feat: cleanup plugin & support different auth modes for plugin based …

[b4s36t4]

…on runtime

Description

Motivation

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)

How Has This Been Tested?

• Unit Tests
• Integration Tests
• Manual Testing

Screenshots (if applicable)

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

Related Issues

[matter-code-review]

Summary By MatterAI

🔄 What Changed

Added centralized logging via logger import from APM across AWS credential retrieval flows in Bedrock plugin. Enhanced error visibility by logging STS, Pod Identity, ECS Container, IMDSv2, and IAM credential failures. Minor code cleanup with structured error messages.

🔍 Impact of the Change

Improves observability and debuggability of authentication failures in AWS environments. Ensures consistent error logging across multiple auth backends (STS, IRSA, Pod Identity, ECS, IMDSv2). Reduces MTTR for credential-related issues in production.

📁 Total Files Changed

File	ChangeLog
Logger Import plugins/bedrock/util.ts	Added APM logger import for structured logging
STS Error Log plugins/bedrock/util.ts	Logs STS request failures with error message
IRSA Error Log plugins/bedrock/util.ts	Adds error logging in assumed web identity credential flow
Pod Identity Log plugins/bedrock/util.ts	Logs failure during Pod Identity credential retrieval
ECS Credential Log plugins/bedrock/util.ts	Logs error when fetching credentials from ECS container
IMDSv2 Token Log plugins/bedrock/util.ts	Logs failure in IMDSv2 token acquisition
IAM Credential Log plugins/bedrock/util.ts	Logs error during IAM credential fetch
Generic Error Log plugins/bedrock/util.ts	Adds response-level error logging for fallback cases
Fallback Auth Log plugins/bedrock/util.ts	Adds error logging in credential fallback chain

🧪 Test Added/Recommended

Recommended

• Add unit tests for each credential provider’s error logging path
• Add integration test simulating network failure in STS and IMDSv2 calls
• Add log validation test to confirm structured fields (e.g. message) are present

🔒Security Vulnerabilities

N/A

⏳ Estimated code review effort

LOW (~7 minutes)

Tip

Quality Recommendations

1. Ensure all logger calls use consistent structured format (e.g. always include 'errorType' field)

2. Add correlation ID to logs for tracing across auth attempts

3. Wrap raw 'error' object in logger to avoid potential serialization issues

♫ Tanka Poem

Logs now speak loud,
When tokens fail in the dark,
Errors come to light,
Debugging breathes easier,
Trust flows through the chain. 🌐🔍

Sequence Diagram

sequenceDiagram
    participant C as Credential Chain
    participant L as logger
    participant S as STS
    participant P as Pod Identity
    participant E as ECS Container
    participant I as IMDSv2
    participant R as IRSA

    Note over C: Fallback credential resolution

    C->>S: getAssumedRoleCredentials()
    alt STS Failure
        S-->>C: !ok
        C->>L: error({ message: STS error })
    end

    C->>R: getAssumedWebIdentityCredentials()
    alt IRSA Failure
        R-->>C: exception
        C->>L: error({ message: IRSA error })
    end

    C->>P: getPodIdentityCredentials()
    alt Pod Identity Failure
        P-->>C: exception
        C->>L: error('Failed to get Pod Identity credentials:')
    end

    C->>E: getCredentialsFromECSContainer()
    alt ECS Failure
        E-->>C: !ok
        C->>L: error({ message: ECS error })
    end

    C->>I: getIMDSv2Token()
    alt IMDSv2 Failure
        I-->>C: !ok
        C->>L: error({ message: IMDSv2 token error })
    end

    Note over C: Logs all auth failures

Loading

[matter-code-review]

✅ Reviewed the changes: The PR introduces significant changes to AWS credential handling and plugin architecture. Key areas for review include type safety, error handling, and security in credential management.

[matter-code-review]

🧪 PR Review is completed: Improved credential handling logic with better error management and structured credential acquisition.

[matter-code-review]

🔴 Security

Issue: Using console.error for logging errors during credential acquisition can expose sensitive information or mask critical failures. This can lead to silent failures and complicate debugging.

Fix: Replace console.error with proper error handling that either propagates the error or uses a secure logging mechanism that redacts sensitive information.

Impact: Improves security by preventing sensitive data exposure and enhances debuggability by ensuring errors are properly handled.

Suggested change

	console.error(error);
	// Use a secure logger or propagate the error
	throw error;

[matter-code-review]

🔴 Security

Issue: Using console.error for logging errors during credential acquisition can expose sensitive information or mask critical failures. This can lead to silent failures and complicate debugging.

Fix: Replace console.error with proper error handling that either propagates the error or uses a secure logging mechanism that redacts sensitive information.

Impact: Improves security by preventing sensitive data exposure and enhances debuggability by ensuring errors are properly handled.

Suggested change

	console.error(error);
	// Use a secure logger or propagate the error
	throw error;

[matter-code-review]

🔴 Security

Issue: Using console.error for logging errors during credential acquisition can expose sensitive information or mask critical failures. This can lead to silent failures and complicate debugging.

Fix: Replace console.error with proper error handling that either propagates the error or uses a secure logging mechanism that redacts sensitive information.

Impact: Improves security by preventing sensitive data exposure and enhances debuggability by ensuring errors are properly handled.

Suggested change

	console.error(error);
	// Use a secure logger or propagate the error
	throw error;

[matter-code-review]

✅ Reviewed the changes: Review of AWS endpoint domain handling and credential management in Bedrock plugin.

[matter-code-review]

✅ Reviewed the changes: PR introduces new Qualifire guardrails, MatterAI provider, enhanced APM (Prometheus/Loki), and refactored caching. Key areas for review include type safety, secure credential handling, error management, and performance implications of new integrations.

[matter-code-review]

✅ Reviewed the changes: Security validation needed for tool message content and minor type safety improvement.

[matter-code-review]

✅ Reviewed the changes: This PR introduces significant new features including plugin cleanup, new auth modes, and comprehensive caching backends. Key areas for review include security of config loading, type safety, and performance of new caching layers.

[matter-code-review]

✅ Reviewed the changes: Improved logging by replacing console calls with a centralized logger utility.