Feat/entra id confidential client

.secrets.baseline

@@ -90,6 +90,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -253,6 +257,58 @@
         "is_secret": false
       }
     ],
+    "source/tests/test_confidential_client.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "source/tests/test_confidential_client.py",
+        "hashed_secret": "9223fc97305d1550b2a0ba1d0445598d6f0a8ca0",
+        "is_verified": false,
+        "line_number": 310,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "source/tests/test_confidential_client.py",
+        "hashed_secret": "10eb5a758459a052469c09f5cd56bab6036af011",
+        "is_verified": false,
+        "line_number": 328,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "source/tests/test_confidential_client.py",
+        "hashed_secret": "25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab",
+        "is_verified": false,
+        "line_number": 398,
+        "is_secret": false
+      }
+    ],
+    "source/tests/test_silent_refresh.py": [
+      {
+        "type": "AWS Access Key",
+        "filename": "source/tests/test_silent_refresh.py",
+        "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6",
+        "is_verified": false,
+        "line_number": 55,
+        "is_secret": false
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "source/tests/test_silent_refresh.py",
+        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
+        "is_verified": false,
+        "line_number": 56,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "source/tests/test_silent_refresh.py",
+        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
+        "is_verified": false,
+        "line_number": 56,
+        "is_secret": false
+      }
+    ],
     "source/tests/test_url_validation_security.py": [
       {
         "type": "Secret Keyword",
@@ -272,5 +328,5 @@
       }
     ]
   },
-  "generated_at": "2026-03-27T02:01:37Z"
+  "generated_at": "2026-03-31T12:54:38Z"
 }

assets/docs/CLI_REFERENCE.md

@@ -325,6 +325,33 @@ This ensures that packaging always works, even if some optional platforms are no
 - Includes Claude Code telemetry settings (if monitoring enabled)
 - Configures environment variables for model selection (ANTHROPIC_MODEL, ANTHROPIC_SMALL_FAST_MODEL)
 
+**Credential process binary flags (for end users):**
+
+The distributed `credential-process` binary accepts the following flags directly:
+
+| Flag | Description |
+|---|---|
+| `--profile, -p <name>` | Profile to use (default: `ClaudeCode`, or `$CCWB_PROFILE`) |
+| `--clear-cache` | Clear cached credentials and force re-authentication |
+| `--check-expiration` | Exit 0 if credentials valid, 1 if expired |
+| `--refresh-if-needed` | Refresh credentials if expired (session storage mode only) |
+| `--get-monitoring-token` | Return cached OIDC monitoring token |
+| `--set-client-secret [VALUE]` | Store Azure AD client secret in OS secure storage. Omit `VALUE` for interactive prompt. Pass an empty string or press Enter at the prompt to clear the stored secret. |
+
+**`--set-client-secret` usage examples:**
+
+```bash
+# Interactive (prompts for secret):
+~/claude-code-with-bedrock/credential-process --set-client-secret --profile ClaudeCode
+
+# Non-interactive (MDM/scripted deployment):
+~/claude-code-with-bedrock/credential-process --set-client-secret "my-secret-value" --profile ClaudeCode
+
+# Clear a stored secret:
+~/claude-code-with-bedrock/credential-process --set-client-secret --profile ClaudeCode
+# (press Enter without typing a value)
+```
+
 **Output structure:**
 
 ```