func(e slog.SinkEntry) bool {
return e.Message == "ignoring unknown AI provider field (check for typos)"
})
require.Len(t, warnings, 1)
require.Len(t, warnings[0].Fields, 1)
assert.Equal(t, "CODER_AIBRIDGE_PROVIDER_0_TPYE", warnings[0].Fields[0].Value)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
sink := testutil.NewFakeSink(t)
providers, err := ReadAIProvidersFromEnv(sink.Logger(), tt.env)
require.NoError(t, err)
require.Equal(t, tt.expected, providers)
warnings := sink.Entries(func(e slog.SinkEntry) bool {
return e.Message == "ignoring unknown AI provider field (check for typos)"
})
require.Len(t, warnings, len(tt.expectedWarnings))
for i, want := range tt.expectedWarnings {
require.Len(t, warnings[i].Fields, 1)
assert.Equal(t, want, warnings[i].Fields[0].Value)
}
})
}
})
}
cli/testdata/coder_server_--help.golden
Vendored
+91 -91
View File
@@ -103,80 +103,7 @@ OPTIONS:
Periodically check for new releases of Coder and inform the owner. The
check is performed once per day.
AI BRIDGE OPTIONS:
--aibridge-allow-byok bool, $CODER_AIBRIDGE_ALLOW_BYOK (default: true)
Allow users to provide their own LLM API keys or subscriptions. When
disabled, only centralized key authentication is permitted.
--aibridge-anthropic-base-url string, $CODER_AIBRIDGE_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
The base URL of the Anthropic API.
--aibridge-anthropic-key string, $CODER_AIBRIDGE_ANTHROPIC_KEY
The key to authenticate against the Anthropic API.
--aibridge-bedrock-access-key string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY
The access key to authenticate against the AWS Bedrock API.
--aibridge-bedrock-access-key-secret string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET
The access key secret to use with the access key to authenticate
against the AWS Bedrock API.
--aibridge-bedrock-base-url string, $CODER_AIBRIDGE_BEDROCK_BASE_URL
The base URL to use for the AWS Bedrock API. Use this setting to
specify an exact URL to use. Takes precedence over
CODER_AIBRIDGE_BEDROCK_REGION.
--aibridge-bedrock-model string, $CODER_AIBRIDGE_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
The model to use when making requests to the AWS Bedrock API.
--aibridge-bedrock-region string, $CODER_AIBRIDGE_BEDROCK_REGION
The AWS Bedrock API region to use. Constructs a base URL to use for
the AWS Bedrock API in the form of
'https://bedrock-runtime.<region>.amazonaws.com'.
--aibridge-bedrock-small-fastmodel string, $CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
The small fast model to use when making requests to the AWS Bedrock
API. Claude Code uses Haiku-class models to perform background tasks.
See
https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
--aibridge-circuit-breaker-enabled bool, $CODER_AIBRIDGE_CIRCUIT_BREAKER_ENABLED (default: false)
Enable the circuit breaker to protect against cascading failures from
upstream AI provider overload (503, 529).
--aibridge-retention duration, $CODER_AIBRIDGE_RETENTION (default: 60d)
Length of time to retain data such as interceptions and all related
records (token, prompt, tool use).
--aibridge-enabled bool, $CODER_AIBRIDGE_ENABLED (default: false)
Whether to start an in-memory aibridged instance.
--aibridge-max-concurrency int, $CODER_AIBRIDGE_MAX_CONCURRENCY (default: 0)
Maximum number of concurrent AI Bridge requests per replica. Set to 0
to disable (unlimited).
--aibridge-openai-base-url string, $CODER_AIBRIDGE_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
The base URL of the OpenAI API.
--aibridge-openai-key string, $CODER_AIBRIDGE_OPENAI_KEY
The key to authenticate against the OpenAI API.
--aibridge-rate-limit int, $CODER_AIBRIDGE_RATE_LIMIT (default: 0)
Maximum number of AI Bridge requests per second per replica. Set to 0
to disable (unlimited).
--aibridge-send-actor-headers bool, $CODER_AIBRIDGE_SEND_ACTOR_HEADERS (default: false)
Once enabled, extra headers will be added to upstream requests to
identify the user (actor) making requests to AI Bridge. This is only
needed if you are using a proxy between AI Bridge and an upstream AI
provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user
making the request) and X-Ai-Bridge-Actor-Metadata-Username (their
username).
--aibridge-structured-logging bool, $CODER_AIBRIDGE_STRUCTURED_LOGGING (default: false)
Emit structured logs for AI Bridge interception records. Use this for
exporting these records to external SIEM or observability systems.
AI GATEWAY OPTIONS:
--ai-budget-period month, $CODER_AI_BUDGET_PERIOD (default: month)
Determines when accumulated AI spend resets to zero, aligned to UTC
calendar boundaries. Only "month" is currently supported.
@@ -186,49 +113,122 @@ AI BRIDGE OPTIONS:
with AI budgets. "highest" selects the group with the largest spend
limit, and is currently the only supported value.
AI BRIDGE PROXY OPTIONS:
--aibridge-proxy-dump-dir string, $CODER_AIBRIDGE_PROXY_DUMP_DIR
--ai-gateway-allow-byok bool, $CODER_AI_GATEWAY_ALLOW_BYOK (default: true)
Allow users to provide their own LLM API keys or subscriptions. When
disabled, only centralized key authentication is permitted.
--ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
The base URL of the Anthropic API.
--ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY
The key to authenticate against the Anthropic API.
--ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY
The access key to authenticate against the AWS Bedrock API.
--ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
The access key secret to use with the access key to authenticate
against the AWS Bedrock API.
--ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL
The base URL to use for the AWS Bedrock API. Use this setting to
specify an exact URL to use. Takes precedence over
CODER_AI_GATEWAY_BEDROCK_REGION.
--ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
The model to use when making requests to the AWS Bedrock API.
--ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION
The AWS Bedrock API region to use. Constructs a base URL to use for
the AWS Bedrock API in the form of
'https://bedrock-runtime.<region>.amazonaws.com'.
--ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
The small fast model to use when making requests to the AWS Bedrock
API. Claude Code uses Haiku-class models to perform background tasks.
See
https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
--ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false)
Enable the circuit breaker to protect against cascading failures from
upstream AI provider overload (503, 529).
--ai-gateway-retention duration, $CODER_AI_GATEWAY_RETENTION (default: 60d)
Length of time to retain data such as interceptions and all related
records (token, prompt, tool use).
--ai-gateway-enabled bool, $CODER_AI_GATEWAY_ENABLED (default: false)
Whether to start an in-memory AI Gateway instance.
--ai-gateway-max-concurrency int, $CODER_AI_GATEWAY_MAX_CONCURRENCY (default: 0)
Maximum number of concurrent AI Gateway requests per replica. Set to 0
to disable (unlimited).
--ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
The base URL of the OpenAI API.
--ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY
The key to authenticate against the OpenAI API.
--ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0)
Maximum number of AI Gateway requests per second per replica. Set to 0
to disable (unlimited).
--ai-gateway-send-actor-headers bool, $CODER_AI_GATEWAY_SEND_ACTOR_HEADERS (default: false)
Once enabled, extra headers will be added to upstream requests to
identify the user (actor) making requests to AI Gateway. This is only
needed if you are using a proxy between AI Gateway and an upstream AI
provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user
making the request) and X-Ai-Bridge-Actor-Metadata-Username (their
username).
--ai-gateway-structured-logging bool, $CODER_AI_GATEWAY_STRUCTURED_LOGGING (default: false)
Emit structured logs for AI Gateway interception records. Use this for
exporting these records to external SIEM or observability systems.
AI GATEWAY PROXY OPTIONS:
--ai-gateway-proxy-dump-dir string, $CODER_AI_GATEWAY_PROXY_DUMP_DIR
Directory for dumping MITM request/response pairs to disk for
debugging. When set, each proxied request produces .req.txt and
.resp.txt files organized by provider. Sensitive headers are redacted.
Leave empty to disable.
--aibridge-proxy-allowed-private-cidrs string-array, $CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS
--ai-gateway-proxy-allowed-private-cidrs string-array, $CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS
Comma-separated list of CIDR ranges that are permitted even though
they fall within blocked private/reserved IP ranges. By default all
private ranges are blocked to prevent SSRF attacks. Use this to allow
access to specific internal networks.
--aibridge-proxy-enabled bool, $CODER_AIBRIDGE_PROXY_ENABLED (default: false)
Enable the AI Bridge MITM Proxy for intercepting and decrypting AI
--ai-gateway-proxy-enabled bool, $CODER_AI_GATEWAY_PROXY_ENABLED (default: false)
Enable the AI Gateway MITM Proxy for intercepting and decrypting AI
provider requests.
--aibridge-proxy-listen-addr string, $CODER_AIBRIDGE_PROXY_LISTEN_ADDR (default: :8888)
The address the AI Bridge Proxy will listen on.
--ai-gateway-proxy-listen-addr string, $CODER_AI_GATEWAY_PROXY_LISTEN_ADDR (default: :8888)
The address the AI Gateway Proxy will listen on.
--aibridge-proxy-cert-file string, $CODER_AIBRIDGE_PROXY_CERT_FILE
--ai-gateway-proxy-cert-file string, $CODER_AI_GATEWAY_PROXY_CERT_FILE
Path to the CA certificate file used to intercept (MITM) HTTPS traffic
from AI clients. This CA must be trusted by AI clients for the proxy
to decrypt their requests.
--aibridge-proxy-key-file string, $CODER_AIBRIDGE_PROXY_KEY_FILE
--ai-gateway-proxy-key-file string, $CODER_AI_GATEWAY_PROXY_KEY_FILE
Path to the CA private key file used to intercept (MITM) HTTPS traffic
from AI clients.
--aibridge-proxy-tls-cert-file string, $CODER_AIBRIDGE_PROXY_TLS_CERT_FILE
Path to the TLS certificate file for the AI Bridge Proxy listener.
Must be set together with AI Bridge Proxy TLS Key File.
--ai-gateway-proxy-tls-cert-file string, $CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE
Path to the TLS certificate file for the AI Gateway Proxy listener.
Must be set together with AI Gateway Proxy TLS Key File.
--aibridge-proxy-tls-key-file string, $CODER_AIBRIDGE_PROXY_TLS_KEY_FILE
Path to the TLS private key file for the AI Bridge Proxy listener.
Must be set together with AI Bridge Proxy TLS Certificate File.
--ai-gateway-proxy-tls-key-file string, $CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE
Path to the TLS private key file for the AI Gateway Proxy listener.
Must be set together with AI Gateway Proxy TLS Certificate File.
--aibridge-proxy-upstream string, $CODER_AIBRIDGE_PROXY_UPSTREAM
--ai-gateway-proxy-upstream string, $CODER_AI_GATEWAY_PROXY_UPSTREAM
URL of an upstream HTTP proxy to chain tunneled (non-allowlisted)
requests through. Format: http://[user:pass@]host:port or
https://[user:pass@]host:port.
--aibridge-proxy-upstream-ca string, $CODER_AIBRIDGE_PROXY_UPSTREAM_CA
--ai-gateway-proxy-upstream-ca string, $CODER_AI_GATEWAY_PROXY_UPSTREAM_CA
Path to a PEM-encoded CA certificate to trust for the upstream proxy's
TLS connection. Only needed for HTTPS upstream proxies with
certificates not trusted by the system. If not provided, the system
cli/testdata/server-config.yaml.golden
Vendored
+183 -18
View File
@@ -766,9 +766,109 @@ chat:
# (default: false, type: bool)
debugLoggingEnabled: false
aibridge:
# Deprecated: use --ai-gateway-enabled or CODER_AI_GATEWAY_ENABLED instead.
# Whether to start an in-memory aibridged instance.
# (default: false, type: bool)
enabled: false
# Deprecated: use --ai-gateway-openai-base-url or CODER_AI_GATEWAY_OPENAI_BASE_URL
# instead. The base URL of the OpenAI API.
# (default: https://api.openai.com/v1/, type: string)
openai_base_url: https://api.openai.com/v1/
# Deprecated: use --ai-gateway-anthropic-base-url or
# CODER_AI_GATEWAY_ANTHROPIC_BASE_URL instead. The base URL of the Anthropic API.
# (default: https://api.anthropic.com/, type: string)
anthropic_base_url: https://api.anthropic.com/
# Deprecated: use --ai-gateway-bedrock-base-url or
# CODER_AI_GATEWAY_BEDROCK_BASE_URL instead. The base URL to use for the AWS
# Bedrock API. Use this setting to specify an exact URL to use. Takes precedence
# over CODER_AIBRIDGE_BEDROCK_REGION.
# (default: <unset>, type: string)
bedrock_base_url: ""
# Deprecated: use --ai-gateway-bedrock-region or CODER_AI_GATEWAY_BEDROCK_REGION
# instead. The AWS Bedrock API region to use. Constructs a base URL to use for the
# AWS Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.
# (default: <unset>, type: string)
bedrock_region: ""
# Deprecated: use --ai-gateway-bedrock-model or CODER_AI_GATEWAY_BEDROCK_MODEL
# instead. The model to use when making requests to the AWS Bedrock API.
# (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0, type: string)
bedrock_model: global.anthropic.claude-sonnet-4-5-20250929-v1:0
# Deprecated: use --ai-gateway-bedrock-small-fastmodel or
# CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL instead. The small fast model to use
# when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models
# to perform background tasks. See
# https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
# (default: global.anthropic.claude-haiku-4-5-20251001-v1:0, type: string)
bedrock_small_fast_model: global.anthropic.claude-haiku-4-5-20251001-v1:0
# Deprecated: Injected MCP in AI Gateway is deprecated and will be removed in a
# future release. This option is an alias for --ai-gateway-inject-coder-mcp-tools.
# (default: false, type: bool)
inject_coder_mcp_tools: false
# Deprecated: use --ai-gateway-retention or CODER_AI_GATEWAY_RETENTION instead.
# Length of time to retain data such as interceptions and all related records
# (token, prompt, tool use).
# (default: 60d, type: duration)
retention: 1440h0m0s
# Deprecated: use --ai-gateway-max-concurrency or CODER_AI_GATEWAY_MAX_CONCURRENCY
# instead. Maximum number of concurrent AI Bridge requests per replica. Set to 0
# to disable (unlimited).
# (default: 0, type: int)
max_concurrency: 0
# Deprecated: use --ai-gateway-rate-limit or CODER_AI_GATEWAY_RATE_LIMIT instead.
# Maximum number of AI Bridge requests per second per replica. Set to 0 to disable
# (unlimited).
# (default: 0, type: int)
rate_limit: 0
# Deprecated: use --ai-gateway-structured-logging or
# CODER_AI_GATEWAY_STRUCTURED_LOGGING instead. Emit structured logs for AI Bridge
# interception records. Use this for exporting these records to external SIEM or
# observability systems.
# (default: false, type: bool)
structured_logging: false
# Deprecated: use --ai-gateway-send-actor-headers or
# CODER_AI_GATEWAY_SEND_ACTOR_HEADERS instead. Once enabled, extra headers will be
# added to upstream requests to identify the user (actor) making requests to AI
# Bridge. This is only needed if you are using a proxy between AI Bridge and an
# upstream AI provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user
# making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).
# (default: false, type: bool)
send_actor_headers: false
# Deprecated: use --ai-gateway-allow-byok or CODER_AI_GATEWAY_ALLOW_BYOK instead.
# Allow users to provide their own LLM API keys or subscriptions. When disabled,
# only centralized key authentication is permitted.
# (default: true, type: bool)
allow_byok: true
# Deprecated: use --ai-gateway-circuit-breaker-enabled or
# CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED instead. Enable the circuit breaker to
# protect against cascading failures from upstream AI provider overload (503,
# 529).
# (default: false, type: bool)
circuit_breaker_enabled: false
# Deprecated: use --ai-gateway-circuit-breaker-failure-threshold or
# CODER_AI_GATEWAY_CIRCUIT_BREAKER_FAILURE_THRESHOLD instead. Number of
# consecutive failures that triggers the circuit breaker to open.
# (default: 5, type: int)
circuit_breaker_failure_threshold: 5
# Deprecated: use --ai-gateway-circuit-breaker-interval or
# CODER_AI_GATEWAY_CIRCUIT_BREAKER_INTERVAL instead. Cyclic period of the closed
# state for clearing internal failure counts.
# (default: 10s, type: duration)
circuit_breaker_interval: 10s
# Deprecated: use --ai-gateway-circuit-breaker-timeout or
# CODER_AI_GATEWAY_CIRCUIT_BREAKER_TIMEOUT instead. How long the circuit breaker
# stays open before transitioning to half-open state.
# (default: 30s, type: duration)
circuit_breaker_timeout: 30s
# Deprecated: use --ai-gateway-circuit-breaker-max-requests or
# CODER_AI_GATEWAY_CIRCUIT_BREAKER_MAX_REQUESTS instead. Maximum number of
# requests allowed in half-open state before deciding to close or re-open the
# circuit.
# (default: 3, type: int)
circuit_breaker_max_requests: 3
ai_gateway:
# Whether to start an in-memory AI Gateway instance.
# (default: false, type: bool)
enabled: false
# The base URL of the OpenAI API.
# (default: https://api.openai.com/v1/, type: string)
openai_base_url: https://api.openai.com/v1/
@@ -776,7 +876,7 @@ aibridge:
# (default: https://api.anthropic.com/, type: string)
anthropic_base_url: https://api.anthropic.com/
# The base URL to use for the AWS Bedrock API. Use this setting to specify an
# exact URL to use. Takes precedence over CODER_AIBRIDGE_BEDROCK_REGION.
# exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
# (default: <unset>, type: string)
bedrock_base_url: ""
# The AWS Bedrock API region to use. Constructs a base URL to use for the AWS
@@ -791,8 +891,8 @@ aibridge:
# https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
# (default: global.anthropic.claude-haiku-4-5-20251001-v1:0, type: string)
bedrock_small_fast_model: global.anthropic.claude-haiku-4-5-20251001-v1:0
# Deprecated: Injected MCP in AI Bridge is deprecated and will be removed in a
# future release. Whether to inject Coder's MCP tools into intercepted AI Bridge
# Deprecated: Injected MCP in AI Gateway is deprecated and will be removed in a
# future release. Whether to inject Coder's MCP tools into intercepted AI Gateway
# requests (requires the "oauth2" and "mcp-server-http" experiments to be
# enabled).
# (default: false, type: bool)
@@ -801,21 +901,21 @@ aibridge:
# (token, prompt, tool use).
# (default: 60d, type: duration)
retention: 1440h0m0s
# Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable
# (unlimited).
# Maximum number of concurrent AI Gateway requests per replica. Set to 0 to
# disable (unlimited).
# (default: 0, type: int)
max_concurrency: 0
# Maximum number of AI Bridge requests per second per replica. Set to 0 to disable
# (unlimited).
# Maximum number of AI Gateway requests per second per replica. Set to 0 to
# disable (unlimited).
# (default: 0, type: int)
rate_limit: 0
# Emit structured logs for AI Bridge interception records. Use this for exporting
# Emit structured logs for AI Gateway interception records. Use this for exporting
# these records to external SIEM or observability systems.
# (default: false, type: bool)
structured_logging: false
# Once enabled, extra headers will be added to upstream requests to identify the
# user (actor) making requests to AI Bridge. This is only needed if you are using
# a proxy between AI Bridge and an upstream AI provider. This will send
# user (actor) making requests to AI Gateway. This is only needed if you are using
# a proxy between AI Gateway and an upstream AI provider. This will send
# X-Ai-Bridge-Actor-Id (the ID of the user making the request) and
# X-Ai-Bridge-Actor-Metadata-Username (their username).
# (default: false, type: bool)
@@ -851,19 +951,84 @@ aibridge:
# (default: month, type: enum[month])
budget_period: month
aibridgeproxy:
# Enable the AI Bridge MITM Proxy for intercepting and decrypting AI provider
# Deprecated: use --ai-gateway-proxy-enabled or CODER_AI_GATEWAY_PROXY_ENABLED
# instead. Enable the AI Bridge MITM Proxy for intercepting and decrypting AI
# provider requests.
# (default: false, type: bool)
enabled: false
# Deprecated: use --ai-gateway-proxy-listen-addr or
# CODER_AI_GATEWAY_PROXY_LISTEN_ADDR instead. The address the AI Bridge Proxy will
# listen on.
# (default: :8888, type: string)
listen_addr: :8888
# Deprecated: use --ai-gateway-proxy-tls-cert-file or
# CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE instead. Path to the TLS certificate file
# for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS
# Key File.
# (default: <unset>, type: string)
tls_cert_file: ""
# Deprecated: use --ai-gateway-proxy-tls-key-file or
# CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE instead. Path to the TLS private key file
# for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS
# Certificate File.
# (default: <unset>, type: string)
tls_key_file: ""
# Deprecated: use --ai-gateway-proxy-cert-file or CODER_AI_GATEWAY_PROXY_CERT_FILE
# instead. Path to the CA certificate file used to intercept (MITM) HTTPS traffic
# from AI clients. This CA must be trusted by AI clients for the proxy to decrypt
# their requests.
# (default: <unset>, type: string)
cert_file: ""
# Deprecated: use --ai-gateway-proxy-key-file or CODER_AI_GATEWAY_PROXY_KEY_FILE
# instead. Path to the CA private key file used to intercept (MITM) HTTPS traffic
# from AI clients.
# (default: <unset>, type: string)
key_file: ""
# Deprecated: This value is now derived automatically from the configured AI
# providers' base URLs. Setting this value has no effect. This option will be
# removed in a future release.
# (default: <unset>, type: string-array)
domain_allowlist: []
# Deprecated: use --ai-gateway-proxy-upstream or CODER_AI_GATEWAY_PROXY_UPSTREAM
# instead. URL of an upstream HTTP proxy to chain tunneled (non-allowlisted)
# requests through. Format: http://[user:pass@]host:port or
# https://[user:pass@]host:port.
# (default: <unset>, type: string)
upstream_proxy: ""
# Deprecated: use --ai-gateway-proxy-upstream-ca or
# CODER_AI_GATEWAY_PROXY_UPSTREAM_CA instead. Path to a PEM-encoded CA certificate
# to trust for the upstream proxy's TLS connection. Only needed for HTTPS upstream
# proxies with certificates not trusted by the system. If not provided, the system
# certificate pool is used.
# (default: <unset>, type: string)
upstream_proxy_ca: ""
# Deprecated: use --ai-gateway-proxy-allowed-private-cidrs or
# CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS instead. Comma-separated list of
# CIDR ranges that are permitted even though they fall within blocked
# private/reserved IP ranges. By default all private ranges are blocked to prevent
# SSRF attacks. Use this to allow access to specific internal networks.
# (default: <unset>, type: string-array)
allowed_private_cidrs: []
# Deprecated: use --ai-gateway-proxy-dump-dir or CODER_AI_GATEWAY_PROXY_DUMP_DIR
# instead. Directory for dumping MITM request/response pairs to disk for
# debugging. When set, each proxied request produces .req.txt and .resp.txt files
# organized by provider. Sensitive headers are redacted. Leave empty to disable.
# (default: <unset>, type: string)
api_dump_dir: ""
ai_gateway_proxy:
# Enable the AI Gateway MITM Proxy for intercepting and decrypting AI provider
# requests.
# (default: false, type: bool)
enabled: false
# The address the AI Bridge Proxy will listen on.
# The address the AI Gateway Proxy will listen on.
# (default: :8888, type: string)
listen_addr: :8888
# Path to the TLS certificate file for the AI Bridge Proxy listener. Must be set
# together with AI Bridge Proxy TLS Key File.
# Path to the TLS certificate file for the AI Gateway Proxy listener. Must be set
# together with AI Gateway Proxy TLS Key File.
# (default: <unset>, type: string)
tls_cert_file: ""
# Path to the TLS private key file for the AI Bridge Proxy listener. Must be set
# together with AI Bridge Proxy TLS Certificate File.
# Path to the TLS private key file for the AI Gateway Proxy listener. Must be set
# together with AI Gateway Proxy TLS Certificate File.
# (default: <unset>, type: string)
tls_key_file: ""
# Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI
@@ -876,8 +1041,8 @@ aibridgeproxy:
# (default: <unset>, type: string)
key_file: ""
# Deprecated: This value is now derived automatically from the configured AI
# providers' base URLs. Setting this value has no effect. This option will be
# removed in a future release.
# Gateway providers' base URLs. Setting this value has no effect. This option will
# be removed in a future release.
# (default: <unset>, type: string-array)
domain_allowlist: []
# URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests
coderd/apidoc/docs.go
Generated
+4 -4
View File
@@ -14443,7 +14443,7 @@ const docTemplate = `{
"type": "boolean"
},
"anthropic": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeAnthropicConfig"
@@ -14451,7 +14451,7 @@ const docTemplate = `{
]
},
"bedrock": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeBedrockConfig"
@@ -14492,7 +14492,7 @@ const docTemplate = `{
"type": "integer"
},
"openai": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeOpenAIConfig"
@@ -14500,7 +14500,7 @@ const docTemplate = `{
]
},
"providers": {
"description": "Providers holds provider instances populated from CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_\u003cKEY\u003e\nenv vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.",
"description": "Providers holds provider instances populated from CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_\u003cKEY\u003e\nenv vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.",
"type": "array",
"items": {
"$ref": "#/definitions/codersdk.AIProviderConfig"
coderd/apidoc/swagger.json
Generated
+4 -4
View File
@@ -12847,7 +12847,7 @@
"type": "boolean"
},
"anthropic": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeAnthropicConfig"
@@ -12855,7 +12855,7 @@
]
},
"bedrock": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeBedrockConfig"
@@ -12896,7 +12896,7 @@
"type": "integer"
},
"openai": {
"description": "Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_* env vars instead.",
"description": "Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_* env vars instead.",
"allOf": [
{
"$ref": "#/definitions/codersdk.AIBridgeOpenAIConfig"
@@ -12904,7 +12904,7 @@
]
},
"providers": {
"description": "Providers holds provider instances populated from CODER_AIBRIDGE_PROVIDER_\u003cN\u003e_\u003cKEY\u003e\nenv vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.",
"description": "Providers holds provider instances populated from CODER_AI_GATEWAY_PROVIDER_\u003cN\u003e_\u003cKEY\u003e\nenv vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.",
"type": "array",
"items": {
"$ref": "#/definitions/codersdk.AIProviderConfig"
codersdk/deployment.go
+540 -83
View File
@@ -1479,12 +1479,20 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
YAML: "chat",
Description: "Configure the background chat processing daemon.",
}
deploymentGroupAIGateway = serpent.Group{
Name: "AI Gateway",
YAML: "ai_gateway",
}
deploymentGroupAIGatewayProxy = serpent.Group{
Name: "AI Gateway Proxy",
YAML: "ai_gateway_proxy",
}
deploymentGroupAIBridge = serpent.Group{
Name: "AI Bridge",
Name: "AI Bridge (Deprecated)",
YAML: "aibridge",
}
deploymentGroupAIBridgeProxy = serpent.Group{
Name: "AI Bridge Proxy",
Name: "AI Bridge Proxy (Deprecated)",
YAML: "aibridgeproxy",
}
deploymentGroupRetention = serpent.Group{
@@ -1689,6 +1697,369 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
Hidden: false,
Default: "coder",
}
// AI Gateway options
aiGatewayEnabled := serpent.Option{
Name: "AI Gateway Enabled",
Description: "Whether to start an in-memory AI Gateway instance.",
Flag: "ai-gateway-enabled",
Env: "CODER_AI_GATEWAY_ENABLED",
Value: &c.AI.BridgeConfig.Enabled,
Default: "false",
Group: &deploymentGroupAIGateway,
YAML: "enabled",
}
aiGatewayOpenAIBaseURL := serpent.Option{
Name: "AI Gateway OpenAI Base URL",
Description: "The base URL of the OpenAI API.",
Flag: "ai-gateway-openai-base-url",
Env: "CODER_AI_GATEWAY_OPENAI_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyOpenAI.BaseURL,
Default: "https://api.openai.com/v1/",
Group: &deploymentGroupAIGateway,
YAML: "openai_base_url",
}
aiGatewayOpenAIKey := serpent.Option{
Name: "AI Gateway OpenAI Key",
Description: "The key to authenticate against the OpenAI API.",
Flag: "ai-gateway-openai-key",
Env: "CODER_AI_GATEWAY_OPENAI_KEY",
Value: &c.AI.BridgeConfig.LegacyOpenAI.Key,
Default: "",
Group: &deploymentGroupAIGateway,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
}
aiGatewayAnthropicBaseURL := serpent.Option{
Name: "AI Gateway Anthropic Base URL",
Description: "The base URL of the Anthropic API.",
Flag: "ai-gateway-anthropic-base-url",
Env: "CODER_AI_GATEWAY_ANTHROPIC_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyAnthropic.BaseURL,
Default: "https://api.anthropic.com/",
Group: &deploymentGroupAIGateway,
YAML: "anthropic_base_url",
}
aiGatewayAnthropicKey := serpent.Option{
Name: "AI Gateway Anthropic Key",
Description: "The key to authenticate against the Anthropic API.",
Flag: "ai-gateway-anthropic-key",
Env: "CODER_AI_GATEWAY_ANTHROPIC_KEY",
Value: &c.AI.BridgeConfig.LegacyAnthropic.Key,
Default: "",
Group: &deploymentGroupAIGateway,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
}
aiGatewayBedrockBaseURL := serpent.Option{
Name: "AI Gateway Bedrock Base URL",
Description: "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence " +
"over CODER_AI_GATEWAY_BEDROCK_REGION.",
Flag: "ai-gateway-bedrock-base-url",
Env: "CODER_AI_GATEWAY_BEDROCK_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyBedrock.BaseURL,
Default: "",
Group: &deploymentGroupAIGateway,
YAML: "bedrock_base_url",
}
aiGatewayBedrockRegion := serpent.Option{
Name: "AI Gateway Bedrock Region",
Description: "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of " +
"'https://bedrock-runtime.<region>.amazonaws.com'.",
Flag: "ai-gateway-bedrock-region",
Env: "CODER_AI_GATEWAY_BEDROCK_REGION",
Value: &c.AI.BridgeConfig.LegacyBedrock.Region,
Default: "",
Group: &deploymentGroupAIGateway,
YAML: "bedrock_region",
}
aiGatewayBedrockAccessKey := serpent.Option{
Name: "AI Gateway Bedrock Access Key",
Description: "The access key to authenticate against the AWS Bedrock API.",
Flag: "ai-gateway-bedrock-access-key",
Env: "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY",
Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKey,
Default: "",
Group: &deploymentGroupAIGateway,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
}
aiGatewayBedrockAccessKeySecret := serpent.Option{
Name: "AI Gateway Bedrock Access Key Secret",
Description: "The access key secret to use with the access key to authenticate against the AWS Bedrock API.",
Flag: "ai-gateway-bedrock-access-key-secret",
Env: "CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET",
Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKeySecret,
Default: "",
Group: &deploymentGroupAIGateway,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
}
aiGatewayBedrockModel := serpent.Option{
Name: "AI Gateway Bedrock Model",
Description: "The model to use when making requests to the AWS Bedrock API.",
Flag: "ai-gateway-bedrock-model",
Env: "CODER_AI_GATEWAY_BEDROCK_MODEL",
Value: &c.AI.BridgeConfig.LegacyBedrock.Model,
Default: "global.anthropic.claude-sonnet-4-5-20250929-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
Group: &deploymentGroupAIGateway,
YAML: "bedrock_model",
}
aiGatewayBedrockSmallFastModel := serpent.Option{
Name: "AI Gateway Bedrock Small Fast Model",
Description: "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.",
Flag: "ai-gateway-bedrock-small-fastmodel",
Env: "CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL",
Value: &c.AI.BridgeConfig.LegacyBedrock.SmallFastModel,
Default: "global.anthropic.claude-haiku-4-5-20251001-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
Group: &deploymentGroupAIGateway,
YAML: "bedrock_small_fast_model",
}
aiGatewayInjectCoderMCPTools := serpent.Option{
Name: "AI Gateway Inject Coder MCP tools",
Description: "Deprecated: Injected MCP in AI Gateway is deprecated and will be removed in a future release. Whether to inject Coder's MCP tools into intercepted AI Gateway requests (requires the \"oauth2\" and \"mcp-server-http\" experiments to be enabled).",
Flag: "ai-gateway-inject-coder-mcp-tools",
Env: "CODER_AI_GATEWAY_INJECT_CODER_MCP_TOOLS",
Value: &c.AI.BridgeConfig.InjectCoderMCPTools,
Default: "false",
Group: &deploymentGroupAIGateway,
YAML: "inject_coder_mcp_tools",
Hidden: true,
}
aiGatewayRetention := serpent.Option{
Name: "AI Gateway Data Retention Duration",
Description: "Length of time to retain data such as interceptions and all related records (token, prompt, tool use).",
Flag: "ai-gateway-retention",
Env: "CODER_AI_GATEWAY_RETENTION",
Value: &c.AI.BridgeConfig.Retention,
Default: "60d",
Group: &deploymentGroupAIGateway,
YAML: "retention",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
}
aiGatewayMaxConcurrency := serpent.Option{
Name: "AI Gateway Max Concurrency",
Description: "Maximum number of concurrent AI Gateway requests per replica. Set to 0 to disable (unlimited).",
Flag: "ai-gateway-max-concurrency",
Env: "CODER_AI_GATEWAY_MAX_CONCURRENCY",
Value: &c.AI.BridgeConfig.MaxConcurrency,
Default: "0",
Group: &deploymentGroupAIGateway,
YAML: "max_concurrency",
}
aiGatewayRateLimit := serpent.Option{
Name: "AI Gateway Rate Limit",
Description: "Maximum number of AI Gateway requests per second per replica. Set to 0 to disable (unlimited).",
Flag: "ai-gateway-rate-limit",
Env: "CODER_AI_GATEWAY_RATE_LIMIT",
Value: &c.AI.BridgeConfig.RateLimit,
Default: "0",
Group: &deploymentGroupAIGateway,
YAML: "rate_limit",
}
aiGatewayStructuredLogging := serpent.Option{
Name: "AI Gateway Structured Logging",
Description: "Emit structured logs for AI Gateway interception records. Use this for exporting these records to external SIEM or observability systems.",
Flag: "ai-gateway-structured-logging",
Env: "CODER_AI_GATEWAY_STRUCTURED_LOGGING",
Value: &c.AI.BridgeConfig.StructuredLogging,
Default: "false",
Group: &deploymentGroupAIGateway,
YAML: "structured_logging",
}
aiGatewaySendActorHeaders := serpent.Option{
Name: "AI Gateway Send Actor Headers",
Description: "Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Gateway. " +
"This is only needed if you are using a proxy between AI Gateway and an upstream AI provider. " +
"This will send X-Ai-Bridge-Actor-Id (the ID of the user making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).",
Flag: "ai-gateway-send-actor-headers",
Env: "CODER_AI_GATEWAY_SEND_ACTOR_HEADERS",
Value: &c.AI.BridgeConfig.SendActorHeaders,
Default: "false",
Group: &deploymentGroupAIGateway,
YAML: "send_actor_headers",
}
aiGatewayAllowBYOK := serpent.Option{
Name: "AI Gateway Allow BYOK",
Description: "Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted.",
Flag: "ai-gateway-allow-byok",
Env: "CODER_AI_GATEWAY_ALLOW_BYOK",
Value: &c.AI.BridgeConfig.AllowBYOK,
Default: "true",
Group: &deploymentGroupAIGateway,
YAML: "allow_byok",
}
// validateCircuitBreakerPercent is shared by AI Gateway circuit breaker options
validateCircuitBreakerPercent := func(value *serpent.Int64) error {
if value.Value() <= 0 || value.Value() > 100 {
return xerrors.New("must be between 1 and 100")
}
return nil
}
aiGatewayCircuitBreakerEnabled := serpent.Option{
Name: "AI Gateway Circuit Breaker Enabled",
Description: "Enable the circuit breaker to protect against cascading failures from upstream AI provider overload (503, 529).",
Flag: "ai-gateway-circuit-breaker-enabled",
Env: "CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED",
Value: &c.AI.BridgeConfig.CircuitBreakerEnabled,
Default: "false",
Group: &deploymentGroupAIGateway,
YAML: "circuit_breaker_enabled",
}
aiGatewayCircuitBreakerFailureThreshold := serpent.Option{
Name: "AI Gateway Circuit Breaker Failure Threshold",
Description: "Number of consecutive failures that triggers the circuit breaker to open.",
Flag: "ai-gateway-circuit-breaker-failure-threshold",
Env: "CODER_AI_GATEWAY_CIRCUIT_BREAKER_FAILURE_THRESHOLD",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerFailureThreshold, validateCircuitBreakerPercent),
Default: "5",
Hidden: true,
Group: &deploymentGroupAIGateway,
YAML: "circuit_breaker_failure_threshold",
}
aiGatewayCircuitBreakerInterval := serpent.Option{
Name: "AI Gateway Circuit Breaker Interval",
Description: "Cyclic period of the closed state for clearing internal failure counts.",
Flag: "ai-gateway-circuit-breaker-interval",
Env: "CODER_AI_GATEWAY_CIRCUIT_BREAKER_INTERVAL",
Value: &c.AI.BridgeConfig.CircuitBreakerInterval,
Default: "10s",
Hidden: true,
Group: &deploymentGroupAIGateway,
YAML: "circuit_breaker_interval",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
}
aiGatewayCircuitBreakerTimeout := serpent.Option{
Name: "AI Gateway Circuit Breaker Timeout",
Description: "How long the circuit breaker stays open before transitioning to half-open state.",
Flag: "ai-gateway-circuit-breaker-timeout",
Env: "CODER_AI_GATEWAY_CIRCUIT_BREAKER_TIMEOUT",
Value: &c.AI.BridgeConfig.CircuitBreakerTimeout,
Default: "30s",
Hidden: true,
Group: &deploymentGroupAIGateway,
YAML: "circuit_breaker_timeout",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
}
aiGatewayCircuitBreakerMaxRequests := serpent.Option{
Name: "AI Gateway Circuit Breaker Max Requests",
Description: "Maximum number of requests allowed in half-open state before deciding to close or re-open the circuit.",
Flag: "ai-gateway-circuit-breaker-max-requests",
Env: "CODER_AI_GATEWAY_CIRCUIT_BREAKER_MAX_REQUESTS",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerMaxRequests, validateCircuitBreakerPercent),
Default: "3",
Hidden: true,
Group: &deploymentGroupAIGateway,
YAML: "circuit_breaker_max_requests",
}
aiGatewayProxyEnabled := serpent.Option{
Name: "AI Gateway Proxy Enabled",
Description: "Enable the AI Gateway MITM Proxy for intercepting and decrypting AI provider requests.",
Flag: "ai-gateway-proxy-enabled",
Env: "CODER_AI_GATEWAY_PROXY_ENABLED",
Value: &c.AI.BridgeProxyConfig.Enabled,
Default: "false",
Group: &deploymentGroupAIGatewayProxy,
YAML: "enabled",
}
aiGatewayProxyListenAddr := serpent.Option{
Name: "AI Gateway Proxy Listen Address",
Description: "The address the AI Gateway Proxy will listen on.",
Flag: "ai-gateway-proxy-listen-addr",
Env: "CODER_AI_GATEWAY_PROXY_LISTEN_ADDR",
Value: &c.AI.BridgeProxyConfig.ListenAddr,
Default: ":8888",
Group: &deploymentGroupAIGatewayProxy,
YAML: "listen_addr",
}
aiGatewayProxyTLSCertFile := serpent.Option{
Name: "AI Gateway Proxy TLS Certificate File",
Description: "Path to the TLS certificate file for the AI Gateway Proxy listener. Must be set together with AI Gateway Proxy TLS Key File.",
Flag: "ai-gateway-proxy-tls-cert-file",
Env: "CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE",
Value: &c.AI.BridgeProxyConfig.TLSCertFile,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "tls_cert_file",
}
aiGatewayProxyTLSKeyFile := serpent.Option{
Name: "AI Gateway Proxy TLS Key File",
Description: "Path to the TLS private key file for the AI Gateway Proxy listener. Must be set together with AI Gateway Proxy TLS Certificate File.",
Flag: "ai-gateway-proxy-tls-key-file",
Env: "CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE",
Value: &c.AI.BridgeProxyConfig.TLSKeyFile,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "tls_key_file",
}
aiGatewayProxyMITMCertFile := serpent.Option{
Name: "AI Gateway Proxy MITM CA Certificate File",
Description: "Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI clients. This CA must be trusted by AI clients for the proxy to decrypt their requests.",
Flag: "ai-gateway-proxy-cert-file",
Env: "CODER_AI_GATEWAY_PROXY_CERT_FILE",
Value: &c.AI.BridgeProxyConfig.MITMCertFile,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "cert_file",
}
aiGatewayProxyMITMKeyFile := serpent.Option{
Name: "AI Gateway Proxy MITM CA Key File",
Description: "Path to the CA private key file used to intercept (MITM) HTTPS traffic from AI clients.",
Flag: "ai-gateway-proxy-key-file",
Env: "CODER_AI_GATEWAY_PROXY_KEY_FILE",
Value: &c.AI.BridgeProxyConfig.MITMKeyFile,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "key_file",
}
aiGatewayProxyDomainAllowlist := serpent.Option{
Name: "AI Gateway Proxy Domain Allowlist",
Description: "Deprecated: This value is now derived automatically from the configured AI Gateway providers' base URLs. Setting this value has no effect. This option will be removed in a future release.",
Flag: "ai-gateway-proxy-domain-allowlist",
Env: "CODER_AI_GATEWAY_PROXY_DOMAIN_ALLOWLIST",
Value: &c.AI.BridgeProxyConfig.DomainAllowlist,
Default: "",
Hidden: true,
Group: &deploymentGroupAIGatewayProxy,
YAML: "domain_allowlist",
}
aiGatewayProxyUpstreamProxy := serpent.Option{
Name: "AI Gateway Proxy Upstream Proxy",
Description: "URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests through. Format: http://[user:pass@]host:port or https://[user:pass@]host:port.",
Flag: "ai-gateway-proxy-upstream",
Env: "CODER_AI_GATEWAY_PROXY_UPSTREAM",
Value: &c.AI.BridgeProxyConfig.UpstreamProxy,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "upstream_proxy",
}
aiGatewayProxyUpstreamProxyCA := serpent.Option{
Name: "AI Gateway Proxy Upstream Proxy CA",
Description: "Path to a PEM-encoded CA certificate to trust for the upstream proxy's TLS connection. Only needed for HTTPS upstream proxies with certificates not trusted by the system. If not provided, the system certificate pool is used.",
Flag: "ai-gateway-proxy-upstream-ca",
Env: "CODER_AI_GATEWAY_PROXY_UPSTREAM_CA",
Value: &c.AI.BridgeProxyConfig.UpstreamProxyCA,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "upstream_proxy_ca",
}
aiGatewayProxyAllowedPrivateCIDRs := serpent.Option{
Name: "AI Gateway Proxy Allowed Private CIDRs",
Description: "Comma-separated list of CIDR ranges that are permitted even though they fall within blocked private/reserved IP ranges. By default all private ranges are blocked to prevent SSRF attacks. Use this to allow access to specific internal networks.",
Flag: "ai-gateway-proxy-allowed-private-cidrs",
Env: "CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS",
Value: &c.AI.BridgeProxyConfig.AllowedPrivateCIDRs,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "allowed_private_cidrs",
}
aiGatewayProxyAPIDumpDir := serpent.Option{
Name: "AI Gateway Proxy API Dump Directory",
Description: "Directory for dumping MITM request/response pairs to disk for debugging. When set, each proxied request produces .req.txt and .resp.txt files organized by provider. Sensitive headers are redacted. Leave empty to disable.",
Flag: "ai-gateway-proxy-dump-dir",
Env: "CODER_AI_GATEWAY_PROXY_DUMP_DIR",
Value: &c.AI.BridgeProxyConfig.APIDumpDir,
Default: "",
Group: &deploymentGroupAIGatewayProxy,
YAML: "api_dump_dir",
}
opts := serpent.OptionSet{
{
Name: "Access URL",
@@ -3677,122 +4048,155 @@ Write out the current server config as YAML to stdout.`,
Group: &deploymentGroupChat,
YAML: "debugLoggingEnabled",
},
// AI Bridge Options
// AI Bridge Options (deprecated in favor of AI Gateway options)
{
Name: "AI Bridge Enabled",
Description: "Whether to start an in-memory aibridged instance.",
Description: "Deprecated: use --ai-gateway-enabled or CODER_AI_GATEWAY_ENABLED instead. Whether to start an in-memory aibridged instance.",
Flag: "aibridge-enabled",
Env: "CODER_AIBRIDGE_ENABLED",
Value: &c.AI.BridgeConfig.Enabled,
Default: "false",
Group: &deploymentGroupAIBridge,
YAML: "enabled",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayEnabled},
},
aiGatewayEnabled,
{
Name: "AI Bridge OpenAI Base URL",
Description: "The base URL of the OpenAI API.",
Description: "Deprecated: use --ai-gateway-openai-base-url or CODER_AI_GATEWAY_OPENAI_BASE_URL instead. The base URL of the OpenAI API.",
Flag: "aibridge-openai-base-url",
Env: "CODER_AIBRIDGE_OPENAI_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyOpenAI.BaseURL,
Default: "https://api.openai.com/v1/",
Group: &deploymentGroupAIBridge,
YAML: "openai_base_url",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayOpenAIBaseURL},
},
aiGatewayOpenAIBaseURL,
{
Name: "AI Bridge OpenAI Key",
Description: "The key to authenticate against the OpenAI API.",
Description: "Deprecated: use --ai-gateway-openai-key or CODER_AI_GATEWAY_OPENAI_KEY instead. The key to authenticate against the OpenAI API.",
Flag: "aibridge-openai-key",
Env: "CODER_AIBRIDGE_OPENAI_KEY",
Value: &c.AI.BridgeConfig.LegacyOpenAI.Key,
Default: "",
Group: &deploymentGroupAIBridge,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayOpenAIKey},
},
aiGatewayOpenAIKey,
{
Name: "AI Bridge Anthropic Base URL",
Description: "The base URL of the Anthropic API.",
Description: "Deprecated: use --ai-gateway-anthropic-base-url or CODER_AI_GATEWAY_ANTHROPIC_BASE_URL instead. The base URL of the Anthropic API.",
Flag: "aibridge-anthropic-base-url",
Env: "CODER_AIBRIDGE_ANTHROPIC_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyAnthropic.BaseURL,
Default: "https://api.anthropic.com/",
Group: &deploymentGroupAIBridge,
YAML: "anthropic_base_url",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayAnthropicBaseURL},
},
aiGatewayAnthropicBaseURL,
{
Name: "AI Bridge Anthropic Key",
Description: "The key to authenticate against the Anthropic API.",
Description: "Deprecated: use --ai-gateway-anthropic-key or CODER_AI_GATEWAY_ANTHROPIC_KEY instead. The key to authenticate against the Anthropic API.",
Flag: "aibridge-anthropic-key",
Env: "CODER_AIBRIDGE_ANTHROPIC_KEY",
Value: &c.AI.BridgeConfig.LegacyAnthropic.Key,
Default: "",
Group: &deploymentGroupAIBridge,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayAnthropicKey},
},
aiGatewayAnthropicKey,
{
Name: "AI Bridge Bedrock Base URL",
Description: "The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence " +
Description: "Deprecated: use --ai-gateway-bedrock-base-url or CODER_AI_GATEWAY_BEDROCK_BASE_URL instead. The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence " +
"over CODER_AIBRIDGE_BEDROCK_REGION.",
Flag: "aibridge-bedrock-base-url",
Env: "CODER_AIBRIDGE_BEDROCK_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyBedrock.BaseURL,
Default: "",
Group: &deploymentGroupAIBridge,
YAML: "bedrock_base_url",
Flag: "aibridge-bedrock-base-url",
Env: "CODER_AIBRIDGE_BEDROCK_BASE_URL",
Value: &c.AI.BridgeConfig.LegacyBedrock.BaseURL,
Default: "",
Group: &deploymentGroupAIBridge,
YAML: "bedrock_base_url",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockBaseURL},
},
aiGatewayBedrockBaseURL,
{
Name: "AI Bridge Bedrock Region",
Description: "The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of " +
Description: "Deprecated: use --ai-gateway-bedrock-region or CODER_AI_GATEWAY_BEDROCK_REGION instead. The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of " +
"'https://bedrock-runtime.<region>.amazonaws.com'.",
Flag: "aibridge-bedrock-region",
Env: "CODER_AIBRIDGE_BEDROCK_REGION",
Value: &c.AI.BridgeConfig.LegacyBedrock.Region,
Default: "",
Group: &deploymentGroupAIBridge,
YAML: "bedrock_region",
Flag: "aibridge-bedrock-region",
Env: "CODER_AIBRIDGE_BEDROCK_REGION",
Value: &c.AI.BridgeConfig.LegacyBedrock.Region,
Default: "",
Group: &deploymentGroupAIBridge,
YAML: "bedrock_region",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockRegion},
},
aiGatewayBedrockRegion,
{
Name: "AI Bridge Bedrock Access Key",
Description: "The access key to authenticate against the AWS Bedrock API.",
Description: "Deprecated: use --ai-gateway-bedrock-access-key or CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY instead. The access key to authenticate against the AWS Bedrock API.",
Flag: "aibridge-bedrock-access-key",
Env: "CODER_AIBRIDGE_BEDROCK_ACCESS_KEY",
Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKey,
Default: "",
Group: &deploymentGroupAIBridge,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockAccessKey},
},
aiGatewayBedrockAccessKey,
{
Name: "AI Bridge Bedrock Access Key Secret",
Description: "The access key secret to use with the access key to authenticate against the AWS Bedrock API.",
Description: "Deprecated: use --ai-gateway-bedrock-access-key-secret or CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET instead. The access key secret to use with the access key to authenticate against the AWS Bedrock API.",
Flag: "aibridge-bedrock-access-key-secret",
Env: "CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET",
Value: &c.AI.BridgeConfig.LegacyBedrock.AccessKeySecret,
Default: "",
Group: &deploymentGroupAIBridge,
Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockAccessKeySecret},
},
aiGatewayBedrockAccessKeySecret,
{
Name: "AI Bridge Bedrock Model",
Description: "The model to use when making requests to the AWS Bedrock API.",
Description: "Deprecated: use --ai-gateway-bedrock-model or CODER_AI_GATEWAY_BEDROCK_MODEL instead. The model to use when making requests to the AWS Bedrock API.",
Flag: "aibridge-bedrock-model",
Env: "CODER_AIBRIDGE_BEDROCK_MODEL",
Value: &c.AI.BridgeConfig.LegacyBedrock.Model,
Default: "global.anthropic.claude-sonnet-4-5-20250929-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
Group: &deploymentGroupAIBridge,
YAML: "bedrock_model",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockModel},
},
aiGatewayBedrockModel,
{
Name: "AI Bridge Bedrock Small Fast Model",
Description: "The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.",
Description: "Deprecated: use --ai-gateway-bedrock-small-fastmodel or CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL instead. The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.",
Flag: "aibridge-bedrock-small-fastmodel",
Env: "CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL",
Value: &c.AI.BridgeConfig.LegacyBedrock.SmallFastModel,
Default: "global.anthropic.claude-haiku-4-5-20251001-v1:0", // See https://docs.claude.com/en/api/claude-on-amazon-bedrock#accessing-bedrock.
Group: &deploymentGroupAIBridge,
YAML: "bedrock_small_fast_model",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayBedrockSmallFastModel},
},
aiGatewayBedrockSmallFastModel,
{
Name: "AI Bridge Inject Coder MCP tools",
Description: "Deprecated: Injected MCP in AI Bridge is deprecated and will be removed in a future release. Whether to inject Coder's MCP tools into intercepted AI Bridge requests (requires the \"oauth2\" and \"mcp-server-http\" experiments to be enabled).",
Description: "Deprecated: Injected MCP in AI Gateway is deprecated and will be removed in a future release. This option is an alias for --ai-gateway-inject-coder-mcp-tools.",
Flag: "aibridge-inject-coder-mcp-tools",
Env: "CODER_AIBRIDGE_INJECT_CODER_MCP_TOOLS",
Value: &c.AI.BridgeConfig.InjectCoderMCPTools,
@@ -3800,10 +4204,12 @@ Write out the current server config as YAML to stdout.`,
Group: &deploymentGroupAIBridge,
YAML: "inject_coder_mcp_tools",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayInjectCoderMCPTools},
},
aiGatewayInjectCoderMCPTools,
{
Name: "AI Bridge Data Retention Duration",
Description: "Length of time to retain data such as interceptions and all related records (token, prompt, tool use).",
Description: "Deprecated: use --ai-gateway-retention or CODER_AI_GATEWAY_RETENTION instead. Length of time to retain data such as interceptions and all related records (token, prompt, tool use).",
Flag: "aibridge-retention",
Env: "CODER_AIBRIDGE_RETENTION",
Value: &c.AI.BridgeConfig.Retention,
@@ -3811,88 +4217,106 @@ Write out the current server config as YAML to stdout.`,
Group: &deploymentGroupAIBridge,
YAML: "retention",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayRetention},
},
aiGatewayRetention,
{
Name: "AI Bridge Max Concurrency",
Description: "Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable (unlimited).",
Description: "Deprecated: use --ai-gateway-max-concurrency or CODER_AI_GATEWAY_MAX_CONCURRENCY instead. Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable (unlimited).",
Flag: "aibridge-max-concurrency",
Env: "CODER_AIBRIDGE_MAX_CONCURRENCY",
Value: &c.AI.BridgeConfig.MaxConcurrency,
Default: "0",
Group: &deploymentGroupAIBridge,
YAML: "max_concurrency",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayMaxConcurrency},
},
aiGatewayMaxConcurrency,
{
Name: "AI Bridge Rate Limit",
Description: "Maximum number of AI Bridge requests per second per replica. Set to 0 to disable (unlimited).",
Description: "Deprecated: use --ai-gateway-rate-limit or CODER_AI_GATEWAY_RATE_LIMIT instead. Maximum number of AI Bridge requests per second per replica. Set to 0 to disable (unlimited).",
Flag: "aibridge-rate-limit",
Env: "CODER_AIBRIDGE_RATE_LIMIT",
Value: &c.AI.BridgeConfig.RateLimit,
Default: "0",
Group: &deploymentGroupAIBridge,
YAML: "rate_limit",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayRateLimit},
},
aiGatewayRateLimit,
{
Name: "AI Bridge Structured Logging",
Description: "Emit structured logs for AI Bridge interception records. Use this for exporting these records to external SIEM or observability systems.",
Description: "Deprecated: use --ai-gateway-structured-logging or CODER_AI_GATEWAY_STRUCTURED_LOGGING instead. Emit structured logs for AI Bridge interception records. Use this for exporting these records to external SIEM or observability systems.",
Flag: "aibridge-structured-logging",
Env: "CODER_AIBRIDGE_STRUCTURED_LOGGING",
Value: &c.AI.BridgeConfig.StructuredLogging,
Default: "false",
Group: &deploymentGroupAIBridge,
YAML: "structured_logging",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayStructuredLogging},
},
aiGatewayStructuredLogging,
{
Name: "AI Bridge Send Actor Headers",
Description: "Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Bridge. " +
Description: "Deprecated: use --ai-gateway-send-actor-headers or CODER_AI_GATEWAY_SEND_ACTOR_HEADERS instead. Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Bridge. " +
"This is only needed if you are using a proxy between AI Bridge and an upstream AI provider. " +
"This will send X-Ai-Bridge-Actor-Id (the ID of the user making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).",
Flag: "aibridge-send-actor-headers",
Env: "CODER_AIBRIDGE_SEND_ACTOR_HEADERS",
Value: &c.AI.BridgeConfig.SendActorHeaders,
Default: "false",
Group: &deploymentGroupAIBridge,
YAML: "send_actor_headers",
Flag: "aibridge-send-actor-headers",
Env: "CODER_AIBRIDGE_SEND_ACTOR_HEADERS",
Value: &c.AI.BridgeConfig.SendActorHeaders,
Default: "false",
Group: &deploymentGroupAIBridge,
YAML: "send_actor_headers",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewaySendActorHeaders},
},
aiGatewaySendActorHeaders,
{
Name: "AI Bridge Allow BYOK",
Description: "Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted.",
Description: "Deprecated: use --ai-gateway-allow-byok or CODER_AI_GATEWAY_ALLOW_BYOK instead. Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted.",
Flag: "aibridge-allow-byok",
Env: "CODER_AIBRIDGE_ALLOW_BYOK",
Value: &c.AI.BridgeConfig.AllowBYOK,
Default: "true",
Group: &deploymentGroupAIBridge,
YAML: "allow_byok",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayAllowBYOK},
},
aiGatewayAllowBYOK,
{
Name: "AI Bridge Circuit Breaker Enabled",
Description: "Enable the circuit breaker to protect against cascading failures from upstream AI provider overload (503, 529).",
Description: "Deprecated: use --ai-gateway-circuit-breaker-enabled or CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED instead. Enable the circuit breaker to protect against cascading failures from upstream AI provider overload (503, 529).",
Flag: "aibridge-circuit-breaker-enabled",
Env: "CODER_AIBRIDGE_CIRCUIT_BREAKER_ENABLED",
Value: &c.AI.BridgeConfig.CircuitBreakerEnabled,
Default: "false",
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_enabled",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayCircuitBreakerEnabled},
},
aiGatewayCircuitBreakerEnabled,
{
Name: "AI Bridge Circuit Breaker Failure Threshold",
Description: "Number of consecutive failures that triggers the circuit breaker to open.",
Description: "Deprecated: use --ai-gateway-circuit-breaker-failure-threshold or CODER_AI_GATEWAY_CIRCUIT_BREAKER_FAILURE_THRESHOLD instead. Number of consecutive failures that triggers the circuit breaker to open.",
Flag: "aibridge-circuit-breaker-failure-threshold",
Env: "CODER_AIBRIDGE_CIRCUIT_BREAKER_FAILURE_THRESHOLD",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerFailureThreshold, func(value *serpent.Int64) error {
if value.Value() <= 0 || value.Value() > 100 {
return xerrors.New("must be between 1 and 100")
}
return nil
}),
Default: "5",
Hidden: true,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_failure_threshold",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerFailureThreshold, validateCircuitBreakerPercent),
Default: "5",
Hidden: true,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_failure_threshold",
UseInstead: serpent.OptionSet{aiGatewayCircuitBreakerFailureThreshold},
},
aiGatewayCircuitBreakerFailureThreshold,
{
Name: "AI Bridge Circuit Breaker Interval",
Description: "Cyclic period of the closed state for clearing internal failure counts.",
Description: "Deprecated: use --ai-gateway-circuit-breaker-interval or CODER_AI_GATEWAY_CIRCUIT_BREAKER_INTERVAL instead. Cyclic period of the closed state for clearing internal failure counts.",
Flag: "aibridge-circuit-breaker-interval",
Env: "CODER_AIBRIDGE_CIRCUIT_BREAKER_INTERVAL",
Value: &c.AI.BridgeConfig.CircuitBreakerInterval,
@@ -3901,10 +4325,12 @@ Write out the current server config as YAML to stdout.`,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_interval",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
UseInstead: serpent.OptionSet{aiGatewayCircuitBreakerInterval},
},
aiGatewayCircuitBreakerInterval,
{
Name: "AI Bridge Circuit Breaker Timeout",
Description: "How long the circuit breaker stays open before transitioning to half-open state.",
Description: "Deprecated: use --ai-gateway-circuit-breaker-timeout or CODER_AI_GATEWAY_CIRCUIT_BREAKER_TIMEOUT instead. How long the circuit breaker stays open before transitioning to half-open state.",
Flag: "aibridge-circuit-breaker-timeout",
Env: "CODER_AIBRIDGE_CIRCUIT_BREAKER_TIMEOUT",
Value: &c.AI.BridgeConfig.CircuitBreakerTimeout,
@@ -3913,24 +4339,22 @@ Write out the current server config as YAML to stdout.`,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_timeout",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
UseInstead: serpent.OptionSet{aiGatewayCircuitBreakerTimeout},
},
aiGatewayCircuitBreakerTimeout,
{
Name: "AI Bridge Circuit Breaker Max Requests",
Description: "Maximum number of requests allowed in half-open state before deciding to close or re-open the circuit.",
Description: "Deprecated: use --ai-gateway-circuit-breaker-max-requests or CODER_AI_GATEWAY_CIRCUIT_BREAKER_MAX_REQUESTS instead. Maximum number of requests allowed in half-open state before deciding to close or re-open the circuit.",
Flag: "aibridge-circuit-breaker-max-requests",
Env: "CODER_AIBRIDGE_CIRCUIT_BREAKER_MAX_REQUESTS",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerMaxRequests, func(value *serpent.Int64) error {
if value.Value() <= 0 || value.Value() > 100 {
return xerrors.New("must be between 1 and 100")
}
return nil
}),
Default: "3",
Hidden: true,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_max_requests",
Value: serpent.Validate(&c.AI.BridgeConfig.CircuitBreakerMaxRequests, validateCircuitBreakerPercent),
Default: "3",
Hidden: true,
Group: &deploymentGroupAIBridge,
YAML: "circuit_breaker_max_requests",
UseInstead: serpent.OptionSet{aiGatewayCircuitBreakerMaxRequests},
},
aiGatewayCircuitBreakerMaxRequests,
{
Name: "AI Budget Policy",
Description: "Determines the effective group when a user belongs to multiple groups with AI budgets. \"highest\" selects the group with the largest spend limit, and is currently the only supported value.",
@@ -3938,7 +4362,7 @@ Write out the current server config as YAML to stdout.`,
Env: "CODER_AI_BUDGET_POLICY",
Value: serpent.EnumOf(&c.AI.BridgeConfig.BudgetPolicy, AIBudgetPolicies...),
Default: string(AIBudgetPolicyHighest),
Group: &deploymentGroupAIBridge,
Group: &deploymentGroupAIGateway,
YAML: "budget_policy",
},
{
@@ -3948,71 +4372,89 @@ Write out the current server config as YAML to stdout.`,
Env: "CODER_AI_BUDGET_PERIOD",
Value: serpent.EnumOf(&c.AI.BridgeConfig.BudgetPeriod, AIBudgetPeriods...),
Default: string(AIBudgetPeriodMonth),
Group: &deploymentGroupAIBridge,
Group: &deploymentGroupAIGateway,
YAML: "budget_period",
},
// AI Bridge Proxy Options
// AI Gateway Proxy Options
{
Name: "AI Bridge Proxy Enabled",
Description: "Enable the AI Bridge MITM Proxy for intercepting and decrypting AI provider requests.",
Description: "Deprecated: use --ai-gateway-proxy-enabled or CODER_AI_GATEWAY_PROXY_ENABLED instead. Enable the AI Bridge MITM Proxy for intercepting and decrypting AI provider requests.",
Flag: "aibridge-proxy-enabled",
Env: "CODER_AIBRIDGE_PROXY_ENABLED",
Value: &c.AI.BridgeProxyConfig.Enabled,
Default: "false",
Group: &deploymentGroupAIBridgeProxy,
YAML: "enabled",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyEnabled},
},
aiGatewayProxyEnabled,
{
Name: "AI Bridge Proxy Listen Address",
Description: "The address the AI Bridge Proxy will listen on.",
Description: "Deprecated: use --ai-gateway-proxy-listen-addr or CODER_AI_GATEWAY_PROXY_LISTEN_ADDR instead. The address the AI Bridge Proxy will listen on.",
Flag: "aibridge-proxy-listen-addr",
Env: "CODER_AIBRIDGE_PROXY_LISTEN_ADDR",
Value: &c.AI.BridgeProxyConfig.ListenAddr,
Default: ":8888",
Group: &deploymentGroupAIBridgeProxy,
YAML: "listen_addr",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyListenAddr},
},
aiGatewayProxyListenAddr,
{
Name: "AI Bridge Proxy TLS Certificate File",
Description: "Path to the TLS certificate file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Key File.",
Description: "Deprecated: use --ai-gateway-proxy-tls-cert-file or CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE instead. Path to the TLS certificate file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Key File.",
Flag: "aibridge-proxy-tls-cert-file",
Env: "CODER_AIBRIDGE_PROXY_TLS_CERT_FILE",
Value: &c.AI.BridgeProxyConfig.TLSCertFile,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "tls_cert_file",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyTLSCertFile},
},
aiGatewayProxyTLSCertFile,
{
Name: "AI Bridge Proxy TLS Key File",
Description: "Path to the TLS private key file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Certificate File.",
Description: "Deprecated: use --ai-gateway-proxy-tls-key-file or CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE instead. Path to the TLS private key file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Certificate File.",
Flag: "aibridge-proxy-tls-key-file",
Env: "CODER_AIBRIDGE_PROXY_TLS_KEY_FILE",
Value: &c.AI.BridgeProxyConfig.TLSKeyFile,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "tls_key_file",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyTLSKeyFile},
},
aiGatewayProxyTLSKeyFile,
{
Name: "AI Bridge Proxy MITM CA Certificate File",
Description: "Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI clients. This CA must be trusted by AI clients for the proxy to decrypt their requests.",
Description: "Deprecated: use --ai-gateway-proxy-cert-file or CODER_AI_GATEWAY_PROXY_CERT_FILE instead. Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI clients. This CA must be trusted by AI clients for the proxy to decrypt their requests.",
Flag: "aibridge-proxy-cert-file",
Env: "CODER_AIBRIDGE_PROXY_CERT_FILE",
Value: &c.AI.BridgeProxyConfig.MITMCertFile,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "cert_file",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyMITMCertFile},
},
aiGatewayProxyMITMCertFile,
{
Name: "AI Bridge Proxy MITM CA Key File",
Description: "Path to the CA private key file used to intercept (MITM) HTTPS traffic from AI clients.",
Description: "Deprecated: use --ai-gateway-proxy-key-file or CODER_AI_GATEWAY_PROXY_KEY_FILE instead. Path to the CA private key file used to intercept (MITM) HTTPS traffic from AI clients.",
Flag: "aibridge-proxy-key-file",
Env: "CODER_AIBRIDGE_PROXY_KEY_FILE",
Value: &c.AI.BridgeProxyConfig.MITMKeyFile,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "key_file",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyMITMKeyFile},
},
aiGatewayProxyMITMKeyFile,
{
Name: "AI Bridge Proxy Domain Allowlist",
Description: "Deprecated: This value is now derived automatically from the configured AI providers' base URLs. Setting this value has no effect. This option will be removed in a future release.",
@@ -4023,47 +4465,61 @@ Write out the current server config as YAML to stdout.`,
Hidden: true,
Group: &deploymentGroupAIBridgeProxy,
YAML: "domain_allowlist",
UseInstead: serpent.OptionSet{aiGatewayProxyDomainAllowlist},
},
aiGatewayProxyDomainAllowlist,
{
Name: "AI Bridge Proxy Upstream Proxy",
Description: "URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests through. Format: http://[user:pass@]host:port or https://[user:pass@]host:port.",
Description: "Deprecated: use --ai-gateway-proxy-upstream or CODER_AI_GATEWAY_PROXY_UPSTREAM instead. URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests through. Format: http://[user:pass@]host:port or https://[user:pass@]host:port.",
Flag: "aibridge-proxy-upstream",
Env: "CODER_AIBRIDGE_PROXY_UPSTREAM",
Value: &c.AI.BridgeProxyConfig.UpstreamProxy,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "upstream_proxy",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyUpstreamProxy},
},
aiGatewayProxyUpstreamProxy,
{
Name: "AI Bridge Proxy Upstream Proxy CA",
Description: "Path to a PEM-encoded CA certificate to trust for the upstream proxy's TLS connection. Only needed for HTTPS upstream proxies with certificates not trusted by the system. If not provided, the system certificate pool is used.",
Description: "Deprecated: use --ai-gateway-proxy-upstream-ca or CODER_AI_GATEWAY_PROXY_UPSTREAM_CA instead. Path to a PEM-encoded CA certificate to trust for the upstream proxy's TLS connection. Only needed for HTTPS upstream proxies with certificates not trusted by the system. If not provided, the system certificate pool is used.",
Flag: "aibridge-proxy-upstream-ca",
Env: "CODER_AIBRIDGE_PROXY_UPSTREAM_CA",
Value: &c.AI.BridgeProxyConfig.UpstreamProxyCA,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "upstream_proxy_ca",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyUpstreamProxyCA},
},
aiGatewayProxyUpstreamProxyCA,
{
Name: "AI Bridge Proxy Allowed Private CIDRs",
Description: "Comma-separated list of CIDR ranges that are permitted even though they fall within blocked private/reserved IP ranges. By default all private ranges are blocked to prevent SSRF attacks. Use this to allow access to specific internal networks.",
Description: "Deprecated: use --ai-gateway-proxy-allowed-private-cidrs or CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS instead. Comma-separated list of CIDR ranges that are permitted even though they fall within blocked private/reserved IP ranges. By default all private ranges are blocked to prevent SSRF attacks. Use this to allow access to specific internal networks.",
Flag: "aibridge-proxy-allowed-private-cidrs",
Env: "CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS",
Value: &c.AI.BridgeProxyConfig.AllowedPrivateCIDRs,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "allowed_private_cidrs",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyAllowedPrivateCIDRs},
},
aiGatewayProxyAllowedPrivateCIDRs,
{
Name: "AI Bridge Proxy API Dump Directory",
Description: "Directory for dumping MITM request/response pairs to disk for debugging. When set, each proxied request produces .req.txt and .resp.txt files organized by provider. Sensitive headers are redacted. Leave empty to disable.",
Description: "Deprecated: use --ai-gateway-proxy-dump-dir or CODER_AI_GATEWAY_PROXY_DUMP_DIR instead. Directory for dumping MITM request/response pairs to disk for debugging. When set, each proxied request produces .req.txt and .resp.txt files organized by provider. Sensitive headers are redacted. Leave empty to disable.",
Flag: "aibridge-proxy-dump-dir",
Env: "CODER_AIBRIDGE_PROXY_DUMP_DIR",
Value: &c.AI.BridgeProxyConfig.APIDumpDir,
Default: "",
Group: &deploymentGroupAIBridgeProxy,
YAML: "api_dump_dir",
Hidden: true,
UseInstead: serpent.OptionSet{aiGatewayProxyAPIDumpDir},
},
aiGatewayProxyAPIDumpDir,
// Retention settings
{
@@ -4149,13 +4605,13 @@ Write out the current server config as YAML to stdout.`,
type AIBridgeConfig struct {
Enabled serpent.Bool `json:"enabled" typescript:",notnull"`
// Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
// Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
LegacyOpenAI AIBridgeOpenAIConfig `json:"openai" typescript:",notnull"`
// Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
// Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
LegacyAnthropic AIBridgeAnthropicConfig `json:"anthropic" typescript:",notnull"`
// Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
// Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
LegacyBedrock AIBridgeBedrockConfig `json:"bedrock" typescript:",notnull"`
// Providers holds provider instances populated from CODER_AIBRIDGE_PROVIDER_<N>_<KEY>
// Providers holds provider instances populated from CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>
// env vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.
Providers []AIProviderConfig `json:"providers,omitempty"`
// Deprecated: Injected MCP in AI Bridge is deprecated and will be removed in a future release.
@@ -4198,7 +4654,8 @@ type AIBridgeBedrockConfig struct {
}
// AIProviderConfig represents a single AI provider instance,
// parsed from CODER_AIBRIDGE_PROVIDER_<N>_<KEY> environment variables.
// parsed from CODER_AI_GATEWAY_PROVIDER_<N>_<KEY> environment variables.
// CODER_AIBRIDGE_PROVIDER_<N>_<KEY> is also accepted as a deprecated alias.
// This follows the same indexed pattern as ExternalAuthConfig.
type AIProviderConfig struct {
// Type is the provider type: "openai", "anthropic", or "copilot".
codersdk/deployment_test.go
+152 -4
View File
@@ -87,16 +87,16 @@ func TestDeploymentValues_HighlyConfigurable(t *testing.T) {
},
// We don't want these to be configurable via YAML because they are secrets.
// However, we do want to allow them to be shown in documentation.
"AI Bridge OpenAI Key": {
"AI Gateway OpenAI Key": {
yaml: true,
},
"AI Bridge Anthropic Key": {
"AI Gateway Anthropic Key": {
yaml: true,
},
"AI Bridge Bedrock Access Key": {
"AI Gateway Bedrock Access Key": {
yaml: true,
},
"AI Bridge Bedrock Access Key Secret": {
"AI Gateway Bedrock Access Key Secret": {
yaml: true,
},
}
@@ -307,6 +307,154 @@ func must[T any](value T, err error) T {
return value
}
func TestAIGatewayCompatibilityAliases(t *testing.T) {
t.Parallel()
options := (&codersdk.DeploymentValues{}).Options()
byFlag := map[string]serpent.Option{}
for _, opt := range options {
if opt.Flag != "" {
byFlag[opt.Flag] = opt
}
}
type alias struct {
old serpent.Option
new serpent.Option
}
var aliases []alias
for _, opt := range options {
if !strings.HasPrefix(opt.Flag, "aibridge-") {
continue
}
require.True(t, strings.HasPrefix(opt.Description, "Deprecated:"), "aibridge option %s should have a 'Deprecated:' description", opt.Flag)
require.Len(t, opt.UseInstead, 1, "aibridge option %s should point to a single replacement", opt.Flag)
newOpt, ok := byFlag[opt.UseInstead[0].Flag]
require.True(t, ok, "aibridge option %s points to unknown flag %s", opt.Flag, opt.UseInstead[0].Flag)
require.NotEqual(t, opt.Flag, newOpt.Flag, "flag %s shares its flag with the new alias option", opt.Flag)
require.NotEqual(t, opt.Env, newOpt.Env, "flag %s shares its env with the new alias option", opt.Flag)
if oldYAML := opt.YAMLPath(); oldYAML != "" {
require.NotEqual(t, oldYAML, newOpt.YAMLPath(), "flag %s shares its YAML path with the new alias option", opt.Flag)
} else {
require.Empty(t, newOpt.YAMLPath(), "flag %s has no YAML path but the new alias option %s does", opt.Flag, newOpt.Flag)
}
aliases = append(aliases, alias{old: opt, new: newOpt})
}
// Update this count when adding or removing aibridge alias options.
require.Len(t, aliases, 34, "unexpected number of aibridge alias options")
sampleVal := func(opt serpent.Option) any {
switch opt.Value.Type() {
case "bool":
return opt.Default != "true"
case "int":
return 7
case "duration":
return "2h"
case "string-array":
return []string{"10.0.0.0/8", "172.16.0.0/12"}
default:
return "alias-value"
}
}
sampleArg := func(opt serpent.Option) string {
v := sampleVal(opt)
if arr, ok := v.([]string); ok {
return strings.Join(arr, ",")
}
return fmt.Sprint(v)
}
aiConfFromOpts := func(t *testing.T, apply func(opts serpent.OptionSet) error) codersdk.AIConfig {
t.Helper()
dv := &codersdk.DeploymentValues{}
opts := dv.Options()
require.NoError(t, opts.SetDefaults())
require.NoError(t, apply(opts))
return dv.AI
}
t.Run("FlagParity", func(t *testing.T) {
t.Parallel()
var oldArgs, newArgs []string
for _, a := range aliases {
value := sampleArg(a.old)
oldArgs = append(oldArgs, "--"+a.old.Flag, value)
newArgs = append(newArgs, "--"+a.new.Flag, value)
}
oldAI := aiConfFromOpts(t, func(opts serpent.OptionSet) error {
return opts.FlagSet().Parse(oldArgs)
})
newAI := aiConfFromOpts(t, func(opts serpent.OptionSet) error {
return opts.FlagSet().Parse(newArgs)
})
require.Equal(t, newAI, oldAI)
})
t.Run("EnvParity", func(t *testing.T) {
t.Parallel()
var oldEnv, newEnv []serpent.EnvVar
for _, a := range aliases {
value := sampleArg(a.old)
oldEnv = append(oldEnv, serpent.EnvVar{Name: a.old.Env, Value: value})
newEnv = append(newEnv, serpent.EnvVar{Name: a.new.Env, Value: value})
}
oldAI := aiConfFromOpts(t, func(opts serpent.OptionSet) error {
return opts.ParseEnv(oldEnv)
})
newAI := aiConfFromOpts(t, func(opts serpent.OptionSet) error {
return opts.ParseEnv(newEnv)
})
require.Equal(t, newAI, oldAI)
})
t.Run("YAMLParity", func(t *testing.T) {
t.Parallel()
setPath := func(doc map[string]any, path string, value any) {
parts := strings.Split(path, ".")
for _, field := range parts[:len(parts)-1] {
next, ok := doc[field].(map[string]any)
if !ok {
next = map[string]any{}
doc[field] = next
}
doc = next
}
doc[parts[len(parts)-1]] = value
}
oldYAML := map[string]any{}
newYAML := map[string]any{}
for _, a := range aliases {
oldPath := a.old.YAMLPath()
newPath := a.new.YAMLPath()
if oldPath == "" {
require.Empty(t, newPath)
continue
}
require.NotEmpty(t, newPath, "new flag %s has no YAML path", a.old.Flag)
value := sampleVal(a.old)
setPath(oldYAML, oldPath, value)
setPath(newYAML, newPath, value)
}
parse := func(doc map[string]any) codersdk.AIConfig {
var node yaml.Node
require.NoError(t, node.Encode(doc))
return aiConfFromOpts(t, func(opts serpent.OptionSet) error {
return opts.UnmarshalYAML(&node)
})
}
require.Equal(t, parse(newYAML), parse(oldYAML))
})
}
func TestDeploymentValues_Validate_RefreshLifetime(t *testing.T) {
t.Parallel()
docs/admin/setup/data-retention.md
+6 -6
View File
@@ -33,7 +33,7 @@ a YAML configuration file.
| Connection Logs | `--connection-logs-retention` | `CODER_CONNECTION_LOGS_RETENTION` | `0` (disabled) | How long to retain Connection Logs |
| API Keys | `--api-keys-retention` | `CODER_API_KEYS_RETENTION` | `7d` | How long to retain expired API keys |
| Workspace Agent Logs | `--workspace-agent-logs-retention` | `CODER_WORKSPACE_AGENT_LOGS_RETENTION` | `7d` | How long to retain workspace agent logs |
| AI Gateway | `--aibridge-retention` | `CODER_AIBRIDGE_RETENTION` | `60d` | How long to retain AI Gateway records |
| AI Gateway | `--ai-gateway-retention` | `CODER_AI_GATEWAY_RETENTION` | `60d` | How long to retain AI Gateway records |
> [!NOTE]
> AI Gateway retention is configured separately from other retention settings.
@@ -59,7 +59,7 @@ coder server \
--connection-logs-retention=90d \
--api-keys-retention=7d \
--workspace-agent-logs-retention=7d \
--aibridge-retention=60d
--ai-gateway-retention=60d
```
### Environment Variables Example
@@ -69,7 +69,7 @@ export CODER_AUDIT_LOGS_RETENTION=365d
export CODER_CONNECTION_LOGS_RETENTION=90d
export CODER_API_KEYS_RETENTION=7d
export CODER_WORKSPACE_AGENT_LOGS_RETENTION=7d
export CODER_AIBRIDGE_RETENTION=60d
export CODER_AI_GATEWAY_RETENTION=60d
```
### YAML Configuration Example
@@ -81,7 +81,7 @@ retention:
api_keys: 7d
workspace_agent_logs: 7d
aibridge:
ai_gateway:
retention: 60d
```
@@ -152,7 +152,7 @@ retention:
api_keys: 7d
workspace_agent_logs: 7d
aibridge:
ai_gateway:
retention: 60d
```
@@ -198,7 +198,7 @@ retention:
api_keys: 0s # Keep expired API keys forever
workspace_agent_logs: 0s # Keep workspace agent logs forever
aibridge:
ai_gateway:
retention: 0s # Keep AI Gateway records forever
```
docs/ai-coder/agents/models.md
+1 -1
View File
@@ -70,7 +70,7 @@ custom endpoints or VPC endpoints.
> [!NOTE]
> Agents Bedrock provider configuration is separate from AI Gateway Bedrock
> flags (`CODER_AIBRIDGE_BEDROCK_*`). AI Gateway and Agents use independent
> flags (`CODER_AI_GATEWAY_BEDROCK_*`). AI Gateway and Agents use independent
> credential paths.
## Provider credentials and security
docs/ai-coder/ai-gateway/ai-gateway-proxy/setup.md
+28 -28
View File
@@ -15,17 +15,17 @@ Once enabled, `coderd` runs the `aibridgeproxyd` in-memory and intercepts traffi
AI Gateway Proxy is disabled by default. To enable it, set the following configuration options:
```shell
CODER_AIBRIDGE_ENABLED=true \
CODER_AIBRIDGE_PROXY_ENABLED=true \
CODER_AIBRIDGE_PROXY_CERT_FILE=/path/to/ca.crt \
CODER_AIBRIDGE_PROXY_KEY_FILE=/path/to/ca.key \
CODER_AI_GATEWAY_ENABLED=true \
CODER_AI_GATEWAY_PROXY_ENABLED=true \
CODER_AI_GATEWAY_PROXY_CERT_FILE=/path/to/ca.crt \
CODER_AI_GATEWAY_PROXY_KEY_FILE=/path/to/ca.key \
coder server
# or via CLI flags:
coder server \
--aibridge-enabled=true \
--aibridge-proxy-enabled=true \
--aibridge-proxy-cert-file=/path/to/ca.crt \
--aibridge-proxy-key-file=/path/to/ca.key
--ai-gateway-enabled=true \
--ai-gateway-proxy-enabled=true \
--ai-gateway-proxy-cert-file=/path/to/ca.crt \
--ai-gateway-proxy-key-file=/path/to/ca.key
```
Both the certificate and private key are required for AI Gateway Proxy to start.
@@ -35,11 +35,11 @@ By default, the proxy listener accepts plain HTTP connections.
To serve the listener over HTTPS, provide a TLS certificate and key:
```shell
CODER_AIBRIDGE_PROXY_TLS_CERT_FILE=/path/to/listener.crt
CODER_AIBRIDGE_PROXY_TLS_KEY_FILE=/path/to/listener.key
CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE=/path/to/listener.crt
CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE=/path/to/listener.key
# or via CLI flags:
--aibridge-proxy-tls-cert-file=/path/to/listener.crt
--aibridge-proxy-tls-key-file=/path/to/listener.key
--ai-gateway-proxy-tls-cert-file=/path/to/listener.crt
--ai-gateway-proxy-tls-key-file=/path/to/listener.key
```
Both files must be provided together.
@@ -85,12 +85,12 @@ The IP validation and TCP connect happen atomically, preventing DNS rebinding at
To prevent unauthorized use, restrict network access to the proxy so that only authorized clients can connect.
In case the Coder access URL resolves to a private address, it is automatically exempt from this restriction so the proxy can always reach its own deployment.
If you need to allow access to additional internal networks via the proxy, use the Allowlist CIDRs option ([`CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS`](../../../reference/cli/server.md#--aibridge-proxy-allowed-private-cidrs)):
If you need to allow access to additional internal networks via the proxy, use the Allowlist CIDRs option ([`CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS`](../../../reference/cli/server.md#--ai-gateway-proxy-allowed-private-cidrs)):
```shell
CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS=10.0.0.0/8,172.16.0.0/12
CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS=10.0.0.0/8,172.16.0.0/12
# or via CLI flag:
--aibridge-proxy-allowed-private-cidrs=10.0.0.0/8,172.16.0.0/12
--ai-gateway-proxy-allowed-private-cidrs=10.0.0.0/8,172.16.0.0/12
```
## CA Certificate
@@ -124,8 +124,8 @@ openssl req -new -x509 -days 3650 \
Configure AI Gateway Proxy with both files:
```shell
CODER_AIBRIDGE_PROXY_CERT_FILE=/path/to/ca.crt
CODER_AIBRIDGE_PROXY_KEY_FILE=/path/to/ca.key
CODER_AI_GATEWAY_PROXY_CERT_FILE=/path/to/ca.crt
CODER_AI_GATEWAY_PROXY_KEY_FILE=/path/to/ca.key
```
### Corporate CA certificate
@@ -136,8 +136,8 @@ This simplifies deployment since AI tools that already trust your organization's
Your organization's CA issues a certificate and private key pair for the proxy. Configure the proxy with both files:
```shell
CODER_AIBRIDGE_PROXY_CERT_FILE=/path/to/intermediate-ca.crt
CODER_AIBRIDGE_PROXY_KEY_FILE=/path/to/intermediate-ca.key
CODER_AI_GATEWAY_PROXY_CERT_FILE=/path/to/intermediate-ca.crt
CODER_AI_GATEWAY_PROXY_KEY_FILE=/path/to/intermediate-ca.key
```
### Securing the private key
@@ -182,11 +182,11 @@ The AI Gateway Proxy enforces a minimum TLS version of 1.2.
In addition to the required proxy configuration, set the following to enable TLS on the proxy:
```shell
CODER_AIBRIDGE_PROXY_TLS_CERT_FILE=/path/to/listener.crt
CODER_AIBRIDGE_PROXY_TLS_KEY_FILE=/path/to/listener.key
CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE=/path/to/listener.crt
CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE=/path/to/listener.key
# or via CLI flags:
--aibridge-proxy-tls-cert-file=/path/to/listener.crt
--aibridge-proxy-tls-key-file=/path/to/listener.key
--ai-gateway-proxy-tls-cert-file=/path/to/listener.crt
--ai-gateway-proxy-tls-key-file=/path/to/listener.key
```
Both files must be provided together. If only one is set, the proxy will fail to start.
@@ -243,7 +243,7 @@ If your organization requires all outbound traffic to pass through a corporate p
### How it works
Tunneled requests (non-allowlisted domains) are forwarded to the upstream proxy configured via [`CODER_AIBRIDGE_PROXY_UPSTREAM`](../../../reference/cli/server.md#--aibridge-proxy-upstream).
Tunneled requests (non-allowlisted domains) are forwarded to the upstream proxy configured via [`CODER_AI_GATEWAY_PROXY_UPSTREAM`](../../../reference/cli/server.md#--ai-gateway-proxy-upstream).
MITM'd requests (AI provider domains) are forwarded to AI Gateway, which then communicates with AI providers.
To ensure AI Gateway also routes requests through the upstream proxy, make sure to configure the proxy settings for the Coder server process.
@@ -260,17 +260,17 @@ To ensure AI Gateway also routes requests through the upstream proxy, make sure
Configure the upstream proxy URL:
```shell
CODER_AIBRIDGE_PROXY_UPSTREAM=http://<corporate-proxy-url>:8080
CODER_AI_GATEWAY_PROXY_UPSTREAM=http://<corporate-proxy-url>:8080
```
For HTTPS upstream proxies, if the upstream proxy uses a certificate not trusted by the system, provide the CA certificate:
```shell
CODER_AIBRIDGE_PROXY_UPSTREAM=https://<corporate-proxy-url>:8080
CODER_AIBRIDGE_PROXY_UPSTREAM_CA=/path/to/corporate-ca.crt
CODER_AI_GATEWAY_PROXY_UPSTREAM=https://<corporate-proxy-url>:8080
CODER_AI_GATEWAY_PROXY_UPSTREAM_CA=/path/to/corporate-ca.crt
```
If the system already trusts the upstream proxy's CA certificate, [`CODER_AIBRIDGE_PROXY_UPSTREAM_CA`](../../../reference/cli/server.md#--aibridge-proxy-upstream-ca) is not required.
If the system already trusts the upstream proxy's CA certificate, [`CODER_AI_GATEWAY_PROXY_UPSTREAM_CA`](../../../reference/cli/server.md#--ai-gateway-proxy-upstream-ca) is not required.
<!-- TODO(ssncferreira): Add Client Configuration section -->
docs/ai-coder/ai-gateway/auth.md
+2 -2
View File
@@ -97,10 +97,10 @@ Visit individual [client pages](./clients/index.md) for configuration details.
### Enable or disable BYOK
BYOK is enabled by default.
Administrators can disable it using `--aibridge-allow-byok=false` or `CODER_AIBRIDGE_ALLOW_BYOK=false`:
Administrators can disable it using `--ai-gateway-allow-byok=false` or `CODER_AI_GATEWAY_ALLOW_BYOK=false`:
```sh
coder server --aibridge-allow-byok=false
coder server --ai-gateway-allow-byok=false
```
When disabled, BYOK requests are rejected with a `403 Forbidden` response and only centralized key authentication is permitted.
docs/ai-coder/ai-gateway/clients/coder-agents.md
+2 -2
View File
@@ -70,10 +70,10 @@ credentials.
AI Gateway accepts Coder-issued tokens for client authentication and also
supports [Bring Your Own Key
(BYOK)](../clients/index.md#bring-your-own-key-byok) for other clients.
(BYOK)](../auth.md#bring-your-own-key-byok) for other clients.
Coder Agents only uses the centralized key mode today. The upstream
provider keys you configured for AI Gateway (for example,
`CODER_AIBRIDGE_OPENAI_KEY`) are used by AI Gateway internally to call the
`CODER_AI_GATEWAY_OPENAI_KEY`) are used by AI Gateway internally to call the
upstream provider; they are not what Coder Agents sends.
Coder Agents stores the **API Key** field on each provider as the bearer
docs/ai-coder/ai-gateway/clients/index.md
+1 -1
View File
@@ -20,7 +20,7 @@ There are two ways to connect AI tools to AI Gateway:
Most AI coding tools allow the "base URL" to be customized. In other words, when a request is made to OpenAI's API from your coding tool, the API endpoint such as [`/v1/chat/completions`](https://platform.openai.com/docs/api-reference/chat) will be appended to the configured base. Therefore, instead of the default base URL of `https://api.openai.com/v1`, you'll need to set it to `https://coder.example.com/api/v2/aibridge/openai/v1`.
The exact configuration method varies by client some use environment variables, others use configuration files or UI settings:
The exact configuration method varies by client, some use environment variables, others use configuration files or UI settings:
- **OpenAI-compatible clients**: Set the base URL (commonly via the `OPENAI_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/openai/v1`
- **Anthropic-compatible clients**: Set the base URL (commonly via the `ANTHROPIC_BASE_URL` environment variable) to `https://coder.example.com/api/v2/aibridge/anthropic`
docs/ai-coder/ai-gateway/mcp.md
+2 -2
View File
@@ -68,12 +68,12 @@ If a model decides to invoke a tool and it has a `bmcp_` suffix and AI Gateway h
In contrast, tools which are defined by the client (i.e. the [`Bash` tool](https://docs.claude.com/en/docs/claude-code/settings#tools-available-to-claude) defined by _Claude Code_) cannot be invoked by AI Gateway, and the tool call from the model will be relayed to the client, after which it will invoke the tool.
If you have [Coder MCP Server](../mcp-server.md) enabled, as well as have `CODER_AIBRIDGE_INJECT_CODER_MCP_TOOLS=true` set, Coder's MCP tools will be injected into intercepted requests.
If you have [Coder MCP Server](../mcp-server.md) enabled, as well as have `CODER_AI_GATEWAY_INJECT_CODER_MCP_TOOLS=true` set, Coder's MCP tools will be injected into intercepted requests.
### Troubleshooting
- **Too many tools**: should you receive an error like `Invalid 'tools': array too long. Expected an array with maximum length 128, but got an array with length 132 instead`, you can reduce the number by filtering out tools using the allow/deny patterns documented in the [MCP](#mcp) section.
- **Coder MCP tools not being injected**: in order for Coder MCP tools to be injected, the internal MCP server needs to be active. Follow the instructions in the [MCP Server](../mcp-server.md) page to enable it and ensure `CODER_AIBRIDGE_INJECT_CODER_MCP_TOOLS` is set to `true`.
- **Coder MCP tools not being injected**: in order for Coder MCP tools to be injected, the internal MCP server needs to be active. Follow the instructions in the [MCP Server](../mcp-server.md) page to enable it and ensure `CODER_AI_GATEWAY_INJECT_CODER_MCP_TOOLS` is set to `true`.
- **External Auth tools not being injected**: this is generally due to the requesting user not being authenticated against the [External Auth](../../admin/external-auth/index.md) app; when this is the case, no attempt is made to connect to the MCP server.
docs/ai-coder/ai-gateway/setup.md
+68 -62
View File
@@ -8,15 +8,20 @@ AI Gateway runs inside the Coder control plane (`coderd`), requiring no separate
1. Feature must be [enabled](#activation) using the server flag
1. One or more [providers](#configure-providers) API key(s) must be configured
> [!NOTE]
> AI Gateway environment variables and CLI flags have migrated to the new
> `CODER_AI_GATEWAY_*` and `--ai-gateway-*` naming scheme. The earlier
> `CODER_AIBRIDGE_*` and `--aibridge-*` names continue to work as aliases.
## Activation
You will need to enable AI Gateway explicitly:
```sh
export CODER_AIBRIDGE_ENABLED=true
export CODER_AI_GATEWAY_ENABLED=true
coder server
# or
coder server --aibridge-enabled=true
coder server --ai-gateway-enabled=true
```
## Configure Providers
@@ -27,10 +32,10 @@ AI Gateway proxies requests to upstream LLM APIs. Configure at least one provide
### OpenAI
Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--aibridge-openai-key) traffic through AI Gateway:
Set the following when routing [OpenAI-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-openai-key) traffic through AI Gateway:
- `CODER_AIBRIDGE_OPENAI_KEY` or `--aibridge-openai-key`
- `CODER_AIBRIDGE_OPENAI_BASE_URL` or `--aibridge-openai-base-url`
- `CODER_AI_GATEWAY_OPENAI_KEY` or `--ai-gateway-openai-key`
- `CODER_AI_GATEWAY_OPENAI_BASE_URL` or `--ai-gateway-openai-base-url`
The default base URL (`https://api.openai.com/v1/`) works for the native OpenAI service. Point the base URL at your preferred OpenAI-compatible endpoint (for example, a hosted proxy or LiteLLM deployment) when needed.
@@ -40,10 +45,10 @@ If you'd like to create an [OpenAI key](https://platform.openai.com/api-keys) wi
### Anthropic
Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--aibridge-anthropic-key) traffic through AI Gateway:
Set the following when routing [Anthropic-compatible](https://coder.com/docs/reference/cli/server#--ai-gateway-anthropic-key) traffic through AI Gateway:
- `CODER_AIBRIDGE_ANTHROPIC_KEY` or `--aibridge-anthropic-key`
- `CODER_AIBRIDGE_ANTHROPIC_BASE_URL` or `--aibridge-anthropic-base-url`
- `CODER_AI_GATEWAY_ANTHROPIC_KEY` or `--ai-gateway-anthropic-key`
- `CODER_AI_GATEWAY_ANTHROPIC_BASE_URL` or `--ai-gateway-anthropic-base-url`
The default base URL (`https://api.anthropic.com/`) targets Anthropic's public API. Override it for Anthropic-compatible brokers.
@@ -51,15 +56,15 @@ Anthropic does not allow [API keys](https://console.anthropic.com/settings/keys)
### Amazon Bedrock
Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--aibridge-bedrock-region) traffic through AI Gateway:
Set the following when routing [Amazon Bedrock](https://coder.com/docs/reference/cli/server#--ai-gateway-bedrock-region) traffic through AI Gateway:
**Required:**
- `CODER_AIBRIDGE_BEDROCK_REGION` or `--aibridge-bedrock-region`.
Alternatively, set `CODER_AIBRIDGE_BEDROCK_BASE_URL` or `--aibridge-bedrock-base-url` to a full URL (e.g., when routing through a proxy between AI Gateway and AWS Bedrock or using a non-standard endpoint that doesn't follow the `https://bedrock-runtime.<region>.amazonaws.com` format).
If both are set, `CODER_AIBRIDGE_BEDROCK_BASE_URL` takes precedence.
- `CODER_AIBRIDGE_BEDROCK_MODEL` or `--aibridge-bedrock-model`
- `CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL` or `--aibridge-bedrock-small-fast-model`
- `CODER_AI_GATEWAY_BEDROCK_REGION` or `--ai-gateway-bedrock-region`.
Alternatively, set `CODER_AI_GATEWAY_BEDROCK_BASE_URL` or `--ai-gateway-bedrock-base-url` to a full URL (e.g., when routing through a proxy between AI Gateway and AWS Bedrock or using a non-standard endpoint that doesn't follow the `https://bedrock-runtime.<region>.amazonaws.com` format).
If both are set, `CODER_AI_GATEWAY_BEDROCK_BASE_URL` takes precedence.
- `CODER_AI_GATEWAY_BEDROCK_MODEL` or `--ai-gateway-bedrock-model`
- `CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL` or `--ai-gateway-bedrock-small-fastmodel`
> [!NOTE]
> These Bedrock settings configure AI Gateway only. To configure Bedrock as an
@@ -67,8 +72,8 @@ If both are set, `CODER_AIBRIDGE_BEDROCK_BASE_URL` takes precedence.
**Optional:**
- `CODER_AIBRIDGE_BEDROCK_ACCESS_KEY` or `--aibridge-bedrock-access-key`
- `CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET` or `--aibridge-bedrock-access-key-secret`
- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY` or `--ai-gateway-bedrock-access-key`
- `CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET` or `--ai-gateway-bedrock-access-key-secret`
#### Authentication
@@ -112,15 +117,15 @@ For deployments when explicit credentials are preferred, provide an access key a
4. **Configure your Coder deployment** with the credentials:
```sh
export CODER_AIBRIDGE_BEDROCK_REGION=us-east-1
export CODER_AIBRIDGE_BEDROCK_ACCESS_KEY=<your-access-key-id>
export CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET=<your-secret-access-key>
export CODER_AI_GATEWAY_BEDROCK_REGION=us-east-1
export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY=<your-access-key-id>
export CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET=<your-secret-access-key>
coder server
```
### GitHub Copilot
GitHub Copilot offers three plans Individual, Business, and Enterprise
GitHub Copilot offers three plans: Individual, Business, and Enterprise,
each with its own API endpoint. Configure one or more `copilot` providers
using the [indexed provider format](#multiple-instances-of-the-same-provider)
depending on which plans your organization uses.
@@ -129,22 +134,22 @@ static API keys.
```sh
# GitHub Copilot (Individual)
export CODER_AIBRIDGE_PROVIDER_0_TYPE=copilot
export CODER_AIBRIDGE_PROVIDER_0_NAME=copilot
export CODER_AI_GATEWAY_PROVIDER_0_TYPE=copilot
export CODER_AI_GATEWAY_PROVIDER_0_NAME=copilot
# GitHub Copilot Business
export CODER_AIBRIDGE_PROVIDER_1_TYPE=copilot
export CODER_AIBRIDGE_PROVIDER_1_NAME=copilot-business
export CODER_AIBRIDGE_PROVIDER_1_BASE_URL=https://api.business.githubcopilot.com
export CODER_AI_GATEWAY_PROVIDER_1_TYPE=copilot
export CODER_AI_GATEWAY_PROVIDER_1_NAME=copilot-business
export CODER_AI_GATEWAY_PROVIDER_1_BASE_URL=https://api.business.githubcopilot.com
# GitHub Copilot Enterprise
export CODER_AIBRIDGE_PROVIDER_2_TYPE=copilot
export CODER_AIBRIDGE_PROVIDER_2_NAME=copilot-enterprise
export CODER_AIBRIDGE_PROVIDER_2_BASE_URL=https://api.enterprise.githubcopilot.com
export CODER_AI_GATEWAY_PROVIDER_2_TYPE=copilot
export CODER_AI_GATEWAY_PROVIDER_2_NAME=copilot-enterprise
export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://api.enterprise.githubcopilot.com
```
The default base URL targets the individual Copilot API
(`api.individual.githubcopilot.com`). Override `CODER_AIBRIDGE_PROVIDER_<N>_BASE_URL`
(`api.individual.githubcopilot.com`). Override `CODER_AI_GATEWAY_PROVIDER_<N>_BASE_URL`
for Business or Enterprise tiers as shown above.
For client-side setup (proxy, certificates, IDE configuration), see
@@ -156,9 +161,9 @@ Configure a ChatGPT provider by creating an `openai`-typed instance with the
ChatGPT Codex base URL:
```sh
export CODER_AIBRIDGE_PROVIDER_0_TYPE=openai
export CODER_AIBRIDGE_PROVIDER_0_NAME=chatgpt
export CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex
export CODER_AI_GATEWAY_PROVIDER_0_TYPE=openai
export CODER_AI_GATEWAY_PROVIDER_0_NAME=chatgpt
export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex
```
</div>
@@ -168,35 +173,35 @@ export CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://chatgpt.com/backend-api/codex
### Multiple instances of the same provider
You can configure multiple instances of the same provider type for example, to
You can configure multiple instances of the same provider type, for example, to
route different teams to separate API keys, use different base URLs per region, or
connect to both a direct API and a proxy simultaneously. Use indexed environment
variables following the pattern `CODER_AIBRIDGE_PROVIDER_<N>_<KEY>`:
variables following the pattern `CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>`:
```sh
# Anthropic routed through a corporate proxy
export CODER_AIBRIDGE_PROVIDER_0_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_0_NAME=anthropic-corp
export CODER_AIBRIDGE_PROVIDER_0_KEY=sk-ant-corp-xxx
export CODER_AIBRIDGE_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic
export CODER_AI_GATEWAY_PROVIDER_0_TYPE=anthropic
export CODER_AI_GATEWAY_PROVIDER_0_NAME=anthropic-corp
export CODER_AI_GATEWAY_PROVIDER_0_KEY=sk-ant-corp-xxx
export CODER_AI_GATEWAY_PROVIDER_0_BASE_URL=https://llm-proxy.internal.example.com/anthropic
# Anthropic direct (for teams that need direct access)
export CODER_AIBRIDGE_PROVIDER_1_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_1_NAME=anthropic-direct
export CODER_AIBRIDGE_PROVIDER_1_KEY=sk-ant-direct-yyy
export CODER_AI_GATEWAY_PROVIDER_1_TYPE=anthropic
export CODER_AI_GATEWAY_PROVIDER_1_NAME=anthropic-direct
export CODER_AI_GATEWAY_PROVIDER_1_KEY=sk-ant-direct-yyy
# Azure-hosted OpenAI deployment
export CODER_AIBRIDGE_PROVIDER_2_TYPE=openai
export CODER_AIBRIDGE_PROVIDER_2_NAME=azure-openai
export CODER_AIBRIDGE_PROVIDER_2_KEY=azure-key-zzz
export CODER_AIBRIDGE_PROVIDER_2_BASE_URL=https://my-deployment.openai.azure.com/
export CODER_AI_GATEWAY_PROVIDER_2_TYPE=openai
export CODER_AI_GATEWAY_PROVIDER_2_NAME=azure-openai
export CODER_AI_GATEWAY_PROVIDER_2_KEY=azure-key-zzz
export CODER_AI_GATEWAY_PROVIDER_2_BASE_URL=https://my-deployment.openai.azure.com/
# Anthropic via AWS Bedrock
export CODER_AIBRIDGE_PROVIDER_3_TYPE=anthropic
export CODER_AIBRIDGE_PROVIDER_3_NAME=anthropic-bedrock
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_REGION=us-west-2
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
export CODER_AIBRIDGE_PROVIDER_3_BEDROCK_ACCESS_KEY_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export CODER_AI_GATEWAY_PROVIDER_3_TYPE=anthropic
export CODER_AI_GATEWAY_PROVIDER_3_NAME=anthropic-bedrock
export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_REGION=us-west-2
export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
export CODER_AI_GATEWAY_PROVIDER_3_BEDROCK_ACCESS_KEY_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
coder server
```
@@ -236,30 +241,31 @@ available: `BEDROCK_BASE_URL`, `BEDROCK_REGION`,
> [!NOTE]
> Indices must be contiguous and start at `0`. Each instance must have a unique
> `NAME` — if two instances of the same `TYPE` omit `NAME`, they will both
> `NAME`. If two instances of the same `TYPE` omit `NAME`, they will both
> default to the type name and fail with a duplicate name error.
>
> The legacy single-provider environment variables (`CODER_AIBRIDGE_OPENAI_KEY`,
> `CODER_AIBRIDGE_ANTHROPIC_KEY`, etc.) continue to work. However, setting both
> a legacy variable and an indexed provider with the same default name (e.g.
> `CODER_AIBRIDGE_OPENAI_KEY` and an indexed provider named `openai`) will
> produce a startup error — remove one or the other to resolve the conflict.
> The legacy single-provider environment variables (`CODER_AI_GATEWAY_OPENAI_KEY`,
> `CODER_AI_GATEWAY_ANTHROPIC_KEY`, etc.) continue to work. However, setting
> both a legacy variable and an indexed provider with the same default name
> (e.g. `CODER_AI_GATEWAY_OPENAI_KEY` and an indexed provider named `openai`)
> will produce a startup error. Remove one or the other to resolve the
> conflict.
## Data Retention
AI Gateway records prompts, token usage, tool invocations, and model reasoning for auditing and
monitoring purposes. By default, this data is retained for **60 days**.
Configure retention using `--aibridge-retention` or `CODER_AIBRIDGE_RETENTION`:
Configure retention using `--ai-gateway-retention` or `CODER_AI_GATEWAY_RETENTION`:
```sh
coder server --aibridge-retention=90d
coder server --ai-gateway-retention=90d
```
Or in YAML:
```yaml
aibridge:
ai_gateway:
retention: 90d
```
@@ -273,16 +279,16 @@ For duration formats, how retention works, and best practices, see the
AI Gateway can emit structured logs for every interception record, making it
straightforward to export data to external SIEM or observability platforms.
Enable with `--aibridge-structured-logging` or `CODER_AIBRIDGE_STRUCTURED_LOGGING`:
Enable with `--ai-gateway-structured-logging` or `CODER_AI_GATEWAY_STRUCTURED_LOGGING`:
```sh
coder server --aibridge-structured-logging=true
coder server --ai-gateway-structured-logging=true
```
Or in YAML:
```yaml
aibridge:
ai_gateway:
structured_logging: true
```
docs/reference/api/schemas.md
Generated
+21 -21
View File
@@ -484,27 +484,27 @@
### Properties
| Name | Type | Required | Restrictions | Description |
|-------------------------------------|----------------------------------------------------------------------|----------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `allow_byok` | boolean | false | | |
| `anthropic` | [codersdk.AIBridgeAnthropicConfig](#codersdkaibridgeanthropicconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `bedrock` | [codersdk.AIBridgeBedrockConfig](#codersdkaibridgebedrockconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `budget_period` | string | false | | |
| `budget_policy` | string | false | | Budget settings for AI Governance cost controls. |
| `circuit_breaker_enabled` | boolean | false | | Circuit breaker protects against cascading failures from upstream AI provider overload (503, 529). |
| `circuit_breaker_failure_threshold` | integer | false | | |
| `circuit_breaker_interval` | integer | false | | |
| `circuit_breaker_max_requests` | integer | false | | |
| `circuit_breaker_timeout` | integer | false | | |
| `enabled` | boolean | false | | |
| `inject_coder_mcp_tools` | boolean | false | | Deprecated: Injected MCP in AI Bridge is deprecated and will be removed in a future release. |
| `max_concurrency` | integer | false | | |
| `openai` | [codersdk.AIBridgeOpenAIConfig](#codersdkaibridgeopenaiconfig) | false | | Deprecated: Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead. |
| `providers` | array of [codersdk.AIProviderConfig](#codersdkaiproviderconfig) | false | | Providers holds provider instances populated from CODER_AIBRIDGE_PROVIDER_<N>_<KEY> env vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above. |
| `rate_limit` | integer | false | | |
| `retention` | integer | false | | |
| `send_actor_headers` | boolean | false | | |
| `structured_logging` | boolean | false | | |
| Name | Type | Required | Restrictions | Description |
|-------------------------------------|----------------------------------------------------------------------|----------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `allow_byok` | boolean | false | | |
| `anthropic` | [codersdk.AIBridgeAnthropicConfig](#codersdkaibridgeanthropicconfig) | false | | Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead. |
| `bedrock` | [codersdk.AIBridgeBedrockConfig](#codersdkaibridgebedrockconfig) | false | | Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead. |
| `budget_period` | string | false | | |
| `budget_policy` | string | false | | Budget settings for AI Governance cost controls. |
| `circuit_breaker_enabled` | boolean | false | | Circuit breaker protects against cascading failures from upstream AI provider overload (503, 529). |
| `circuit_breaker_failure_threshold` | integer | false | | |
| `circuit_breaker_interval` | integer | false | | |
| `circuit_breaker_max_requests` | integer | false | | |
| `circuit_breaker_timeout` | integer | false | | |
| `enabled` | boolean | false | | |
| `inject_coder_mcp_tools` | boolean | false | | Deprecated: Injected MCP in AI Bridge is deprecated and will be removed in a future release. |
| `max_concurrency` | integer | false | | |
| `openai` | [codersdk.AIBridgeOpenAIConfig](#codersdkaibridgeopenaiconfig) | false | | Deprecated: Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead. |
| `providers` | array of [codersdk.AIProviderConfig](#codersdkaiproviderconfig) | false | | Providers holds provider instances populated from CODER_AI_GATEWAY_PROVIDER_<N>_<KEY> env vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above. |
| `rate_limit` | integer | false | | |
| `retention` | integer | false | | |
| `send_actor_headers` | boolean | false | | |
| `structured_logging` | boolean | false | | |
## codersdk.AIBridgeInterception
docs/reference/cli/server.md
Generated
+202 -202
View File
@@ -1723,315 +1723,315 @@ Hide AI tasks from the dashboard.
Force chat debug logging on for every chat, bypassing the runtime admin and user opt-in settings.
### --aibridge-enabled
### --ai-gateway-enabled
| | |
|-------------|--------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_ENABLED</code> |
| YAML | <code>aibridge.enabled</code> |
| Default | <code>false</code> |
| | |
|-------------|----------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_ENABLED</code> |
| YAML | <code>ai_gateway.enabled</code> |
| Default | <code>false</code> |
Whether to start an in-memory aibridged instance.
Whether to start an in-memory AI Gateway instance.
### --aibridge-openai-base-url
### --ai-gateway-openai-base-url
| | |
|-------------|------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_OPENAI_BASE_URL</code> |
| YAML | <code>ai_gateway.openai_base_url</code> |
| Default | <code>https://api.openai.com/v1/</code> |
The base URL of the OpenAI API.
### --ai-gateway-openai-key
| | |
|-------------|-------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_OPENAI_KEY</code> |
The key to authenticate against the OpenAI API.
### --ai-gateway-anthropic-base-url
| | |
|-------------|---------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_ANTHROPIC_BASE_URL</code> |
| YAML | <code>ai_gateway.anthropic_base_url</code> |
| Default | <code>https://api.anthropic.com/</code> |
The base URL of the Anthropic API.
### --ai-gateway-anthropic-key
| | |
|-------------|----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_OPENAI_BASE_URL</code> |
| YAML | <code>aibridge.openai_base_url</code> |
| Default | <code>https://api.openai.com/v1/</code> |
| Environment | <code>$CODER_AI_GATEWAY_ANTHROPIC_KEY</code> |
The base URL of the OpenAI API.
The key to authenticate against the Anthropic API.
### --aibridge-openai-key
| | |
|-------------|-----------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_OPENAI_KEY</code> |
The key to authenticate against the OpenAI API.
### --aibridge-anthropic-base-url
### --ai-gateway-bedrock-base-url
| | |
|-------------|-------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_ANTHROPIC_BASE_URL</code> |
| YAML | <code>aibridge.anthropic_base_url</code> |
| Default | <code>https://api.anthropic.com/</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_BASE_URL</code> |
| YAML | <code>ai_gateway.bedrock_base_url</code> |
The base URL of the Anthropic API.
The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AI_GATEWAY_BEDROCK_REGION.
### --aibridge-anthropic-key
| | |
|-------------|--------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_ANTHROPIC_KEY</code> |
The key to authenticate against the Anthropic API.
### --aibridge-bedrock-base-url
### --ai-gateway-bedrock-region
| | |
|-------------|-----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_BASE_URL</code> |
| YAML | <code>aibridge.bedrock_base_url</code> |
The base URL to use for the AWS Bedrock API. Use this setting to specify an exact URL to use. Takes precedence over CODER_AIBRIDGE_BEDROCK_REGION.
### --aibridge-bedrock-region
| | |
|-------------|---------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_REGION</code> |
| YAML | <code>aibridge.bedrock_region</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_REGION</code> |
| YAML | <code>ai_gateway.bedrock_region</code> |
The AWS Bedrock API region to use. Constructs a base URL to use for the AWS Bedrock API in the form of 'https://bedrock-runtime.<region>.amazonaws.com'.
### --aibridge-bedrock-access-key
### --ai-gateway-bedrock-access-key
| | |
|-------------|-------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_ACCESS_KEY</code> |
| | |
|-------------|---------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY</code> |
The access key to authenticate against the AWS Bedrock API.
### --aibridge-bedrock-access-key-secret
### --ai-gateway-bedrock-access-key-secret
| | |
|-------------|--------------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET</code> |
| | |
|-------------|----------------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET</code> |
The access key secret to use with the access key to authenticate against the AWS Bedrock API.
### --aibridge-bedrock-model
### --ai-gateway-bedrock-model
| | |
|-------------|---------------------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_MODEL</code> |
| YAML | <code>aibridge.bedrock_model</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_MODEL</code> |
| YAML | <code>ai_gateway.bedrock_model</code> |
| Default | <code>global.anthropic.claude-sonnet-4-5-20250929-v1:0</code> |
The model to use when making requests to the AWS Bedrock API.
### --aibridge-bedrock-small-fastmodel
### --ai-gateway-bedrock-small-fastmodel
| | |
|-------------|--------------------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL</code> |
| YAML | <code>aibridge.bedrock_small_fast_model</code> |
| Environment | <code>$CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL</code> |
| YAML | <code>ai_gateway.bedrock_small_fast_model</code> |
| Default | <code>global.anthropic.claude-haiku-4-5-20251001-v1:0</code> |
The small fast model to use when making requests to the AWS Bedrock API. Claude Code uses Haiku-class models to perform background tasks. See https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
### --aibridge-retention
### --ai-gateway-retention
| | |
|-------------|----------------------------------------|
| Type | <code>duration</code> |
| Environment | <code>$CODER_AIBRIDGE_RETENTION</code> |
| YAML | <code>aibridge.retention</code> |
| Default | <code>60d</code> |
| | |
|-------------|------------------------------------------|
| Type | <code>duration</code> |
| Environment | <code>$CODER_AI_GATEWAY_RETENTION</code> |
| YAML | <code>ai_gateway.retention</code> |
| Default | <code>60d</code> |
Length of time to retain data such as interceptions and all related records (token, prompt, tool use).
### --aibridge-max-concurrency
### --ai-gateway-max-concurrency
| | |
|-------------|----------------------------------------------|
| Type | <code>int</code> |
| Environment | <code>$CODER_AIBRIDGE_MAX_CONCURRENCY</code> |
| YAML | <code>aibridge.max_concurrency</code> |
| Default | <code>0</code> |
| | |
|-------------|------------------------------------------------|
| Type | <code>int</code> |
| Environment | <code>$CODER_AI_GATEWAY_MAX_CONCURRENCY</code> |
| YAML | <code>ai_gateway.max_concurrency</code> |
| Default | <code>0</code> |
Maximum number of concurrent AI Bridge requests per replica. Set to 0 to disable (unlimited).
Maximum number of concurrent AI Gateway requests per replica. Set to 0 to disable (unlimited).
### --aibridge-rate-limit
### --ai-gateway-rate-limit
| | |
|-------------|-----------------------------------------|
| Type | <code>int</code> |
| Environment | <code>$CODER_AIBRIDGE_RATE_LIMIT</code> |
| YAML | <code>aibridge.rate_limit</code> |
| Default | <code>0</code> |
| | |
|-------------|-------------------------------------------|
| Type | <code>int</code> |
| Environment | <code>$CODER_AI_GATEWAY_RATE_LIMIT</code> |
| YAML | <code>ai_gateway.rate_limit</code> |
| Default | <code>0</code> |
Maximum number of AI Bridge requests per second per replica. Set to 0 to disable (unlimited).
Maximum number of AI Gateway requests per second per replica. Set to 0 to disable (unlimited).
### --aibridge-structured-logging
### --ai-gateway-structured-logging
| | |
|-------------|-------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_STRUCTURED_LOGGING</code> |
| YAML | <code>aibridge.structured_logging</code> |
| Default | <code>false</code> |
| | |
|-------------|---------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_STRUCTURED_LOGGING</code> |
| YAML | <code>ai_gateway.structured_logging</code> |
| Default | <code>false</code> |
Emit structured logs for AI Bridge interception records. Use this for exporting these records to external SIEM or observability systems.
Emit structured logs for AI Gateway interception records. Use this for exporting these records to external SIEM or observability systems.
### --aibridge-send-actor-headers
### --ai-gateway-send-actor-headers
| | |
|-------------|-------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_SEND_ACTOR_HEADERS</code> |
| YAML | <code>aibridge.send_actor_headers</code> |
| Default | <code>false</code> |
| | |
|-------------|---------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_SEND_ACTOR_HEADERS</code> |
| YAML | <code>ai_gateway.send_actor_headers</code> |
| Default | <code>false</code> |
Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Bridge. This is only needed if you are using a proxy between AI Bridge and an upstream AI provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).
Once enabled, extra headers will be added to upstream requests to identify the user (actor) making requests to AI Gateway. This is only needed if you are using a proxy between AI Gateway and an upstream AI provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user making the request) and X-Ai-Bridge-Actor-Metadata-Username (their username).
### --aibridge-allow-byok
### --ai-gateway-allow-byok
| | |
|-------------|-----------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_ALLOW_BYOK</code> |
| YAML | <code>aibridge.allow_byok</code> |
| Default | <code>true</code> |
| | |
|-------------|-------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_ALLOW_BYOK</code> |
| YAML | <code>ai_gateway.allow_byok</code> |
| Default | <code>true</code> |
Allow users to provide their own LLM API keys or subscriptions. When disabled, only centralized key authentication is permitted.
### --aibridge-circuit-breaker-enabled
### --ai-gateway-circuit-breaker-enabled
| | |
|-------------|------------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_CIRCUIT_BREAKER_ENABLED</code> |
| YAML | <code>aibridge.circuit_breaker_enabled</code> |
| Default | <code>false</code> |
| | |
|-------------|--------------------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED</code> |
| YAML | <code>ai_gateway.circuit_breaker_enabled</code> |
| Default | <code>false</code> |
Enable the circuit breaker to protect against cascading failures from upstream AI provider overload (503, 529).
### --ai-budget-policy
| | |
|-------------|--------------------------------------|
| Type | <code>highest</code> |
| Environment | <code>$CODER_AI_BUDGET_POLICY</code> |
| YAML | <code>aibridge.budget_policy</code> |
| Default | <code>highest</code> |
| | |
|-------------|---------------------------------------|
| Type | <code>highest</code> |
| Environment | <code>$CODER_AI_BUDGET_POLICY</code> |
| YAML | <code>ai_gateway.budget_policy</code> |
| Default | <code>highest</code> |
Determines the effective group when a user belongs to multiple groups with AI budgets. "highest" selects the group with the largest spend limit, and is currently the only supported value.
### --ai-budget-period
| | |
|-------------|--------------------------------------|
| Type | <code>month</code> |
| Environment | <code>$CODER_AI_BUDGET_PERIOD</code> |
| YAML | <code>aibridge.budget_period</code> |
| Default | <code>month</code> |
| | |
|-------------|---------------------------------------|
| Type | <code>month</code> |
| Environment | <code>$CODER_AI_BUDGET_PERIOD</code> |
| YAML | <code>ai_gateway.budget_period</code> |
| Default | <code>month</code> |
Determines when accumulated AI spend resets to zero, aligned to UTC calendar boundaries. Only "month" is currently supported.
### --aibridge-proxy-enabled
### --ai-gateway-proxy-enabled
| | |
|-------------|--------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_ENABLED</code> |
| YAML | <code>aibridgeproxy.enabled</code> |
| Default | <code>false</code> |
| | |
|-------------|----------------------------------------------|
| Type | <code>bool</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_ENABLED</code> |
| YAML | <code>ai_gateway_proxy.enabled</code> |
| Default | <code>false</code> |
Enable the AI Bridge MITM Proxy for intercepting and decrypting AI provider requests.
Enable the AI Gateway MITM Proxy for intercepting and decrypting AI provider requests.
### --aibridge-proxy-listen-addr
| | |
|-------------|------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_LISTEN_ADDR</code> |
| YAML | <code>aibridgeproxy.listen_addr</code> |
| Default | <code>:8888</code> |
The address the AI Bridge Proxy will listen on.
### --aibridge-proxy-tls-cert-file
### --ai-gateway-proxy-listen-addr
| | |
|-------------|--------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_TLS_CERT_FILE</code> |
| YAML | <code>aibridgeproxy.tls_cert_file</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_LISTEN_ADDR</code> |
| YAML | <code>ai_gateway_proxy.listen_addr</code> |
| Default | <code>:8888</code> |
Path to the TLS certificate file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Key File.
The address the AI Gateway Proxy will listen on.
### --aibridge-proxy-tls-key-file
### --ai-gateway-proxy-tls-cert-file
| | |
|-------------|-------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_TLS_KEY_FILE</code> |
| YAML | <code>aibridgeproxy.tls_key_file</code> |
| | |
|-------------|----------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE</code> |
| YAML | <code>ai_gateway_proxy.tls_cert_file</code> |
Path to the TLS private key file for the AI Bridge Proxy listener. Must be set together with AI Bridge Proxy TLS Certificate File.
Path to the TLS certificate file for the AI Gateway Proxy listener. Must be set together with AI Gateway Proxy TLS Key File.
### --aibridge-proxy-cert-file
### --ai-gateway-proxy-tls-key-file
| | |
|-------------|----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_CERT_FILE</code> |
| YAML | <code>aibridgeproxy.cert_file</code> |
| | |
|-------------|---------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE</code> |
| YAML | <code>ai_gateway_proxy.tls_key_file</code> |
Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI clients. This CA must be trusted by AI clients for the proxy to decrypt their requests.
Path to the TLS private key file for the AI Gateway Proxy listener. Must be set together with AI Gateway Proxy TLS Certificate File.
### --aibridge-proxy-key-file
| | |
|-------------|---------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_KEY_FILE</code> |
| YAML | <code>aibridgeproxy.key_file</code> |
Path to the CA private key file used to intercept (MITM) HTTPS traffic from AI clients.
### --aibridge-proxy-upstream
| | |
|-------------|---------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_UPSTREAM</code> |
| YAML | <code>aibridgeproxy.upstream_proxy</code> |
URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests through. Format: http://[user:pass@]host:port or https://[user:pass@]host:port.
### --aibridge-proxy-upstream-ca
### --ai-gateway-proxy-cert-file
| | |
|-------------|------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_UPSTREAM_CA</code> |
| YAML | <code>aibridgeproxy.upstream_proxy_ca</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_CERT_FILE</code> |
| YAML | <code>ai_gateway_proxy.cert_file</code> |
Path to the CA certificate file used to intercept (MITM) HTTPS traffic from AI clients. This CA must be trusted by AI clients for the proxy to decrypt their requests.
### --ai-gateway-proxy-key-file
| | |
|-------------|-----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_KEY_FILE</code> |
| YAML | <code>ai_gateway_proxy.key_file</code> |
Path to the CA private key file used to intercept (MITM) HTTPS traffic from AI clients.
### --ai-gateway-proxy-upstream
| | |
|-------------|-----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_UPSTREAM</code> |
| YAML | <code>ai_gateway_proxy.upstream_proxy</code> |
URL of an upstream HTTP proxy to chain tunneled (non-allowlisted) requests through. Format: http://[user:pass@]host:port or https://[user:pass@]host:port.
### --ai-gateway-proxy-upstream-ca
| | |
|-------------|--------------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_UPSTREAM_CA</code> |
| YAML | <code>ai_gateway_proxy.upstream_proxy_ca</code> |
Path to a PEM-encoded CA certificate to trust for the upstream proxy's TLS connection. Only needed for HTTPS upstream proxies with certificates not trusted by the system. If not provided, the system certificate pool is used.
### --aibridge-proxy-allowed-private-cidrs
### --ai-gateway-proxy-allowed-private-cidrs
| | |
|-------------|----------------------------------------------------------|
| Type | <code>string-array</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS</code> |
| YAML | <code>aibridgeproxy.allowed_private_cidrs</code> |
| | |
|-------------|------------------------------------------------------------|
| Type | <code>string-array</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS</code> |
| YAML | <code>ai_gateway_proxy.allowed_private_cidrs</code> |
Comma-separated list of CIDR ranges that are permitted even though they fall within blocked private/reserved IP ranges. By default all private ranges are blocked to prevent SSRF attacks. Use this to allow access to specific internal networks.
### --aibridge-proxy-dump-dir
### --ai-gateway-proxy-dump-dir
| | |
|-------------|---------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AIBRIDGE_PROXY_DUMP_DIR</code> |
| YAML | <code>aibridgeproxy.api_dump_dir</code> |
| | |
|-------------|-----------------------------------------------|
| Type | <code>string</code> |
| Environment | <code>$CODER_AI_GATEWAY_PROXY_DUMP_DIR</code> |
| YAML | <code>ai_gateway_proxy.api_dump_dir</code> |
Directory for dumping MITM request/response pairs to disk for debugging. When set, each proxied request produces .req.txt and .resp.txt files organized by provider. Sensitive headers are redacted. Leave empty to disable.
enterprise/cli/aibridged.go
+4 -4
View File
@@ -46,10 +46,10 @@ func newAIBridgeDaemon(coderAPI *coderd.API, providers []aibridge.Provider) (*ai
// buildProviders constructs the list of AI providers from config.
// It merges legacy single-provider env vars and indexed provider configs:
// 1. Legacy providers (from CODER_AIBRIDGE_OPENAI_KEY, etc.) are added first.
// 1. Legacy providers (from CODER_AI_GATEWAY_OPENAI_KEY, etc.) are added first.
// If a legacy name conflicts with an indexed provider, startup fails with
// a clear error asking the admin to remove one or the other.
// 2. Indexed providers (from CODER_AIBRIDGE_PROVIDER_<N>_*) are added next.
// 2. Indexed providers (from CODER_AI_GATEWAY_PROVIDER_<N>_*) are added next.
func buildProviders(cfg codersdk.AIBridgeConfig) ([]aibridge.Provider, error) {
var cbConfig *config.CircuitBreaker
if cfg.CircuitBreakerEnabled.Value() {
@@ -77,7 +77,7 @@ func buildProviders(cfg codersdk.AIBridgeConfig) ([]aibridge.Provider, error) {
// Add legacy OpenAI provider if configured.
if cfg.LegacyOpenAI.Key.String() != "" {
if _, conflict := usedNames[aibridge.ProviderOpenAI]; conflict {
return nil, xerrors.Errorf("legacy CODER_AIBRIDGE_OPENAI_KEY conflicts with indexed provider named %q; remove one or the other", aibridge.ProviderOpenAI)
return nil, xerrors.Errorf("legacy CODER_AI_GATEWAY_OPENAI_KEY (or CODER_AIBRIDGE_OPENAI_KEY) conflicts with indexed provider named %q; remove one or the other", aibridge.ProviderOpenAI)
}
providers = append(providers, aibridge.NewOpenAIProvider(aibridge.OpenAIConfig{
Name: aibridge.ProviderOpenAI,
@@ -94,7 +94,7 @@ func buildProviders(cfg codersdk.AIBridgeConfig) ([]aibridge.Provider, error) {
// using AWS Bedrock.
if cfg.LegacyAnthropic.Key.String() != "" || getBedrockConfig(cfg.LegacyBedrock) != nil {
if _, conflict := usedNames[aibridge.ProviderAnthropic]; conflict {
return nil, xerrors.Errorf("legacy CODER_AIBRIDGE_ANTHROPIC_KEY conflicts with indexed provider named %q; remove one or the other", aibridge.ProviderAnthropic)
return nil, xerrors.Errorf("legacy CODER_AI_GATEWAY_ANTHROPIC_KEY (or CODER_AIBRIDGE_ANTHROPIC_KEY) conflicts with indexed provider named %q; remove one or the other", aibridge.ProviderAnthropic)
}
var pool *keypool.Pool
if key := cfg.LegacyAnthropic.Key.String(); key != "" {
enterprise/cli/testdata/coder_server_--help.golden
Vendored
+91 -91
View File
@@ -104,80 +104,7 @@ OPTIONS:
Periodically check for new releases of Coder and inform the owner. The
check is performed once per day.
AI BRIDGE OPTIONS:
--aibridge-allow-byok bool, $CODER_AIBRIDGE_ALLOW_BYOK (default: true)
Allow users to provide their own LLM API keys or subscriptions. When
disabled, only centralized key authentication is permitted.
--aibridge-anthropic-base-url string, $CODER_AIBRIDGE_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
The base URL of the Anthropic API.
--aibridge-anthropic-key string, $CODER_AIBRIDGE_ANTHROPIC_KEY
The key to authenticate against the Anthropic API.
--aibridge-bedrock-access-key string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY
The access key to authenticate against the AWS Bedrock API.
--aibridge-bedrock-access-key-secret string, $CODER_AIBRIDGE_BEDROCK_ACCESS_KEY_SECRET
The access key secret to use with the access key to authenticate
against the AWS Bedrock API.
--aibridge-bedrock-base-url string, $CODER_AIBRIDGE_BEDROCK_BASE_URL
The base URL to use for the AWS Bedrock API. Use this setting to
specify an exact URL to use. Takes precedence over
CODER_AIBRIDGE_BEDROCK_REGION.
--aibridge-bedrock-model string, $CODER_AIBRIDGE_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
The model to use when making requests to the AWS Bedrock API.
--aibridge-bedrock-region string, $CODER_AIBRIDGE_BEDROCK_REGION
The AWS Bedrock API region to use. Constructs a base URL to use for
the AWS Bedrock API in the form of
'https://bedrock-runtime.<region>.amazonaws.com'.
--aibridge-bedrock-small-fastmodel string, $CODER_AIBRIDGE_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
The small fast model to use when making requests to the AWS Bedrock
API. Claude Code uses Haiku-class models to perform background tasks.
See
https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
--aibridge-circuit-breaker-enabled bool, $CODER_AIBRIDGE_CIRCUIT_BREAKER_ENABLED (default: false)
Enable the circuit breaker to protect against cascading failures from
upstream AI provider overload (503, 529).
--aibridge-retention duration, $CODER_AIBRIDGE_RETENTION (default: 60d)
Length of time to retain data such as interceptions and all related
records (token, prompt, tool use).
--aibridge-enabled bool, $CODER_AIBRIDGE_ENABLED (default: false)
Whether to start an in-memory aibridged instance.
--aibridge-max-concurrency int, $CODER_AIBRIDGE_MAX_CONCURRENCY (default: 0)
Maximum number of concurrent AI Bridge requests per replica. Set to 0
to disable (unlimited).
--aibridge-openai-base-url string, $CODER_AIBRIDGE_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
The base URL of the OpenAI API.
--aibridge-openai-key string, $CODER_AIBRIDGE_OPENAI_KEY
The key to authenticate against the OpenAI API.
--aibridge-rate-limit int, $CODER_AIBRIDGE_RATE_LIMIT (default: 0)
Maximum number of AI Bridge requests per second per replica. Set to 0
to disable (unlimited).
--aibridge-send-actor-headers bool, $CODER_AIBRIDGE_SEND_ACTOR_HEADERS (default: false)
Once enabled, extra headers will be added to upstream requests to
identify the user (actor) making requests to AI Bridge. This is only
needed if you are using a proxy between AI Bridge and an upstream AI
provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user
making the request) and X-Ai-Bridge-Actor-Metadata-Username (their
username).
--aibridge-structured-logging bool, $CODER_AIBRIDGE_STRUCTURED_LOGGING (default: false)
Emit structured logs for AI Bridge interception records. Use this for
exporting these records to external SIEM or observability systems.
AI GATEWAY OPTIONS:
--ai-budget-period month, $CODER_AI_BUDGET_PERIOD (default: month)
Determines when accumulated AI spend resets to zero, aligned to UTC
calendar boundaries. Only "month" is currently supported.
@@ -187,49 +114,122 @@ AI BRIDGE OPTIONS:
with AI budgets. "highest" selects the group with the largest spend
limit, and is currently the only supported value.
AI BRIDGE PROXY OPTIONS:
--aibridge-proxy-dump-dir string, $CODER_AIBRIDGE_PROXY_DUMP_DIR
--ai-gateway-allow-byok bool, $CODER_AI_GATEWAY_ALLOW_BYOK (default: true)
Allow users to provide their own LLM API keys or subscriptions. When
disabled, only centralized key authentication is permitted.
--ai-gateway-anthropic-base-url string, $CODER_AI_GATEWAY_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
The base URL of the Anthropic API.
--ai-gateway-anthropic-key string, $CODER_AI_GATEWAY_ANTHROPIC_KEY
The key to authenticate against the Anthropic API.
--ai-gateway-bedrock-access-key string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY
The access key to authenticate against the AWS Bedrock API.
--ai-gateway-bedrock-access-key-secret string, $CODER_AI_GATEWAY_BEDROCK_ACCESS_KEY_SECRET
The access key secret to use with the access key to authenticate
against the AWS Bedrock API.
--ai-gateway-bedrock-base-url string, $CODER_AI_GATEWAY_BEDROCK_BASE_URL
The base URL to use for the AWS Bedrock API. Use this setting to
specify an exact URL to use. Takes precedence over
CODER_AI_GATEWAY_BEDROCK_REGION.
--ai-gateway-bedrock-model string, $CODER_AI_GATEWAY_BEDROCK_MODEL (default: global.anthropic.claude-sonnet-4-5-20250929-v1:0)
The model to use when making requests to the AWS Bedrock API.
--ai-gateway-bedrock-region string, $CODER_AI_GATEWAY_BEDROCK_REGION
The AWS Bedrock API region to use. Constructs a base URL to use for
the AWS Bedrock API in the form of
'https://bedrock-runtime.<region>.amazonaws.com'.
--ai-gateway-bedrock-small-fastmodel string, $CODER_AI_GATEWAY_BEDROCK_SMALL_FAST_MODEL (default: global.anthropic.claude-haiku-4-5-20251001-v1:0)
The small fast model to use when making requests to the AWS Bedrock
API. Claude Code uses Haiku-class models to perform background tasks.
See
https://docs.claude.com/en/docs/claude-code/settings#environment-variables.
--ai-gateway-circuit-breaker-enabled bool, $CODER_AI_GATEWAY_CIRCUIT_BREAKER_ENABLED (default: false)
Enable the circuit breaker to protect against cascading failures from
upstream AI provider overload (503, 529).
--ai-gateway-retention duration, $CODER_AI_GATEWAY_RETENTION (default: 60d)
Length of time to retain data such as interceptions and all related
records (token, prompt, tool use).
--ai-gateway-enabled bool, $CODER_AI_GATEWAY_ENABLED (default: false)
Whether to start an in-memory AI Gateway instance.
--ai-gateway-max-concurrency int, $CODER_AI_GATEWAY_MAX_CONCURRENCY (default: 0)
Maximum number of concurrent AI Gateway requests per replica. Set to 0
to disable (unlimited).
--ai-gateway-openai-base-url string, $CODER_AI_GATEWAY_OPENAI_BASE_URL (default: https://api.openai.com/v1/)
The base URL of the OpenAI API.
--ai-gateway-openai-key string, $CODER_AI_GATEWAY_OPENAI_KEY
The key to authenticate against the OpenAI API.
--ai-gateway-rate-limit int, $CODER_AI_GATEWAY_RATE_LIMIT (default: 0)
Maximum number of AI Gateway requests per second per replica. Set to 0
to disable (unlimited).
--ai-gateway-send-actor-headers bool, $CODER_AI_GATEWAY_SEND_ACTOR_HEADERS (default: false)
Once enabled, extra headers will be added to upstream requests to
identify the user (actor) making requests to AI Gateway. This is only
needed if you are using a proxy between AI Gateway and an upstream AI
provider. This will send X-Ai-Bridge-Actor-Id (the ID of the user
making the request) and X-Ai-Bridge-Actor-Metadata-Username (their
username).
--ai-gateway-structured-logging bool, $CODER_AI_GATEWAY_STRUCTURED_LOGGING (default: false)
Emit structured logs for AI Gateway interception records. Use this for
exporting these records to external SIEM or observability systems.
AI GATEWAY PROXY OPTIONS:
--ai-gateway-proxy-dump-dir string, $CODER_AI_GATEWAY_PROXY_DUMP_DIR
Directory for dumping MITM request/response pairs to disk for
debugging. When set, each proxied request produces .req.txt and
.resp.txt files organized by provider. Sensitive headers are redacted.
Leave empty to disable.
--aibridge-proxy-allowed-private-cidrs string-array, $CODER_AIBRIDGE_PROXY_ALLOWED_PRIVATE_CIDRS
--ai-gateway-proxy-allowed-private-cidrs string-array, $CODER_AI_GATEWAY_PROXY_ALLOWED_PRIVATE_CIDRS
Comma-separated list of CIDR ranges that are permitted even though
they fall within blocked private/reserved IP ranges. By default all
private ranges are blocked to prevent SSRF attacks. Use this to allow
access to specific internal networks.
--aibridge-proxy-enabled bool, $CODER_AIBRIDGE_PROXY_ENABLED (default: false)
Enable the AI Bridge MITM Proxy for intercepting and decrypting AI
--ai-gateway-proxy-enabled bool, $CODER_AI_GATEWAY_PROXY_ENABLED (default: false)
Enable the AI Gateway MITM Proxy for intercepting and decrypting AI
provider requests.
--aibridge-proxy-listen-addr string, $CODER_AIBRIDGE_PROXY_LISTEN_ADDR (default: :8888)
The address the AI Bridge Proxy will listen on.
--ai-gateway-proxy-listen-addr string, $CODER_AI_GATEWAY_PROXY_LISTEN_ADDR (default: :8888)
The address the AI Gateway Proxy will listen on.
--aibridge-proxy-cert-file string, $CODER_AIBRIDGE_PROXY_CERT_FILE
--ai-gateway-proxy-cert-file string, $CODER_AI_GATEWAY_PROXY_CERT_FILE
Path to the CA certificate file used to intercept (MITM) HTTPS traffic
from AI clients. This CA must be trusted by AI clients for the proxy
to decrypt their requests.
--aibridge-proxy-key-file string, $CODER_AIBRIDGE_PROXY_KEY_FILE
--ai-gateway-proxy-key-file string, $CODER_AI_GATEWAY_PROXY_KEY_FILE
Path to the CA private key file used to intercept (MITM) HTTPS traffic
from AI clients.
--aibridge-proxy-tls-cert-file string, $CODER_AIBRIDGE_PROXY_TLS_CERT_FILE
Path to the TLS certificate file for the AI Bridge Proxy listener.
Must be set together with AI Bridge Proxy TLS Key File.
--ai-gateway-proxy-tls-cert-file string, $CODER_AI_GATEWAY_PROXY_TLS_CERT_FILE
Path to the TLS certificate file for the AI Gateway Proxy listener.
Must be set together with AI Gateway Proxy TLS Key File.
--aibridge-proxy-tls-key-file string, $CODER_AIBRIDGE_PROXY_TLS_KEY_FILE
Path to the TLS private key file for the AI Bridge Proxy listener.
Must be set together with AI Bridge Proxy TLS Certificate File.
--ai-gateway-proxy-tls-key-file string, $CODER_AI_GATEWAY_PROXY_TLS_KEY_FILE
Path to the TLS private key file for the AI Gateway Proxy listener.
Must be set together with AI Gateway Proxy TLS Certificate File.
--aibridge-proxy-upstream string, $CODER_AIBRIDGE_PROXY_UPSTREAM
--ai-gateway-proxy-upstream string, $CODER_AI_GATEWAY_PROXY_UPSTREAM
URL of an upstream HTTP proxy to chain tunneled (non-allowlisted)
requests through. Format: http://[user:pass@]host:port or
https://[user:pass@]host:port.
--aibridge-proxy-upstream-ca string, $CODER_AIBRIDGE_PROXY_UPSTREAM_CA
--ai-gateway-proxy-upstream-ca string, $CODER_AI_GATEWAY_PROXY_UPSTREAM_CA
Path to a PEM-encoded CA certificate to trust for the upstream proxy's
TLS connection. Only needed for HTTPS upstream proxies with
certificates not trusted by the system. If not provided, the system
site/src/api/typesGenerated.ts
Generated
+6 -5
View File
@@ -42,19 +42,19 @@ export interface AIBridgeBedrockConfig {
export interface AIBridgeConfig {
readonly enabled: boolean;
/**
* @deprecated Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
* @deprecated Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
*/
readonly openai: AIBridgeOpenAIConfig;
/**
* @deprecated Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
* @deprecated Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
*/
readonly anthropic: AIBridgeAnthropicConfig;
/**
* @deprecated Use Providers with indexed CODER_AIBRIDGE_PROVIDER_<N>_* env vars instead.
* @deprecated Use Providers with indexed CODER_AI_GATEWAY_PROVIDER_<N>_* env vars instead.
*/
readonly bedrock: AIBridgeBedrockConfig;
/**
* Providers holds provider instances populated from CODER_AIBRIDGE_PROVIDER_<N>_<KEY>
* Providers holds provider instances populated from CODER_AI_GATEWAY_PROVIDER_<N>_<KEY>
* env vars and/or the deprecated LegacyOpenAI/LegacyAnthropic/LegacyBedrock fields above.
*/
readonly providers?: readonly AIProviderConfig[];
@@ -366,7 +366,8 @@ export const AIProviderBedrockSettingsVersion = 1;
// From codersdk/deployment.go
/**
* AIProviderConfig represents a single AI provider instance,
* parsed from CODER_AIBRIDGE_PROVIDER_<N>_<KEY> environment variables.
* parsed from CODER_AI_GATEWAY_PROVIDER_<N>_<KEY> environment variables.
* CODER_AIBRIDGE_PROVIDER_<N>_<KEY> is also accepted as a deprecated alias.
* This follows the same indexed pattern as ExternalAuthConfig.
*/
export interface AIProviderConfig {
site/src/pages/DeploymentSettingsPage/AIGovernanceSettingsPage/AIGovernanceSettingsPageView.stories.tsx
+6 -6
View File
@@ -7,19 +7,19 @@ const meta: Meta<typeof AIGovernanceSettingsPageView> = {
args: {
options: [
{
name: "AI Bridge Enabled",
name: "AI Gateway Enabled",
value: true,
group: { name: "AI Bridge" },
flag: "aibridge-enabled",
group: { name: "AI Gateway" },
flag: "ai-gateway-enabled",
hidden: false,
},
{
name: "AI Bridge Circuit Breaker Enabled",
name: "AI Gateway Circuit Breaker Enabled",
description:
"Enable the circuit breaker to protect against cascading failures from upstream AI provider rate limits.",
value: false,
group: { name: "AI Bridge" },
flag: "aibridge-circuit-breaker-enabled",
group: { name: "AI Gateway" },
flag: "ai-gateway-circuit-breaker-enabled",
hidden: false,
},
],
site/src/pages/DeploymentSettingsPage/AIGovernanceSettingsPage/AIGovernanceSettingsPageView.tsx
+6 -6
View File
@@ -31,11 +31,11 @@ export const AIGovernanceSettingsPageView: FC<
<div>
<SettingsHeader
actions={
<SettingsHeaderDocsLink href={docs("/ai-coder/ai-bridge")} />
<SettingsHeaderDocsLink href={docs("/ai-coder/ai-gateway")} />
}
>
<SettingsHeaderTitle hierarchy="secondary" level="h2">
AI Bridge
AI Gateway
</SettingsHeaderTitle>
<SettingsHeaderDescription>
Monitor and manage AI requests across your deployment.
@@ -47,13 +47,13 @@ export const AIGovernanceSettingsPageView: FC<
{!featureAIBridgeEnabled && (
<Alert className="mb-12" severity="warning" prominent>
<AlertTitle>
AI Bridge is included in your license, but not set up yet.
AI Gateway is included in your license, but not set up yet.
</AlertTitle>
<AlertDescription>
You have access to AI Governance, but it still needs to be
setup. Check out the{" "}
<Link href={docs("/ai-coder/ai-bridge")} target="_blank">
AI Bridge
<Link href={docs("/ai-coder/ai-gateway")} target="_blank">
AI Gateway
</Link>{" "}
documentation to get started.
</AlertDescription>
@@ -61,7 +61,7 @@ export const AIGovernanceSettingsPageView: FC<
)}
<OptionsTable
options={options
.filter((o) => deploymentGroupHasParent(o.group, "AI Bridge"))
.filter((o) => deploymentGroupHasParent(o.group, "AI Gateway"))
.filter((o) => !o.annotations?.secret === true)}
/>
</>