feat: byok-observability for aibridge (#239)

* feat: byok-observability for aibridge

* refactor: re-org credential configuring

* Update intercept/credential.go

Co-authored-by: Susana Ferreira <susana@coder.com>

* refactor: minor refactor

* refactor: make secret is always called

* refactor: add CredentialKind custom type

* test: enhance tests

* test: enhance tests

* ci: make fmt

* fix: revert MaskSecret changes

* fix: add small comment to enum

* feat: log credential info on interception errors

* refactor: update CredentialKind enum

* refactor: MaskSecret should be fixed-length

* feat: keep secret length in logs

* Update provider/anthropic_test.go

Co-authored-by: Susana Ferreira <susana@coder.com>

* refactor: minor change in MaskSecret

* refactor: minor change in MaskSecret

---------

Co-authored-by: Susana Ferreira <susana@coder.com>

Author: evgeniy-scherbina

bridge.go

@@ -217,6 +217,7 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 		asyncRecorder.WithClient(string(client))
 		interceptor.Setup(logger, asyncRecorder, mcpProxy)
 
+		cred := interceptor.Credential()
 		if err := rec.RecordInterception(ctx, &recorder.InterceptionRecord{
 			ID:                    interceptor.ID().String(),
 			InitiatorID:           actor.ID,
@@ -228,6 +229,8 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 			Client:                string(client),
 			ClientSessionID:       sessionID,
 			CorrelatingToolCallID: interceptor.CorrelatingToolCallID(),
+			CredentialKind:        string(cred.Kind),
+			CredentialHint:        cred.Hint,
 		}); err != nil {
 			span.SetStatus(codes.Error, fmt.Sprintf("failed to record interception: %v", err))
 			logger.Warn(ctx, "failed to record interception", slog.Error(err))
@@ -242,6 +245,9 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 			slog.F("interception_id", interceptor.ID()),
 			slog.F("user_agent", r.UserAgent()),
 			slog.F("streaming", interceptor.Streaming()),
+			slog.F("credential_kind", string(cred.Kind)),
+			slog.F("credential_hint", cred.Hint),
+			slog.F("credential_length", cred.Length),
 		)
 
 		log.Debug(ctx, "interception started")

intercept/chatcompletions/base.go

@@ -38,8 +38,9 @@ type interceptionBase struct {
 	logger slog.Logger
 	tracer trace.Tracer
 
-	recorder recorder.Recorder
-	mcpProxy mcp.ServerProxier
+	recorder   recorder.Recorder
+	mcpProxy   mcp.ServerProxier
+	credential intercept.CredentialInfo
 }
 
 func (i *interceptionBase) newCompletionsService() openai.ChatCompletionService {
@@ -74,6 +75,10 @@ func (i *interceptionBase) ID() uuid.UUID {
 	return i.id
 }
 
+func (i *interceptionBase) Credential() intercept.CredentialInfo {
+	return i.credential
+}
+
 func (i *interceptionBase) Setup(logger slog.Logger, recorder recorder.Recorder, mcpProxy mcp.ServerProxier) {
 	i.logger = logger
 	i.recorder = recorder

intercept/chatcompletions/blocking.go

@@ -36,6 +36,7 @@ func NewBlockingInterceptor(
 	clientHeaders http.Header,
 	authHeaderName string,
 	tracer trace.Tracer,
+	cred intercept.CredentialInfo,
 ) *BlockingInterception {
 	return &BlockingInterception{interceptionBase: interceptionBase{
 		id:             id,
@@ -45,6 +46,7 @@ func NewBlockingInterceptor(
 		clientHeaders:  clientHeaders,
 		authHeaderName: authHeaderName,
 		tracer:         tracer,
+		credential:     cred,
 	}}
 }
 

intercept/chatcompletions/streaming.go

@@ -41,6 +41,7 @@ func NewStreamingInterceptor(
 	clientHeaders http.Header,
 	authHeaderName string,
 	tracer trace.Tracer,
+	cred intercept.CredentialInfo,
 ) *StreamingInterception {
 	return &StreamingInterception{interceptionBase: interceptionBase{
 		id:             id,
@@ -50,6 +51,7 @@ func NewStreamingInterceptor(
 		clientHeaders:  clientHeaders,
 		authHeaderName: authHeaderName,
 		tracer:         tracer,
+		credential:     cred,
 	}}
 }
 

intercept/chatcompletions/streaming_test.go

@@ -9,6 +9,7 @@ import (
 	"cdr.dev/slog/v3"
 	"cdr.dev/slog/v3/sloggers/slogtest"
 	"github.com/coder/aibridge/config"
+	"github.com/coder/aibridge/intercept"
 	"github.com/coder/aibridge/internal/testutil"
 	"github.com/google/uuid"
 	"github.com/openai/openai-go/v3"
@@ -86,7 +87,7 @@ func TestStreamingInterception_RelaysUpstreamErrorToClient(t *testing.T) {
 			httpReq := httptest.NewRequest(http.MethodPost, "/chat/completions", nil)
 
 			tracer := otel.Tracer("test")
-			interceptor := NewStreamingInterceptor(uuid.New(), req, config.ProviderOpenAI, cfg, httpReq.Header, "Authorization", tracer)
+			interceptor := NewStreamingInterceptor(uuid.New(), req, config.ProviderOpenAI, cfg, httpReq.Header, "Authorization", tracer, intercept.CredentialInfo{})
 
 			logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: false}).Leveled(slog.LevelDebug)
 			interceptor.Setup(logger, &testutil.MockRecorder{}, nil)

intercept/credential.go

@@ -0,0 +1,31 @@
+package intercept
+
+import "github.com/coder/aibridge/utils"
+
+// CredentialKind identifies how a request was authenticated.
+// Keep in sync with the credential_kind enum in coderd's database.
+type CredentialKind string
+
+// Credential kind constants for interception recording.
+const (
+	CredentialKindCentralized CredentialKind = "centralized"
+	CredentialKindBYOK        CredentialKind = "byok"
+)
+
+// CredentialInfo holds credential metadata for an interception.
+type CredentialInfo struct {
+	Kind   CredentialKind
+	Hint   string
+	Length int
+}
+
+// NewCredentialInfo creates a CredentialInfo from a raw credential.
+// The credential is automatically masked before storage so that the
+// original secret is never retained.
+func NewCredentialInfo(kind CredentialKind, credential string) CredentialInfo {
+	return CredentialInfo{
+		Kind:   kind,
+		Hint:   utils.MaskSecret(credential),
+		Length: len(credential),
+	}
+}

intercept/interceptor.go

@@ -25,6 +25,8 @@ type Interceptor interface {
 	Streaming() bool
 	// TraceAttributes returns tracing attributes for this [Interceptor]
 	TraceAttributes(*http.Request) []attribute.KeyValue
+	// Credential returns the credential metadata for this interception.
+	Credential() CredentialInfo
 	// CorrelatingToolCallID returns the ID of a tool call result submitted
 	// in the request, if present. This is used to correlate the current
 	// interception back to the previous interception that issued those tool

intercept/messages/base.go

@@ -77,14 +77,19 @@ type interceptionBase struct {
 	tracer trace.Tracer
 	logger slog.Logger
 
-	recorder recorder.Recorder
-	mcpProxy mcp.ServerProxier
+	recorder   recorder.Recorder
+	mcpProxy   mcp.ServerProxier
+	credential intercept.CredentialInfo
 }
 
 func (i *interceptionBase) ID() uuid.UUID {
 	return i.id
 }
 
+func (i *interceptionBase) Credential() intercept.CredentialInfo {
+	return i.credential
+}
+
 func (i *interceptionBase) Setup(logger slog.Logger, recorder recorder.Recorder, mcpProxy mcp.ServerProxier) {
 	i.logger = logger
 	i.recorder = recorder

intercept/messages/blocking.go

@@ -37,6 +37,7 @@ func NewBlockingInterceptor(
 	clientHeaders http.Header,
 	authHeaderName string,
 	tracer trace.Tracer,
+	cred intercept.CredentialInfo,
 ) *BlockingInterception {
 	return &BlockingInterception{interceptionBase: interceptionBase{
 		id:             id,
@@ -47,6 +48,7 @@ func NewBlockingInterceptor(
 		clientHeaders:  clientHeaders,
 		authHeaderName: authHeaderName,
 		tracer:         tracer,
+		credential:     cred,
 	}}
 }
 

intercept/messages/streaming.go

@@ -43,6 +43,7 @@ func NewStreamingInterceptor(
 	clientHeaders http.Header,
 	authHeaderName string,
 	tracer trace.Tracer,
+	cred intercept.CredentialInfo,
 ) *StreamingInterception {
 	return &StreamingInterception{interceptionBase: interceptionBase{
 		id:             id,
@@ -53,6 +54,7 @@ func NewStreamingInterceptor(
 		clientHeaders:  clientHeaders,
 		authHeaderName: authHeaderName,
 		tracer:         tracer,
+		credential:     cred,
 	}}
 }