fix: Claude 4.x compatibility and security updates (#711)

This commit addresses multiple issues related to model compatibility and security:

1. Claude 4.x Models Support:
   - Fix single sampling parameter requirement for Claude 4.x models
   - Claude 4.x only accepts 'temperature' parameter, not both temperature and top_p
   - Add version detection and conditional parameter handling

2. CRIS Model Listing Fix:
   - Resolve dictionary collision when listing models via CRIS integration
   - Prevent duplicate model entries from overwriting each other

3. Security Updates:
   - Upgrade pdfminer.six to version 20251107 to address known vulnerabilities
   - Complete pip-audit vulnerability suppression for GHSA-f83h-ghpp-7wcc across all requirements files
   - Add --ignore-vuln flag to file-import-batch-job pip-audit (was missing)

References:
- pdfminer.six vulnerability: pdfminer/pdfminer.six#1175
- The GHSA-f83h-ghpp-7wcc vulnerability remains unpatched in the latest version

Author: subhaviv

.github/workflows/build.yaml

@@ -37,7 +37,7 @@ jobs:
           bandit -c bandit.yaml -r .
           pip-audit -r pytest_requirements.txt --ignore-vuln GHSA-f83h-ghpp-7wcc
           pip-audit -r lib/shared/web-crawler-batch-job/requirements.txt --ignore-vuln GHSA-f83h-ghpp-7wcc
-          pip-audit -r lib/shared/file-import-batch-job/requirements.txt
+          pip-audit -r lib/shared/file-import-batch-job/requirements.txt --ignore-vuln GHSA-f83h-ghpp-7wcc
           pytest tests/
       - name: Frontend
         working-directory: ./lib/user-interface/react-app

lib/model-interfaces/langchain/functions/request-handler/adapters/bedrock/base.py

@@ -39,14 +39,36 @@ def should_call_apply_bedrock_guardrails(self) -> bool:
         else:
             return False
 
+    def _requires_single_sampling_param(self) -> bool:
+        """
+        Some newer Claude models only allow one sampling parameter at a time.
+        Returns True if the model requires choosing between temperature OR
+        top_p.
+
+        Claude 4.x models (Sonnet 4, Opus 4, Haiku 4) require only one
+        sampling parameter. Handles regional prefixes (us., global., eu.).
+        Reference: https://docs.aws.amazon.com/bedrock/latest/userguide/
+        model-parameters-anthropic-claude-messages.html
+        """
+        # Models that only support one sampling parameter
+        # Pattern matches any regional prefix (us., global., eu., etc.)
+        single_param_model_patterns = [
+            "anthropic.claude-sonnet-4",  # Claude Sonnet 4.x (any region)
+            "anthropic.claude-opus-4",    # Claude Opus 4.x (any region)
+            "anthropic.claude-haiku-4",   # Claude Haiku 4.x (any region)
+        ]
+
+        model_lower = self.model_id.lower()
+        return any(pattern in model_lower for pattern in single_param_model_patterns)
+
     def add_files_to_message_history(self, images=[], documents=[], videos=[]):
         for image in images:
             filename, file_extension = os.path.splitext(image["key"])
             file_extension = file_extension.lower().replace(".", "")
             if file_extension == "jpg" or file_extension == "jpeg":
                 file_extension = "jpeg"
             elif file_extension != "png":
-                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_ImageBlock.html
+                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_ImageBlock.html  # noqa
                 raise Exception("Unsupported format " + file_extension)
 
             self.chat_history.add_temporary_message(
@@ -84,7 +106,7 @@ def add_files_to_message_history(self, images=[], documents=[], videos=[]):
                 "md",
             ]
             if file_extension not in supported:
-                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_DocumentBlock.html
+                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_DocumentBlock.html  # noqa
                 raise Exception("Unsupported format " + file_extension)
             self.chat_history.add_temporary_message(
                 HumanMessage(
@@ -111,7 +133,7 @@ def add_files_to_message_history(self, images=[], documents=[], videos=[]):
             filename, file_extension = os.path.splitext(video["key"])
             file_extension = file_extension.lower().replace(".", "")
             if file_extension != "mp4":
-                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_VideoBlock.html
+                # https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_VideoBlock.html  # noqa
                 raise Exception("Unsupported format " + file_extension)
             self.chat_history.add_temporary_message(
                 HumanMessage(
@@ -243,10 +265,21 @@ def get_llm(self, model_kwargs={}, extra={}):
         top_p = model_kwargs.get("topP")
         max_tokens = model_kwargs.get("maxTokens")
 
-        if temperature is not None:
-            params["temperature"] = temperature
-        if top_p:
-            params["top_p"] = top_p
+        # Handle sampling parameters based on model requirements
+        if self._requires_single_sampling_param():
+            # For Claude 4.x+ models: only set temperature OR top_p, not both
+            # Prioritize temperature if both are provided
+            if temperature is not None:
+                params["temperature"] = temperature
+            elif top_p:
+                params["top_p"] = top_p
+        else:
+            # For older models (Claude 3.x, etc.): allow both parameters
+            if temperature is not None:
+                params["temperature"] = temperature
+            if top_p:
+                params["top_p"] = top_p
+
         if max_tokens:
             params["max_tokens"] = max_tokens
 

lib/shared/file-import-batch-job/requirements.txt

@@ -15,4 +15,5 @@ beautifulsoup4==4.12.2
 requests==2.32.5
 attrs==23.1.0
 feedparser==6.0.11
-PyJWT==2.9.0
+PyJWT==2.9.0
+pdfminer-six==20251107

lib/shared/layers/python-sdk/python/genai_core/model_providers/direct/provider.py

@@ -145,7 +145,8 @@ def _list_azure_openai_models():
 
 
 # Based on the table (Need to support both document and sytem prompt)
-# https://docs.aws.amazon.com/bedrock/latest/userguide/conversation-inference-supported-models-features.html
+# https://docs.aws.amazon.com/bedrock/latest/userguide/
+# conversation-inference-supported-models-features.html
 def _does_model_support_documents(model_name):
     return (
         not re.match(r"^ai21.jamba*", model_name)
@@ -182,32 +183,47 @@ def _list_cross_region_inference_profiles():
     bedrock = genai_core.clients.get_bedrock_client(service_name="bedrock")
     response = bedrock.list_inference_profiles()
 
-    return {
-        inference_profile["models"][0]["modelArn"].split("/")[1]: inference_profile[
-            "inferenceProfileId"
-        ]
+    # Return list of profiles instead of dict to avoid collisions
+    # (multiple regional variants can have the same base model ID)
+    return [
+        inference_profile
         for inference_profile in response.get("inferenceProfileSummaries", [])
         if (
             inference_profile.get("status") == "ACTIVE"
             and inference_profile.get("type") == "SYSTEM_DEFINED"
         )
-    }
+    ]
 
 
 def _list_bedrock_cris_models():
     try:
-        cross_region_profiles = _list_cross_region_inference_profiles()
+        inference_profiles = _list_cross_region_inference_profiles()
         bedrock_client = genai_core.clients.get_bedrock_client(service_name="bedrock")
         all_models = bedrock_client.list_foundation_models()["modelSummaries"]
 
-        return [
-            _create_bedrock_model_profile(
-                model, cross_region_profiles[model["modelId"]]
-            )
+        # Create dict of base models for lookup
+        models_by_id = {
+            model["modelId"]: model
             for model in all_models
             if genai_core.types.InferenceType.INFERENCE_PROFILE.value
             in model["inferenceTypesSupported"]
-        ]
+        }
+
+        # Return all inference profiles (including multiple regional variants)
+        result = []
+        for profile in inference_profiles:
+            base_model_id = profile["models"][0]["modelArn"].split("/")[1]
+            profile_id = profile["inferenceProfileId"]
+
+            if base_model_id in models_by_id:
+                result.append(
+                    _create_bedrock_model_profile(
+                        models_by_id[base_model_id],
+                        profile_id
+                    )
+                )
+
+        return result
     except Exception as e:
         logger.error(f"Error listing cross region inference profiles models: {e}")
         return None

lib/shared/web-crawler-batch-job/requirements.txt

@@ -17,4 +17,4 @@ feedparser==6.0.11
 aws_xray_sdk==2.14.0
 defusedxml==0.7.1
 pdfplumber==0.11.8
-pdfminer.six==20251107
+pdfminer.six==20251107