
#19841: feat: add Amazon Bedrock as first-class onboarding provider

by elbeyf open 2026-02-18 07:14
commands size: M
## Summary

- **Problem:** Bedrock was the only major provider requiring manual config file editing — users had to understand AWS credential chains, IAM, and manually specify model IDs. No onboarding wizard support.
- **Why it matters:** Bedrock is a common enterprise choice (especially for Claude via AWS). The friction gap vs OpenAI/Anthropic was significant and a reported pain point.
- **What changed:** Added Bedrock to the onboarding auth-choice flow. Users now enter a single bearer token (`AWS_BEARER_TOKEN_BEDROCK`), optionally pick a model from a live-discovered list, and are done. Bedrock appears 3rd in the provider list (after OpenAI + Anthropic).
- **What did NOT change:** Existing AWS SDK credential chain auth (env vars, `~/.aws`, IAM roles) still works as before. No changes to the Bedrock runtime/converse-stream integration. No changes to `bedrock-discovery.ts` used elsewhere.

## Change Type (select all)

- [ ] Bug fix
- [x] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [x] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [x] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Closes # *(none — motivated by UX feedback)*

## User-visible / Behavior Changes

- Amazon Bedrock now appears in `openclaw onboard` and `openclaw configure` provider list at **position 3** (after OpenAI, Anthropic)
- New auth choice: `--auth-choice bedrock-api-key`
- Onboarding prompts for a single API key (bearer token `AWS_BEARER_TOKEN_BEDROCK`), defaults region to `us-east-1`, defaults model to `us.anthropic.claude-opus-4-6-v1` (cross-region inference profile)
- Optional model picker shows full list of inference profiles (`us.*`, `eu.*`) + foundation models via `ListInferenceProfilesCommand` + `ListFoundationModelsCommand`
- Duplicate generic model picker step is skipped in the onboard wizard after Bedrock setup

## Security Impact (required)

- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `Yes` — `AWS_BEARER_TOKEN_BEDROCK` and `AWS_REGION` are written to the shared `.env` file (gitignored, same mechanism used by all other providers for API key persistence)
- New/changed network calls? `Yes` — calls `ListInferenceProfilesCommand` and `ListFoundationModelsCommand` during onboarding model picker (only when user selects "Change it?"). Both are read-only AWS Bedrock API calls.
- Command/tool execution surface changed? `No`
- Data access scope changed? `No`
- **Risk + mitigation:** API key stored in `.env` — same risk profile as all other providers. Gitignored, consistent with existing pattern. `ListInferenceProfiles` call wrapped in try/catch; falls back gracefully to foundation models then hardcoded default if unavailable.

## Repro + Verification

### Environment

- OS: Linux (WSL2 / Ubuntu)
- Runtime: Node v24
- Model/provider: Amazon Bedrock / `us.anthropic.claude-opus-4-6-v1`
- Integration: Telegram

### Steps

1. Run `openclaw onboard`
2. Select **Amazon Bedrock** (position 3 in provider list)
3. Enter Bedrock bearer token when prompted
4. At "Default model: Claude Opus 4.6. Change it?" — select **No**
5. Complete onboarding

### Expected

- Onboarding completes, `AWS_BEARER_TOKEN_BEDROCK` saved to `.env`, `amazon-bedrock` provider config written, `bedrockDiscovery` enabled

### Actual

- ✅ Works as expected. Model set to `amazon-bedrock/us.anthropic.claude-opus-4-6-v1`.

## Evidence

- [x] Trace/log snippets
- Manually tested full onboarding flow end-to-end: fresh key, existing key (keep/replace), model picker with full inference profile list, default model path, `--auth-choice bedrock-api-key` CLI flag
- `pnpm build` passes with 0 type errors, 0 lint errors

## Human Verification (required)

- **Verified scenarios:** Fresh onboarding (no existing key), existing key detection + keep/replace flow, model picker showing `us.*`/`eu.*` inference profiles, default model (no change), CLI flag `--auth-choice bedrock-api-key`
- **Edge cases checked:** Discovery failure gracefully falls back to Opus 4.6 with a note; `ListInferenceProfiles` unavailability handled; region defaults correctly
- **What I did not verify:** Non-bearer-token AWS SDK auth paths (unchanged code path), EU-region inference profiles end-to-end against live AWS

## Compatibility / Migration

- Backward compatible? `Yes`
- Config/env changes? `No` (additive only)
- Migration needed? `No`

## Failure Recovery (if this breaks)

- How to disable/revert: Remove the `amazon-bedrock` provider block from `models.json` config; revert 2 commits (`feafcc2f8`, `33c6fe072`)
- Files/config to restore: `src/commands/onboard-auth.config-bedrock.ts` (delete), revert changes in `auth-choice-options.ts`, `auth-choice.apply.api-providers.ts`, `onboard-types.ts`, `onboarding.ts`
- Known bad symptoms: Onboarding wizard shows Bedrock option but key prompt fails — check `AWS_BEARER_TOKEN_BEDROCK` in `.env`

## Risks and Mitigations

- Risk: `ListInferenceProfilesCommand` may not be available in all AWS accounts/regions
  - Mitigation: Wrapped in try/catch; falls back to `ListFoundationModelsCommand`, then to hardcoded default `us.anthropic.claude-opus-4-6-v1`
- Risk: Bearer token format/expiry varies by AWS setup
  - Mitigation: Same handling as all other API keys — user re-runs `openclaw onboard` to update

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Adds Amazon Bedrock as a first-class onboarding provider (position 3, after OpenAI and Anthropic). Users can now configure Bedrock through the interactive wizard with a single bearer token, optional model picker via live AWS API discovery, and automatic provider config. The implementation follows existing patterns well.

- **Type additions**: `bedrock-api-key` auth choice and `bedrock` group ID added to the type system
- **Auth flow**: Handles CLI flags, existing key detection, and interactive prompt — consistent with other providers
- **Model discovery**: Lists inference profiles and foundation models via AWS SDK, with graceful fallback on failure
- **Onboarding skip**: Bedrock correctly bypasses the generic model picker since it has its own inline model selection
- **Issue**: `setBedrockApiKey` unconditionally overwrites the AWS region to `us-east-1` in both the shared `.env` and `process.env`, even when the user already has a different region configured. This could disrupt users with multi-region AWS setups. The existing `resolveBedrockRegion` helper already implements the correct precedence logic but isn't used in `setBedrockApiKey`.

<h3>Confidence Score: 3/5</h3>

- Mostly safe to merge, but the unconditional region overwrite in setBedrockApiKey could cause issues for existing AWS users.
- The PR follows established patterns and the overall structure is sound. The single issue — unconditionally overwriting AWS_REGION to us-east-1 — is a real concern for enterprise users who may have AWS configured for a different region, but the impact is limited to the shared .env file and can be worked around.
- Pay close attention to `src/commands/onboard-auth.config-bedrock.ts` — the `setBedrockApiKey` function's region handling needs review.

<sub>Last reviewed commit: feafcc2</sub>

<!-- greptile_other_comments_section -->

<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))

<!-- /greptile_comment -->
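The region-overwrite concern raised in the review summary above, shown as an added TypeScript example that is not code from this PR or the OpenClaw project: a `.env` update that always writes the token but changes `AWS_REGION` only when asked to or when none is configured. The function names, the precedence order (explicit choice, then process environment, then existing `.env`, then default) and the sample values are assumptions.

```typescript
// Added example; every name here is hypothetical, not taken from the OpenClaw code base.
type Env = Record<string, string | undefined>;

const DEFAULT_REGION = "us-east-1"; // the default region the PR description states

// Parse KEY=VALUE lines of a .env file; comments and blank lines are skipped.
function parseDotenv(text: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m) out.set(m[1] ?? "", (m[2] ?? "").trim());
  }
  return out;
}

// Assumed precedence: explicit choice > process env > existing .env > default.
function pickRegion(explicit: string | undefined, env: Env, dotenv: Map<string, string>): string {
  const candidates = [explicit, env["AWS_REGION"], env["AWS_DEFAULT_REGION"], dotenv.get("AWS_REGION")];
  return candidates.find((v) => v !== undefined && v.trim() !== "")?.trim() ?? DEFAULT_REGION;
}

// Replace or append one key, leaving every other line (comments included) untouched.
function upsert(text: string, key: string, value: string): string {
  const lines = text === "" ? [] : text.replace(/\n$/, "").split("\n");
  const idx = lines.findIndex((l) => new RegExp(`^\\s*${key}\\s*=`).test(l));
  if (idx >= 0) lines[idx] = `${key}=${value}`;
  else lines.push(`${key}=${value}`);
  return lines.join("\n") + "\n";
}

// The token is always written; the region keeps any value the user already configured.
function applyBedrockEnv(dotenvText: string, token: string, env: Env, explicitRegion?: string): string {
  // A line break in the token would let it add extra variables to the shared file.
  if (/[\r\n]/.test(token)) throw new Error("token must not contain line breaks");
  const region = pickRegion(explicitRegion, env, parseDotenv(dotenvText));
  return upsert(upsert(dotenvText, "AWS_BEARER_TOKEN_BEDROCK", token), "AWS_REGION", region);
}

// Constructed sample: a user whose shared .env already targets eu-west-1.
const existing = "# shared env\nOTHER_PROVIDER_KEY=constructed-value\nAWS_REGION=eu-west-1\n";
const updated = applyBedrockEnv(existing, "constructed-token", {});
```

Because the shared `.env` now holds a bearer token, the file's permissions and its gitignore entry are worth checking alongside the region handling.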
