All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Windows console window flashing: Fixed credential-process.exe and otel-helper.exe spawning visible console windows on every AWS API call. The AWS SDK invokes credential_process frequently to check credential expiration, causing dozens of CMD windows to flash during Claude Code sessions. Binaries are now built with
-H windowsguildflags (GUI subsystem) to suppress console windows while preserving stdout/stderr for credential output and error messages.
- Go binary version number: The credential-process Go binary now has a version number stored in
source/go/VERSION(currently1.0.0). The version is embedded at build time via ldflags.ccwb packagereads this file automatically. Users can check it with~/claude-code-with-bedrock/credential-process --version. - Usage dashboard version display: The usage dashboard now shows the client version (e.g.
v1.0.0) next to each user's email address. The version is emitted as aClientVersionCloudWatch metric (dimensions:UserEmail,Version) by the daemon on every heartbeat tick. - OS-level daemon watchdog: The install package now includes an OS-level watchdog that keeps the daemon alive independently of Claude Code invocations. On macOS, a launchd plist (
com.ionanalytics.claude-code-daemon.plist) is installed withKeepAlive=true. On Windows, a Scheduled Task namedClaudeCodeDaemonruns at logon.
- Daemon fast startup: Daemon now polls every 1 second after startup until credentials are cached, then starts otelcol immediately (previously up to 10s delay before otelcol launched).
- Daemon version beacon:
ClientVersionCloudWatch metric is now emitted on every heartbeat tick (not just at startup). - otelcol proactive credential refresh: Daemon now proactively restarts otelcol 5 minutes before collector credentials expire, forcing a fresh credential exchange first. This prevents 403 errors from stale in-memory credentials held by otelcol.
- Quota dashboard cost display: Cost amounts on the usage dashboard are now shown to 2 decimal places.
- Quota dashboard colours: Quota status colours are now green (0–80%), yellow (80–100%), and red (>100%).
- Windows daemon heartbeats: Fixed Windows daemon not sending heartbeats — the daemon was killed immediately because it was not properly detached as a separate process. Fixed by launching with
CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS. - Daily quota reset: Stale
daily_costvalues in DynamoDB are now zeroed by the quota_monitor Lambda at UTC midnight, ensuring daily quota values reset correctly. - QuotaPolicy enforcement mode fields:
QuotaPolicynow has separatemonthly_enforcement_modeanddaily_enforcement_modefields (previously a singleenforcement_mode).ccwb quota usagewas crashing due to the old field name — now fixed.
- Sidecar monitoring mode: New "sidecar" collector option during
ccwb init— runs a local OTel collector on each dev machine, no ECS/VPC infrastructure needed - Monitoring mode backward compatibility: Existing profiles without
monitoring_modedefault to "central", preserving current behavior on upgrade without re-running init
- OTLP-first monitoring: OTEL Collector now exports to CloudWatch OTLP endpoint (for PromQL dashboards). EMF export is conditionally added only when analytics is enabled, controlled by the
EnableAnalyticsCloudFormation parameter. - PromQL dashboard: Replaced all Lambda-backed custom widgets with native PromQL chart widgets — zero Lambda functions in the dashboard stack
- Quota monitoring: Quota monitor Lambda now queries CloudWatch Prometheus-compatible API (
/api/v1/query) for usage data instead of relying on MetricsAggregator - Auth templates: Removed
cloudwatch:namespaceIAM conditions (OTLP metrics don't use CW namespaces) - Dashboard deployment: No longer requires S3 packaging (no Lambda functions to package)
- Init wizard: Sidecar mode description now clearly states that Claude Cowork (desktop) telemetry is not supported
- CoWork MDM generation: Sidecar mode no longer emits
otlpEndpoint/otlpProtocolin MDM config files
- Orphaned stack deletion order: Stacks are now deleted in reverse deployment order, respecting dependencies (e.g., monitoring before networking)
- CoWork MDM OTLP endpoint: Central mode correctly resolves the collector endpoint from CloudFormation stack outputs
- CoWork dashboard in sidecar mode: Blocked deployment of CoWork dashboard when in sidecar mode (Cowork desktop cannot reach localhost collector)
- Orphaned stack detection: Added
cowork-dashboardto orphaned stack detection so it is offered for cleanup when switching from central to sidecar
- MetricsAggregator Lambda: Replaced by PromQL queries — no longer needed to pre-compute metrics
- DynamoDB MetricsTable: Dashboard reads directly from OTLP metrics via PromQL
- Custom widget Lambda functions: All 16 widget Lambdas replaced by PromQL chart widgets
- metrics-aggregation.yaml: Standalone aggregation stack removed
- MetricsAggregatorQuotaPolicy: Cross-stack IAM policy no longer needed
- Analytics pipeline (optional) — Kinesis Firehose → S3 → Athena for long-term historical SQL
- ECS/ALB/VPC networking infrastructure
- Quota monitoring DynamoDB tables (UserQuotaMetrics, QuotaPolicies)
- Per-user quota monitoring: Fine-grained token quota controls with daily/monthly limits, alert/block enforcement modes, and DynamoDB-backed quota policies
- SageMaker plugin: Async inference skill for SageMaker endpoint integration
- Bedrock plugin: Tool-use structured output skill for Bedrock model integration
- ML-training plugin: GRPO fine-tuning skill for custom model training workflows
- Claude Opus 4.6 support: New model added with EU/AU CRIS profile support and correct quota codes
- ALB JWT validation: JWT validation for OTEL Collector endpoint via Application Load Balancer
- OIDC id_token caching: Caches OIDC id_token to avoid redundant browser-based re-authentication on every credential refresh
- Fixed quota stack S3 bucket lookup targeting wrong CloudFormation stack
- Fixed Auth0 issuer URL missing trailing slash for quota API JWT authorizer
- Fixed vpc_config flattening and nested rebuild when loading existing profile
- Fixed Opus 4.6 EU/AU entries missing from init.py display dicts and dashboard throttle metrics
- Fixed OTEL telemetry UI freezes with two-layer caching on otel-helper
- Fixed browser popup appearing every ~1h by caching OTEL headers indefinitely
- Fixed id_token expiry buffer reduced from 10 minutes to 60 seconds
- Fixed hardcoded legacy model IDs in test command replaced with configured inference profile
- Added comprehensive test suite with 176 passing tests
- Added bandit, semgrep, cfn-nag, and scanner security workflows
- Added stale PR/issue workflow (60-day policy)
- Added CODEOWNERS file
- Updated Dependabot configuration
- Dependency updates: requests, urllib3, filelock, virtualenv, github-actions
- Version sync: Bumped
source/pyproject.tomlto 2.2.0 to align with the published release tag (no feature or bug-fix changes from v2.1.0)
- Version sync: Bumped
source/pyproject.tomlfrom 1.1.4 to 2.1.0 to match project release version- The v2.0.0 release updated CHANGELOG but never bumped pyproject.toml
- Users installing the package saw version 1.1.4 instead of 2.0.x
- PR checklist: Added version bump reminder to CONTRIBUTING.md to prevent future version drift
- Profile System v2.0: Multi-deployment management from single machine
- Manage multiple AWS accounts, regions, or organizations
- Profile commands:
ccwb context list,ccwb context use,ccwb context show - Config commands:
ccwb config validate,ccwb config export,ccwb config import - Per-profile configuration files in
~/.ccwb/profiles/ - Active profile tracking with easy switching
- Common use cases: production vs development, multi-region, multi-tenant
- Authenticated Landing Page Distribution: Enterprise-grade package distribution
- IdP-gated self-service download portal (Okta/Azure AD/Auth0/Cognito)
- Platform detection with automatic OS recommendation
- Custom domain support with ACM certificates
- ALB access logs for audit trail
- Lambda-generated presigned URLs (1-hour expiry)
- CloudFormation template:
landing-page-distribution.yaml(1,038 lines)
- Distribution Options: Three methods for sharing packages
- Manual sharing: Zip dist/ folder, share via email/internal file sharing
- Presigned S3 URLs: Time-limited URLs (configurable 1-168 hours)
- Landing page: Self-service portal with IdP authentication
- QUICK_START.md: Comprehensive deployment walkthrough (301 lines)
- Step-by-step deployment instructions
- Platform build requirements
- Distribution method comparison
- Basic troubleshooting
- Profile Documentation: Complete documentation for profile system
- README section explaining profiles and use cases
- CLI_REFERENCE section with all 7 profile commands
- Migration notes for v1.x users
- Configuration Location (BREAKING): Config moved from
source/.ccwb-config/to~/.ccwb/- Automatic migration on first run
- Timestamped backup created:
config.json.backup.YYYYMMDD_HHMMSS - Profile names and active profile preserved
- No manual steps required
- Configuration Schema (BREAKING): Schema version 1.0 → 2.0
- Single config file → per-profile files
- Profile stored in
~/.ccwb/profiles/<profile-name>.json - Active profile tracked in
~/.ccwb/config.json
- README Refactored: Focused on architecture and decision-making (575 → 280 lines, 51% reduction)
- Clear distinction: IdP integration (NOT AWS SSO/IAM Identity Center)
- Removed deployment steps (→ QUICK_START.md)
- Removed end user sections (IT admin focus)
- New "What Gets Deployed" section with infrastructure overview
- Distribution options include manual sharing (0 minutes setup)
- Prerequisites split: "For Deployment" and "For End Users"
- Monitoring section reorganized by metrics categories
- Distribution Configuration:
enable_distribution→distribution_type- Options:
manual,presigned-s3,landing-page - Configured during
ccwb init ccwb distributecommand works for all automated types
- Options:
- Deploy Command: Support for distribution stack deployment
ccwb deploy distributiondeploys landing page infrastructure- Validates IdP configuration before deployment
- Handles Cognito User Pool automatic client creation
Automatic Migration from v1.x:
- Runs automatically on first
ccwbcommand after upgrade - Creates timestamped backup of existing config
- Migrates all profiles to new
~/.ccwb/profiles/structure - Preserves profile names, active profile, and all settings
- No manual intervention required
Verification:
ccwb context list # Verify profiles migrated
ccwb context show # Verify active profile preservedRollback if needed:
rm -rf ~/.ccwb
cp ~/.ccwb-config/config.json.backup.TIMESTAMP ~/.ccwb-config/config.json- Client Secret Storage: IdP client secrets stored in AWS Secrets Manager
- Cognito User Pool: Automatic secret storage via CloudFormation
- Other IdPs: Manual secret entry during init, stored in Secrets Manager
- ALB Access Logs: Automatic S3 logging for landing page authentication
- Presigned URL Expiration: Configurable 1-168 hours (default 48 hours)
- S3 Bucket Policies: Least privilege access for distribution buckets
- Landing Page Stack: Complete ALB + Lambda + S3 infrastructure
- Application Load Balancer with OIDC authentication
- Lambda function for presigned URL generation
- S3 bucket for package storage
- Security groups and VPC integration
- Optional custom domain with ACM certificate
- Distribution Bucket: Created for both presigned-s3 and landing-page
- Lifecycle policies for object expiration
- Versioning enabled
- Server-side encryption
- New Guides:
- QUICK_START.md: Complete deployment walkthrough
- assets/docs/distribution/comparison.md: Distribution method comparison
- assets/docs/distribution/deployment-guide.md: Landing page setup
- Updated Guides:
- README.md: Refactored for clarity, IT admin focus
- CLI_REFERENCE.md: Added profile management commands
- DEPLOYMENT.md: Updated with distribution options
- Provider Guides: Landing page setup for all IdPs
- Okta web application configuration
- Azure AD app registration
- Auth0 regular web application
- Cognito User Pool web client (automated)
- Legacy Distribution Flag:
enable_distributiondeprecated, usedistribution_type- Migration logic handles legacy field automatically
- No breaking change for existing deployments
-
Auth0 OIDC provider URL format: Fixed issuer validation failures during token exchange
- Added trailing slash to Auth0 OIDC provider URL (
https://${Auth0Domain}/) - Auth0's OIDC issuer includes trailing slash per OAuth 2.0 spec
- Prevents "issuer mismatch" errors during Direct IAM federation
- Updated CloudFormation template parameter documentation with supported domain formats
- Added trailing slash to Auth0 OIDC provider URL (
-
Auth0 session name sanitization: Fixed AssumeRoleWithWebIdentity errors for Auth0 users
- Auth0 uses pipe-delimited format in sub claims (e.g.,
auth0|12345) - AWS RoleSessionName regex
[\w+=,.@-]*doesn't allow pipe characters - Automatically sanitize invalid characters to hyphens in session names
- Prevents "Member must satisfy regular expression pattern" validation errors
- Auth0 uses pipe-delimited format in sub claims (e.g.,
-
Bedrock list permissions: Fixed permission errors for model listing operations
- Changed Resource from specific ARNs to
'*'for list operations - Affects
ListFoundationModels,GetFoundationModel,GetFoundationModelAvailability,ListInferenceProfiles,GetInferenceProfile - AWS Bedrock list operations require
Resource: '*'per AWS IAM documentation - Applied fix to all provider templates (Auth0, Azure AD, Okta, Cognito User Pool)
- Changed Resource from specific ARNs to
-
Dashboard region configuration: Fixed monitoring dashboards for multi-region deployments
- Replaced hardcoded
us-east-1with${MetricsRegion}parameter in log widgets - Deploy command now passes
MetricsRegionparameter fromprofile.aws_region - Prevents
ResourceNotFoundExceptionfor deployments outside us-east-1 - Affects CloudWatch Logs Insights widgets in monitoring dashboard
- Replaced hardcoded
- Code quality improvements:
- Moved
subprocessimport to module level indeploy.py - Fixed variable shadowing:
platform_choice→platform_nameinpackage.py
- Moved
- Enhanced Auth0 setup documentation
- Added comprehensive table of supported Auth0 domain formats (standard and regional)
- Added troubleshooting section for AssumeRoleWithWebIdentity validation errors
- Documented automatic handling of Auth0 pipe character issue
- Added examples of valid and invalid domain formats
- Clarified that https:// prefix and trailing slash are added automatically
- Azure AD tenant ID extraction: Fixed deployment failures when using Azure AD provider with various URL formats
- Regex pattern matching now extracts tenant GUID from multiple input formats
- Supports full URLs (with/without /v2.0), just tenant ID, and with https:// prefix
- Updated CloudFormation template to use correct Microsoft OIDC v2.0 endpoint (
login.microsoftonline.com/{tenant}/v2.0) - Added documentation for supported Azure provider domain formats with comprehensive examples
- Added troubleshooting section for "Parameter AzureTenantId failed to satisfy constraint" error
- Fast Credential Access: Session mode now uses
~/.aws/credentialsfor 99.7% performance improvement- Credentials file I/O methods with atomic writes
- CLI flags:
--check-expirationand--refresh-if-needed - Expiration tracking with 30-second safety buffer
- ConfigParser-based INI file handling
- Code Quality Infrastructure: Ruff pre-commit hooks for automated linting
- Auto-fix import ordering, spacing, and formatting
- Consistent code style enforcement on commit
- UX Improvements: Enhanced package command
- Interactive platform selection with questionary checkbox
- Co-authorship preference prompt (opt-in, defaults to False)
--build-verboseflag for detailed build logging- Unique Docker image tags for reliable builds
- Session Storage Mode: Now writes to
~/.aws/credentialsinstead of custom cache files- Eliminates credential_process overhead (300ms → 1ms retrieval time)
- Better credential persistence across terminal sessions
- Standard AWS CLI tooling compatibility
- Automatic upgrade for existing session mode users
- Package Command: Improved user interaction with interactive prompts
- Atomic Writes: Temp file +
os.replace()pattern prevents credential file corruption - File Permissions: Credentials file automatically set to 0600 (owner read/write only)
- Fail-Safe Expiration: Assumes expired on any error (security-first approach)
- Credential Retrieval: 99.7% improvement for session mode (300ms → 1ms)
- No Breaking Changes: Keyring mode unchanged, session mode automatically upgraded
- Direct IAM Federation: Alternative to Cognito Identity Pool for authentication (#32)
- Support for Okta, Azure AD, Auth0, and Cognito User Pools
- Session duration configurable up to 12 hours
- Provider-specific CloudFormation templates
- Automatic federation type detection
- Claude Sonnet 4.5 Support: Full support for the latest Claude Sonnet 4.5 model
- US CRIS profile (us-east-1, us-east-2, us-west-1, us-west-2)
- EU CRIS profile (8 European regions: Frankfurt, Zurich, Stockholm, Ireland, London, Paris, Milan, Spain)
- Japan CRIS profile (Tokyo, Osaka)
- Global CRIS profile (23 regions worldwide including North America, Europe, Asia Pacific, and South America)
- Inference Profile Permissions: Added bedrock:ListInferenceProfiles and bedrock:GetInferenceProfile (#33, #34)
- CloudFormation Utilities: New exception handling and CloudFormation helper utilities
- Global Endpoint Support: IAM policies now properly support global inference profile ARNs
- Module Rename:
cognito_auth→credential_provider(more accurate naming) - IAM Policy Structure: Split IAM policy statements into separate regional and global statements
- Regional resources use
aws:RequestedRegioncondition - Global resources have no region condition
- Regional resources use
- Deploy Command: Refactored deploy.py with improved error handling and provider template support
- Region Configuration: Init wizard now dynamically uses regions from model profiles instead of hardcoded fallbacks
- CloudWatch Metrics: Fixed Resource specification to use '*' instead of Bedrock ARNs
- Configuration Schema: Added federation_type and federated_role_arn fields
- Global endpoint access now works correctly without region condition blocking
- CloudFormation error handling improved across all commands
- Region condition no longer incorrectly applied to regionless global endpoints
- Init process properly handles all CRIS profile regions for selected model
- 4 new provider-specific CloudFormation templates (Okta, Azure AD, Auth0, Cognito User Pool)
- Improved IAM role structure with provider-specific roles
- CloudFormation exception handling and utilities
- Updated README, ARCHITECTURE, DEPLOYMENT, and CLI_REFERENCE
- Clear explanations of both authentication methods
- Documented configuration options for all providers
Initial release with enterprise authentication support.