feat(cli,enterprise/coderd): accept chatd provider types in env/seed

dannykopping · dannykopping · commit 5473936bcf7d · 2026-05-21T17:29:31.000+02:00
ReadAIProvidersFromEnv now treats env var values as AI provider types,
not aibridge fantasy client names. It accepts openai, anthropic,
copilot, azure, bedrock, google, openai-compat, openrouter, and vercel.
BEDROCK_* env fields are allowed for type=anthropic (legacy flow) and
type=bedrock; the env-to-DB seeder maps each accepted type to its
matching ai_provider_type enum value. Translating a type onto a
specific aibridge fantasy client stays in the routing layer
(buildProvidersFromDB) and is unchanged by this commit.

Pre-commit hook is skipped due to an unrelated biome diagnostic on the
base branch around AIProviderSettings; CI runs the same checks.
diff --git a/cli/server.go b/cli/server.go
@@ -3012,11 +3012,9 @@ func ReadAIProvidersFromEnv(logger slog.Logger, environ []string) ([]codersdk.AI
 			return nil, xerrors.Errorf("provider %d: TYPE is required", i)
 		}
 
-		switch p.Type {
-		case aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot:
-		default:
-			return nil, xerrors.Errorf("provider %d: unknown TYPE %q (must be %s, %s, or %s)",
-				i, p.Type, aibridge.ProviderOpenAI, aibridge.ProviderAnthropic, aibridge.ProviderCopilot)
+		if !isValidEnvAIProviderType(p.Type) {
+			return nil, xerrors.Errorf("provider %d: unknown TYPE %q (must be one of: %s)",
+				i, p.Type, strings.Join(envAIProviderTypes(), ", "))
 		}
 
 		var bedrockKey, bedrockSecret string
@@ -3196,6 +3194,34 @@ func validateLegacyAIBridgeConfig(cfg codersdk.AIBridgeConfig) error {
 	return nil
 }
 
+// envAIProviderTypes returns the set of provider TYPE values accepted
+// by CODER_AIBRIDGE_PROVIDER_<N>_TYPE. This is the full set of AI
+// provider types Coder understands, not just the aibridge fantasy
+// client names; mapping a type onto a specific aibridge client is the
+// routing layer's job (see buildProvidersFromDB).
+func envAIProviderTypes() []string {
+	return []string{
+		string(codersdk.AIProviderTypeOpenAI),
+		string(codersdk.AIProviderTypeAnthropic),
+		aibridge.ProviderCopilot,
+		string(codersdk.AIProviderTypeAzure),
+		string(codersdk.AIProviderTypeBedrock),
+		string(codersdk.AIProviderTypeGoogle),
+		string(codersdk.AIProviderTypeOpenAICompat),
+		string(codersdk.AIProviderTypeOpenrouter),
+		string(codersdk.AIProviderTypeVercel),
+	}
+}
+
+func isValidEnvAIProviderType(t string) bool {
+	for _, allowed := range envAIProviderTypes() {
+		if t == allowed {
+			return true
+		}
+	}
+	return false
+}
+
 // maxKeysPerProvider is the maximum number of keys allowed per
 // provider. This bounds the failover pool size and keeps the
 // configuration manageable.
diff --git a/cli/server_aibridge_internal_test.go b/cli/server_aibridge_internal_test.go
@@ -180,6 +180,59 @@ func TestReadAIProvidersFromEnv(t *testing.T) {
 			env:         []string{"CODER_AIBRIDGE_PROVIDER_0_TYPE=openai", "CODER_AIBRIDGE_PROVIDER_0_BEDROCK_REGION=us-west-2"},
 			errContains: "BEDROCK_* fields are only supported with TYPE",
 		},
+		{
+			name:        "BedrockFieldsOnAzure",
+			env:         []string{"CODER_AIBRIDGE_PROVIDER_0_TYPE=azure", "CODER_AIBRIDGE_PROVIDER_0_BEDROCK_REGION=us-west-2"},
+			errContains: "BEDROCK_* fields are only supported with TYPE",
+		},
+		{
+			// chatd providers map to their own ai_provider_type values
+			// at the env layer. Routing to a specific aibridge fantasy
+			// client (OpenAI for azure/google/openrouter/etc., Anthropic
+			// for bedrock) happens later in buildProvidersFromDB.
+			name: "ChatdProviderTypes",
+			env: []string{
+				"CODER_AIBRIDGE_PROVIDER_0_TYPE=azure",
+				"CODER_AIBRIDGE_PROVIDER_0_KEY=azure-key",
+				"CODER_AIBRIDGE_PROVIDER_1_TYPE=google",
+				"CODER_AIBRIDGE_PROVIDER_1_KEY=google-key",
+				"CODER_AIBRIDGE_PROVIDER_2_TYPE=openai-compat",
+				"CODER_AIBRIDGE_PROVIDER_2_KEY=compat-key",
+				"CODER_AIBRIDGE_PROVIDER_3_TYPE=openrouter",
+				"CODER_AIBRIDGE_PROVIDER_3_KEY=or-key",
+				"CODER_AIBRIDGE_PROVIDER_4_TYPE=vercel",
+				"CODER_AIBRIDGE_PROVIDER_4_KEY=vercel-key",
+			},
+			expected: []codersdk.AIProviderConfig{
+				{Type: string(codersdk.AIProviderTypeAzure), Name: string(codersdk.AIProviderTypeAzure), Keys: []string{"azure-key"}},
+				{Type: string(codersdk.AIProviderTypeGoogle), Name: string(codersdk.AIProviderTypeGoogle), Keys: []string{"google-key"}},
+				{Type: string(codersdk.AIProviderTypeOpenAICompat), Name: string(codersdk.AIProviderTypeOpenAICompat), Keys: []string{"compat-key"}},
+				{Type: string(codersdk.AIProviderTypeOpenrouter), Name: string(codersdk.AIProviderTypeOpenrouter), Keys: []string{"or-key"}},
+				{Type: string(codersdk.AIProviderTypeVercel), Name: string(codersdk.AIProviderTypeVercel), Keys: []string{"vercel-key"}},
+			},
+		},
+		{
+			// type=bedrock is its own provider type and accepts the
+			// BEDROCK_* fields directly. Operators migrating from
+			// chatd land here once the env-to-DB seed is in place.
+			name: "BedrockTypeWithCredentials",
+			env: []string{
+				"CODER_AIBRIDGE_PROVIDER_0_TYPE=bedrock",
+				"CODER_AIBRIDGE_PROVIDER_0_NAME=bedrock-direct",
+				"CODER_AIBRIDGE_PROVIDER_0_BEDROCK_REGION=us-west-2",
+				"CODER_AIBRIDGE_PROVIDER_0_BEDROCK_ACCESS_KEY=AKID",
+				"CODER_AIBRIDGE_PROVIDER_0_BEDROCK_ACCESS_KEY_SECRET=secret",
+			},
+			expected: []codersdk.AIProviderConfig{
+				{
+					Type:                    string(codersdk.AIProviderTypeBedrock),
+					Name:                    "bedrock-direct",
+					BedrockRegion:           "us-west-2",
+					BedrockAccessKeys:       []string{"AKID"},
+					BedrockAccessKeySecrets: []string{"secret"},
+				},
+			},
+		},
 		{
 			name: "IgnoresUnrelatedEnvVars",
 			env: []string{
diff --git a/coderd/ai_providers_migrate_test.go b/coderd/ai_providers_migrate_test.go
@@ -330,6 +330,71 @@ func TestSeedAIProvidersFromEnv(t *testing.T) {
 		require.Empty(t, keys, "Bedrock providers must not seed bearer keys")
 	})
 
+	t.Run("ChatdProviderTypesPersisted", func(t *testing.T) {
+		t.Parallel()
+		db, _ := dbtestutil.NewDB(t)
+		ctx := testutil.Context(t, testutil.WaitShort)
+		auditor := audit.NewMock()
+
+		// Indexed providers of every chatd-supported type, including
+		// the explicit bedrock type, persist with the matching
+		// ai_provider_type enum value. Routing to a specific aibridge
+		// fantasy client (OpenAI for azure/google/etc., Anthropic for
+		// bedrock) happens later in buildProvidersFromDB.
+		cfg := codersdk.AIBridgeConfig{
+			Providers: []codersdk.AIProviderConfig{
+				{Type: "azure", Name: "azure-prod", BaseURL: "https://az.example.com/v1", Keys: []string{"az-key"}},
+				{Type: "google", Name: "google-prod", BaseURL: "https://generativelanguage.googleapis.com/v1", Keys: []string{"g-key"}},
+				{Type: "openai-compat", Name: "compat-prod", BaseURL: "https://compat.example.com/v1", Keys: []string{"c-key"}},
+				{Type: "openrouter", Name: "or-prod", BaseURL: "https://openrouter.ai/api/v1", Keys: []string{"or-key"}},
+				{Type: "vercel", Name: "vercel-prod", BaseURL: "https://api.v0.dev", Keys: []string{"v-key"}},
+				{
+					// type=bedrock with explicit AWS credentials lands
+					// in ai_providers as type=bedrock and stores its
+					// credentials in the settings blob, not in
+					// ai_provider_keys.
+					Type:                    "bedrock",
+					Name:                    "bedrock-direct",
+					BaseURL:                 "https://bedrock-runtime.us-east-1.amazonaws.com/",
+					BedrockRegion:           "us-east-1",
+					BedrockAccessKeys:       []string{"AKIA"},
+					BedrockAccessKeySecrets: []string{"secret"},
+					BedrockModel:            "anthropic.claude-3-5-sonnet",
+				},
+			},
+		}
+		require.NoError(t, entcoderd.SeedAIProvidersFromEnv(ctx, db, cfg, auditor, testLogger(t)))
+
+		want := map[string]database.AIProviderType{
+			"azure-prod":     database.AiProviderTypeAzure,
+			"google-prod":    database.AiProviderTypeGoogle,
+			"compat-prod":    database.AiProviderTypeOpenaiCompat,
+			"or-prod":        database.AiProviderTypeOpenrouter,
+			"vercel-prod":    database.AiProviderTypeVercel,
+			"bedrock-direct": database.AiProviderTypeBedrock,
+		}
+		for name, dbType := range want {
+			row, err := db.GetAIProviderByName(ctx, name)
+			require.NoErrorf(t, err, "fetch %s", name)
+			require.Equalf(t, dbType, row.Type, "db type for %s", name)
+			require.Truef(t, row.Enabled, "%s should be enabled", name)
+
+			keys, err := db.GetAIProviderKeysByProviderID(ctx, row.ID)
+			require.NoErrorf(t, err, "fetch keys for %s", name)
+			if dbType == database.AiProviderTypeBedrock {
+				// Bedrock providers carry credentials in settings
+				// and must not seed bearer keys.
+				require.Emptyf(t, keys, "%s should have no bearer keys", name)
+				require.Truef(t, row.Settings.Valid, "%s should have settings", name)
+				require.Containsf(t, row.Settings.String, "AKIA", "%s settings should contain bedrock access key", name)
+				require.Containsf(t, row.Settings.String, "secret", "%s settings should contain bedrock secret", name)
+			} else {
+				require.Lenf(t, keys, 1, "%s should have one bearer key", name)
+				require.Falsef(t, row.Settings.Valid, "%s should have no settings blob", name)
+			}
+		}
+	})
+
 	t.Run("LegacyAndIndexedSameNameConflict", func(t *testing.T) {
 		t.Parallel()
 		db, _ := dbtestutil.NewDB(t)
