feat: byok-observability for aibridge

[evgeniy-scherbina]

Summary

Records credential metadata on each AI Bridge interception, enabling admins to see how requests were authenticated and identify which credential was used.

Each provider's CreateInterceptor now captures two new fields on the interceptor:

• credential_kind: centralized, personal_api_key, or subscription
• credential_hint: masked credential for audit (e.g. sk-a...(13)...efgh)

Changes

• Extended Interceptor interface with SetCredential, CredentialKind, and CredentialHint, backed by an embeddable CredentialFields helper
• Each provider sets credential metadata in CreateInterceptor:
  • OpenAI: centralized (admin key) or personal (Bearer token)
  • Anthropic: centralized, personal_api_key (X-Api-Key), or subscription (Bearer token)
  • Copilot: always subscription
• Improved MaskSecret to embed hidden character count (e.g. sk-a...(13)...efgh instead of sk-a*************efgh)

Relates to coder/coder#23808

[evgeniy-scherbina]

CredentialKindSubscription makes sense for Copilot?

[ssncferreira]

Was also thinking the same 🤔 I think subscription is not a really generic term and doesn't quite apply to copilot. Since for the header X-API-Key we use the term api_key, why not something like auth_token?

[evgeniy-scherbina]

I think subscription is widely used term, e.g.:

• https://docs.litellm.ai/docs/tutorials/claude_code_max_subscription
• https://docs.litellm.ai/docs/providers/chatgpt
• I heavily use it documentation PR: docs: add byok docs for aibridge coder#23922
• Copilot also uses subscription term, see: https://github.com/settings/copilot/features
  • You currently have an active Copilot Pro subscription.

Now I started to think it's probably fine to use this term?

---

auth_token sounds good, but I think not everyone can link auth_token to Claude Pro/Max or ChatGPT Pro/Plus subscriptions. So it maybe a bit confusing for auditors?

---

I wouldn't rely on headers, X-API-Key is used by Anthropic. But OpenAI uses Authorization for everything.

[evgeniy-scherbina]

This is a bit tricky, it can be either CredentialKindPersonalAPIKey or CredentialKindSubscription.
We can rely on some hacks to determine it:

• Presence of Chatgpt-Account-Id header
• Check is it JWT Token or API KEY
• Rely on URL (openai vs chatgpt)

See more details here: #227 (comment)

Alternatively we can introduce new enum value, smth like: CredentialKindPersonal

[ssncferreira]

Why not make the modes header specific? If the Authorization header is used use mode auth_token, otherweise, if the X-API-Key header is used, use mode api_key? This would mean that for openai (default) and openai chatgpt both modes would be auth_token.

[evgeniy-scherbina]

I think there are few problems with that:

1. I think headers are implementation details, auditors don't really know/care what headers are used?
2. Different headers are used by different providers. E.g. OpenAI doesn't use X-API-Key.
3. I think we want to differentiate between Personal API Key and ChatGPT Subscription for OpenAI provider?

[evgeniy-scherbina]

@dannykopping The question is do we want to differentiate between Personal API Key and ChatGPT Subscription for OpenAI.

If the answer is yes - I think we should rely on Chatgpt-Account-Id header. That's what I recommend.
if the answer is no - we can either introduce new CredentialKindPersonal type which encompasses both:

• CredentialKindPersonalAPIKey
• CredentialKindSubscription

or go with Susana's approach (though I think it's less informative/obvious for users).

[ssncferreira]

Was also thinking the same 🤔 I think subscription is not a really generic term and doesn't quite apply to copilot. Since for the header X-API-Key we use the term api_key, why not something like auth_token?

[ssncferreira]

Why not make the modes header specific? If the Authorization header is used use mode auth_token, otherweise, if the X-API-Key header is used, use mode api_key? This would mean that for openai (default) and openai chatgpt both modes would be auth_token.

[ssncferreira]

Isn't setting credHint missing here? Also, we should probably check if cfg.key is empty (chatgpt case), and error if the credential key is empty.

[evgeniy-scherbina]

Isn't setting credHint missing here?

Actually - no, it's later used like this:

interceptor.SetCredential(credKind, utils.MaskSecret(cfg.Key))

It's easier for openai case, because authz header is always used.

---

if cfg.key is empty (chatgpt case), and error if the credential key is empty

Yeah, I remember about this. I can add in this PR.

[evgeniy-scherbina]

@ssncferreira

if cfg.key is empty (chatgpt case), and error if the credential key is empty

We already know that claude (maybe other clients) send HEAD requests without authentication, maybe we don't need it?

Also I think it's not specific to chatgpt case.

[ssncferreira]

What is the benefit of doing this? This way we are explicitly saying the length of the key...which I think could be problematic if this is someway leaked?

[dannykopping]

It also adds confusion because the ... prefix and suffix don't actually count towards the length.
If we don't want to leak the length (which could be used by attackers which intercept these masked secrets to know how many chars to spoof to recreate the secret) then I'd suggest we just go with a fixed number of * chars, and not use ..

[evgeniy-scherbina]

It's related to this discussion: #216 (comment)

I remember you wanted "Preserve the length" of the secret, and I'm fine with it.
But the issue with current approach is tokens can be very long, let's say 300 chars.
Do we really want to log and potentially store in Postgres 300 * chars? Feels like a waste of space?
Feels like current approach is most ineffective in storing length of the secret as you can imagine?

[dannykopping]

Clear > clever.

This current approach is not clear. ...(len)... leaves itself open to different interpretations.
Since this change isn't the focus of the PR, I'd suggest reverting it for now and opening an issue to address the size concerns.

I'd like to show the secret length, because it's diagnostically useful, but it has to be done in a way that is obvious.

[evgeniy-scherbina]

Okay, I reverted it.

I’m fine with any format as long as it’s efficient, especially if we plan to store it in Postgres.

Another potential issue is the UI. If we decide to display a secret hint there, as Anthropic and OpenAI do, we’ll probably want to show a compact version anyway. That creates a slightly awkward implementation: we would log and store the long version of a hint, then shorten it at the API or frontend layer before displaying it.

[evgeniy-scherbina]

Maybe good option is to have two fields:

• secret_hint (short version)
• secret_length

[ssncferreira]

I think we are missing adding the credential info to the logs, especially for error cases like 401/403/429

[dannykopping]

It also adds confusion because the ... prefix and suffix don't actually count towards the length.
If we don't want to leak the length (which could be used by attackers which intercept these masked secrets to know how many chars to spoof to recreate the secret) then I'd suggest we just go with a fixed number of * chars, and not use ..

[dannykopping]

This is pointless, TBH. If we're masking the full string then that defeats the original purpose of being able to identify them.

[evgeniy-scherbina]

@dannykopping Logic didn't change? Previously we also masked strings if their length <= 10.
Previously it just looked like: ***** instead of ...(5)...

[dannykopping]

I must've missed that in the previous review.
Related to https://github.com/coder/aibridge/pull/239/changes#r3031158013, we can address this in a follow-up.

[evgeniy-scherbina]

I reverted this change.

[dannykopping]

This feels like a loose assertion here; NotEmpty doesn't tell us much.
Since our masking is deterministic, you could add the expected hint as the masked value and assert on that.

[evgeniy-scherbina]

agree, done

[dannykopping]

Clear > clever.

This current approach is not clear. ...(len)... leaves itself open to different interpretations.
Since this change isn't the focus of the PR, I'd suggest reverting it for now and opening an issue to address the size concerns.

I'd like to show the secret length, because it's diagnostically useful, but it has to be done in a way that is obvious.

[dannykopping]

I must've missed that in the previous review.
Related to https://github.com/coder/aibridge/pull/239/changes#r3031158013, we can address this in a follow-up.

[evgeniy-scherbina]

@ssncferreira

I think we are missing adding the credential info to the logs, especially for error cases like 401/403/429

I extended logger with credential info in newInterceptionProcessor where we call interceptor.ProcessRequest(rw, r).
It should capture all cases you mentioned.