feat: byok-observability for aibridge

Author: evgeniy-scherbina

bridge.go

@@ -228,6 +228,8 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 			Client:                string(client),
 			ClientSessionID:       sessionID,
 			CorrelatingToolCallID: interceptor.CorrelatingToolCallID(),
+			CredentialKind:        interceptor.CredentialKind(),
+			CredentialHint:        interceptor.CredentialHint(),
 		}); err != nil {
 			span.SetStatus(codes.Error, fmt.Sprintf("failed to record interception: %v", err))
 			logger.Warn(ctx, "failed to record interception", slog.Error(err))

intercept/chatcompletions/base.go

@@ -40,6 +40,8 @@ type interceptionBase struct {
 
 	recorder recorder.Recorder
 	mcpProxy mcp.ServerProxier
+
+	intercept.CredentialFields
 }
 
 func (i *interceptionBase) newCompletionsService() openai.ChatCompletionService {

intercept/credential.go

@@ -0,0 +1,29 @@
+package intercept
+
+// Credential kind constants for interception recording.
+const (
+	CredentialKindCentralized    = "centralized"
+	CredentialKindPersonalAPIKey = "personal_api_key"
+	CredentialKindSubscription   = "subscription"
+)
+
+// CredentialFields is an embeddable helper that implements the
+// SetCredential, CredentialKind, and CredentialHint methods of the
+// Interceptor interface.
+type CredentialFields struct {
+	Kind string
+	Hint string
+}
+
+func (c *CredentialFields) SetCredential(kind, hint string) {
+	c.Kind = kind
+	c.Hint = hint
+}
+
+func (c *CredentialFields) CredentialKind() string {
+	return c.Kind
+}
+
+func (c *CredentialFields) CredentialHint() string {
+	return c.Hint
+}

intercept/interceptor.go

@@ -25,6 +25,15 @@ type Interceptor interface {
 	Streaming() bool
 	// TraceAttributes returns tracing attributes for this [Interceptor]
 	TraceAttributes(*http.Request) []attribute.KeyValue
+	// SetCredential sets the credential kind and hint for this
+	// interception. Called by the provider after construction.
+	SetCredential(kind, hint string)
+	// CredentialKind returns how the request was authenticated:
+	// centralized, personal_api_key, or subscription.
+	CredentialKind() string
+	// CredentialHint returns a masked credential identifier for audit
+	// purposes (e.g. sk-a...abc1).
+	CredentialHint() string
 	// CorrelatingToolCallID returns the ID of a tool call result submitted
 	// in the request, if present. This is used to correlate the current
 	// interception back to the previous interception that issued those tool

intercept/messages/base.go

@@ -79,6 +79,8 @@ type interceptionBase struct {
 
 	recorder recorder.Recorder
 	mcpProxy mcp.ServerProxier
+
+	intercept.CredentialFields
 }
 
 func (i *interceptionBase) ID() uuid.UUID {

intercept/responses/base.go

@@ -49,6 +49,8 @@ type responsesInterceptionBase struct {
 
 	logger slog.Logger
 	tracer trace.Tracer
+
+	intercept.CredentialFields
 }
 
 func (i *responsesInterceptionBase) newResponsesService() responses.ResponseService {

provider/anthropic.go

@@ -130,14 +130,20 @@ func (p *Anthropic) CreateInterceptor(w http.ResponseWriter, r *http.Request, tr
 		// set BYOKBearerToken and clear the centralized key.
 		// When both are present, X-Api-Key takes priority to match
 		// claude-code behavior.
+		credKind := intercept.CredentialKindCentralized
+		credHint := utils.MaskSecret(cfg.Key)
 		authHeaderName := p.AuthHeader()
 		if apiKey := r.Header.Get("X-Api-Key"); apiKey != "" {
 			cfg.Key = apiKey
 			authHeaderName = "X-Api-Key"
+			credKind = intercept.CredentialKindPersonalAPIKey
+			credHint = utils.MaskSecret(apiKey)
 		} else if token := utils.ExtractBearerToken(r.Header.Get("Authorization")); token != "" {
 			cfg.BYOKBearerToken = token
 			cfg.Key = ""
 			authHeaderName = "Authorization"
+			credKind = intercept.CredentialKindSubscription
+			credHint = utils.MaskSecret(token)
 		}
 
 		var interceptor intercept.Interceptor
@@ -146,6 +152,7 @@ func (p *Anthropic) CreateInterceptor(w http.ResponseWriter, r *http.Request, tr
 		} else {
 			interceptor = messages.NewBlockingInterceptor(id, reqPayload, p.Name(), cfg, p.bedrockCfg, r.Header, authHeaderName, tracer)
 		}
+		interceptor.SetCredential(credKind, credHint)
 		span.SetAttributes(interceptor.TraceAttributes(r)...)
 		return interceptor, nil
 	}

provider/copilot.go

@@ -182,6 +182,7 @@ func (p *Copilot) CreateInterceptor(_ http.ResponseWriter, r *http.Request, trac
 		return nil, UnknownRoute
 	}
 
+	interceptor.SetCredential(intercept.CredentialKindSubscription, utils.MaskSecret(key))
 	span.SetAttributes(interceptor.TraceAttributes(r)...)
 	return interceptor, nil
 }

provider/openai.go

@@ -113,8 +113,10 @@ func (p *OpenAI) CreateInterceptor(w http.ResponseWriter, r *http.Request, trace
 	//
 	// In BYOK mode the user's credential is in Authorization. Replace
 	// the centralized key with it so it is forwarded upstream.
+	credKind := intercept.CredentialKindCentralized
 	if token := utils.ExtractBearerToken(r.Header.Get("Authorization")); token != "" {
 		cfg.Key = token
+		credKind = intercept.CredentialKindPersonalAPIKey
 	}
 
 	path := strings.TrimPrefix(r.URL.Path, p.RoutePrefix())
@@ -150,6 +152,7 @@ func (p *OpenAI) CreateInterceptor(w http.ResponseWriter, r *http.Request, trace
 		span.SetStatus(codes.Error, "unknown route: "+r.URL.Path)
 		return nil, UnknownRoute
 	}
+	interceptor.SetCredential(credKind, utils.MaskSecret(cfg.Key))
 	span.SetAttributes(interceptor.TraceAttributes(r)...)
 	return interceptor, nil
 }

recorder/types.go

@@ -39,6 +39,8 @@ type InterceptionRecord struct {
 	Client                string
 	UserAgent             string
 	CorrelatingToolCallID *string
+	CredentialKind        string
+	CredentialHint        string
 }
 
 type InterceptionRecordEnded struct {