fix(build): repair kiro auth package compilation (round 3) #959

Merged
KooshaPari merged 1 commit into main from build-fix-3 on Apr 25, 2026

@KooshaPari KooshaPari commented Apr 25, 2026

User description

Summary

Repairs deep symbol drift in pkg/llmproxy/auth/kiro/ so the package compiles cleanly against current main (after #956 + #958 merged).

  • Add KiroFingerprintConfig type + Config.KiroFingerprint field; add FingerprintConfig, SetGlobalFingerprintConfig, GlobalFingerprintManager() alias to fingerprint.go.
  • Update three FetchUserEmailWithFallback call sites in sso_oidc.go to pass clientID + refreshToken (5-arg signature).
  • Wire exported FetchProfileArn to warm the per-account fingerprint via GetAccountKey(clientID, refreshToken) before delegating, so subsequent runtime calls reuse a consistent fingerprint per account.
  • Drop stale uuid import in codewhisperer_client.go and stale auth/base import in token.go.

Symbols restored

| Symbol | Where |
| --- | --- |
| config.Config.KiroFingerprint + KiroFingerprintConfig | pkg/llmproxy/config/config.go |
| kiro.FingerprintConfig | pkg/llmproxy/auth/kiro/fingerprint.go |
| kiro.SetGlobalFingerprintConfig / GetGlobalFingerprintConfig | pkg/llmproxy/auth/kiro/fingerprint.go |
| kiro.GlobalFingerprintManager() (function alias) | pkg/llmproxy/auth/kiro/fingerprint.go |
| FetchProfileArn proper wiring (no longer no-op forwarding) | pkg/llmproxy/auth/kiro/runtime_helpers.go |

Verification

go build ./pkg/llmproxy/auth/kiro/... — clean (0 errors).

Out of scope (still failing on main)

  • pkg/llmproxy/translator/openai/claude/...
  • pkg/llmproxy/translator/openai/gemini-cli/...
  • pkg/llmproxy/translator/claude/gemini-cli/...
  • sdk/auth/{codex,kiro,errors}.go

Test plan

  • go build ./pkg/llmproxy/auth/kiro/... succeeds
  • CI build/test (expected to fail on the out-of-scope packages above)

Note

Medium Risk
Touches Kiro OAuth/CodeWhisperer authentication and request header fingerprinting; while largely a compile/symbol-drift fix, it can change runtime header identity and email lookup behavior per account.

Overview
Repairs Kiro auth package symbol drift so it builds again by reintroducing fingerprint configuration types and config plumbing (Config.KiroFingerprint, kiro.FingerprintConfig, global getters/setters, and GlobalFingerprintManager() alias).

Aligns per-account identity usage in runtime requests by updating SSOOIDCClient.FetchProfileArn to derive an accountKey from (clientID, refreshToken) and warm the fingerprint manager, and by updating FetchUserEmailWithFallback call sites to pass clientID/refreshToken to match its newer signature.

Also removes stale/unused imports in codewhisperer_client.go and token.go that were breaking compilation.

Reviewed by Cursor Bugbot for commit 2e083ee. Bugbot is set up for automated code reviews on this repo. Configure here.


CodeAnt-AI Description

Restore Kiro login flow and allow fingerprint overrides

What Changed

  • Kiro auth now compiles and runs with the current login and profile lookup flow.
  • Login now fetches the user email with the required account details, so the email shown after sign-in works again.
  • Profile lookup now prepares a stable per-account fingerprint before the request, keeping later runtime requests aligned for the same account.
  • A new config option lets operators override Kiro fingerprint details such as SDK, OS, and version fields.

Impact

✅ Working Kiro sign-in
✅ Clearer login identity display
✅ Consistent account fingerprinting

Repairs deep symbol drift in pkg/llmproxy/auth/kiro/ so the package
compiles cleanly against current main (after #956 + #958 merged).

Changes:
- pkg/llmproxy/config/config.go: add KiroFingerprintConfig type and
  Config.KiroFingerprint field so application config can override the
  randomized fingerprint identity used by the kiro FingerprintManager.
- pkg/llmproxy/auth/kiro/fingerprint.go: add FingerprintConfig type,
  process-wide SetGlobalFingerprintConfig / GetGlobalFingerprintConfig
  helpers, and a GlobalFingerprintManager() function-form alias for
  callers (e.g. social_auth.go) that use that spelling instead of
  GetGlobalFingerprintManager.
- pkg/llmproxy/auth/kiro/sso_oidc.go: update three FetchUserEmailWithFallback
  call sites to pass clientID (regResp.ClientID) and refreshToken
  (tokenResp.RefreshToken), matching the current 5-arg signature.
- pkg/llmproxy/auth/kiro/runtime_helpers.go: wire FetchProfileArn to warm
  the per-account fingerprint via GetAccountKey(clientID, refreshToken)
  before delegating to fetchProfileArn, so subsequent runtime calls
  (setRuntimeHeaders) reuse a consistent fingerprint for the account.
- pkg/llmproxy/auth/kiro/codewhisperer_client.go: drop unused
  github.com/google/uuid import.
- pkg/llmproxy/auth/kiro/token.go: drop unused
  pkg/llmproxy/auth/base import.

Verification:
  go build ./pkg/llmproxy/auth/kiro/...   # clean

Out of scope (still failing on main, not touched here):
- pkg/llmproxy/translator/openai/claude/...
- pkg/llmproxy/translator/openai/gemini-cli/...
- pkg/llmproxy/translator/claude/gemini-cli/...
- sdk/auth/{codex,kiro,errors}.go

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Apr 25, 2026

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 31 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 7cb78ef and 2e083ee.

📒 Files selected for processing (6)
  • pkg/llmproxy/auth/kiro/codewhisperer_client.go
  • pkg/llmproxy/auth/kiro/fingerprint.go
  • pkg/llmproxy/auth/kiro/runtime_helpers.go
  • pkg/llmproxy/auth/kiro/sso_oidc.go
  • pkg/llmproxy/auth/kiro/token.go
  • pkg/llmproxy/config/config.go

@KooshaPari KooshaPari merged commit 2a93c6a into main Apr 25, 2026
8 of 13 checks passed
@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Apr 25, 2026
@sonarqubecloud

Quality Gate failed

Failed conditions
3.8% Duplication on New Code (required ≤ 3%)


// Fetch user email
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken)
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken, regResp.ClientID, tokenResp.RefreshToken)

Suggestion: Refactor the surrounding post-auth success flow in this modified function into a helper so the function body stays under the 40-line limit. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The updated LoginWithIDC function in the final file spans far more than 40 lines, so the custom function-length rule is actually violated. This new email-handling line is part of that oversized function body, making the suggestion valid.

**Path:** pkg/llmproxy/auth/kiro/sso_oidc.go
**Line:** 617:617


// Fetch user email (tries CodeWhisperer API first, then userinfo endpoint, then JWT parsing)
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken)
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken, regResp.ClientID, tokenResp.RefreshToken)

Suggestion: Extract the token-success/profile/email handling block around this new line into a dedicated helper to reduce the modified function body below 40 lines. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The updated LoginWithBuilderID function is well over the 40-line limit in the final file. The flagged line is inside that oversized success-path block, so the suggestion correctly identifies a real violation.

**Path:** pkg/llmproxy/auth/kiro/sso_oidc.go
**Line:** 1008:1008


// Fetch user email (tries CodeWhisperer API first, then userinfo endpoint, then JWT parsing)
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken)
email := FetchUserEmailWithFallback(ctx, c.cfg, tokenResp.AccessToken, regResp.ClientID, tokenResp.RefreshToken)

Suggestion: Split this modified auth-code login function by extracting the completion section (profile/email/token mapping) into a helper to satisfy the 40-line function-body rule. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The final LoginWithBuilderIDAuthCode function is substantially longer than 40 lines, so it violates the stated function-body limit. This email lookup line sits within that long completion section, so the suggestion is grounded in a real issue.

**Path:** pkg/llmproxy/auth/kiro/sso_oidc.go
**Line:** 1545:1545

Comment on lines +218 to +225
// SetGlobalFingerprintConfig stores process-wide fingerprint overrides.
// Subsequent fingerprint generation will apply non-empty fields from cfg
// on top of the randomized defaults.
func SetGlobalFingerprintConfig(cfg *FingerprintConfig) {
globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg
}

Suggestion: SetGlobalFingerprintConfig stores overrides, but nothing in fingerprint generation reads globalFingerprintConfig, so configured values are never applied and runtime fingerprints remain fully randomized. Wire generateFingerprint (or another central creation path) to merge non-empty override fields from the global config before returning the fingerprint. [logic error]

Severity Level: Major ⚠️
- ⚠️ Kiro fingerprint overrides in config.go:9-25 are ignored.
- ⚠️ Kiro HTTP requests always use randomized fingerprints, not configured.
- ⚠️ Users cannot enforce stable Kiro identity across requests.
Steps of Reproduction ✅
1. Configure Kiro fingerprint overrides in YAML so `cfg.KiroFingerprint` is non-nil (see
`pkg/llmproxy/config/config.go:9-25` where `Config.KiroFingerprint *KiroFingerprintConfig`
is defined and documented as controlling the fingerprint manager).

2. Start the CLI or server with that config; for example, `cmd/server/main.go:573-586`
calls `kiro.InitFingerprintConfig(cfg)` before Kiro login commands, and
`cmd/server/main.go:691-693` calls `kiro.InitializeAndStart(cfg.AuthDir, cfg)`, which in
turn calls `initGlobalFingerprintConfig` at
`pkg/llmproxy/auth/kiro/refresh_manager.go:14-21`.

3. During initialization, `initGlobalFingerprintConfig` invokes
`SetGlobalFingerprintConfig(&FingerprintConfig{...})` at
`pkg/llmproxy/auth/kiro/refresh_manager.go:19-29`, which writes the supplied values into
the package-global `globalFingerprintConfig` via `SetGlobalFingerprintConfig` at
`pkg/llmproxy/auth/kiro/fingerprint.go:218-225`.

4. Trigger any Kiro request that uses dynamic fingerprinting, e.g. a request executed
through `KiroExecutor.PrepareRequest` and `HttpRequest` at
`pkg/llmproxy/executor/kiro_auth.go:31-65`, which obtains a fingerprint via
`getGlobalFingerprintManager().GetFingerprint(tokenKey)` at `kiro_auth.go:78` and
`kiro_executor.go:10-17`. That `FingerprintManager` is created with
`NewFingerprintManager()` at `pkg/llmproxy/auth/kiro/fingerprint.go:75-81`, and its
`generateFingerprint` implementation at `fingerprint.go:105-124` uses only randomized
choices (`randomChoice`/`randomIntChoice`) and does not call `GetGlobalFingerprintConfig`
or read `globalFingerprintConfig` anywhere in the file. As a result, the configured
overrides are never applied and headers built in `BuildUserAgent`/`BuildAmzUserAgent` at
`fingerprint.go:175-185` remain fully randomized instead of reflecting the configured
values.

**Path:** pkg/llmproxy/auth/kiro/fingerprint.go
**Line:** 218:225

Comment on lines +199 to +233
// FingerprintConfig defines configurable Kiro fingerprint identity overrides
// loaded from application config. Empty fields fall back to the randomized
// defaults produced by FingerprintManager.generateFingerprint.
type FingerprintConfig struct {
OIDCSDKVersion string
RuntimeSDKVersion string
StreamingSDKVersion string
OSType string
OSVersion string
NodeVersion string
KiroVersion string
KiroHash string
}

var (
globalFingerprintConfig *FingerprintConfig
globalFingerprintConfigMu sync.RWMutex
)

// SetGlobalFingerprintConfig stores process-wide fingerprint overrides.
// Subsequent fingerprint generation will apply non-empty fields from cfg
// on top of the randomized defaults.
func SetGlobalFingerprintConfig(cfg *FingerprintConfig) {
globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg
}

// GetGlobalFingerprintConfig returns the current process-wide fingerprint
// override config, or nil if none has been set.
func GetGlobalFingerprintConfig() *FingerprintConfig {
globalFingerprintConfigMu.RLock()
defer globalFingerprintConfigMu.RUnlock()
return globalFingerprintConfig
}
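
Review bot: SetGlobalFingerprintConfig stores the caller's pointer and GetGlobalFingerprintConfig hands the same pointer back, so globalFingerprintConfigMu guards only the pointer swap and not the struct fields. A caller that mutates cfg after the Set call, or any reader that writes through the returned pointer, races with whatever later reads these fields. Storing a copy (`c := *cfg`, with nil handled explicitly) and returning a copy from the getter would make the lock cover the data it appears to protect.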

🟠 Architect Review — HIGH

FingerprintConfig and the global SetGlobalFingerprintConfig/GetGlobalFingerprintConfig are introduced and wired from config (via initGlobalFingerprintConfig), but FingerprintManager.generateFingerprint never reads globalFingerprintConfig, so kiro-fingerprint overrides are effectively no-ops and runtime fingerprints remain fully randomized.

Suggestion: In FingerprintManager.generateFingerprint (or immediately after creating the Fingerprint), read GetGlobalFingerprintConfig() and, if non-nil, apply each non-empty override field onto the generated Fingerprint before it is cached and used to build headers.

**Path:** pkg/llmproxy/auth/kiro/fingerprint.go
**Line:** 199:233

codeant-ai Bot commented Apr 25, 2026

CodeAnt AI finished reviewing your PR.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Global fingerprint config stored but never applied
    • Modified generateFingerprint to retrieve and apply global fingerprint config overrides after generating random defaults, ensuring user-configured kiro-fingerprint settings are respected.

Preview (9129473798)
diff --git a/pkg/llmproxy/auth/kiro/fingerprint.go b/pkg/llmproxy/auth/kiro/fingerprint.go
--- a/pkg/llmproxy/auth/kiro/fingerprint.go
+++ b/pkg/llmproxy/auth/kiro/fingerprint.go
@@ -121,6 +121,30 @@
 	}
 
 	fp.KiroHash = fm.generateKiroHash(tokenKey, kiroVersion, osType)
+
+	// Apply global fingerprint config overrides if set
+	cfg := GetGlobalFingerprintConfig()
+	if cfg != nil {
+		if cfg.StreamingSDKVersion != "" {
+			fp.SDKVersion = cfg.StreamingSDKVersion
+		}
+		if cfg.OSType != "" {
+			fp.OSType = cfg.OSType
+		}
+		if cfg.OSVersion != "" {
+			fp.OSVersion = cfg.OSVersion
+		}
+		if cfg.NodeVersion != "" {
+			fp.NodeVersion = cfg.NodeVersion
+		}
+		if cfg.KiroVersion != "" {
+			fp.KiroVersion = cfg.KiroVersion
+		}
+		if cfg.KiroHash != "" {
+			fp.KiroHash = cfg.KiroHash
+		}
+	}
+
 	return fp
 }
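
Review bot: the override block maps only cfg.StreamingSDKVersion onto fp.SDKVersion, so the OIDCSDKVersion and RuntimeSDKVersion fields that FingerprintConfig declares are still never read and stay silent no-ops after this fix. Either apply them where the corresponding headers are built or drop them from the config type. The overrides also run after `fp.KiroHash = fm.generateKiroHash(tokenKey, kiroVersion, osType)`, so when OSType or KiroVersion is set without KiroHash, the hash is still derived from the randomized values and no longer matches the fields sent with it; applying the overrides before the hash is computed would keep them consistent.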

Reviewed by Cursor Bugbot for commit 2e083ee. Configure here.

globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg
}

Global fingerprint config stored but never applied

Medium Severity

The SetGlobalFingerprintConfig function stores fingerprint overrides, but generateFingerprint doesn't retrieve them via GetGlobalFingerprintConfig. This causes custom kiro-fingerprint configurations to be silently ignored, resulting in all fingerprints being fully randomized, contrary to the documented behavior.


@KooshaPari KooshaPari deleted the build-fix-3 branch April 27, 2026 08:23
@KooshaPari KooshaPari restored the build-fix-3 branch May 3, 2026 14:03
@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 4, 2026
codeant-ai Bot commented May 4, 2026

Sequence Diagram

This PR wires Kiro fingerprint settings from application config into a global manager and ensures that fetching a profile ARN and user email warms a deterministic per-account fingerprint, so later runtime requests reuse consistent headers for that account.

sequenceDiagram
    participant App
    participant RefreshManager
    participant FingerprintManager
    participant SSOOIDCClient
    participant CodeWhispererAPI

    App->>RefreshManager: Initialize with config including KiroFingerprint
    RefreshManager->>FingerprintManager: Set global fingerprint overrides

    App->>SSOOIDCClient: Start Kiro login and obtain tokens
    SSOOIDCClient->>FingerprintManager: Derive account key and warm account fingerprint
    SSOOIDCClient->>CodeWhispererAPI: Fetch profile ARN with access token
    SSOOIDCClient->>CodeWhispererAPI: Fetch user email using client ID and refresh token
    App->>CodeWhispererAPI: Later runtime calls reuse account fingerprint via same account key

Generated by CodeAnt AI

Comment on lines +218 to +224
// SetGlobalFingerprintConfig stores process-wide fingerprint overrides.
// Subsequent fingerprint generation will apply non-empty fields from cfg
// on top of the randomized defaults.
func SetGlobalFingerprintConfig(cfg *FingerprintConfig) {
globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg

🟠 Architect Review — HIGH

Global fingerprint override config is stored via SetGlobalFingerprintConfig but never read when generating fingerprints, so kiro-fingerprint configuration is effectively ignored despite comments promising it will affect new fingerprints.

Suggestion: Read GetGlobalFingerprintConfig inside generateFingerprint (or a helper it calls) and apply non-empty override fields on top of the randomized defaults before computing hashes and building headers.

**Path:** pkg/llmproxy/auth/kiro/fingerprint.go
**Line:** 218:224

Comment on lines +168 to +169
accountKey := GetAccountKey(clientID, refreshToken)
_ = GetGlobalFingerprintManager().GetFingerprint(accountKey)

Suggestion: This unconditional warm-up can create a new fingerprint entry even when account identity inputs are empty; GetAccountKey("", "") falls back to a random UUID, so repeated calls generate unbounded unique keys and inconsistent fingerprints. Guard against empty identity inputs before warming or use a stable fallback key. [memory leak]

Severity Level: Major ⚠️
- ⚠️ Management endpoint /v0/management/kiro-quota leaks fingerprint entries.
- ⚠️ Kiro quota requests send inconsistent fingerprint identity headers.
- ⚠️ Long-running processes may accumulate unnecessary fingerprint objects.
Steps of Reproduction ✅
1. Call the management quota endpoint `GET /v0/management/kiro-quota` handled by
`GetKiroQuota` in `pkg/llmproxy/api/handlers/management/kiro_quota.go:27-42`, with at
least one valid Kiro credential so `getKiroQuotaWithChecker` at lines 44-88 executes.

2. Inside `getKiroQuotaWithChecker`, after resolving a non-empty access token and profile
ARN (lines 58-72), the handler calls `checker.CheckUsageByAccessToken(c.Request.Context(),
token, profileARN)` at line 74, where `checker` is a real `kiroauth.UsageChecker` created
by `kiroauth.NewUsageChecker(h.cfg)` at line 41.

3. In `pkg/llmproxy/auth/kiro/usage_checker.go`, `CheckUsageByAccessToken` (lines 120-126)
builds a `KiroTokenData` with only `AccessToken` and `ProfileArn` set, leaving `ClientID`
and `RefreshToken` empty, then calls `CheckUsage`; `CheckUsage` at lines 69-96 computes
`accountKey := GetAccountKey(tokenData.ClientID, tokenData.RefreshToken)` at line 94,
effectively calling `GetAccountKey("", "")` from `runtime_helpers.go:116-125`.

4. In `pkg/llmproxy/auth/kiro/runtime_helpers.go`, `GetAccountKey` (lines 116-125) sees
both `clientID` and `refreshToken` empty and executes `return
GenerateAccountKey(uuid.New().String())` at line 125, yielding a new random account key on
every call; `setRuntimeHeaders` (lines 143-151) then invokes
`GetGlobalFingerprintManager().GetFingerprint(accountKey)`, and
`FingerprintManager.GetFingerprint` in `pkg/llmproxy/auth/kiro/fingerprint.go:83-101`
allocates and stores a new fingerprint in its `fingerprints` map for each unique random
key, so repeated `/v0/management/kiro-quota` calls accumulate unbounded fingerprint
entries and send inconsistent fingerprint headers for the same logical account.

5. The new warm-up code in `FetchProfileArn` at `runtime_helpers.go:164-170` uses the same
`GetAccountKey` function via `accountKey := GetAccountKey(clientID, refreshToken)` (line
168) and `_ = GetGlobalFingerprintManager().GetFingerprint(accountKey)` (line 169); its
only current caller, `pollForToken` in `pkg/llmproxy/auth/kiro/oauth_web.go:320-323`,
passes non-empty `session.clientID` and `tokenResp.RefreshToken`, so the immediate
manifestation is through the quota path, but the underlying issue is the non-deterministic
`GetAccountKey` fallback when identity inputs are empty.

**Path:** pkg/llmproxy/auth/kiro/runtime_helpers.go
**Line:** 168:169
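
The growth pattern described in the finding above, as an added Go example that is not the project's code: a simplified cache keyed by account key, warmed with the random-fallback key and with a guarded key. The names `cache`, `randomFallbackKey`, `guardedKey` and `entriesAfter`, and the way non-empty inputs are combined into a key, are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// cache is a simplified stand-in for a per-account fingerprint cache: it
// creates and keeps one entry for every distinct account key it is asked for.
type cache map[string]string

func (c cache) get(key string) string {
	if fp, ok := c[key]; ok {
		return fp
	}
	c[key] = "fp-" + randomHex(8)
	return c[key]
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// randomFallbackKey models the flagged behaviour: with no identity inputs,
// every call derives the key from a fresh random value.
func randomFallbackKey(clientID, refreshToken string) string {
	if clientID == "" && refreshToken == "" {
		return "anon-" + randomHex(16)
	}
	return clientID + "\x00" + refreshToken // illustration only: hash before use as a key
}

// guardedKey reports ok=false when there is no identity to key on, so the
// caller can skip the warm-up instead of minting a throwaway entry.
func guardedKey(clientID, refreshToken string) (string, bool) {
	if clientID == "" && refreshToken == "" {
		return "", false
	}
	return clientID + "\x00" + refreshToken, true
}

// entriesAfter warms a fresh cache n times for one identity and returns how
// many entries the cache holds afterwards.
func entriesAfter(n int, clientID, refreshToken string, guarded bool) int {
	c := cache{}
	for i := 0; i < n; i++ {
		if !guarded {
			c.get(randomFallbackKey(clientID, refreshToken))
		} else if key, ok := guardedKey(clientID, refreshToken); ok {
			c.get(key)
		}
	}
	return len(c)
}

func main() {
	fmt.Println("empty identity, random fallback:", entriesAfter(1000, "", "", false))
	fmt.Println("empty identity, guarded:", entriesAfter(1000, "", "", true))
}
```

With empty identity inputs the unguarded path leaves one cache entry per call, while the guarded path leaves none; a non-empty identity yields a single reused entry either way.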


codeant-ai Bot commented May 4, 2026

CodeAnt AI finished running the review.


Thanks for using CodeAnt! 🎉

We're free for open-source projects. If you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn


codeant-ai Bot commented May 5, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 5, 2026

codeant-ai Bot commented May 5, 2026

Sequence Diagram

This PR restores and wires Kiro fingerprint configuration from application config, warms a deterministic per-account fingerprint when resolving the CodeWhisperer profile ARN, and reuses that fingerprint for subsequent runtime calls.

sequenceDiagram
    participant Config
    participant KiroAuth
    participant FingerprintManager
    participant CodeWhispererAPI
    participant User

    Config->>KiroAuth: Load Kiro fingerprint settings
    KiroAuth->>FingerprintManager: Apply global fingerprint overrides

    User->>KiroAuth: Start Kiro login
    KiroAuth->>CodeWhispererAPI: Exchange auth for tokens
    KiroAuth->>FingerprintManager: Warm per account fingerprint using clientID and refreshToken
    KiroAuth->>CodeWhispererAPI: Fetch profile ARN with access token
    KiroAuth->>CodeWhispererAPI: Fetch user email with fallback
    KiroAuth->>FingerprintManager: Get fingerprint for runtime call
    KiroAuth->>CodeWhispererAPI: Call runtime endpoint with consistent headers

Generated by CodeAnt AI

Comment on lines +199 to +225
// FingerprintConfig defines configurable Kiro fingerprint identity overrides
// loaded from application config. Empty fields fall back to the randomized
// defaults produced by FingerprintManager.generateFingerprint.
type FingerprintConfig struct {
OIDCSDKVersion string
RuntimeSDKVersion string
StreamingSDKVersion string
OSType string
OSVersion string
NodeVersion string
KiroVersion string
KiroHash string
}

var (
globalFingerprintConfig *FingerprintConfig
globalFingerprintConfigMu sync.RWMutex
)

// SetGlobalFingerprintConfig stores process-wide fingerprint overrides.
// Subsequent fingerprint generation will apply non-empty fields from cfg
// on top of the randomized defaults.
func SetGlobalFingerprintConfig(cfg *FingerprintConfig) {
globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg
}
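
Review bot: `SetGlobalFingerprintConfig` stores the caller's `*FingerprintConfig` pointer as-is, so `globalFingerprintConfigMu` guards only the pointer swap and not the struct behind it. A caller that changes a field on `cfg` after this call races with any reader of the global. Store a private copy instead (`c := *cfg; globalFingerprintConfig = &c`, behind a nil check) or take the config by value.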

🟠 Architect Review — HIGH

Global Kiro fingerprint overrides are never applied: FingerprintConfig and SetGlobalFingerprintConfig claim that non-empty fields will override generated fingerprints, but generateFingerprint does not read globalFingerprintConfig/GetGlobalFingerprintConfig, so config.KiroFingerprint has no effect on the runtime fingerprint/user-agent headers.

Suggestion: In FingerprintManager.generateFingerprint (or immediately after creating the Fingerprint), read GetGlobalFingerprintConfig and overlay any non-empty override fields onto the generated fingerprint (including SDK/OS/Node/Kiro fields and hash behavior). Add a test that sets KiroFingerprint in config, calls InitFingerprintConfig and a flow that triggers GetFingerprint, and asserts that the emitted headers/user agents reflect the configured overrides.

**Path:** pkg/llmproxy/auth/kiro/fingerprint.go
**Line:** 199:225


codeant-ai Bot commented May 5, 2026

CodeAnt AI finished running the review.



codeant-ai Bot commented May 5, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 5, 2026

codeant-ai Bot commented May 5, 2026

Sequence Diagram

This diagram shows how the Kiro SSO login flow now warms a deterministic per-account fingerprint using clientID and refreshToken before fetching the profile ARN and user email, so later runtime calls can reuse a consistent fingerprint for that account.

sequenceDiagram
    participant User
    participant CLI
    participant SSOClient
    participant FingerprintManager
    participant CodeWhispererAPI

    User->>CLI: Start Kiro login
    CLI->>SSOClient: Perform SSO login and obtain tokens
    SSOClient->>FingerprintManager: Get fingerprint for account key from clientID and refreshToken
    SSOClient->>CodeWhispererAPI: Fetch profile ARN with access token
    SSOClient->>CodeWhispererAPI: Fetch user email with fallback
    CodeWhispererAPI-->>SSOClient: Return profile ARN and email
    SSOClient-->>User: Show logged in profile and email

Generated by CodeAnt AI

Comment on lines +158 to +160
// KiroFingerprint configures the Kiro/CodeWhisperer fingerprint manager.
// When nil, fingerprint defaults from kiro.NewFingerprintManager are used.
KiroFingerprint *KiroFingerprintConfig `yaml:"kiro-fingerprint,omitempty" json:"kiro-fingerprint,omitempty"`
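
Review bot: The doc comment on `KiroFingerprint` documents only the nil case. It should also say what a partially filled `kiro-fingerprint` block does, for example that empty fields keep the generated defaults, so the contract of this field matches the comment on `FingerprintConfig` and an operator can tell which headers a given config pins.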

Suggestion: The new KiroFingerprint config is declared as if it controls fingerprint generation, but the runtime path never reads these values when creating fingerprints (generateFingerprint still uses only randomized defaults). This creates a contract bug where user-supplied config is silently ignored. Wire these fields into fingerprint creation (or remove the config) so configured values actually affect request headers. [logic error]

Severity Level: Major ⚠️
- ⚠️ Kiro fingerprint config in config.yaml has no effect.
- ⚠️ CLI Kiro login always uses randomized fingerprint headers.
- ⚠️ Harder to reproduce Kiro traffic for debugging/compliance.
Steps of Reproduction ✅
1. Define a Kiro fingerprint override in your config YAML so it populates
`config.Config.KiroFingerprint` at `pkg/llmproxy/config/config.go:29-45` (for example, set
`kiro-fingerprint.os-type: linux` and `kiro-fingerprint.kiro-version: 0.8.0`).

2. Run the CLI in any Kiro-auth mode that initializes fingerprint config, e.g. `kiroLogin`
branch in `cmd/server/main.go:8-16`, which calls `kiro.InitFingerprintConfig(cfg)`
(importing `pkg/llmproxy/auth/kiro`).

3. Observe `InitFingerprintConfig` in `pkg/llmproxy/auth/kiro/refresh_manager.go:193-195`
calls `initGlobalFingerprintConfig`, which maps `cfg.KiroFingerprint` into a
`FingerprintConfig` and stores it via `SetGlobalFingerprintConfig` into the
`globalFingerprintConfig` singleton at `pkg/llmproxy/auth/kiro/fingerprint.go:213-225`.

4. Trigger any Kiro request that uses dynamic fingerprints, e.g. a CodeWhisperer IDC call
routed through `KiroExecutor.PrepareRequest` in
`pkg/llmproxy/executor/kiro_auth.go:21-30`, which calls `applyDynamicFingerprint` → `getGlobalFingerprintManager().GetFingerprint(tokenKey)` in
`pkg/llmproxy/executor/kiro_executor.go:20-27`; `getGlobalFingerprintManager` constructs a
plain `kiroauth.NewFingerprintManager()` and `FingerprintManager.generateFingerprint` at
`pkg/llmproxy/auth/kiro/fingerprint.go:25-45` picks randomized SDK/OS/Kiro values without
ever consulting `globalFingerprintConfig` or `cfg.KiroFingerprint`, so the headers and
User-Agent built in `BuildUserAgent`/`BuildAmzUserAgent` ignore the configured values.

**Path:** pkg/llmproxy/config/config.go
**Line:** 158:160


codeant-ai Bot commented May 5, 2026

CodeAnt AI finished running the review.



codeant-ai Bot commented May 6, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 6, 2026

codeant-ai Bot commented May 6, 2026

Sequence Diagram

This PR restores Kiro fingerprint configuration wiring and updates the login/profile flow so a deterministic per-account fingerprint is warmed and then reused when resolving the CodeWhisperer profile ARN and fetching the user's email.

sequenceDiagram
    participant Client
    participant FingerprintManager
    participant CodeWhispererAPI

    Client->>FingerprintManager: Set global fingerprint config from app config
    Client->>FingerprintManager: Warm account fingerprint using clientID and refreshToken
    Client->>CodeWhispererAPI: Resolve profile ARN with access token
    Client->>CodeWhispererAPI: Fetch usage limits and user email using same account key
    CodeWhispererAPI-->>Client: Return profile ARN and email

Generated by CodeAnt AI

Comment on lines +218 to +225
// SetGlobalFingerprintConfig stores process-wide fingerprint overrides.
// Subsequent fingerprint generation will apply non-empty fields from cfg
// on top of the randomized defaults.
func SetGlobalFingerprintConfig(cfg *FingerprintConfig) {
globalFingerprintConfigMu.Lock()
defer globalFingerprintConfigMu.Unlock()
globalFingerprintConfig = cfg
}
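
Review bot: The comment on `SetGlobalFingerprintConfig` promises that only subsequent generation picks up `cfg`, which leaves two cases undocumented: what a nil `cfg` means (clearing the overrides?) and what happens to fingerprints generated before the call. State that the setter must run before the first fingerprint is generated, or document that earlier fingerprints keep their old values.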

🟠 Architect Review — HIGH

Global fingerprint override configuration (SetGlobalFingerprintConfig / GetGlobalFingerprintConfig) is never consulted during fingerprint generation, so kiro-fingerprint values loaded from config are stored but have no effect on the Fingerprints used in headers.

Suggestion: Update FingerprintManager.generateFingerprint (or FingerprintManager initialization) to read GetGlobalFingerprintConfig and merge any non-empty override fields into newly generated Fingerprints, ensuring all configured fields are actually reflected in the resulting headers.

**Path:** pkg/llmproxy/auth/kiro/fingerprint.go
**Line:** 218:225
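
The override merge that this comment and the earlier comments on `fingerprint.go` and `config.go` ask for, as an added Go example that is not the project's code: non-empty override fields replace generated defaults, and empty ones leave them alone. The names `Overrides`, `Fingerprint`, `SetOverrides`, `pick` and `generate` are hypothetical, and the default values are constructed.

```go
package main

import (
	"fmt"
	"sync"
)

// Overrides mirrors three of the FingerprintConfig fields shown in the hunk.
type Overrides struct{ OSType, NodeVersion, KiroVersion string }

// Fingerprint is a hypothetical, reduced fingerprint record.
type Fingerprint struct{ OSType, NodeVersion, KiroVersion string }

var (
	overridesMu sync.RWMutex
	overrides   *Overrides
)

// SetOverrides stores a private copy, so later changes to the caller's
// struct cannot alter the process-wide overrides. nil clears them.
func SetOverrides(o *Overrides) {
	overridesMu.Lock()
	defer overridesMu.Unlock()
	if o == nil {
		overrides = nil
		return
	}
	c := *o
	overrides = &c
}

// currentOverrides returns a snapshot of the overrides, if any are set.
func currentOverrides() (Overrides, bool) {
	overridesMu.RLock()
	defer overridesMu.RUnlock()
	if overrides == nil {
		return Overrides{}, false
	}
	return *overrides, true
}

// pick returns the override when it is set, otherwise the generated value.
func pick(override, generated string) string {
	if override != "" {
		return override
	}
	return generated
}

// generate takes the defaults (fixed here; randomized in the code under
// review) and overlays every non-empty override field on top of them.
func generate(defaults Fingerprint) Fingerprint {
	o, ok := currentOverrides()
	if !ok {
		return defaults
	}
	return Fingerprint{
		OSType:      pick(o.OSType, defaults.OSType),
		NodeVersion: pick(o.NodeVersion, defaults.NodeVersion),
		KiroVersion: pick(o.KiroVersion, defaults.KiroVersion),
	}
}

func main() {
	SetOverrides(&Overrides{OSType: "linux", KiroVersion: "0.8.0"})
	fmt.Printf("%+v\n", generate(Fingerprint{OSType: "darwin", NodeVersion: "20.1.0", KiroVersion: "0.7.5"}))
}
```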


codeant-ai Bot commented May 6, 2026

CodeAnt AI finished running the review.



codeant-ai Bot commented May 9, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 9, 2026

codeant-ai Bot commented May 9, 2026

Sequence Diagram

This diagram shows how Kiro auth now loads optional fingerprint overrides from configuration and, after login, uses client ID and refresh token to warm a per-account fingerprint before calling CodeWhisperer to resolve the profile ARN and user email so later runtime calls reuse a stable identity.

sequenceDiagram
    participant App
    participant User
    participant OAuthClient
    participant FingerprintManager
    participant CodeWhispererAPI

    App->>FingerprintManager: Load overrides from Kiro fingerprint config at startup
    User->>OAuthClient: Complete Kiro login and obtain access token client ID refresh token
    OAuthClient->>FingerprintManager: Derive per account fingerprint from client ID and refresh token
    OAuthClient->>CodeWhispererAPI: Fetch profile ARN using access token and account fingerprint
    OAuthClient->>CodeWhispererAPI: Fetch user email using access token client ID refresh token
    OAuthClient-->>User: Save token profile and email for later runtime calls with stable fingerprint

Generated by CodeAnt AI


codeant-ai Bot commented May 9, 2026

CodeAnt AI finished running the review.

