// NEVER convert to top-level imports - breaks browser/Vite builds (web-ui) let _existsSync: typeof import("node:fs").existsSync | null = null; let _homedir: typeof import("node:os").homedir | null = null; let _join: typeof import("node:path").join | null = null; type DynamicImport = (specifier: string) => Promise; const dynamicImport: DynamicImport = (specifier) => import(specifier); const NODE_FS_SPECIFIER = "node:" + "fs"; const NODE_OS_SPECIFIER = "node:" + "os"; const NODE_PATH_SPECIFIER = "node:" + "path"; // Eagerly load in Node.js/Bun environment only if ( typeof process !== "undefined" && (process.versions?.node || process.versions?.bun) ) { dynamicImport(NODE_FS_SPECIFIER).then((m) => { _existsSync = (m as typeof import("node:fs")).existsSync; }); dynamicImport(NODE_OS_SPECIFIER).then((m) => { _homedir = (m as typeof import("node:os")).homedir; }); dynamicImport(NODE_PATH_SPECIFIER).then((m) => { _join = (m as typeof import("node:path")).join; }); } import type { KnownProvider } from "./types.js"; let cachedVertexAdcCredentialsExists: boolean | null = null; function hasVertexAdcCredentials(): boolean { if (cachedVertexAdcCredentialsExists === null) { // If node modules haven't loaded yet (async import race at startup), // return false WITHOUT caching so the next call retries once they're ready. // Only cache false permanently in a browser environment where fs is never available. if (!_existsSync || !_homedir || !_join) { const isNode = typeof process !== "undefined" && (process.versions?.node || process.versions?.bun); if (!isNode) { // Definitively in a browser — safe to cache false permanently cachedVertexAdcCredentialsExists = false; } return false; } // Check GOOGLE_APPLICATION_CREDENTIALS env var first (standard way) const gacPath = process.env.GOOGLE_APPLICATION_CREDENTIALS; if (gacPath) { cachedVertexAdcCredentialsExists = _existsSync(gacPath); } else { // Fall back to default ADC path (lazy evaluation) cachedVertexAdcCredentialsExists = _existsSync( _join( _homedir(), ".config", "gcloud", "application_default_credentials.json", ), ); } } return cachedVertexAdcCredentialsExists; } /** * Get API key for provider from known environment variables, e.g. OPENAI_API_KEY. * * Will not return API keys for providers that require OAuth tokens. */ export function getEnvApiKey(provider: KnownProvider): string | undefined; export function getEnvApiKey(provider: string): string | undefined; export function getEnvApiKey(provider: any): string | undefined { // Fall back to environment variables if (provider === "github-copilot") { return ( process.env.COPILOT_GITHUB_TOKEN || process.env.GH_TOKEN || process.env.GITHUB_TOKEN ); } // ANTHROPIC_OAUTH_TOKEN takes precedence over ANTHROPIC_API_KEY if (provider === "anthropic") { return process.env.ANTHROPIC_OAUTH_TOKEN || process.env.ANTHROPIC_API_KEY; } // Anthropic on Vertex AI uses Application Default Credentials. // Detected via ANTHROPIC_VERTEX_PROJECT_ID (same env var as Claude Code). if (provider === "anthropic-vertex") { const hasProject = !!process.env.ANTHROPIC_VERTEX_PROJECT_ID; if (hasProject) { return ""; } // Fall back to Google Cloud project env vars const hasGoogleProject = !!( process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT ); if (hasGoogleProject && hasVertexAdcCredentials()) { return ""; } } // Vertex AI uses Application Default Credentials, not API keys. // Auth is configured via `gcloud auth application-default login`. if (provider === "google-vertex") { const hasCredentials = hasVertexAdcCredentials(); const hasProject = !!( process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT ); const hasLocation = !!process.env.GOOGLE_CLOUD_LOCATION; if (hasCredentials && hasProject && hasLocation) { return ""; } } // Xiaomi MiMo token-plan providers share a single key; allow legacy fallbacks. if ( provider === "xiaomi" || provider === "xiaomi-token-plan-ams" || provider === "xiaomi-token-plan-sgp" || provider === "xiaomi-token-plan-cn" ) { return ( process.env.XIAOMI_API_KEY || process.env.XIAOMI_TOKEN_PLAN_API_KEY || process.env.MIMO_API_KEY ); } if (provider === "amazon-bedrock") { // Amazon Bedrock supports multiple credential sources: // 1. AWS_PROFILE - named profile from ~/.aws/credentials // 2. AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY - standard IAM keys // 3. AWS_BEARER_TOKEN_BEDROCK - Bedrock API keys (bearer token) // 4. AWS_CONTAINER_CREDENTIALS_RELATIVE_URI - ECS task roles // 5. AWS_CONTAINER_CREDENTIALS_FULL_URI - ECS task roles (full URI) // 6. AWS_WEB_IDENTITY_TOKEN_FILE - IRSA (IAM Roles for Service Accounts) if ( process.env.AWS_PROFILE || (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) || process.env.AWS_BEARER_TOKEN_BEDROCK || process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI || process.env.AWS_WEB_IDENTITY_TOKEN_FILE ) { return ""; } } const envMap: Record = { openai: "OPENAI_API_KEY", "azure-openai-responses": "AZURE_OPENAI_API_KEY", google: ["GEMINI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"], groq: "GROQ_API_KEY", cerebras: "CEREBRAS_API_KEY", xai: "XAI_API_KEY", openrouter: "OPENROUTER_API_KEY", "vercel-ai-gateway": "AI_GATEWAY_API_KEY", zai: "ZAI_API_KEY", mistral: "MISTRAL_API_KEY", minimax: "MINIMAX_API_KEY", "minimax-cn": "MINIMAX_CN_API_KEY", huggingface: "HF_TOKEN", opencode: "OPENCODE_API_KEY", "opencode-go": ["OPENCODE_GO_API_KEY", "OPENCODE_API_KEY"], "kimi-coding": "KIMI_API_KEY", xiaomi: "XIAOMI_API_KEY", "xiaomi-token-plan-ams": "XIAOMI_API_KEY", "xiaomi-token-plan-sgp": "XIAOMI_API_KEY", "xiaomi-token-plan-cn": "XIAOMI_API_KEY", "alibaba-coding-plan": "ALIBABA_API_KEY", "alibaba-dashscope": "DASHSCOPE_API_KEY", ollama: "OLLAMA_API_KEY", "ollama-cloud": "OLLAMA_API_KEY", "custom-openai": "CUSTOM_OPENAI_API_KEY", longcat: "LONGCAT_API_KEY", }; const envVar = envMap[provider]; if (Array.isArray(envVar)) { for (const name of envVar) { const value = process.env[name]; if (value) return value; } return undefined; } return envVar ? process.env[envVar] : undefined; }