feat: 支持凭据级 region/machineId 配置及自动认证方式检测 (#24)

* feat: 支持凭据级 region/machineId 配置及自动认证方式检测

凭据级配置:
- 新增 credentials.region 字段，用于 OIDC token 刷新时指定 endpoint 区域
- 新增 credentials.machineId 字段，支持凭据级机器码配置
- 优先级: 凭据级 > config.json 全局配置 > refreshToken 派生

machineId 格式兼容:
- 支持 64 字符十六进制格式（原有）
- 支持 UUID 格式（如 2582956e-cc88-4669-b546-07adbffcb894），自动转换为 64 字符

认证方式自动检测:
- 当 authMethod 未指定时，根据 clientId/clientSecret 存在与否自动判断
- 有 clientId + clientSecret → idc 认证
- 否则 → social 认证

文件变更:
- src/kiro/machine_id.rs: 添加 normalize_machine_id 函数
- src/kiro/token_manager.rs: 添加 region 优先级逻辑和 authMethod 自动检测
- src/kiro/model/credentials.rs: 新增 region/machineId 字段及测试
- src/admin/types.rs, src/admin/service.rs: Admin API 支持新字段
- README.md, credentials.example.*.json: 文档和示例更新

* feat: 支持凭据级 region/machineId 配置及自动认证方式检测

凭据级配置:
- 新增 credentials.region 字段，用于 OIDC token 刷新时指定 endpoint 区域
- 新增 credentials.machineId 字段，支持凭据级机器码配置
- 优先级: 凭据级 > config.json 全局配置 > refreshToken 派生

machineId 格式兼容:
- 支持 64 字符十六进制格式（原有）
- 支持 UUID 格式（如 2582956e-cc88-4669-b546-07adbffcb894），自动转换为 64 字符

认证方式自动检测:
- 当 authMethod 未指定时，根据 clientId/clientSecret 存在与否自动判断
- 有 clientId + clientSecret → idc 认证
- 否则 → social 认证

文件变更:
- src/kiro/machine_id.rs: 添加 normalize_machine_id 函数
- src/kiro/token_manager.rs: 添加 region 优先级逻辑和 authMethod 自动检测
- src/kiro/model/credentials.rs: 新增 region/machineId 字段及测试
- src/admin/types.rs, src/admin/service.rs: Admin API 支持新字段
- README.md, credentials.example.*.json: 文档和示例更新

README.md

@@ -101,6 +101,7 @@ cargo build --release
       "authMethod": "idc",
       "clientId": "xxxxxxxxx",
       "clientSecret": "xxxxxxxxx",
+      "region": "us-east-2",
       "priority": 1
    }
 ]
@@ -111,6 +112,7 @@ cargo build --release
 > - 单凭据最多重试 3 次，单请求最多重试 9 次
 > - 自动故障转移到下一个可用凭据
 > - 多凭据格式下 Token 刷新后自动回写到源文件
+> - 可选的 `region` 字段：用于 OIDC token 刷新时指定 endpoint 区域，未配置时回退到 config.json 的 region
 
 最小启动配置(social):
 ```json
@@ -194,6 +196,8 @@ curl http://127.0.0.1:8990/v1/messages \
 | `clientId` | string | IdC 登录的客户端 ID（可选）      |
 | `clientSecret` | string | IdC 登录的客户端密钥（可选）      |
 | `priority` | number | 凭据优先级，数字越小越优先，默认为 0（多凭据格式时有效）|
+| `region` | string | 凭据级 region（可选），用于 OIDC token 刷新时指定 endpoint 的区域。未配置时回退到 config.json 的 region。注意：API 调用始终使用 config.json 的 region |
+| `machineId` | string | 凭据级机器码（可选，64位十六进制）。未配置时回退到 config.json 的 machineId；都未配置时由 refreshToken 派生 |
 
 ## 模型映射
 
@@ -344,4 +348,4 @@ MIT
  - [kiro2api](https://github.com/caidaoli/kiro2api)
  - [proxycast](https://github.com/aiclientproxy/proxycast)
 
-本项目部分逻辑参考了以上的项目, 再次由衷的感谢!
+本项目部分逻辑参考了以上的项目, 再次由衷的感谢!

credentials.example.idc.json

@@ -3,5 +3,7 @@
   "expiresAt": "2025-12-31T02:32:45.144Z",
   "authMethod": "idc",
   "clientId": "xxxxxxxxx",
-  "clientSecret": "xxxxxxxxx"
-}
+  "clientSecret": "xxxxxxxxx",
+  "region": "us-east-2",
+  "machineId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+}

credentials.example.multiple.json

@@ -3,6 +3,7 @@
     "refreshToken": "xxxxxxxxxxxxxxxxxxxx",
     "expiresAt": "2025-12-31T02:32:45.144Z",
     "authMethod": "social",
+    "machineId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
     "priority": 0
   },
   {
@@ -11,6 +12,8 @@
     "authMethod": "idc",
     "clientId": "xxxxxxxxx",
     "clientSecret": "xxxxxxxxx",
+    "region": "us-east-2",
+    "machineId": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
     "priority": 1
   }
 ]

credentials.example.social.json

@@ -1,5 +1,6 @@
 {
   "refreshToken": "xxxxxxxxxxxxxxxxxxxx",
   "expiresAt": "2025-12-31T02:32:45.144Z",
-  "authMethod": "social"
-}
+  "authMethod": "social",
+  "machineId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+}

src/admin/service.rs

@@ -128,6 +128,8 @@ impl AdminService {
             client_id: req.client_id,
             client_secret: req.client_secret,
             priority: req.priority,
+            region: req.region,
+            machine_id: req.machine_id,
         };
 
         // 调用 token_manager 添加凭据

src/admin/types.rs

@@ -78,6 +78,14 @@ pub struct AddCredentialRequest {
     /// 优先级（可选，默认 0）
     #[serde(default)]
     pub priority: u32,
+
+    /// 凭据级 Region 配置（用于 OIDC token 刷新）
+    /// 未配置时回退到 config.json 的全局 region
+    pub region: Option<String>,
+
+    /// 凭据级 Machine ID（可选，64 位字符串）
+    /// 未配置时回退到 config.json 的 machineId
+    pub machine_id: Option<String>,
 }
 
 fn default_auth_method() -> String {

src/kiro/machine_id.rs

@@ -6,14 +6,47 @@ use sha2::{Digest, Sha256};
 use crate::kiro::model::credentials::KiroCredentials;
 use crate::model::config::Config;
 
+/// 标准化 machineId 格式
+///
+/// 支持以下格式：
+/// - 64 字符十六进制字符串（直接返回）
+/// - UUID 格式（如 "2582956e-cc88-4669-b546-07adbffcb894"，移除连字符后补齐到 64 字符）
+fn normalize_machine_id(machine_id: &str) -> Option<String> {
+    let trimmed = machine_id.trim();
+
+    // 如果已经是 64 字符，直接返回
+    if trimmed.len() == 64 && trimmed.chars().all(|c| c.is_ascii_hexdigit()) {
+        return Some(trimmed.to_string());
+    }
+
+    // 尝试解析 UUID 格式（移除连字符）
+    let without_dashes: String = trimmed.chars().filter(|c| *c != '-').collect();
+
+    // UUID 去掉连字符后是 32 字符
+    if without_dashes.len() == 32 && without_dashes.chars().all(|c| c.is_ascii_hexdigit()) {
+        // 补齐到 64 字符（重复一次）
+        return Some(format!("{}{}", without_dashes, without_dashes));
+    }
+
+    // 无法识别的格式
+    None
+}
+
 /// 根据凭证信息生成唯一的 Machine ID
 ///
-/// 优先使用自定义配置，然后使用 refreshToken 生成
+/// 优先使用凭据级 machineId，其次使用 config.machineId，然后使用 refreshToken 生成
 pub fn generate_from_credentials(credentials: &KiroCredentials, config: &Config) -> Option<String> {
-    // 如果配置了自定义 machineId 且长度为 64，优先使用
+    // 如果配置了凭据级 machineId，优先使用
+    if let Some(ref machine_id) = credentials.machine_id {
+        if let Some(normalized) = normalize_machine_id(machine_id) {
+            return Some(normalized);
+        }
+    }
+
+    // 如果配置了全局 machineId，作为默认值
     if let Some(ref machine_id) = config.machine_id {
-        if machine_id.len() == 64 {
-            return Some(machine_id.clone());
+        if let Some(normalized) = normalize_machine_id(machine_id) {
+            return Some(normalized);
         }
     }
 
@@ -60,10 +93,22 @@ mod tests {
         assert_eq!(result, Some("a".repeat(64)));
     }
 
+    #[test]
+    fn test_generate_with_credential_machine_id_overrides_config() {
+        let mut credentials = KiroCredentials::default();
+        credentials.machine_id = Some("b".repeat(64));
+
+        let mut config = Config::default();
+        config.machine_id = Some("a".repeat(64));
+
+        let result = generate_from_credentials(&credentials, &config);
+        assert_eq!(result, Some("b".repeat(64)));
+    }
+
     #[test]
     fn test_generate_with_refresh_token() {
         let mut credentials = KiroCredentials::default();
-        credentials.refresh_token = Some("test_refresh_token".to_string());
+        credentials.refresh_token = Some("test_refresh_token".to_string());     
         let config = Config::default();
 
         let result = generate_from_credentials(&credentials, &config);
@@ -79,4 +124,44 @@ mod tests {
         let result = generate_from_credentials(&credentials, &config);
         assert!(result.is_none());
     }
+
+    #[test]
+    fn test_normalize_uuid_format() {
+        // UUID 格式应该被转换为 64 字符
+        let uuid = "2582956e-cc88-4669-b546-07adbffcb894";
+        let result = normalize_machine_id(uuid);
+        assert!(result.is_some());
+        let normalized = result.unwrap();
+        assert_eq!(normalized.len(), 64);
+        // UUID 去掉连字符后重复一次
+        assert_eq!(normalized, "2582956ecc884669b54607adbffcb8942582956ecc884669b54607adbffcb894");
+    }
+
+    #[test]
+    fn test_normalize_64_char_hex() {
+        // 64 字符十六进制应该直接返回
+        let hex64 = "a".repeat(64);
+        let result = normalize_machine_id(&hex64);
+        assert_eq!(result, Some(hex64));
+    }
+
+    #[test]
+    fn test_normalize_invalid_format() {
+        // 无效格式应该返回 None
+        assert!(normalize_machine_id("invalid").is_none());
+        assert!(normalize_machine_id("too-short").is_none());
+        assert!(normalize_machine_id(&"g".repeat(64)).is_none()); // 非十六进制
+    }
+
+    #[test]
+    fn test_generate_with_uuid_machine_id() {
+        let mut credentials = KiroCredentials::default();
+        credentials.machine_id = Some("2582956e-cc88-4669-b546-07adbffcb894".to_string());
+
+        let config = Config::default();
+
+        let result = generate_from_credentials(&credentials, &config);
+        assert!(result.is_some());
+        assert_eq!(result.as_ref().unwrap().len(), 64);
+    }
 }

src/kiro/model/credentials.rs

@@ -47,6 +47,16 @@ pub struct KiroCredentials {
     #[serde(default)]
     #[serde(skip_serializing_if = "is_zero")]
     pub priority: u32,
+
+    /// 凭据级 Region 配置（用于 OIDC token 刷新）
+    /// 未配置时回退到 config.json 的全局 region
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub region: Option<String>,
+
+    /// 凭据级 Machine ID 配置（可选）
+    /// 未配置时回退到 config.json 的 machineId；都未配置时由 refreshToken 派生
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub machine_id: Option<String>,
 }
 
 /// 判断是否为零（用于跳过序列化）
@@ -199,6 +209,8 @@ mod tests {
             client_id: None,
             client_secret: None,
             priority: 0,
+            region: None,
+            machine_id: None,
         };
 
         let json = creds.to_pretty_json().unwrap();
@@ -265,4 +277,186 @@ mod tests {
         assert_eq!(list[1].refresh_token, Some("t3".to_string())); // priority 1
         assert_eq!(list[2].refresh_token, Some("t1".to_string())); // priority 2
     }
+
+    // ============ Region 字段测试 ============
+
+    #[test]
+    fn test_region_field_parsing() {
+        // 测试解析包含 region 字段的 JSON
+        let json = r#"{
+            "refreshToken": "test_refresh",
+            "region": "us-east-1"
+        }"#;
+
+        let creds = KiroCredentials::from_json(json).unwrap();
+        assert_eq!(creds.refresh_token, Some("test_refresh".to_string()));
+        assert_eq!(creds.region, Some("us-east-1".to_string()));
+    }
+
+    #[test]
+    fn test_region_field_missing_backward_compat() {
+        // 测试向后兼容：不包含 region 字段的旧格式 JSON
+        let json = r#"{
+            "refreshToken": "test_refresh",
+            "authMethod": "social"
+        }"#;
+
+        let creds = KiroCredentials::from_json(json).unwrap();
+        assert_eq!(creds.refresh_token, Some("test_refresh".to_string()));
+        assert_eq!(creds.region, None);
+    }
+
+    #[test]
+    fn test_region_field_serialization() {
+        // 测试序列化时正确输出 region 字段
+        let creds = KiroCredentials {
+            id: None,
+            access_token: None,
+            refresh_token: Some("test".to_string()),
+            profile_arn: None,
+            expires_at: None,
+            auth_method: None,
+            client_id: None,
+            client_secret: None,
+            priority: 0,
+            region: Some("eu-west-1".to_string()),
+            machine_id: None,
+        };
+
+        let json = creds.to_pretty_json().unwrap();
+        assert!(json.contains("region"));
+        assert!(json.contains("eu-west-1"));
+    }
+
+    #[test]
+    fn test_region_field_none_not_serialized() {
+        // 测试 region 为 None 时不序列化
+        let creds = KiroCredentials {
+            id: None,
+            access_token: None,
+            refresh_token: Some("test".to_string()),
+            profile_arn: None,
+            expires_at: None,
+            auth_method: None,
+            client_id: None,
+            client_secret: None,
+            priority: 0,
+            region: None,
+            machine_id: None,
+        };
+
+        let json = creds.to_pretty_json().unwrap();
+        assert!(!json.contains("region"));
+    }
+
+    // ============ MachineId 字段测试 ============
+
+    #[test]
+    fn test_machine_id_field_parsing() {
+        let machine_id = "a".repeat(64);
+        let json = format!(
+            r#"{{
+                "refreshToken": "test_refresh",
+                "machineId": "{machine_id}"
+            }}"#
+        );
+
+        let creds = KiroCredentials::from_json(&json).unwrap();
+        assert_eq!(creds.refresh_token, Some("test_refresh".to_string()));
+        assert_eq!(creds.machine_id, Some(machine_id));
+    }
+
+    #[test]
+    fn test_machine_id_field_serialization() {
+        let mut creds = KiroCredentials::default();
+        creds.refresh_token = Some("test".to_string());
+        creds.machine_id = Some("b".repeat(64));
+
+        let json = creds.to_pretty_json().unwrap();
+        assert!(json.contains("machineId"));
+    }
+
+    #[test]
+    fn test_machine_id_field_none_not_serialized() {
+        let mut creds = KiroCredentials::default();
+        creds.refresh_token = Some("test".to_string());
+        creds.machine_id = None;
+
+        let json = creds.to_pretty_json().unwrap();
+        assert!(!json.contains("machineId"));
+    }
+
+    #[test]
+    fn test_multiple_credentials_with_different_regions() {
+        // 测试多凭据场景下不同凭据使用各自的 region
+        let json = r#"[
+            {"refreshToken": "t1", "region": "us-east-1"},
+            {"refreshToken": "t2", "region": "eu-west-1"},
+            {"refreshToken": "t3"}
+        ]"#;
+
+        let config: CredentialsConfig = serde_json::from_str(json).unwrap();
+        let list = config.into_sorted_credentials();
+
+        assert_eq!(list[0].region, Some("us-east-1".to_string()));
+        assert_eq!(list[1].region, Some("eu-west-1".to_string()));
+        assert_eq!(list[2].region, None);
+    }
+
+    #[test]
+    fn test_region_field_with_all_fields() {
+        // 测试包含所有字段的完整 JSON
+        let json = r#"{
+            "id": 1,
+            "accessToken": "access",
+            "refreshToken": "refresh",
+            "profileArn": "arn:aws:test",
+            "expiresAt": "2025-12-31T00:00:00Z",
+            "authMethod": "idc",
+            "clientId": "client123",
+            "clientSecret": "secret456",
+            "priority": 5,
+            "region": "ap-northeast-1"
+        }"#;
+
+        let creds = KiroCredentials::from_json(json).unwrap();
+        assert_eq!(creds.id, Some(1));
+        assert_eq!(creds.access_token, Some("access".to_string()));
+        assert_eq!(creds.refresh_token, Some("refresh".to_string()));
+        assert_eq!(creds.profile_arn, Some("arn:aws:test".to_string()));
+        assert_eq!(creds.expires_at, Some("2025-12-31T00:00:00Z".to_string()));
+        assert_eq!(creds.auth_method, Some("idc".to_string()));
+        assert_eq!(creds.client_id, Some("client123".to_string()));
+        assert_eq!(creds.client_secret, Some("secret456".to_string()));
+        assert_eq!(creds.priority, 5);
+        assert_eq!(creds.region, Some("ap-northeast-1".to_string()));
+    }
+
+    #[test]
+    fn test_region_roundtrip() {
+        // 测试序列化和反序列化的往返一致性
+        let original = KiroCredentials {
+            id: Some(42),
+            access_token: Some("token".to_string()),
+            refresh_token: Some("refresh".to_string()),
+            profile_arn: None,
+            expires_at: None,
+            auth_method: Some("social".to_string()),
+            client_id: None,
+            client_secret: None,
+            priority: 3,
+            region: Some("us-west-2".to_string()),
+            machine_id: Some("c".repeat(64)),
+        };
+
+        let json = original.to_pretty_json().unwrap();
+        let parsed = KiroCredentials::from_json(&json).unwrap();
+
+        assert_eq!(parsed.id, original.id);
+        assert_eq!(parsed.access_token, original.access_token);
+        assert_eq!(parsed.refresh_token, original.refresh_token);
+        assert_eq!(parsed.priority, original.priority);
+        assert_eq!(parsed.region, original.region);
+        assert_eq!(parsed.machine_id, original.machine_id);
+    }
 }

src/kiro/token_manager.rs

@@ -132,7 +132,14 @@ pub(crate) async fn refresh_token(
     validate_refresh_token(credentials)?;
 
     // 根据 auth_method 选择刷新方式
-    let auth_method = credentials.auth_method.as_deref().unwrap_or("social");
+    // 如果未指定 auth_method，根据是否有 clientId/clientSecret 自动判断
+    let auth_method = credentials.auth_method.as_deref().unwrap_or_else(|| {
+        if credentials.client_id.is_some() && credentials.client_secret.is_some() {
+            "idc"
+        } else {
+            "social"
+        }
+    });
 
     match auth_method.to_lowercase().as_str() {
         "idc" | "builder-id" => refresh_idc_token(credentials, config, proxy).await,
@@ -149,7 +156,8 @@ async fn refresh_social_token(
     tracing::info!("正在刷新 Social Token...");
 
     let refresh_token = credentials.refresh_token.as_ref().unwrap();
-    let region = &config.region;
+    // 优先使用凭据级 region，未配置时回退到 config.region
+    let region = credentials.region.as_ref().unwrap_or(&config.region);
 
     let refresh_url = format!("https://prod.{}.auth.desktop.kiro.dev/refreshToken", region);
     let refresh_domain = format!("prod.{}.auth.desktop.kiro.dev", region);
@@ -232,7 +240,8 @@ async fn refresh_idc_token(
         .as_ref()
         .ok_or_else(|| anyhow::anyhow!("IdC 刷新需要 clientSecret"))?;
 
-    let region = &config.region;
+    // 优先使用凭据级 region，未配置时回退到 config.region
+    let region = credentials.region.as_ref().unwrap_or(&config.region);
     let refresh_url = format!("https://oidc.{}.amazonaws.com/token", region);
 
     let client = build_client(proxy, 60)?;
@@ -1501,4 +1510,128 @@ mod tests {
         );
         assert_eq!(manager.available_count(), 0);
     }
+
+    // ============ 凭据级 Region 优先级测试 ============
+
+    /// 辅助函数：获取 OIDC 刷新使用的 region（用于测试）
+    fn get_oidc_region_for_credential<'a>(
+        credentials: &'a KiroCredentials,
+        config: &'a Config,
+    ) -> &'a str {
+        credentials.region.as_ref().unwrap_or(&config.region)
+    }
+
+    #[test]
+    fn test_credential_region_priority_uses_credential_region() {
+        // 凭据配置了 region 时，应使用凭据的 region
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let mut credentials = KiroCredentials::default();
+        credentials.region = Some("eu-west-1".to_string());
+
+        let region = get_oidc_region_for_credential(&credentials, &config);
+        assert_eq!(region, "eu-west-1");
+    }
+
+    #[test]
+    fn test_credential_region_priority_fallback_to_config() {
+        // 凭据未配置 region 时，应回退到 config.region
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let credentials = KiroCredentials::default();
+        assert!(credentials.region.is_none());
+
+        let region = get_oidc_region_for_credential(&credentials, &config);
+        assert_eq!(region, "us-west-2");
+    }
+
+    #[test]
+    fn test_multiple_credentials_use_respective_regions() {
+        // 多凭据场景下，不同凭据使用各自的 region
+        let mut config = Config::default();
+        config.region = "ap-northeast-1".to_string();
+
+        let mut cred1 = KiroCredentials::default();
+        cred1.region = Some("us-east-1".to_string());
+
+        let mut cred2 = KiroCredentials::default();
+        cred2.region = Some("eu-west-1".to_string());
+
+        let cred3 = KiroCredentials::default(); // 无 region，使用 config
+
+        assert_eq!(get_oidc_region_for_credential(&cred1, &config), "us-east-1");
+        assert_eq!(get_oidc_region_for_credential(&cred2, &config), "eu-west-1");
+        assert_eq!(
+            get_oidc_region_for_credential(&cred3, &config),
+            "ap-northeast-1"
+        );
+    }
+
+    #[test]
+    fn test_idc_oidc_endpoint_uses_credential_region() {
+        // 验证 IdC OIDC endpoint URL 使用凭据 region
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let mut credentials = KiroCredentials::default();
+        credentials.region = Some("eu-central-1".to_string());
+
+        let region = get_oidc_region_for_credential(&credentials, &config);
+        let refresh_url = format!("https://oidc.{}.amazonaws.com/token", region);
+
+        assert_eq!(refresh_url, "https://oidc.eu-central-1.amazonaws.com/token");
+    }
+
+    #[test]
+    fn test_social_refresh_endpoint_uses_credential_region() {
+        // 验证 Social refresh endpoint URL 使用凭据 region
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let mut credentials = KiroCredentials::default();
+        credentials.region = Some("ap-southeast-1".to_string());
+
+        let region = get_oidc_region_for_credential(&credentials, &config);
+        let refresh_url = format!("https://prod.{}.auth.desktop.kiro.dev/refreshToken", region);
+
+        assert_eq!(
+            refresh_url,
+            "https://prod.ap-southeast-1.auth.desktop.kiro.dev/refreshToken"
+        );
+    }
+
+    #[test]
+    fn test_api_call_still_uses_config_region() {
+        // 验证 API 调用（如 getUsageLimits）仍使用 config.region
+        // 这确保只有 OIDC 刷新使用凭据 region，API 调用行为不变
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let mut credentials = KiroCredentials::default();
+        credentials.region = Some("eu-west-1".to_string());
+
+        // API 调用应使用 config.region，而非 credentials.region
+        let api_region = &config.region;
+        let api_host = format!("q.{}.amazonaws.com", api_region);
+
+        assert_eq!(api_host, "q.us-west-2.amazonaws.com");
+        // 确认凭据 region 不影响 API 调用
+        assert_ne!(api_region, credentials.region.as_ref().unwrap());
+    }
+
+    #[test]
+    fn test_credential_region_empty_string_treated_as_set() {
+        // 空字符串 region 被视为已设置（虽然不推荐，但行为应一致）
+        let mut config = Config::default();
+        config.region = "us-west-2".to_string();
+
+        let mut credentials = KiroCredentials::default();
+        credentials.region = Some("".to_string());
+
+        let region = get_oidc_region_for_credential(&credentials, &config);
+        // 空字符串被视为已设置，不会回退到 config
+        assert_eq!(region, "");
+    }
 }