feat(ai): add AWS ECS/IRSA credential detection for Bedrock, fixes #848

Added support for additional AWS credential environment variables:
- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (ECS task roles)
- AWS_CONTAINER_CREDENTIALS_FULL_URI (ECS task roles)
- AWS_WEB_IDENTITY_TOKEN_FILE (IRSA for Kubernetes)

Also fixed undefined currentModel variable in OAuth error handling.

packages/ai/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Added
+
+- Added AWS credential detection for ECS/Kubernetes environments: `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_WEB_IDENTITY_TOKEN_FILE` ([#848](https://github.com/badlogic/pi-mono/issues/848))
+
 ### Fixed
 
 - Fixed OpenAI Responses 400 error "reasoning without following item" by skipping errored/aborted assistant messages entirely in transform-messages.ts ([#838](https://github.com/badlogic/pi-mono/pull/838))

packages/ai/src/stream.ts

@@ -80,10 +80,16 @@ export function getEnvApiKey(provider: any): string | undefined {
 		// 1. AWS_PROFILE - named profile from ~/.aws/credentials
 		// 2. AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY - standard IAM keys
 		// 3. AWS_BEARER_TOKEN_BEDROCK - Bedrock API keys (bearer token)
+		// 4. AWS_CONTAINER_CREDENTIALS_RELATIVE_URI - ECS task roles
+		// 5. AWS_CONTAINER_CREDENTIALS_FULL_URI - ECS task roles (full URI)
+		// 6. AWS_WEB_IDENTITY_TOKEN_FILE - IRSA (IAM Roles for Service Accounts)
 		if (
 			process.env.AWS_PROFILE ||
 			(process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) ||
-			process.env.AWS_BEARER_TOKEN_BEDROCK
+			process.env.AWS_BEARER_TOKEN_BEDROCK ||
+			process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ||
+			process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI ||
+			process.env.AWS_WEB_IDENTITY_TOKEN_FILE
 		) {
 			return "<authenticated>";
 		}

packages/coding-agent/src/core/sdk.ts

@@ -641,17 +641,18 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
 			}
 			const key = await modelRegistry.getApiKeyForProvider(resolvedProvider);
 			if (!key) {
-				const isOAuth = modelRegistry.isUsingOAuth(currentModel);
+				const model = agent.state.model;
+				const isOAuth = model && modelRegistry.isUsingOAuth(model);
 				if (isOAuth) {
 					throw new Error(
-						`Authentication failed for "${currentModel.provider}". ` +
+						`Authentication failed for "${resolvedProvider}". ` +
 							`Credentials may have expired or network is unavailable. ` +
-							`Run '/login ${currentModel.provider}' to re-authenticate.`,
+							`Run '/login ${resolvedProvider}' to re-authenticate.`,
 					);
 				}
 				throw new Error(
-					`No API key found for "${currentModel.provider}". ` +
-						`Set an API key environment variable or run '/login ${currentModel.provider}'.`,
+					`No API key found for "${resolvedProvider}". ` +
+						`Set an API key environment variable or run '/login ${resolvedProvider}'.`,
 				);
 			}
 			return key;