entelix-cloud 0.5.5

entelix cloud transports — Bedrock, Vertex, Foundry; OAuth refresh (gcp_auth, aws-sigv4, azure_identity)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287

//! `FoundryTransport` — `entelix_core::transports::Transport` over
//! Azure AI Foundry. Two auth modes:
//! - [`FoundryAuth::ApiKey`]: static `api-key` header (the bridge
//!   path most operators use day-1).
//! - [`FoundryAuth::Entra`]: OAuth via `azure_identity` flowing
//!   through [`crate::refresh::CachedTokenProvider`].

use std::sync::Arc;

use bytes::Bytes;
use futures::StreamExt;
use secrecy::{ExposeSecret, SecretString};

use entelix_core::codecs::EncodedRequest;
use entelix_core::context::ExecutionContext;
use entelix_core::error::{Error, Result};
use entelix_core::transports::{Transport, TransportResponse, TransportStream};

use crate::CloudError;
use crate::refresh::{CachedTokenProvider, TokenRefresher};

/// Auth strategy for [`FoundryTransport`].
#[derive(Clone)]
#[non_exhaustive]
pub enum FoundryAuth {
    /// Static API key — sent as `api-key: {value}`.
    ApiKey {
        /// Pre-resolved key, redacted in `Debug`.
        token: SecretString,
    },
    /// Entra ID (Azure AD) OAuth — token resolved through the
    /// supplied refresher.
    Entra {
        /// Refresher driven by `azure_identity`.
        refresher: Arc<dyn TokenRefresher<SecretString>>,
    },
}

impl std::fmt::Debug for FoundryAuth {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::ApiKey { .. } => f.write_str("FoundryAuth::ApiKey {{ <redacted> }}"),
            Self::Entra { .. } => f.write_str("FoundryAuth::Entra {{ .. }}"),
        }
    }
}

#[derive(Clone)]
enum ResolvedAuth {
    ApiKey(SecretString),
    Entra(Arc<CachedTokenProvider<SecretString>>),
}

/// Azure AI Foundry HTTP transport.
#[derive(Clone)]
pub struct FoundryTransport {
    client: reqwest::Client,
    base_url: String,
    auth: ResolvedAuth,
}

impl FoundryTransport {
    /// Start a fluent builder.
    pub fn builder() -> FoundryTransportBuilder {
        FoundryTransportBuilder {
            base_url: None,
            auth: None,
        }
    }

    /// Borrow the resolved base URL.
    pub fn base_url(&self) -> &str {
        &self.base_url
    }

    async fn build_headers(
        &self,
        request_headers: &http::HeaderMap,
    ) -> Result<Vec<(String, String)>> {
        let mut pairs: Vec<(String, String)> = Vec::with_capacity(request_headers.len() + 1);
        for (name, value) in request_headers {
            if let Ok(v) = value.to_str() {
                pairs.push((name.as_str().to_owned(), v.to_owned()));
            }
        }
        match &self.auth {
            ResolvedAuth::ApiKey(token) => {
                pairs.push(("api-key".to_owned(), token.expose_secret().to_owned()));
            }
            ResolvedAuth::Entra(refreshable) => {
                let token = refreshable.current().await.map_err(Error::from)?;
                pairs.push((
                    "authorization".to_owned(),
                    format!("Bearer {}", token.expose_secret()),
                ));
            }
        }
        Ok(pairs)
    }

    fn maybe_invalidate_on_unauthorized(&self, status: u16) {
        if status == 401
            && let ResolvedAuth::Entra(token) = &self.auth
        {
            token.invalidate();
        }
    }

    fn apply_pairs(
        req: reqwest::RequestBuilder,
        pairs: &[(String, String)],
    ) -> reqwest::RequestBuilder {
        let mut out = req;
        for (name, value) in pairs {
            out = out.header(name.as_str(), value.as_str());
        }
        out
    }
}

#[async_trait::async_trait]
impl Transport for FoundryTransport {
    fn name(&self) -> &'static str {
        "foundry"
    }

    async fn send(
        &self,
        request: EncodedRequest,
        ctx: &ExecutionContext,
    ) -> Result<TransportResponse> {
        if ctx.is_cancelled() {
            return Err(Error::Cancelled);
        }
        let url = format!("{}{}", self.base_url, request.path);
        // Header build can stall on Entra token refresh — race the
        // caller's cancellation token so a cancel surfaces within
        // one HTTP round-trip instead of waiting for the full
        // OAuth refresh to complete.
        let pairs = tokio::select! {
            biased;
            () = ctx.cancellation().cancelled() => return Err(Error::Cancelled),
            p = self.build_headers(&request.headers) => p?,
        };
        let body_bytes = Bytes::clone(&request.body);
        let mut http_req = self.client.request(request.method.clone(), &url);
        http_req = Self::apply_pairs(http_req, &pairs).body(body_bytes);
        let response = tokio::select! {
            biased;
            () = ctx.cancellation().cancelled() => return Err(Error::Cancelled),
            r = http_req.send() => r,
        }
        .map_err(Error::provider_network_from)?;
        let status = response.status().as_u16();
        let headers = response.headers().clone();
        let body = response
            .bytes()
            .await
            .map_err(|e| Error::provider_http(status, format!("response body read failed: {e}")))?;
        self.maybe_invalidate_on_unauthorized(status);
        Ok(TransportResponse {
            status,
            headers,
            body,
        })
    }

    #[allow(tail_expr_drop_order)]
    async fn send_streaming(
        &self,
        request: EncodedRequest,
        ctx: &ExecutionContext,
    ) -> Result<TransportStream> {
        if ctx.is_cancelled() {
            return Err(Error::Cancelled);
        }
        let url = format!("{}{}", self.base_url, request.path);
        // Header build can stall on Entra token refresh — race the
        // caller's cancellation token so a cancel surfaces within
        // one HTTP round-trip instead of waiting for the full
        // OAuth refresh to complete.
        let pairs = tokio::select! {
            biased;
            () = ctx.cancellation().cancelled() => return Err(Error::Cancelled),
            p = self.build_headers(&request.headers) => p?,
        };
        let body_bytes = Bytes::clone(&request.body);
        let mut http_req = self.client.request(request.method.clone(), &url);
        http_req = Self::apply_pairs(http_req, &pairs).body(body_bytes);
        let response = tokio::select! {
            biased;
            () = ctx.cancellation().cancelled() => return Err(Error::Cancelled),
            r = http_req.send() => r,
        }
        .map_err(Error::provider_network_from)?;
        let status = response.status().as_u16();
        let headers = response.headers().clone();
        self.maybe_invalidate_on_unauthorized(status);
        if !(200..300).contains(&status) {
            let body = response.bytes().await.unwrap_or_else(|_| Bytes::new()); // silent-fallback-ok: error-response body read already failed; empty body preserves status + headers for caller diagnostics
            let body_stream = futures::stream::once(async move { Ok::<_, Error>(body) });
            return Ok(TransportStream {
                status,
                headers,
                body: Box::pin(body_stream),
            });
        }
        let cancellation = ctx.cancellation().clone();
        let raw_stream = response.bytes_stream();
        let body = async_stream::stream! {
            let mut s = raw_stream;
            loop {
                tokio::select! {
                    biased;
                    () = cancellation.cancelled() => {
                        yield Err(Error::Cancelled);
                        return;
                    }
                    item = s.next() => match item {
                        Some(Ok(b)) => yield Ok(b),
                        Some(Err(e)) => {
                            yield Err(Error::provider_http(status, format!("stream chunk read failed: {e}")));
                            return;
                        }
                        None => return,
                    }
                }
            }
        };
        Ok(TransportStream {
            status,
            headers,
            body: Box::pin(body),
        })
    }
}

/// Fluent builder for [`FoundryTransport`].
#[must_use]
pub struct FoundryTransportBuilder {
    base_url: Option<String>,
    auth: Option<FoundryAuth>,
}

impl FoundryTransportBuilder {
    /// Foundry endpoint base URL — typically
    /// `https://{resource}.services.ai.azure.com/anthropic` or
    /// `https://{resource}.openai.azure.com`. Required.
    pub fn with_base_url(mut self, url: impl Into<String>) -> Self {
        self.base_url = Some(url.into());
        self
    }

    /// Pick the auth strategy.
    pub fn with_auth(mut self, auth: FoundryAuth) -> Self {
        self.auth = Some(auth);
        self
    }

    /// Resolve and return the transport.
    pub fn build(self) -> Result<FoundryTransport> {
        let base_url = self
            .base_url
            .ok_or_else(|| Error::config("FoundryTransport: base_url is required"))?;
        let auth = self
            .auth
            .ok_or_else(|| Error::config("FoundryTransport: auth is required"))?;
        let resolved = match auth {
            FoundryAuth::ApiKey { token } => ResolvedAuth::ApiKey(token),
            FoundryAuth::Entra { refresher } => {
                ResolvedAuth::Entra(Arc::new(CachedTokenProvider::new(refresher)))
            }
        };
        let client = reqwest::Client::builder()
            .build()
            .map_err(|e| Error::config(format!("failed to build HTTP client: {e}")))?;
        Ok(FoundryTransport {
            client,
            base_url,
            auth: resolved,
        })
    }
}

const _: fn() = || {
    let _ = std::marker::PhantomData::<CloudError>;
};