@juspay/neurolink 7.29.0 → 7.29.2

package/dist/providers/aws/credentialTester.js

@@ -0,0 +1,394 @@
+/**
+ * AWS Credential Testing Utilities for NeuroLink
+ *
+ * Provides comprehensive validation and debugging capabilities for AWS credentials
+ * to ensure compatibility with Bedrock-MCP-Connector authentication patterns.
+ */
+import { BedrockClient, ListFoundationModelsCommand, } from "@aws-sdk/client-bedrock";
+import { logger } from "../../utils/logger.js";
+/**
+ * Helper function to safely extract comprehensive error information from AWS errors
+ * This centralizes error extraction and captures AWS SDK v3 name, statusCode, and requestId
+ * Enhanced to handle multiple AWS SDK error formats and edge cases
+ */
+function extractAwsErrorInfo(error) {
+    const result = {};
+    if (typeof error === "object" && error !== null) {
+        const awsError = error; // Use AWSError interface to handle various error shapes
+        // Extract error code with comprehensive fallbacks
+        // AWS SDK v2: error.code, error.Code
+        // AWS SDK v3: error.name, error.Code, error.code
+        // Some services: error.errorCode, error.ErrorCode
+        result.code =
+            awsError.Code ||
+                awsError.code ||
+                awsError.errorCode ||
+                awsError.ErrorCode ||
+                awsError.name; // AWS SDK v3 often uses name as error code
+        // Extract error name with fallbacks
+        // AWS SDK v3: error.name is primary
+        // Some errors: error.errorType, error.ErrorType
+        // Fallback to constructor name
+        result.name =
+            awsError.name ||
+                awsError.errorType ||
+                awsError.ErrorType ||
+                awsError.constructor?.name;
+        // Extract error message with fallbacks
+        // Standard: error.message
+        // Some services: error.Message, error.errorMessage
+        result.message =
+            awsError.message ||
+                awsError.Message ||
+                awsError.errorMessage ||
+                String(error); // Last resort stringification
+        // Extract metadata with multiple patterns
+        // AWS SDK v3: error.$metadata
+        // Some services: error.metadata, error.$response
+        const metadata = awsError.$metadata || awsError.metadata || awsError.$response;
+        if (metadata && typeof metadata === "object") {
+            const metadataObj = metadata;
+            result.statusCode =
+                metadataObj.httpStatusCode ||
+                    metadataObj.statusCode ||
+                    metadataObj.status;
+            result.requestId =
+                metadataObj.requestId ||
+                    metadataObj.RequestId ||
+                    metadataObj.request_id ||
+                    metadataObj["x-amzn-requestid"]; // Common response header
+        }
+        // Handle wrapped errors (common in AWS SDK v3)
+        // Sometimes the actual error is nested in error.cause or error.$fault
+        if (!result.code && (awsError.cause || awsError.$fault)) {
+            const nestedError = awsError.cause || awsError.$fault;
+            const nestedInfo = extractAwsErrorInfo(nestedError);
+            // Merge nested error info, preferring current level
+            result.code = result.code || nestedInfo.code;
+            result.name = result.name || nestedInfo.name;
+            result.message = result.message || nestedInfo.message;
+            result.statusCode = result.statusCode || nestedInfo.statusCode;
+            result.requestId = result.requestId || nestedInfo.requestId;
+        }
+    }
+    // Handle primitive error types (strings, etc.)
+    if (!result.message && error) {
+        result.message = String(error);
+    }
+    return result;
+}
+/**
+ * Credential testing and validation utility class
+ */
+export class CredentialTester {
+    /**
+     * Validate AWS credentials and detect their source
+     */
+    static async validateCredentials(provider) {
+        const startTime = Date.now();
+        try {
+            // Get credentials from provider
+            const credentials = await provider.getCredentials();
+            const config = provider.getConfig();
+            // Detect credential source based on available information
+            const credentialSource = await this.detectCredentialSource(credentials, config);
+            const result = {
+                isValid: true,
+                credentialSource,
+                region: config.region,
+                hasExpiration: !!credentials.expiration,
+                expirationTime: credentials.expiration,
+                debugInfo: {
+                    accessKeyId: credentials.accessKeyId.substring(0, 8) + "***",
+                    hasSessionToken: !!credentials.sessionToken,
+                    providerConfig: config,
+                },
+            };
+            logger.debug("Credential validation successful", {
+                source: credentialSource,
+                region: config.region,
+                validationTimeMs: Date.now() - startTime,
+            });
+            return result;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            logger.error("Credential validation failed", {
+                error: errorMessage,
+                validationTimeMs: Date.now() - startTime,
+            });
+            return {
+                isValid: false,
+                credentialSource: "unknown",
+                region: provider.getConfig().region,
+                hasExpiration: false,
+                error: errorMessage,
+                debugInfo: {
+                    accessKeyId: "unavailable",
+                    hasSessionToken: false,
+                    providerConfig: provider.getConfig(),
+                },
+            };
+        }
+    }
+    /**
+     * Test AWS Bedrock service connectivity
+     */
+    static async testBedrockConnectivity(provider, region) {
+        const startTime = Date.now();
+        const testRegion = region || provider.getConfig().region;
+        logger.debug("Starting Bedrock connectivity test", {
+            region: testRegion,
+            providerConfig: provider.getConfig(),
+        });
+        try {
+            // First, get credentials to see what we're working with
+            const credentials = await provider.getCredentials();
+            logger.debug("Got credentials for Bedrock test", {
+                accessKeyId: credentials.accessKeyId.substring(0, 8) + "***",
+                hasSessionToken: !!credentials.sessionToken,
+                hasExpiration: !!credentials.expiration,
+                expiration: credentials.expiration?.toISOString(),
+                credentialType: credentials.accessKeyId?.startsWith("ASIA")
+                    ? "temporary"
+                    : "long-term",
+            });
+            // Create Bedrock client with credential provider (use BedrockClient for listing models)
+            logger.debug("Creating BedrockClient", {
+                region: testRegion,
+                credentialProviderType: typeof provider.getCredentialProvider(),
+            });
+            const bedrockClient = new BedrockClient({
+                region: testRegion,
+                credentials: provider.getCredentialProvider(),
+                maxAttempts: provider.getConfig().maxAttempts || 3,
+            });
+            logger.debug("BedrockClient created, sending ListFoundationModelsCommand");
+            // Test connectivity by listing foundation models
+            const command = new ListFoundationModelsCommand({});
+            const ctrl = new AbortController();
+            const timeoutId = setTimeout(() => ctrl.abort(), provider.getConfig().timeout || 15000);
+            let response;
+            try {
+                response = await bedrockClient.send(command, {
+                    abortSignal: ctrl.signal,
+                });
+            }
+            finally {
+                clearTimeout(timeoutId);
+            }
+            logger.debug("ListFoundationModelsCommand response received", {
+                hasModelSummaries: !!response.modelSummaries,
+                modelCount: response.modelSummaries?.length || 0,
+                responseMetadata: response.$metadata,
+            });
+            const models = response.modelSummaries || [];
+            const responseTime = Date.now() - startTime;
+            const result = {
+                bedrockAccessible: true,
+                availableModels: models.length,
+                responseTimeMs: responseTime,
+                sampleModels: models
+                    .slice(0, 5)
+                    .map((model) => model.modelId || "unknown"),
+            };
+            logger.debug("Bedrock connectivity test successful", {
+                region: testRegion,
+                modelsFound: models.length,
+                responseTimeMs: responseTime,
+                sampleModels: result.sampleModels,
+            });
+            return result;
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const responseTime = Date.now() - startTime;
+            const { code, statusCode, requestId } = extractAwsErrorInfo(error);
+            logger.error("Bedrock connectivity test failed", {
+                region: testRegion,
+                error: errorMessage,
+                errorType: error instanceof Error ? error.constructor.name : "unknown",
+                errorCode: code,
+                statusCode,
+                requestId,
+                stack: error instanceof Error ? error.stack : "no stack trace",
+                responseTimeMs: responseTime,
+            });
+            return {
+                bedrockAccessible: false,
+                availableModels: 0,
+                responseTimeMs: responseTime,
+                error: errorMessage,
+                sampleModels: [],
+            };
+        }
+    }
+    /**
+     * Perform comprehensive credential and service testing
+     */
+    static async runComprehensiveTest(provider, testRegions = ["us-east-1", "us-west-2"]) {
+        logger.debug("Starting comprehensive AWS credential and connectivity test");
+        // Test credential validation
+        const credentialValidation = await this.validateCredentials(provider);
+        // Test connectivity across multiple regions (in parallel)
+        const connectivityTests = await Promise.all(testRegions.map(async (region) => {
+            try {
+                const result = await this.testBedrockConnectivity(provider, region);
+                return { region, result };
+            }
+            catch (error) {
+                const errorMessage = error instanceof Error ? error.message : String(error);
+                return {
+                    region,
+                    result: {
+                        bedrockAccessible: false,
+                        availableModels: 0,
+                        responseTimeMs: 0,
+                        error: errorMessage,
+                        sampleModels: [],
+                    },
+                };
+            }
+        }));
+        // Determine overall status
+        let overallStatus;
+        let summary;
+        if (!credentialValidation.isValid) {
+            overallStatus = "failed";
+            summary = `Credential validation failed: ${credentialValidation.error}`;
+        }
+        else {
+            const successfulConnections = connectivityTests.filter((test) => test.result.bedrockAccessible).length;
+            if (successfulConnections === testRegions.length) {
+                overallStatus = "success";
+                summary = `All tests passed. Credentials valid, Bedrock accessible in ${successfulConnections}/${testRegions.length} regions.`;
+            }
+            else if (successfulConnections > 0) {
+                overallStatus = "partial";
+                summary = `Partial success. Credentials valid, Bedrock accessible in ${successfulConnections}/${testRegions.length} regions.`;
+            }
+            else {
+                overallStatus = "failed";
+                summary = `Credentials valid but Bedrock inaccessible in all tested regions.`;
+            }
+        }
+        logger.info("Comprehensive test completed", {
+            overallStatus,
+            credentialSource: credentialValidation.credentialSource,
+            successfulConnections: connectivityTests.filter((test) => test.result.bedrockAccessible).length,
+            totalRegionsTested: testRegions.length,
+        });
+        return {
+            credentialValidation,
+            connectivityTests,
+            overallStatus,
+            summary,
+        };
+    }
+    /**
+     * Detect the source of AWS credentials based on credential properties and environment
+     */
+    static async detectCredentialSource(credentials, config) {
+        // Check for environment variables (static creds)
+        if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) {
+            return credentials.sessionToken
+                ? "Environment Variables (with session token)"
+                : "Environment Variables";
+        }
+        // Explicit env‐based sources first
+        if (process.env.AWS_WEB_IDENTITY_TOKEN_FILE) {
+            return "Web Identity Token";
+        }
+        if (process.env.AWS_CREDENTIAL_PROCESS) {
+            return "Credential Process";
+        }
+        // Check for role‐based credentials (temporary credentials with session token)
+        if (credentials.sessionToken && credentials.expiration) {
+            // Prefer explicit hints first
+            if (config.roleArn) {
+                return "STS Assume Role";
+            }
+            // Enhanced container detection
+            if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ||
+                process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI) {
+                // Detect specific container environments
+                if (process.env.AWS_EXECUTION_ENV === "AWS_ECS_FARGATE") {
+                    return "Container Credentials (ECS Fargate)";
+                }
+                if (process.env.AWS_EXECUTION_ENV === "AWS_ECS_EC2") {
+                    return "Container Credentials (ECS)";
+                }
+                return "Container Credentials (ECS)";
+            }
+            // Enhanced Lambda detection
+            if (process.env.AWS_LAMBDA_FUNCTION_NAME) {
+                return "Lambda Execution Role";
+            }
+            // Enhanced EC2 detection
+            if (process.env.AWS_EXECUTION_ENV?.includes("EC2")) {
+                return "Instance Metadata (EC2)";
+            }
+            // Enhanced EKS detection
+            if (process.env.KUBERNETES_SERVICE_HOST) {
+                return "Service Account (EKS)";
+            }
+            return "Temporary Credentials (IAM Role)";
+        }
+        // SSO (env‐configured)
+        if (process.env.AWS_SSO_START_URL || process.env.AWS_SSO_REGION) {
+            return "AWS SSO";
+        }
+        // Check for profile‐based credentials
+        if (config.profile !== "default") {
+            return `AWS Profile (${config.profile})`;
+        }
+        if (process.env.AWS_PROFILE) {
+            return `AWS Profile (${process.env.AWS_PROFILE})`;
+        }
+        // Default fallback
+        return "AWS Credentials File";
+    }
+    /**
+     * Get credential source name for debugging
+     */
+    static async getCredentialSource(provider) {
+        try {
+            const credentials = await provider.getCredentials();
+            const config = provider.getConfig();
+            return await this.detectCredentialSource(credentials, config);
+        }
+        catch {
+            return "Unable to determine credential source";
+        }
+    }
+    /**
+     * Test credential refresh functionality
+     */
+    static async testCredentialRefresh(provider) {
+        const startTime = Date.now();
+        try {
+            await provider.refreshCredentials();
+            const refreshTime = Date.now() - startTime;
+            logger.debug("Credential refresh test successful", {
+                refreshTimeMs: refreshTime,
+            });
+            return {
+                refreshSuccessful: true,
+                refreshTimeMs: refreshTime,
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const refreshTime = Date.now() - startTime;
+            logger.error("Credential refresh test failed", {
+                error: errorMessage,
+                refreshTimeMs: refreshTime,
+            });
+            return {
+                refreshSuccessful: false,
+                refreshTimeMs: refreshTime,
+                error: errorMessage,
+            };
+        }
+    }
+}

package/dist/providers/googleVertex.js

@@ -105,10 +105,10 @@ const createVertexSettings = async () => {
             // Silent error handling for runtime credentials file creation
         }
     }
-    // 🎯 OPTION 1: Check for principal account authentication (existing flow with debug logs)
+    // 🎯 OPTION 1: Check for principal account authentication (Accept any valid GOOGLE_APPLICATION_CREDENTIALS file (service account OR ADC))
     if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {
         const credentialsPath = process.env.GOOGLE_APPLICATION_CREDENTIALS;
-        // 🚨 CRITICAL FIX: Check if the credentials file actually exists
+        // Check if the credentials file exists
         let fileExists = false;
         try {
             fileExists = fs.existsSync(credentialsPath);
@@ -1115,8 +1115,9 @@ export class GoogleVertexProvider extends BaseProvider {
                 method: authValidation.method,
                 issues: authValidation.issues,
                 solutions: [
-                    "Option 1: Set GOOGLE_APPLICATION_CREDENTIALS to valid service account file",
+                    "Option 1: Set GOOGLE_APPLICATION_CREDENTIALS to valid service account OR ADC file",
                     "Option 2: Set individual env vars: GOOGLE_AUTH_CLIENT_EMAIL, GOOGLE_AUTH_PRIVATE_KEY",
+                    "Option 3: Use gcloud auth application-default login for ADC",
                     "Documentation: https://cloud.google.com/docs/authentication/provide-credentials-adc",
                 ],
             });
@@ -1268,8 +1269,16 @@ export class GoogleVertexProvider extends BaseProvider {
                             result.method = "service_account_file";
                             return result;
                         }
+                        else if (credentials.client_id &&
+                            credentials.client_secret &&
+                            credentials.refresh_token &&
+                            credentials.type !== "service_account") {
+                            result.isValid = true;
+                            result.method = "application_default_credentials";
+                            return result;
+                        }
                         else {
-                            result.issues.push("Service account file missing required fields");
+                            result.issues.push("Credentials file missing required fields (not service account or ADC format)");
                         }
                     }
                     else {

package/dist/proxy/awsProxyIntegration.d.ts

@@ -0,0 +1,23 @@
+/**
+ * AWS SDK Global Agent Configuration for Proxy Support
+ * Configures Node.js global HTTP/HTTPS agents to work with AWS SDK
+ * Ensures BedrockRuntimeClient and other AWS services respect proxy settings
+ */
+/**
+ * Configure global Node.js agents for AWS SDK proxy support
+ * This ensures BedrockRuntimeClient and other AWS SDK clients respect proxy settings
+ */
+export declare function configureAWSProxySupport(): Promise<void>;
+/**
+ * Create a proxy-aware HTTP handler for AWS SDK clients
+ * This is the proper way to inject proxy support into AWS SDK v3 clients
+ */
+export declare function createAWSProxyHandler(targetUrl?: string): Promise<unknown | null>;
+/**
+ * Clean up global agents (for testing or shutdown)
+ */
+export declare function cleanupAWSProxySupport(): Promise<void>;
+/**
+ * Test AWS endpoint connectivity through proxy
+ */
+export declare function testAWSProxyConnectivity(): Promise<boolean>;