Releases: aws-solutions-library-samples/guidance-for-claude-code-with-amazon-bedrock

v2.2.0 - AWS GovCloud Support

05 Dec 01:37
8cbbbce

🎉 Release v2.2.0

Major Feature

🏛️ AWS GovCloud (US) Partition Support

This release adds comprehensive support for deploying to AWS GovCloud (US) regions, enabling US government agencies, contractors, and regulated workloads to use Claude Code with Amazon Bedrock.

What's New:

  • Partition-Aware CloudFormation Templates: All 8 CloudFormation templates now use AWS::Partition pseudo-parameter for dynamic ARN construction
  • GovCloud Service Principals: Proper handling of GovCloud-specific Cognito Identity service principals:
    • Commercial: cognito-identity.amazonaws.com
    • GovCloud West: cognito-identity-us-gov.amazonaws.com
    • GovCloud East: cognito-identity.us-gov-east-1.amazonaws.com
  • GovCloud Models: Added Claude Sonnet 4.5 and 3.7 GovCloud model configurations with us-gov prefix
  • FIPS Endpoints: Automatic detection and correction for GovCloud FIPS endpoints
  • Comprehensive Documentation: Updated README with GovCloud deployment guide, partition comparison table, and validation commands

Supported Regions:

  • us-gov-west-1 (US GovCloud West)
  • us-gov-east-1 (US GovCloud East)

Changed Files

CloudFormation Templates (8 files):

  • cognito-identity-pool.yaml - Partition-aware IAM roles and service principals
  • bedrock-auth-*.yaml - Updated ARN construction for all auth providers
  • analytics-pipeline.yaml - Partition support for Kinesis/S3
  • otel-collector.yaml - Partition-aware CloudWatch integration

Python Code (4 files):

  • models.py - Added GovCloud models and default regions
  • init.py - GovCloud region selection and FIPS endpoint correction
  • cloudformation.py - Partition-aware S3 URL construction
  • distribute.py - Profile handling improvements

Documentation:

  • README.md - Added GovCloud deployment guide (+432 lines)
  • .gitignore - Added sensitive file exclusions

Security Improvements

  • ✅ Proper IAM resource scoping across all partitions
  • ✅ FIPS endpoint enforcement for GovCloud
  • ✅ Enhanced .gitignore for sensitive files (.kiro/settings/mcp.json, etc.)
  • ✅ No hardcoded credentials or secrets

Backward Compatibility

  • Zero breaking changes - Existing commercial deployments continue working
  • ✅ CloudFormation updates apply cleanly to existing stacks
  • ✅ No data migration required
  • ✅ User-facing functionality unchanged

Quality Assurance

  • ✅ All pre-commit hooks passing (Ruff linting & formatting)
  • ✅ Code quality: Excellent
  • ✅ Security review: Approved
  • ✅ Architecture: Clean, extensible design

Contributors

  • @livermush (Doug Hairfield) - GovCloud partition support implementation
  • @schuettc (Court Schuett) - Integration and release coordination

What's Next?

  • Extended partition support (China regions)
  • Additional GovCloud region support as they become available
  • Cross-partition replication scenarios

Full Changelog: v2.1.0...v2.2.0

v2.1.0 - Quota Monitoring & EPCC Workflow Enhancements

05 Dec 01:06
458d1dc

v2.1.0 - Quota Monitoring & EPCC Workflow Enhancements

🎯 Major Features

Quota Monitoring System

Comprehensive per-user token quota management with fine-grained controls to manage costs and prevent unexpected overages.

Key Features:

  • 📊 Per-user/group quota policies with precedence rules (user > group > default)
  • 🔒 JWT-authenticated real-time quota API
  • 🚦 Dual enforcement modes: alert (notify only) or block (deny access)
  • 🌐 Browser notifications with visual progress bars
  • ⏰ Periodic re-check for cached credentials (configurable interval)
  • 💰 Bill shock protection with auto-calculated daily limits
  • 📈 Monthly and daily token limits with burst buffer

New CLI Commands:

```bash
ccwb quota set-user <email> --monthly-limit 500M --daily-limit 20M
ccwb quota set-group <group> --monthly-limit 400M --enforcement block
ccwb quota set-default --monthly-limit 225M
ccwb quota list
ccwb quota show <email>
ccwb quota usage <email>
ccwb quota delete user <email>
ccwb quota unblock <email> --duration 24h
ccwb quota export <file>
ccwb quota import <file> --dry-run
```

Infrastructure:

  • New CloudFormation stack: quota-monitoring.yaml
  • DynamoDB tables: QuotaPolicies, UserQuotaMetrics
  • Lambda functions: quota_check, quota_monitor, metrics_aggregator
  • API Gateway with JWT authorizer
  • SNS topic for alerts

EPCC Workflow v3.1.0 Updates

Enhanced multi-session support for long-running projects:

  • 📋 New /epcc-resume command for session continuity
  • 🔄 Session startup protocol with automatic orientation
  • ✅ Feature verification gates
  • 📝 Progress tracking with epcc-progress.md
  • 🎯 Feature list management with epcc-features.json
  • 🏗️ Technical Requirements Document (TRD) command
  • 🎨 Frontend design plugin

🔒 Security Enhancements

All security measures include secure defaults and configurable behavior:

  • ✅ HTML escaping for XSS prevention in browser notifications
  • ✅ Fail-closed security by default (configurable via environment variables)
  • ✅ Email validation (RFC 5322) for all quota commands
  • ✅ STS caller identity for audit trails
  • ✅ Maximum unblock duration enforcement (7 days)
  • ✅ Configurable security policies via MISSING_EMAIL_ENFORCEMENT and ERROR_HANDLING_MODE

🐛 Bug Fixes

  • fix: Resolve Cognito authentication issues for CLI credential process (#32e1825)
  • fix: Correct vpc_config typo in infrastructure templates (#75)
  • fix: Malformed Windows install.bat script (#73)
  • fix: Existing VPC configuration handling (#66)

📚 Documentation

  • New comprehensive QUOTA_MONITORING.md guide
  • Updated CLI_REFERENCE.md with all quota commands
  • Enhanced Okta setup guide with quota monitoring configuration
  • Updated EPCC workflow command documentation

🔄 Changes Since v2.0.1

Added:

  • Quota monitoring system (27 files, 7,782 additions)
  • EPCC workflow enhancements with multi-session support
  • TRD (Technical Requirements Document) phase
  • Frontend design plugin for EPCC workflow
  • PRD (Product Requirements Document) enhancements

Fixed:

  • Cognito authentication credential provider
  • VPC configuration template typo
  • Windows installer script
  • Existing VPC integration

⚙️ Configuration

Quota monitoring is opt-in during ccwb init. To enable:

```bash
ccwb init  # Select "Yes" when prompted for quota monitoring
ccwb deploy quota  # Deploy the quota monitoring stack
```

🔐 Security Configuration

Lambda environment variables for security tuning:

  • MISSING_EMAIL_ENFORCEMENT: "block" (default) | "open"
  • ERROR_HANDLING_MODE: "fail_closed" (default) | "fail_open"

📊 Compatibility

  • Backward compatible - No breaking changes
  • Opt-in feature - Quota monitoring disabled by default
  • Existing deployments - No migration required

🙏 Contributors

📦 Installation

```bash
# Install or upgrade
pip install --upgrade claude-code-with-bedrock

# Or download the latest release binaries
```

Full Changelog: v2.0.1...v2.1.0

v2.0.1: Fix Default Profile Name

19 Nov 20:55
556e6b2

What's Changed

Bug Fix

Fixed an issue where the system was using "default" as the AWS profile name fallback, which conflicts with existing company AWS profiles.

Changes

  • Migration: Use "ClaudeCode" as fallback when migrating from v1.x with missing default_profile
  • Package Command: Add "ClaudeCode" as final fallback for profile_name
  • Credential Provider: Change fallback from "default" to "ClaudeCode"

Impact

  • ✅ New installations will use "ClaudeCode" consistently
  • ✅ Migrations from v1.x will default to "ClaudeCode"
  • ✅ No conflicts with company AWS "default" profiles
  • ✅ Aligns with existing documentation

Files Changed

  • source/claude_code_with_bedrock/migration.py
  • source/claude_code_with_bedrock/cli/commands/package.py
  • source/credential_provider/__main__.py

Full Changelog: v2.0.0...v2.0.1

Release v2.0.0: Profile System & Landing Page Distribution

18 Nov 05:13
3ab4dd4

Release v2.0.0

Major release featuring profile management system and authenticated landing page distribution.

🎯 Key Features

Profile System v2.0

  • Multi-deployment management from single machine
  • Manage multiple AWS accounts, regions, or organizations
  • Profile commands: ccwb context list, ccwb context use, ccwb context show
  • Config commands: ccwb config validate, ccwb config export, ccwb config import
  • Common use cases: production vs development, multi-region, multi-tenant

Authenticated Landing Page Distribution

  • IdP-gated self-service download portal (Okta/Azure AD/Auth0/Cognito)
  • Platform detection with automatic OS recommendation
  • Custom domain support with ACM certificates
  • ALB access logs for audit trail
  • Lambda-generated presigned URLs (1-hour expiry)

Distribution Options

Three methods for sharing packages:

  1. Manual sharing: Zip dist/ folder, share via email/internal file sharing
  2. Presigned S3 URLs: Time-limited URLs (configurable 1-168 hours)
  3. Landing page: Self-service portal with IdP authentication

Documentation

  • QUICK_START.md: New 301-line deployment walkthrough
  • README.md: Refactored for clarity (575 → 280 lines, 51% reduction)
  • Distribution guides: Complete setup documentation for all IdPs

⚠️ Breaking Changes

Configuration Location (Automatic Migration)

  • Config moved from source/.ccwb-config/ to ~/.ccwb/
  • Automatic migration on first run
  • Timestamped backup created: config.json.backup.YYYYMMDD_HHMMSS
  • Profile names and active profile preserved
  • No manual steps required

Configuration Schema

  • Schema version 1.0 → 2.0
  • Single config file → per-profile files
  • Profile stored in ~/.ccwb/profiles/<profile-name>.json
  • Active profile tracked in ~/.ccwb/config.json

📦 Migration

Automatic Migration from v1.x:

```bash
# Migration runs automatically on first ccwb command
ccwb context list     # Verify profiles migrated
ccwb context show     # Verify active profile preserved
```

Rollback if needed:

```bash
rm -rf ~/.ccwb
cp ~/.ccwb-config/config.json.backup.TIMESTAMP ~/.ccwb-config/config.json
```

📚 Documentation

🔒 Security

  • Client secrets stored in AWS Secrets Manager
  • ALB access logs for audit trail
  • Configurable presigned URL expiration (1-168 hours)
  • S3 bucket policies with least privilege access

Full Changelog: See CHANGELOG.md for complete details

v1.1.4 - Auth0 Direct IAM Federation and Dashboard Region Fixes

05 Nov 20:00
1fc8d6f

Fixed

  • Auth0 OIDC provider URL format: Fixed issuer validation failures during token exchange

    • Added trailing slash to Auth0 OIDC provider URL (https://${Auth0Domain}/)
    • Auth0's OIDC issuer includes trailing slash per OAuth 2.0 spec
    • Prevents "issuer mismatch" errors during Direct IAM federation
    • Updated CloudFormation template parameter documentation with supported domain formats
  • Auth0 session name sanitization: Fixed AssumeRoleWithWebIdentity errors for Auth0 users

    • Auth0 uses pipe-delimited format in sub claims (e.g., auth0|12345)
    • AWS RoleSessionName regex [\w+=,.@-]* doesn't allow pipe characters
    • Automatically sanitize invalid characters to hyphens in session names
    • Prevents "Member must satisfy regular expression pattern" validation errors
  • Bedrock list permissions: Fixed permission errors for model listing operations

    • Changed Resource from specific ARNs to '*' for list operations
    • Affects ListFoundationModels, GetFoundationModel, GetFoundationModelAvailability, ListInferenceProfiles, GetInferenceProfile
    • AWS Bedrock list operations require Resource: '*' per AWS IAM documentation
    • Applied fix to all provider templates (Auth0, Azure AD, Okta, Cognito User Pool)
  • Dashboard region configuration: Fixed monitoring dashboards for multi-region deployments

    • Replaced hardcoded us-east-1 with ${MetricsRegion} parameter in log widgets
    • Deploy command now passes MetricsRegion parameter from profile.aws_region
    • Prevents ResourceNotFoundException for deployments outside us-east-1
    • Affects CloudWatch Logs Insights widgets in monitoring dashboard
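The Auth0 session-name fix above maps the `sub` claim onto the STS RoleSessionName constraint. As an added illustration, not the project's own code, this Python function performs that sanitization; the 2 to 64 character length limit comes from the AssumeRoleWithWebIdentity API reference, and the fallback name is an assumption of this example.

```python
import re

# STS RoleSessionName constraint (AssumeRoleWithWebIdentity API reference):
# characters must match [\w+=,.@-] and the length must be 2 to 64.
# re.ASCII keeps \w at [A-Za-z0-9_], matching the AWS pattern.
_DISALLOWED = re.compile(r"[^\w+=,.@-]", re.ASCII)
_MIN_LEN, _MAX_LEN = 2, 64


def sanitize_role_session_name(sub: str, fallback: str = "claude-code") -> str:
    """Map an IdP subject claim to a valid STS RoleSessionName.

    Auth0 subjects look like "auth0|12345"; the pipe falls outside the allowed
    class, so STS rejects it. Every disallowed character becomes a hyphen
    (the behaviour described in the release notes), the result is truncated
    to 64 characters, and the (assumed) fallback is used if too little remains.
    """
    cleaned = _DISALLOWED.sub("-", sub)[:_MAX_LEN]
    return cleaned if len(cleaned) >= _MIN_LEN else fallback


def is_valid_role_session_name(name: str) -> bool:
    """True when `name` satisfies the STS RoleSessionName constraint."""
    return _MIN_LEN <= len(name) <= _MAX_LEN and _DISALLOWED.search(name) is None
```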

Changed

  • Code quality improvements:
    • Moved subprocess import to module level in deploy.py
    • Fixed variable shadowing: platform_choice → platform_name in package.py

Documentation

  • Enhanced Auth0 setup documentation
    • Added comprehensive table of supported Auth0 domain formats (standard and regional)
    • Added troubleshooting section for AssumeRoleWithWebIdentity validation errors
    • Documented automatic handling of Auth0 pipe character issue
    • Added examples of valid and invalid domain formats
    • Clarified that https:// prefix and trailing slash are added automatically

v1.1.3 - Azure AD Integration Fix

04 Nov 04:06
0438675

v1.1.3 - Azure AD Integration Fix

This release fixes Azure AD/Microsoft Entra ID integration failures that were blocking deployments.

🐛 Bug Fixes

  • Fix Azure tenant ID extraction: Resolves "Parameter AzureTenantId failed to satisfy constraint" deployment error
    • Implemented regex-based GUID extraction to support multiple URL formats
    • Now handles full URLs (with/without /v2.0), just tenant ID, and with https:// prefix
  • Correct OIDC endpoint: Updated CloudFormation template to use proper Microsoft v2.0 endpoint
    • Changed from sts.windows.net/{tenant} to login.microsoftonline.com/{tenant}/v2.0
    • Ensures token issuer matches OIDC provider URL
  • Enhanced documentation: Added comprehensive table of supported Azure provider domain formats
    • Includes troubleshooting section for common deployment errors
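Added example, not the project's code: a regex-based extraction for the AzureTenantId parameter that accepts the URL forms listed above, together with the v2.0 issuer URL the template now uses. The GUID pattern is this example's own rule, and the tenant IDs used for illustration are constructed.

```python
import re
from typing import Optional

# A Microsoft Entra ID tenant ID is a GUID; this pattern is the extraction rule
# used in this example, not necessarily the project's own regex.
_TENANT_GUID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)


def extract_azure_tenant_id(value: str) -> Optional[str]:
    """Return the tenant GUID from whichever form the user pasted, or None.

    Accepts a bare GUID, "login.microsoftonline.com/<guid>", the same with an
    https:// prefix, and with or without a trailing "/v2.0". Returning None
    lets the caller reject the input before CloudFormation fails the
    AzureTenantId parameter constraint.
    """
    match = _TENANT_GUID.search(value.strip())
    return match.group(0).lower() if match else None


def azure_oidc_issuer(tenant_id: str) -> str:
    """Build the v2.0 issuer URL the template uses for the IAM OIDC provider.

    Tokens minted by the v2.0 endpoint carry exactly this issuer, so the
    provider URL must match it or AssumeRoleWithWebIdentity fails.
    """
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
```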

🔄 Upgrade Notes

No breaking changes. Simply pull the latest version:

```bash
git pull origin main
cd source
poetry install
```

📝 Full Changelog

What's Changed

  • Fix: Azure tenant ID extraction from provider URL formats by @schuettc in #53

Full Changelog: v1.1.2...v1.1.3

v1.1.2 - Packaging Fixes

31 Oct 01:57
1300af0

v1.1.2 - Packaging Fixes

This release fixes critical bugs in the packaging workflow and improves the Windows build experience.

🐛 Bug Fixes

  • Fix variable shadowing error: Resolved 'str' object has no attribute 'system' error that blocked package command
  • Preserve federation type: Fixed init command inadvertently changing federation type from Cognito to Direct STS
  • Fix Docker checks: Corrected subprocess argument conflicts in Docker daemon checks

✨ Improvements

  • Direct Windows artifact download: Added --download flag to builds command for easier Windows binary retrieval
    poetry run ccwb builds --status latest --download
  • Better error messages: Improved Docker error handling with clear, actionable messages
  • Clearer workflow instructions: Updated Windows build messaging based on whether distribution is enabled

🔄 Upgrade Notes

No breaking changes. Simply pull the latest version:

```bash
git pull origin main
poetry install
```

📝 Full Changelog

What's Changed

  • Fix critical packaging bugs and improve Windows build workflow by @schuettc in #51

Full Changelog: v1.1.1...v1.1.2

v1.1.1 - Session Mode Performance Improvement

09 Oct 20:36
b24a861

Performance Improvement

Session mode credential retrieval is now significantly faster (300ms → 1ms) by using AWS standard ~/.aws/credentials files instead of invoking the Python credential_process.


What's Changed

Session Mode Upgrade

  • Session storage now writes to ~/.aws/credentials
  • Eliminates credential_process overhead
  • Credentials persist across terminal sessions
  • Automatic upgrade for existing users (no migration needed)

New CLI Flags

  • --check-expiration - Check if cached credentials are expired
  • --refresh-if-needed - Refresh credentials if expired

Package Command Improvements

  • Interactive platform selection
  • Co-authorship preference prompt (opt-in, defaults to False)
  • --build-verbose flag for build debugging

Code Quality

  • Added Ruff pre-commit hooks for automated linting
  • Auto-fix import ordering and formatting

Security

  • Atomic writes using temp file + os.replace()
  • File permissions set to 0600 (owner read/write only)
  • 30-second expiration safety buffer
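The three items above describe how the session-mode credential file is written. As an added example, not the project's credential_provider code, this Python writes one profile into an AWS credentials file atomically with 0600 permissions and applies the 30-second expiry buffer; the profile name, key values and file path used for illustration are constructed.

```python
import configparser
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Safety margin before the real expiry, as described in the release notes.
EXPIRY_SAFETY_BUFFER = timedelta(seconds=30)


def write_session_credentials(path: str, profile: str, creds: dict) -> int:
    """Atomically write `creds` into [profile] of an AWS credentials file.

    The content goes to a temp file in the same directory (mkstemp creates it
    with mode 0600; fchmod makes that explicit), then os.replace() swaps it in,
    so readers never see a partial file and the secret is never world-readable.
    Returns the final permission bits for verification.
    """
    target = Path(path)
    parser = configparser.ConfigParser()
    parser.read(target)  # missing file is fine; other profiles are preserved
    if not parser.has_section(profile):
        parser.add_section(profile)
    for key, value in creds.items():
        parser.set(profile, key, value)
    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=".credentials-")
    try:
        with os.fdopen(fd, "w") as handle:
            os.fchmod(handle.fileno(), 0o600)
            parser.write(handle)
            handle.flush()
            os.fsync(handle.fileno())  # data on disk before the rename
        os.replace(tmp_name, target)  # atomic on POSIX
    except BaseException:
        os.unlink(tmp_name)
        raise
    return os.stat(target).st_mode & 0o777


def read_profile(path: str, profile: str) -> dict:
    """Read one profile back as a dict (configparser lower-cases the keys)."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return dict(parser[profile])


def credentials_expired(expiration_iso: str, now_iso: str) -> bool:
    """True once `now` is within EXPIRY_SAFETY_BUFFER of (or past) the expiry."""
    expiration = datetime.fromisoformat(expiration_iso.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return now + EXPIRY_SAFETY_BUFFER >= expiration
```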

Migration

No action required. Existing session mode users will be prompted to re-authenticate on first use after update.


Full Changelog: v1.1.0...v1.1.1

v1.1.0 - Direct IAM Federation & Claude Sonnet 4.5

30 Sep 16:35
558c2ea

Release v1.1.0: Direct IAM federation, inference profiles, and Claude…