fix(azure): unify credential passing pattern across all LLM handlers

- Pass all provider credentials unconditionally in router, evaluator (matching agent pattern)
- Remove conditional if-branching on providerId for credential fields
- Thread workspaceId through guardrails → hallucination validator for BYOK key resolution
- Remove getApiKey() from hallucination validator, let executeProviderRequest handle it
- Resolve vertex OAuth credentials in hallucination validator matching agent handler pattern

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/guardrails/validate/route.ts

@@ -32,6 +32,7 @@ export async function POST(request: NextRequest) {
       bedrockSecretKey,
       bedrockRegion,
       workflowId,
+      workspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,
@@ -129,6 +130,7 @@ export async function POST(request: NextRequest) {
         bedrockRegion,
       },
       workflowId,
+      workspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,
@@ -207,6 +209,7 @@ async function executeValidation(
     bedrockRegion?: string
   },
   workflowId: string | undefined,
+  workspaceId: string | undefined,
   piiEntityTypes: string[] | undefined,
   piiMode: string | undefined,
   piiLanguage: string | undefined,
@@ -249,6 +252,7 @@ async function executeValidation(
       apiKey,
       providerCredentials,
       workflowId,
+      workspaceId,
       requestId,
     })
   }

apps/sim/executor/handlers/evaluator/evaluator-handler.ts

@@ -121,26 +121,17 @@ export class EvaluatorBlockHandler implements BlockHandler {
 
         temperature: EVALUATOR.DEFAULT_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: evaluatorConfig.vertexProject,
+        vertexLocation: evaluatorConfig.vertexLocation,
+        bedrockAccessKeyId: evaluatorConfig.bedrockAccessKeyId,
+        bedrockSecretKey: evaluatorConfig.bedrockSecretKey,
+        bedrockRegion: evaluatorConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = evaluatorConfig.vertexProject
-        providerRequest.vertexLocation = evaluatorConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai' || providerId === 'azure-anthropic') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = evaluatorConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = evaluatorConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = evaluatorConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),

apps/sim/executor/handlers/router/router-handler.ts

@@ -96,26 +96,17 @@ export class RouterBlockHandler implements BlockHandler {
         context: JSON.stringify(messages),
         temperature: ROUTER.INFERENCE_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: routerConfig.vertexProject,
+        vertexLocation: routerConfig.vertexLocation,
+        bedrockAccessKeyId: routerConfig.bedrockAccessKeyId,
+        bedrockSecretKey: routerConfig.bedrockSecretKey,
+        bedrockRegion: routerConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = routerConfig.vertexProject
-        providerRequest.vertexLocation = routerConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai' || providerId === 'azure-anthropic') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = routerConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),
@@ -234,6 +225,13 @@ export class RouterBlockHandler implements BlockHandler {
         context: JSON.stringify(messages),
         temperature: ROUTER.INFERENCE_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: routerConfig.vertexProject,
+        vertexLocation: routerConfig.vertexLocation,
+        bedrockAccessKeyId: routerConfig.bedrockAccessKeyId,
+        bedrockSecretKey: routerConfig.bedrockSecretKey,
+        bedrockRegion: routerConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
         responseFormat: {
@@ -257,22 +255,6 @@ export class RouterBlockHandler implements BlockHandler {
         },
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = routerConfig.vertexProject
-        providerRequest.vertexLocation = routerConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai' || providerId === 'azure-anthropic') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = routerConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),

apps/sim/lib/guardrails/validate_hallucination.ts

@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { executeProviderRequest } from '@/providers'
-import { getApiKey, getProviderFromModel } from '@/providers/utils'
+import { getProviderFromModel } from '@/providers/utils'
 
 const logger = createLogger('HallucinationValidator')
 
@@ -34,6 +34,7 @@ export interface HallucinationValidationInput {
     bedrockRegion?: string
   }
   workflowId?: string
+  workspaceId?: string
   requestId: string
 }
 
@@ -103,8 +104,9 @@ async function scoreHallucinationWithLLM(
   userInput: string,
   ragContext: string[],
   model: string,
-  apiKey: string,
+  apiKey: string | undefined,
   providerCredentials: HallucinationValidationInput['providerCredentials'],
+  workspaceId: string | undefined,
   requestId: string
 ): Promise<{ score: number; reasoning: string }> {
   try {
@@ -142,8 +144,7 @@ Evaluate the consistency and provide your score and reasoning in JSON format.`
 
     const providerId = getProviderFromModel(model)
 
-    // Resolve Vertex AI OAuth credential to access token if needed
-    let finalApiKey = apiKey
+    let finalApiKey: string | undefined = apiKey
     if (providerId === 'vertex' && providerCredentials?.vertexCredential) {
       const credential = await db.query.account.findFirst({
         where: eq(account.id, providerCredentials.vertexCredential),
@@ -178,6 +179,7 @@ Evaluate the consistency and provide your score and reasoning in JSON format.`
       bedrockAccessKeyId: providerCredentials?.bedrockAccessKeyId,
       bedrockSecretKey: providerCredentials?.bedrockSecretKey,
       bedrockRegion: providerCredentials?.bedrockRegion,
+      workspaceId,
     })
 
     if (response instanceof ReadableStream || ('stream' in response && 'execution' in response)) {
@@ -233,6 +235,7 @@ export async function validateHallucination(
     apiKey,
     providerCredentials,
     workflowId,
+    workspaceId,
     requestId,
   } = input
 
@@ -251,17 +254,6 @@ export async function validateHallucination(
       }
     }
 
-    let finalApiKey: string
-    try {
-      const providerId = getProviderFromModel(model)
-      finalApiKey = getApiKey(providerId, model, apiKey)
-    } catch (error: any) {
-      return {
-        passed: false,
-        error: `API key error: ${error.message}`,
-      }
-    }
-
     // Step 1: Query knowledge base with RAG
     const ragContext = await queryKnowledgeBase(
       knowledgeBaseId,
@@ -283,8 +275,9 @@ export async function validateHallucination(
       userInput,
       ragContext,
       model,
-      finalApiKey,
+      apiKey,
       providerCredentials,
+      workspaceId,
       requestId
     )