mirror of
https://github.com/KeygraphHQ/shannon.git
synced 2026-07-09 06:38:09 +02:00
feat: remove Google Vertex AI provider support
This commit is contained in:
@@ -14,12 +14,12 @@
|
||||
*
|
||||
* Users override per tier via ANTHROPIC_SMALL_MODEL / ANTHROPIC_MEDIUM_MODEL /
|
||||
* ANTHROPIC_LARGE_MODEL, which works across all providers (Anthropic, Bedrock,
|
||||
* Vertex, custom base URL).
|
||||
* custom base URL).
|
||||
*
|
||||
* Resolution returns a pi `Model` object via `ModelRegistry.find`, plus the
|
||||
* `thinkingLevel` and an `AuthStorage` primed with runtime credentials. Bedrock
|
||||
* and Vertex authenticate from the process environment (the AWS_ and GOOGLE_ vars
|
||||
* the CLI forwards), so they need no runtime API key.
|
||||
* authenticates from the process environment (the AWS_ vars the CLI forwards), so
|
||||
* it needs no runtime API key.
|
||||
*/
|
||||
|
||||
import type { ThinkingLevel } from '@earendil-works/pi-agent-core';
|
||||
@@ -40,8 +40,6 @@ function piProviderId(providerConfig?: ProviderConfig): string {
|
||||
switch (providerConfig?.providerType) {
|
||||
case 'bedrock':
|
||||
return 'amazon-bedrock';
|
||||
case 'vertex':
|
||||
return 'google-vertex';
|
||||
default:
|
||||
// 'anthropic_api', 'custom_base_url', or unset all resolve to the anthropic
|
||||
// provider; custom_base_url overrides baseUrl/auth below.
|
||||
@@ -94,8 +92,8 @@ export interface ModelSelection {
|
||||
* → ANTHROPIC_API_KEY env. OAuth (CLAUDE_CODE_OAUTH_TOKEN) is read from env by pi.
|
||||
* - Custom base URL (custom_base_url): the auth token is set as the anthropic
|
||||
* runtime key and the model's baseUrl is overridden.
|
||||
* - Bedrock / Vertex: authenticate from the process environment (the AWS_ and
|
||||
* GOOGLE_ vars), no runtime key needed.
|
||||
* - Bedrock: authenticates from the process environment (the AWS_ vars), no
|
||||
* runtime key needed.
|
||||
*/
|
||||
export function resolveModelSelection(
|
||||
registryFactory: (authStorage: AuthStorage) => ModelRegistry,
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
* 1. Repository path exists and contains .git
|
||||
* 2. Config file parses and validates (if provided)
|
||||
* 3. code_path rules match real entries in the repo (filesystem only)
|
||||
* 4. Credentials validate via Claude Agent SDK query (API key, OAuth, Bedrock, or Vertex AI)
|
||||
* 4. Credentials validate via a minimal pi session (API key, OAuth, or Bedrock)
|
||||
* 5. Target URL resolves, is not link-local (cloud metadata), and is reachable (DNS + HTTP)
|
||||
*/
|
||||
|
||||
@@ -405,62 +405,11 @@ async function validateCredentials(
|
||||
return ok(undefined);
|
||||
}
|
||||
|
||||
// 3. Vertex AI mode — validate required GCP credentials are present
|
||||
if (process.env.CLAUDE_CODE_USE_VERTEX === '1') {
|
||||
const required = [
|
||||
'CLOUD_ML_REGION',
|
||||
'ANTHROPIC_VERTEX_PROJECT_ID',
|
||||
'ANTHROPIC_SMALL_MODEL',
|
||||
'ANTHROPIC_MEDIUM_MODEL',
|
||||
'ANTHROPIC_LARGE_MODEL',
|
||||
];
|
||||
const missing = required.filter((v) => !process.env[v]);
|
||||
if (missing.length > 0) {
|
||||
return err(
|
||||
new PentestError(
|
||||
`Vertex AI mode requires the following env vars in .env: ${missing.join(', ')}`,
|
||||
'config',
|
||||
false,
|
||||
{ missing },
|
||||
ErrorCode.AUTH_FAILED,
|
||||
),
|
||||
);
|
||||
}
|
||||
// Validate service account credentials file is accessible
|
||||
const credPath = process.env.GOOGLE_APPLICATION_CREDENTIALS;
|
||||
if (!credPath) {
|
||||
return err(
|
||||
new PentestError(
|
||||
'Vertex AI mode requires GOOGLE_APPLICATION_CREDENTIALS pointing to a service account key JSON file',
|
||||
'config',
|
||||
false,
|
||||
{},
|
||||
ErrorCode.AUTH_FAILED,
|
||||
),
|
||||
);
|
||||
}
|
||||
try {
|
||||
await fs.access(credPath);
|
||||
} catch {
|
||||
return err(
|
||||
new PentestError(
|
||||
`Service account key file not found at: ${credPath}`,
|
||||
'config',
|
||||
false,
|
||||
{ credPath },
|
||||
ErrorCode.AUTH_FAILED,
|
||||
),
|
||||
);
|
||||
}
|
||||
logger.info('Vertex AI credentials OK');
|
||||
return ok(undefined);
|
||||
}
|
||||
|
||||
// 4. Check that at least one credential is present
|
||||
// 3. Check that at least one credential is present
|
||||
if (!process.env.ANTHROPIC_API_KEY && !process.env.CLAUDE_CODE_OAUTH_TOKEN && !process.env.ANTHROPIC_AUTH_TOKEN) {
|
||||
return err(
|
||||
new PentestError(
|
||||
'No API credentials found. Set ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN in .env (or use CLAUDE_CODE_USE_BEDROCK=1 for AWS Bedrock, or CLAUDE_CODE_USE_VERTEX=1 for Google Vertex AI)',
|
||||
'No API credentials found. Set ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN in .env (or use CLAUDE_CODE_USE_BEDROCK=1 for AWS Bedrock)',
|
||||
'config',
|
||||
false,
|
||||
{},
|
||||
@@ -469,7 +418,7 @@ async function validateCredentials(
|
||||
);
|
||||
}
|
||||
|
||||
// 5. Validate via a minimal pi session
|
||||
// 4. Validate via a minimal pi session
|
||||
const authType = process.env.CLAUDE_CODE_OAUTH_TOKEN ? 'OAuth token' : 'API key';
|
||||
logger.info(`Validating ${authType} via pi...`);
|
||||
const probe = await probeCredentialsWithPi(authType);
|
||||
@@ -606,7 +555,7 @@ async function validateTargetUrl(targetUrl: string, logger: ActivityLogger): Pro
|
||||
* 1. Repository path exists and contains .git
|
||||
* 2. Config file parses and validates (if configPath provided)
|
||||
* 3. code_path rules match at least one entry in the repo (skipped without config)
|
||||
* 4. Credentials validate (API key, OAuth, Bedrock, or Vertex AI)
|
||||
* 4. Credentials validate (API key, OAuth, or Bedrock)
|
||||
* 5. Target URL is reachable from the container
|
||||
*
|
||||
* Returns on first failure.
|
||||
|
||||
@@ -459,7 +459,7 @@ export async function runReportAgent(input: ActivityInput): Promise<AgentMetrics
|
||||
* Runs cheap checks before any agent execution:
|
||||
* 1. Repository path exists with .git
|
||||
* 2. Config file validates (if provided)
|
||||
* 3. Credential validation (API key, OAuth, Bedrock, or Vertex AI)
|
||||
* 3. Credential validation (API key, OAuth, or Bedrock)
|
||||
* 4. Target URL reachable from the container
|
||||
*
|
||||
* NOT using runAgentActivity — preflight doesn't run an agent via the SDK.
|
||||
|
||||
@@ -28,7 +28,7 @@ export interface PipelineInput {
|
||||
sastSarifPath?: string; // Optional path for consumer-supplied findings input
|
||||
checkpointsEnabled?: boolean; // Enable checkpoint activities (default: false)
|
||||
skipGitCheck?: boolean; // Skip .git directory validation in preflight (e.g. when .git is removed after clone)
|
||||
providerConfig?: ProviderConfig; // LLM provider configuration (Bedrock, Vertex, etc.)
|
||||
providerConfig?: ProviderConfig; // LLM provider configuration (Bedrock, custom base URL, etc.)
|
||||
vulnClasses?: VulnClass[]; // omitted = all five
|
||||
exploit?: boolean; // false skips the exploitation phase
|
||||
}
|
||||
|
||||
@@ -95,7 +95,7 @@ export interface DistributedConfig {
|
||||
* LLM provider configuration for multi-provider support.
|
||||
*
|
||||
* Resolved by the pi model/provider layer at execution time. Recognized
|
||||
* providerType values: 'bedrock', 'vertex', 'custom_base_url', 'anthropic_api'.
|
||||
* providerType values: 'bedrock', 'custom_base_url', 'anthropic_api'.
|
||||
* When omitted or 'anthropic_api', falls back to apiKey + ANTHROPIC_API_KEY.
|
||||
*/
|
||||
export interface ProviderConfig {
|
||||
@@ -104,9 +104,6 @@ export interface ProviderConfig {
|
||||
readonly awsRegion?: string;
|
||||
readonly awsAccessKeyId?: string;
|
||||
readonly awsSecretAccessKey?: string;
|
||||
readonly gcpRegion?: string;
|
||||
readonly gcpProjectId?: string;
|
||||
readonly gcpCredentialsPath?: string;
|
||||
readonly baseUrl?: string;
|
||||
readonly authToken?: string;
|
||||
readonly modelOverrides?: Record<string, string>;
|
||||
|
||||
Reference in New Issue
Block a user