feat: add Amazon Bedrock as inference provider

[mvincentbb]

Add Bedrock's OpenAI-compatible endpoint as a first-class provider,
enabling NemoClaw to run on AWS without GPU infrastructure.

• Add bedrock provider config, endpoint URL, and 7 curated models
• Add bedrock to non-interactive mode and interactive menu
• Skip endpoint validation (Bedrock API key format incompatible with probe)
• Add bedrock case to inference-config.js

Tested models (all support tool calling):
nvidia.nemotron-super-3-120b, nvidia.nemotron-nano-3-30b, deepseek.v3.2, openai.gpt-oss-120b, mistral.devstral-2-123b, moonshotai.kimi-k2.5, minimax.minimax-m2.5

Usage:
export NEMOCLAW_PROVIDER=bedrock
export OPENAI_API_KEY=<bedrock-api-key>
export BEDROCK_REGION=us-west-2 nemoclaw onboard --non-interactive

Summary

Add Amazon Bedrock's OpenAI-compatible endpoint as a first-class inference provider, enabling NemoClaw to run on AWS without GPU infrastructure. Follows the same pattern as existing providers (Gemini, OpenAI, Anthropic).

Related Issue

Closes #962

Changes

• bin/lib/inference-config.js: Add bedrock case to getProviderSelectionConfig()
• bin/lib/onboard.js:
  • Add BEDROCK_ENDPOINT_URL constant (uses BEDROCK_REGION or AWS_REGION env var)
  • Add bedrock to REMOTE_PROVIDER_CONFIG (type: openai, skipVerify: true)
  • Add 7 curated models to REMOTE_MODEL_OPTIONS (all verified to work with NemoClaw)
  • Add bedrock to getNonInteractiveProvider() valid providers set
  • Add bedrock option to interactive menu in setupNim()
  • Skip endpoint validation for Bedrock (API key format incompatible with probe)
  • Add bedrock to provider check in setupInference()

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

Manually tested all 7 curated models via Telegram bridge on EC2 (t4g.large Graviton ARM64, us-west-2):

Manually tested all 7 curated models via Telegram bridge on EC2 (t4g.large Graviton ARM64, us-west-2):

Model	Status
nvidia.nemotron-super-3-120b	✅
nvidia.nemotron-nano-3-30b	✅
deepseek.v3.2	✅
openai.gpt-oss-120b	✅
mistral.devstral-2-123b	✅
moonshotai.kimi-k2.5	✅
minimax.minimax-m2.5	✅

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

Summary by CodeRabbit

• New Features
  • Added Amazon Bedrock as a new inference provider option. Users can now select Bedrock during setup and onboarding with pre-configured defaults and OpenAI-compatible routing capabilities.

[coderabbitai]

📝 Walkthrough

Walkthrough

Amazon Bedrock is added as a first-class inference provider to NemoClaw. The integration includes provider configuration in inference-config.js with OpenAI-compatible routing, and extends onboard.js with Bedrock endpoint setup, curated models, and validation bypass logic.

Changes

Cohort / File(s)	Summary
Bedrock Provider Configuration bin/lib/inference-config.js	Added bedrock case to getProviderSelectionConfig() returning OpenAI-compatible endpoint configuration with INFERENCE_ROUTE_URL, default model nvidia.nemotron-super-3-120b, and OPENAI_API_KEY credential handling.
Bedrock Onboarding Integration bin/lib/onboard.js	Added Bedrock as remote provider with region-derived endpoint URL, 7 curated models supporting tool calling, non-interactive provider validation, interactive UI option, and control flow to bypass endpoint verification while forcing OpenAI-compatible routing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A Bedrock provider hops into view,
AWS mountains with models tried and true!
Nemotron and friends through regions roam,
OpenAI's gentle path leads them home! ✨
No GPU care, just pay as you go,
NemoClaw's garden continues to grow! 🌱

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat: add Amazon Bedrock as inference provider' directly and concisely describes the main change.
Linked Issues check	✅ Passed	All requirements from issue #962 are implemented: bedrock case added to inference-config.js, BEDROCK_ENDPOINT_URL configured, bedrock added to REMOTE_PROVIDER_CONFIG with skipVerify, curated model list included, non-interactive and interactive provider support added, endpoint validation skipped, and bedrock included in inference setup.
Out of Scope Changes check	✅ Passed	All changes are within scope—limited to adding Bedrock support to inference-config.js and onboard.js without modifying unrelated functionality or introducing scope creep.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/lib/onboard.js`:
- Line 50: The BEDROCK_ENDPOINT_URL currently falls back to "us-west-2" when
neither process.env.BEDROCK_REGION nor process.env.AWS_REGION is set, which can
silently misconfigure region-bound Bedrock API keys; update the onboarding logic
around BEDROCK_ENDPOINT_URL to require an explicit region by checking
process.env.BEDROCK_REGION (and optionally process.env.AWS_REGION) and, if
neither is present, abort with a clear error message (throw or process.exit with
logging) instructing the user to set BEDROCK_REGION instead of defaulting to
"us-west-2"; locate the constant BEDROCK_ENDPOINT_URL and the surrounding
initialization code to add this validation and error handling.
- Around line 116-126: The Bedrock provider entry currently sets skipVerify:
true and bypasses model checks; change it to perform the same validation used by
other OpenAI-compatible providers by removing or setting skipVerify to false on
the bedrock provider object and invoking validateOpenAiLikeModel(...) for the
selectedModel (the same call used for OpenAI/Gemini) inside the provider
selection/validation flow rather than breaking out early; also remove the early
break that skips verification in the provider selection loop and add calls to
validateOpenAiLikeModel at the other two places where Bedrock was skipped so
onboarding validates model availability and region/model mismatches up front.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fa5f150e-6144-4eff-b46f-9a1a5b867aff

📥 Commits

Reviewing files that changed from the base of the PR and between f0f53e4 and 6a47995.

📒 Files selected for processing (2)

• bin/lib/inference-config.js
• bin/lib/onboard.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the file structure and locate the file in question
fd -t f "onboard.js" --path bin/lib/

Repository: NVIDIA/NemoClaw

Length of output: 292

---

🏁 Script executed:

# Let's examine the context around line 50 and the BEDROCK_ENDPOINT_URL usage
cat -n bin/lib/onboard.js | sed -n '45,60p'

Repository: NVIDIA/NemoClaw

Length of output: 875

---

🏁 Script executed:

# Search for how BEDROCK_ENDPOINT_URL is used throughout the codebase
rg "BEDROCK_ENDPOINT_URL" -A 3 -B 3

Repository: NVIDIA/NemoClaw

Length of output: 1015

---

🏁 Script executed:

# Look for validation or setup logic related to Bedrock
rg "bedrock|BEDROCK" -i bin/lib/onboard.js | head -30

Repository: NVIDIA/NemoClaw

Length of output: 1208

---

🏁 Script executed:

# Check if there's any Bedrock validation logic in the file
rg "setupNim|setupInference" -A 10 bin/lib/onboard.js | grep -A 10 "bedrock"

Repository: NVIDIA/NemoClaw

Length of output: 985

---

🏁 Script executed:

# Find the setupNim function and the Bedrock validation skip
rg "setupNim" -A 50 bin/lib/onboard.js | grep -B 5 -A 10 "bedrock"

Repository: NVIDIA/NemoClaw

Length of output: 845

---

🏁 Script executed:

# Search for the specific validation skip comment and context
rg "Skip endpoint validation for Bedrock" -B 5 -A 10 bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 800

---

🏁 Script executed:

# Check if there's any validation or error handling specific to Bedrock
rg "skipVerify|SKIP_VERIFY" -B 3 -A 3 bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 1184

---

🌐 Web query:

AWS Bedrock Mantle endpoint regional behavior API key region bound

💡 Result:

AWS Bedrock Mantle endpoints (bedrock-mantle.{region}.api.aws) are region-specific, as are bedrock-runtime.{region}.amazonaws.com endpoints. Both support OpenAI-compatible APIs (Responses/Chat Completions) and native Bedrock APIs respectively, with model availability varying by region. Amazon Bedrock API keys (Bearer tokens via AWS_BEARER_TOKEN_BEDROCK) are region-bound for short-term keys: "Can be used only in the AWS Region from which you generated it." Long-term keys (service-specific credentials for bedrock.amazonaws.com) documentation does not explicitly state cross-region restrictions, but examples always use region-specific endpoints matching generation region, and Bedrock service quotas/endpoints are regional. API keys are supported in specific regions listed in docs. To use Mantle or any Bedrock endpoint, generate/use an API key in the target region, as keys inherit regional IAM permissions/session scope. For cross-region, regenerate or use IAM credentials with multi-region policies. AWS recommends short-term keys or IAM for production.

Citations:

• 1: https://docs.aws.amazon.com/bedrock/latest/userguide/endpoints.html
• 2: https://docs.aws.amazon.com/bedrock/latest/userguide/models-endpoint-availability.html
• 3: https://docs.aws.amazon.com/general/latest/gr/bedrock.html
• 4: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-supported.html
• 5: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html
• 6: https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html
• 7: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html

---

Require an explicit Bedrock region instead of defaulting to us-west-2.

Bedrock API keys are region-bound and can only be used in the region where they were generated. Bedrock Mantle endpoints are region-specific (bedrock-mantle.{region}.api.aws). If neither BEDROCK_REGION nor AWS_REGION is set, this silently pins every Bedrock onboarding to Oregon, creating a regional mismatch for users working in other regions. Since endpoint validation is intentionally skipped for Bedrock ("validation happens at inference time"), this misconfiguration won't be caught until the first inference request fails.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` at line 50, The BEDROCK_ENDPOINT_URL currently falls back
to "us-west-2" when neither process.env.BEDROCK_REGION nor
process.env.AWS_REGION is set, which can silently misconfigure region-bound
Bedrock API keys; update the onboarding logic around BEDROCK_ENDPOINT_URL to
require an explicit region by checking process.env.BEDROCK_REGION (and
optionally process.env.AWS_REGION) and, if neither is present, abort with a
clear error message (throw or process.exit with logging) instructing the user to
set BEDROCK_REGION instead of defaulting to "us-west-2"; locate the constant
BEDROCK_ENDPOINT_URL and the surrounding initialization code to add this
validation and error handling.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the file exists and get its size
wc -l bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 82

---

🏁 Script executed:

# First, let's examine the Bedrock configuration around lines 116-126
sed -n '110,135p' bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 707

---

🏁 Script executed:

# Search for early breaks related to Bedrock
rg -n "bedrock" bin/lib/onboard.js -A 5 -B 5 | head -100

Repository: NVIDIA/NemoClaw

Length of output: 4269

---

🏁 Script executed:

# Search for validateOpenAiLikeModel function
rg -n "validateOpenAiLikeModel" bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 248

---

🏁 Script executed:

# Search for --no-verify flag
rg -n "\-\-no-verify|skipVerify" bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 446

---

🏁 Script executed:

# Examine validateOpenAiLikeModel function
sed -n '942,1000p' bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 1934

---

🏁 Script executed:

# Check the validation loop context around line 1750 for other providers
sed -n '1740,1790p' bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 2392

---

🏁 Script executed:

# Check what other providers use skipVerify and how they're handled
sed -n '1700,1800p' bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 4424

---

🏁 Script executed:

# Check the setupInference flow for bedrock around lines 2025-2040
sed -n '2020,2065p' bin/lib/onboard.js

Repository: NVIDIA/NemoClaw

Length of output: 2556

---

🌐 Web query:

AWS Bedrock Mantle OpenAI compatible /v1/models endpoint API

💡 Result:

Yes, AWS Bedrock's Mantle inference engine provides OpenAI-compatible API endpoints, including the /v1/models endpoint. This allows listing available models using the OpenAI Models API. Key details: - Endpoint base URL: https://bedrock-mantle.{region}.api.aws/v1 (e.g., us-east-1, us-east-2). - Authentication: Bearer token with Amazon Bedrock API key (via OPENAI_API_KEY env var). - Usage with OpenAI SDK: Set OPENAI_BASE_URL to the Mantle endpoint and use client.models.list. - HTTP example: GET $OPENAI_BASE_URL/v1/models with Authorization: Bearer $OPENAI_API_KEY. - Supported APIs: Models, Responses (/v1/responses), Chat Completions (/v1/chat/completions). - Models: Includes openai.gpt-oss-120b and others; check via the endpoint for current list. - Purpose: Migrate OpenAI apps easily; supports stateful conversations, streaming, tools. Official docs confirm full OpenAI compatibility for these endpoints on bedrock-mantle.

Citations:

• 1: https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html
• 2: https://docs.aws.amazon.com/bedrock/latest/userguide/endpoints.html
• 3: https://medium.com/@mattgillard/getting-started-with-amazon-bedrock-mantle-openai-compatible-apis-on-aws-17cb8a9f2b9d
• 4: https://docs.aws.amazon.com/bedrock/latest/userguide/build.html

---

🌐 Web query:

AWS Bedrock Mantle REST API GET /v1/models authentication

💡 Result:

The AWS Bedrock Mantle REST API (OpenAI-compatible endpoints at bedrock-mantle.{region}.api.aws/v1) uses Bearer token authentication for the GET /v1/models endpoint. Authentication methods: - Amazon Bedrock API key: Set as OPENAI_API_KEY environment variable. Include in header: Authorization: Bearer $OPENAI_API_KEY - AWS credentials (SigV4): Generate short-term bearer token using AWS SDK or tools like aws-bedrock-token-generator, then use Authorization: Bearer $TOKEN Example curl request: curl -X GET $OPENAI_BASE_URL/v1/models \ -H "Authorization: Bearer $OPENAI_API_KEY" This lists available models powered by Mantle. For production, prefer short-term AWS credentials over long-term API keys.

Citations:

• 1: https://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-mantle.html
• 2: https://medium.com/@mattgillard/getting-started-with-amazon-bedrock-mantle-openai-compatible-apis-on-aws-17cb8a9f2b9d

---

Bedrock onboarding should validate model availability like other OpenAI-compatible providers.

Bedrock currently skips model validation during onboarding due to skipVerify: true at line 116-126 and an early break at line 1778-1783. However, AWS Bedrock Mantle exposes an OpenAI-compatible /v1/models endpoint that supports Bearer token authentication with the same OPENAI_API_KEY credential. The code's comment claiming the API key format is incompatible with standard OpenAI probe requests does not align with Bedrock Mantle's documented OpenAI-compatible API. Bedrock should reuse validateOpenAiLikeModel() (like OpenAI and Gemini providers do) to validate model availability before leaving the selection loop, catching invalid model IDs or region/model mismatch issues at onboarding time rather than at inference.

Also applies to: 1778-1783, 2025-2038

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` around lines 116 - 126, The Bedrock provider entry
currently sets skipVerify: true and bypasses model checks; change it to perform
the same validation used by other OpenAI-compatible providers by removing or
setting skipVerify to false on the bedrock provider object and invoking
validateOpenAiLikeModel(...) for the selectedModel (the same call used for
OpenAI/Gemini) inside the provider selection/validation flow rather than
breaking out early; also remove the early break that skips verification in the
provider selection loop and add calls to validateOpenAiLikeModel at the other
two places where Bedrock was skipped so onboarding validates model availability
and region/model mismatches up front.