entelix-cloud 0.5.5

entelix cloud transports — Bedrock, Vertex, Foundry; OAuth refresh (gcp_auth, aws-sigv4, azure_identity)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

# entelix-cloud

Cloud-routed `Transport` impls. Provider IR is unchanged across cloud routes — only credential resolution, request signing, and transport-specific framing live here.

## Surface

| Module | Feature flag | Auth | Native codec |
|---|---|---|---|
| `bedrock::BedrockTransport` | `aws` | SigV4 default chain (env, profile, IMDS) + bearer fallback | `BedrockConverseCodec` |
| `vertex::VertexTransport` | `gcp` | `gcp_auth` (ADC, service-account JSON, GKE) | `GeminiCodec` (Vertex-flavoured) |
| `foundry::FoundryTransport` | `azure` | API-key + AAD (`azure_identity`) | `OpenAiResponsesCodec` (Azure-flavoured) |

## Crate-local rules

- **Codec × transport pairing is sparse, not free.** Only the listed pairings are valid. A `BedrockTransport` cannot run an `AnthropicMessagesCodec` directly — Anthropic on Bedrock uses Converse. Vertex AI hosts Anthropic Claude on a `:rawPredict` endpoint with a vendor-specific `anthropic_version: "vertex-2023-10-16"` body field that the direct `AnthropicMessagesCodec` does not produce — a dedicated `VertexAnthropicCodec` is the proper integration point and lands as a separate slice. Live integration tests must pair the matched codec; the live-API smoke crate file names encode the intended pair (`live_bedrock.rs` uses `BedrockConverseCodec`).
- **Signing happens in the transport, not the codec.** SigV4 / AAD / OAuth refresh is `Transport::send` territory. The codec sees neutral IR and produces neutral wire bytes; the transport stamps auth headers.
- **Credential refresh is async-cached.** Long-lived processes hit refresh on the timer the credential type carries (e.g. SigV4 chain caches via `aws-config`). New auth chain → wrap with `Cached*Provider` so concurrent requests share one refresh.
- **AWS event-stream framing is transport-internal.** The `:event-type` headers, `:exception-type` mapping, and CRC validation never leak into IR.

## Forbidden

- Codec × transport pairings outside the sparse matrix.
- Hand-rolled SigV4 / AAD when the official SDK helpers exist (`aws-sigv4` for SigV4, `azure_identity` for AAD).
- Embedding raw API keys in transport struct fields — credentials always flow through `Arc<dyn CredentialProvider>` (invariant 10).