Releases: GeiserX/cc-aws-keepalive

v0.5.0

20 May 21:29

What's New

Credential Sync

Optionally sync AWS session credentials to remote machines after every successful login. Supports three sync types:

  • SSH — Copy credentials to remote ~/.aws/credentials via SSH (key-based or sshpass)
  • Webhook — POST credentials to an HTTPS endpoint
  • Command — Pipe credential JSON to a custom shell command's stdin

Features

  • Fires proactively (each prompt when creds are fresh) and reactively (after auto-login re-auth)
  • Debounced via configurable syncCooldownSeconds (default: 60s)
  • Refuses to sync long-lived IAM keys (session token required)
  • HTTPS-only enforcement for webhooks
  • Atomic remote writes (write to .tmp, then mv)
  • Credentials piped via stdin — never in CLI arguments or env vars
  • sshArgs accepts both string and array form

Security Hardening

  • remotePath validated against safe-path regex (blocks shell injection)
  • sshpass -e (env var) instead of -p (no password in ps output)
  • Capped stderr buffers at 8KB
  • Webhook URL validated early with clear error messages
  • Documented TOFU trade-off for SSH host key verification
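The pre-flight checks listed above (session token required, HTTPS-only webhooks, allow-listed remotePath, write to .tmp then mv) can be sketched as follows. This is an added example, not cc-aws-keepalive's own code: the target field names (type, url, remotePath), the regex and the error strings are assumptions made for illustration.

```javascript
// Added example; not the project's implementation. Field names, the regex
// and the error strings are assumptions.
const SAFE_REMOTE_PATH = /^~?(?:\/[A-Za-z0-9._-]+)+$/;

// Temporary STS credentials carry a session token; long-lived IAM user keys do not.
function checkCredentials(creds) {
  if (!creds || !creds.accessKeyId || !creds.secretAccessKey) return "incomplete credentials";
  if (!creds.sessionToken) return "refusing to sync: no session token (long-lived key?)";
  return null;
}

// Returns null when the target is acceptable, otherwise a reason string.
function validateTarget(target) {
  if (target.type === "webhook") {
    let url;
    try { url = new URL(target.url); } catch { return "webhook url is not a valid URL"; }
    return url.protocol === "https:" ? null : "webhook url must use https";
  }
  if (target.type === "ssh") {
    const p = String(target.remotePath);
    // Allow-list first, then reject parent-directory segments the character class lets through.
    if (!SAFE_REMOTE_PATH.test(p) || p.split("/").includes("..")) {
      return "remotePath contains unsafe characters";
    }
    return null;
  }
  return target.type === "command" ? null : "unknown sync type";
}

// The path has passed the allow-list, so it contains no whitespace or shell
// metacharacters and can be interpolated unquoted (which also lets ~ expand).
// umask 077 keeps the temp file private; mv onto the same directory is an atomic rename.
// The credentials themselves arrive on the remote cat's stdin, never in this string.
function remoteWriteCommand(remotePath) {
  const err = validateTarget({ type: "ssh", remotePath });
  if (err) throw new Error(err);
  const tmp = `${remotePath}.tmp`;
  return `umask 077; cat > ${tmp} && mv ${tmp} ${remotePath}`;
}
```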

Configuration

New fields in ~/.config/cc-aws-keepalive/config.json:

{
  "syncTargets": [],
  "syncTimeoutSeconds": 15,
  "syncCooldownSeconds": 60
}

See README — Credential sync for full documentation.

v0.4.1

13 May 08:22
6ae3141

What's Changed

  • fix: remove Okta Verify from push notification pattern by @GeiserX in #23
  • chore: bump version to 0.4.1 by @GeiserX in #24

Full Changelog: v0.4.0...v0.4.1

v0.4.0

07 May 22:19
5ddfc3f

What's Changed

  • ci: auto-release on version bump to main by @GeiserX in #16
  • ci: bump codecov/codecov-action from 5 to 6 by @dependabot[bot] in #19
  • ci: bump actions/checkout from 4 to 6 by @dependabot[bot] in #17
  • ci: bump actions/setup-node from 4 to 6 by @dependabot[bot] in #18
  • fix: treat future-timestamp lock files as stale + rename CLAUDE.md by @GeiserX in #20
  • fix: harden cross-platform compatibility, security, and test coverage by @GeiserX in #21
  • chore: bump version to 0.4.0 by @GeiserX in #22

Full Changelog: v0.3.2...v0.4.0

v0.3.2

28 Apr 08:14
6527e21

Fixes

  • Prevent duplicate MFA notifications: Added atomic cross-process lock so only one auto-login runs system-wide, regardless of how many CC sessions are open
  • Cross-platform sleep: Replaced execSync("sleep 3") with Atomics.wait (works on all platforms without shell dependency)
  • STS fallback in wait loop: Sessions waiting for another's auto-login now also check via STS when expirationField metadata is unavailable
  • Lock directory creation: Ensure ~/.config/cc-aws-keepalive/ exists before attempting lock acquisition

Tests

  • 46 unit tests (11 new), 98.76% statement coverage via c8
  • Tests cover lock acquisition, stale lock cleanup, lock contention, release, and sleepSync timing
  • Added loadConfig validation branch coverage (unknown keys, type coercion, warnings)

v0.3.1

24 Apr 21:04
d9f58f9

Fixes

  • INI parser: Skip comment lines (# and ;) in credentials file parser
  • Expiration validation: Reject non-numeric, trailing-junk, and sub-epoch expiration values instead of silently misinterpreting them
  • stdout encoding: Handle Buffer and Uint8Array chunks with proper encoding in omc-timer stdout patch
  • Tests: 5 new unit tests (35 total) covering comment lines, ISO-8601 rejection, sub-epoch rejection, and trailing-junk rejection
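Why lenient number parsing is a problem for a credential expiry field: parseInt reads "2025-12-31T00:00:00Z" as 2025 and silently drops trailing junk. The strict form below is an added example, not the project's parser; the key name expiration, the epoch-seconds unit and the MIN_EPOCH floor are assumptions, and the sample file is constructed.

```javascript
// Added example; not cc-aws-keepalive's parser. Key name "expiration", the
// epoch-seconds unit and the MIN_EPOCH floor are assumptions.
const MIN_EPOCH = 1e9; // 2001-09-09 in epoch seconds; smaller values are not a plausible expiry

// Constructed sample credentials file with both comment styles and CRLF line endings.
const SAMPLE = [
  "# constructed sample, not real credentials",
  "[default]",
  "; provider-specific metadata follows",
  "aws_access_key_id = ASIAEXAMPLE",
  "aws_session_token = EXAMPLETOKEN",
  "expiration = 1767225600",
].join("\r\n");

function parseIni(text) {
  const profiles = Object.create(null); // no prototype, so a [__proto__] section is just a key
  let current = null;
  for (const raw of text.split(/\r?\n/)) { // CRLF-safe split
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue; // blank or comment
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = profiles[section[1].trim()] = Object.create(null);
      continue;
    }
    const eq = line.indexOf("=");
    if (eq > 0 && current) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Returns the expiry as a number, or null when the value cannot be trusted.
function parseExpiration(value) {
  // Digits only: rejects ISO-8601 strings, signs, decimals and trailing junk
  // that parseInt would accept a prefix of.
  if (typeof value !== "string" || !/^\d+$/.test(value)) return null;
  const n = Number(value);
  if (!Number.isSafeInteger(n) || n < MIN_EPOCH) return null; // sub-epoch or overflow
  return n;
}
```

A caller that gets null should treat the expiry as unknown rather than as "still valid".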

v0.3.0

24 Apr 14:35
17d7c72

What's new

autoLoginCmd — automated credential re-authentication

  • Proactive: aws-cred-check.mjs spawns autoLoginCmd in the background when session nears expiry (configurable autoLoginMinutes, 5-min cooldown)
  • Reactive: aws-auth-refresh.mjs runs autoLoginCmd synchronously on Bedrock 403 (3-min timeout)
  • Designed for expect scripts that drive interactive CLIs (password from Keychain, MFA push)

Config validation

  • Warns on unknown config keys (typo detection)
  • Coerces numeric strings to numbers; warns on type mismatches
  • Graceful recovery from malformed JSON
  • Warns when autoLoginMinutes requires expirationField

Unit tests (30 tests, zero dependencies)

  • lib.test.mjs: formatTime, parseCredentials, loadConfig, getRemaining
  • aws-cred-export.test.mjs: integration tests spawning the script as subprocess

CI improvements

  • Matrix: 3 OS (ubuntu, macOS, windows) × 3 Node versions (18, 20, 22)
  • fail-fast: false for full visibility

Cross-platform hardening

  • spawn(cmd, { shell: true }) for Windows compatibility
  • CRLF-safe splits everywhere
  • USERPROFILE alongside HOME for Windows os.homedir()
  • STS timeouts (10s/15s) to prevent hanging
  • Lockfile written after successful spawn; guarded I/O

Docs

  • CC_KEEPALIVE_PROFILE env var
  • expirationField examples per provider
  • Platform notes section

v0.2.2

16 Apr 20:12
def3fde

Fix CI tests for wrapper-based OMC integration. Add file existence guard in legacy patch cleanup test.

v0.2.1

16 Apr 14:46
bf386c8

Fixes

  • OMC-update-safe timer: Replaced fragile omc-hud.mjs patching with a standalone aws-hud-wrapper.mjs that survives OMC updates. The wrapper intercepts OMC's stdout and appends the AWS timer, then delegates to omc-hud.mjs without modifying it.
  • Auto-configures statusLine: Installer automatically swaps omc-hud.mjs → aws-hud-wrapper.mjs in settings.json
  • Legacy cleanup: Strips old marker-based patch from omc-hud.mjs if present from previous versions
  • Graceful fallback: If cc-aws-keepalive is unavailable, OMC HUD runs normally without the timer

v0.2.0

11 Apr 11:52
b525030

New

  • Auto-login: New autoLoginMinutes config option. When your session has fewer minutes remaining than configured, the hook silently runs loginCmd to re-authenticate before the prompt proceeds. Rate-limited to once per 5 minutes. Set to 0 to disable (default).

Example

{
  "autoLoginMinutes": 120
}

With this config, when your session drops below 2 hours remaining, the next prompt auto-runs your login command. If it succeeds silently, you'll see:

AWS session auto-renewed (valid for 7h59m).

v0.1.2

11 Apr 07:31

Fixes

  • Stop blocking expired prompts: Expired credentials now warn via stderr instead of blocking. Blocked prompts were discarded by CC, causing users to lose their typed message. The reactive path (awsAuthRefresh + awsCredentialExport) handles recovery without losing context.