@kervnet/opencode-kiro-auth 1.5.4 → 1.6.0

package/README.md

@@ -8,9 +8,9 @@ OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet a
 
 ## Features
 
-- **Multiple Auth Methods**: Supports AWS Builder ID (IDC), Kiro Desktop (CLI-based), and AWS SSO authentication.
+- **Multiple Auth Methods**: Supports AWS Builder ID (IDC), Kiro Desktop (CLI-based), and IAM authentication.
 - **Auto-Sync Kiro CLI**: Automatically imports and synchronizes active sessions from your local `kiro-cli` SQLite database.
-- **Auto-Sync AWS SSO**: Automatically imports credentials from `~/.aws/sso/cache` for seamless integration with AWS profiles.
+- **IAM Profile Support**: Automatically detects and uses IAM profiles configured via `kiro-cli login` with IAM Identity Center.
 - **Gradual Context Truncation**: Intelligently prevents error 400 by reducing context size dynamically during retries.
 - **Intelligent Account Rotation**: Prioritizes multi-account usage based on lowest available quota.
 - **High-Performance Storage**: Efficient account and usage management using native Bun SQLite.
@@ -74,15 +74,11 @@ Add the plugin to your `opencode.json` or `opencode.jsonc`:
    - Perform login directly in your terminal using `kiro-cli login`.
    - The plugin will automatically detect and import your session on startup.
    - For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the `kiro-cli` database.
-2. **Authentication via AWS SSO**:
-   - Ensure you have AWS SSO configured in `~/.aws/config` with active sessions.
-   - The plugin automatically imports credentials from `~/.aws/sso/cache` on startup.
-   - No additional configuration needed - just use your existing AWS SSO profiles.
-3. **Direct Authentication**:
+2. **Direct Authentication**:
    - Run `opencode auth login`.
    - Select `Other`, type `kiro`, and press enter.
    - Follow the instructions for **AWS Builder ID (IDC)**.
-4. Configuration will be automatically managed at `~/.config/opencode/kiro.db`.
+3. Configuration will be automatically managed at `~/.config/opencode/kiro.db`.
 
 ## Troubleshooting
 
@@ -103,7 +99,6 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
 ```json
 {
   "auto_sync_kiro_cli": true,
-  "auto_sync_aws_sso": true,
   "account_selection_strategy": "lowest-usage",
   "default_region": "us-east-1",
   "rate_limit_retry_delay_ms": 5000,
@@ -122,7 +117,6 @@ The plugin supports extensive configuration options. Edit `~/.config/opencode/ki
 ### Configuration Options
 
 - `auto_sync_kiro_cli`: Automatically sync sessions from Kiro CLI (default: `true`).
-- `auto_sync_aws_sso`: Automatically sync credentials from AWS SSO cache (default: `true`).
 - `account_selection_strategy`: Account rotation strategy (`sticky`, `round-robin`, `lowest-usage`).
 - `default_region`: AWS region (`us-east-1`, `us-west-2`).
 - `rate_limit_retry_delay_ms`: Delay between rate limit retries (1000-60000ms).

package/dist/core/auth/auth-handler.js

@@ -9,7 +9,9 @@ export class AuthHandler {
     }
     async initialize() {
         const { syncFromKiroCli } = await import('../../plugin/sync/kiro-cli.js');
-        await syncFromKiroCli();
+        if (this.config.auto_sync_kiro_cli) {
+            await syncFromKiroCli();
+        }
     }
     setAccountManager(am) {
         this.accountManager = am;

package/dist/core/request/request-handler.js

@@ -1,3 +1,4 @@
+import { signRequestWithIAM } from '../../kiro/iam';
 import { isPermanentError } from '../../plugin/health';
 import * as logger from '../../plugin/logger';
 import { transformToCodeWhisperer } from '../../plugin/request';
@@ -75,7 +76,15 @@ export class RequestHandler {
                 this.logRequest(prep, acc, apiTimestamp);
             }
             try {
-                const res = await fetch(prep.url, prep.init);
+                let finalInit = prep.init;
+                if (auth.authMethod === 'iam' && auth.awsProfile) {
+                    const signedHeaders = await signRequestWithIAM(prep.url, prep.init.method || 'POST', prep.init.headers, prep.init.body, auth.awsProfile, auth.region);
+                    finalInit = {
+                        ...prep.init,
+                        headers: signedHeaders
+                    };
+                }
+                const res = await fetch(prep.url, finalInit);
                 if (apiTimestamp) {
                     this.logResponse(res, prep, apiTimestamp);
                 }

package/dist/kiro/auth.js

@@ -6,6 +6,8 @@ export function decodeRefreshToken(refresh) {
     const authMethod = parts[parts.length - 1];
     if (authMethod === 'idc')
         return { refreshToken, clientId: parts[1], clientSecret: parts[2], authMethod: 'idc' };
+    if (authMethod === 'iam')
+        return { refreshToken, profileArn: parts[1], authMethod: 'iam' };
     if (authMethod === 'desktop')
         return { refreshToken, authMethod: 'desktop' };
     return { refreshToken, authMethod: 'desktop' };
@@ -21,5 +23,8 @@ export function encodeRefreshToken(parts) {
             throw new Error('Missing credentials');
         return `${parts.refreshToken}|${parts.clientId}|${parts.clientSecret}|idc`;
     }
+    if (parts.authMethod === 'iam') {
+        return `${parts.refreshToken}|${parts.profileArn || ''}|iam`;
+    }
     return `${parts.refreshToken}|desktop`;
 }

package/dist/kiro/iam.d.ts

@@ -0,0 +1,4 @@
+import type { KiroAuthDetails } from '../plugin/types';
+export declare function getIAMCredentials(profileName: string, region: string): Promise<import("@smithy/types").AwsCredentialIdentity>;
+export declare function signRequestWithIAM(url: string, method: string, headers: Record<string, string>, body: string, profileName: string, region: string): Promise<Record<string, string>>;
+export declare function isIAMAuth(auth: KiroAuthDetails): boolean;

package/dist/kiro/iam.js

@@ -0,0 +1,34 @@
+import { fromIni } from '@aws-sdk/credential-providers';
+import { SignatureV4 } from '@smithy/signature-v4';
+import { Sha256 } from '@aws-crypto/sha256-js';
+import { HttpRequest } from '@smithy/protocol-http';
+export async function getIAMCredentials(profileName, region) {
+    const credentials = fromIni({ profile: profileName });
+    return await credentials();
+}
+export async function signRequestWithIAM(url, method, headers, body, profileName, region) {
+    const credentials = await getIAMCredentials(profileName, region);
+    const parsedUrl = new URL(url);
+    const request = new HttpRequest({
+        method,
+        protocol: parsedUrl.protocol,
+        hostname: parsedUrl.hostname,
+        path: parsedUrl.pathname + parsedUrl.search,
+        headers: {
+            ...headers,
+            host: parsedUrl.hostname,
+        },
+        body,
+    });
+    const signer = new SignatureV4({
+        credentials,
+        region,
+        service: 'codewhisperer',
+        sha256: Sha256,
+    });
+    const signedRequest = await signer.sign(request);
+    return signedRequest.headers;
+}
+export function isIAMAuth(auth) {
+    return auth.authMethod === 'iam';
+}

package/dist/plugin/accounts.js

@@ -30,6 +30,7 @@ export class AccountManager {
             clientId: r.client_id,
             clientSecret: r.client_secret,
             profileArn: r.profile_arn,
+            awsProfile: r.aws_profile,
             refreshToken: r.refresh_token,
             accessToken: r.access_token,
             expiresAt: r.expires_at,
@@ -229,7 +230,8 @@ export class AccountManager {
             profileArn: a.profileArn,
             clientId: a.clientId,
             clientSecret: a.clientSecret,
-            email: a.email
+            email: a.email,
+            awsProfile: a.awsProfile
         };
     }
 }

package/dist/plugin/config/schema.d.ts

@@ -17,7 +17,6 @@ export declare const KiroConfigSchema: z.ZodObject<{
     auth_server_port_range: z.ZodDefault<z.ZodNumber>;
     usage_tracking_enabled: z.ZodDefault<z.ZodBoolean>;
     auto_sync_kiro_cli: z.ZodDefault<z.ZodBoolean>;
-    auto_sync_aws_sso: z.ZodDefault<z.ZodBoolean>;
     enable_log_api_request: z.ZodDefault<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     account_selection_strategy: "sticky" | "round-robin" | "lowest-usage";
@@ -32,7 +31,6 @@ export declare const KiroConfigSchema: z.ZodObject<{
     auth_server_port_range: number;
     usage_tracking_enabled: boolean;
     auto_sync_kiro_cli: boolean;
-    auto_sync_aws_sso: boolean;
     enable_log_api_request: boolean;
     $schema?: string | undefined;
 }, {
@@ -49,7 +47,6 @@ export declare const KiroConfigSchema: z.ZodObject<{
     auth_server_port_range?: number | undefined;
     usage_tracking_enabled?: boolean | undefined;
     auto_sync_kiro_cli?: boolean | undefined;
-    auto_sync_aws_sso?: boolean | undefined;
     enable_log_api_request?: boolean | undefined;
 }>;
 export type KiroConfig = z.infer<typeof KiroConfigSchema>;

package/dist/plugin/config/schema.js

@@ -15,7 +15,6 @@ export const KiroConfigSchema = z.object({
     auth_server_port_range: z.number().min(1).max(100).default(10),
     usage_tracking_enabled: z.boolean().default(true),
     auto_sync_kiro_cli: z.boolean().default(true),
-    auto_sync_aws_sso: z.boolean().default(true),
     enable_log_api_request: z.boolean().default(false)
 });
 export const DEFAULT_CONFIG = {
@@ -31,6 +30,5 @@ export const DEFAULT_CONFIG = {
     auth_server_port_range: 10,
     usage_tracking_enabled: true,
     auto_sync_kiro_cli: true,
-    auto_sync_aws_sso: true,
     enable_log_api_request: false
 };

package/dist/plugin/request.js

@@ -215,21 +215,24 @@ export function transformToCodeWhisperer(url, body, model, auth, think = false,
     const osP = os.platform(), osR = os.release(), nodeV = process.version.replace('v', ''), kiroV = KIRO_CONSTANTS.KIRO_VERSION;
     const osN = osP === 'win32' ? `windows#${osR}` : osP === 'darwin' ? `macos#${osR}` : `${osP}#${osR}`;
     const ua = `aws-sdk-js/1.0.0 ua/2.1 os/${osN} lang/js md/nodejs#${nodeV} api/codewhispererruntime#1.0.0 m/E KiroIDE-${kiroV}-${machineId}`;
+    const baseHeaders = {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+        'amz-sdk-invocation-id': crypto.randomUUID(),
+        'amz-sdk-request': 'attempt=1; max=1',
+        'x-amzn-kiro-agent-mode': 'vibe',
+        'x-amz-user-agent': `aws-sdk-js/1.0.0 KiroIDE-${kiroV}-${machineId}`,
+        'user-agent': ua,
+        Connection: 'close'
+    };
+    if (auth.authMethod !== 'iam') {
+        baseHeaders.Authorization = `Bearer ${auth.access}`;
+    }
     return {
         url: KIRO_CONSTANTS.BASE_URL.replace('{{region}}', auth.region),
         init: {
             method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                Accept: 'application/json',
-                Authorization: `Bearer ${auth.access}`,
-                'amz-sdk-invocation-id': crypto.randomUUID(),
-                'amz-sdk-request': 'attempt=1; max=1',
-                'x-amzn-kiro-agent-mode': 'vibe',
-                'x-amz-user-agent': `aws-sdk-js/1.0.0 KiroIDE-${kiroV}-${machineId}`,
-                'user-agent': ua,
-                Connection: 'close'
-            },
+            headers: baseHeaders,
             body: JSON.stringify(request)
         },
         streaming: true,

package/dist/plugin/storage/migrations.js

@@ -2,6 +2,7 @@ export function runMigrations(db) {
     migrateToUniqueRefreshToken(db);
     migrateRealEmailColumn(db);
     migrateUsageTable(db);
+    migrateAwsProfileColumn(db);
 }
 function migrateToUniqueRefreshToken(db) {
     const hasIndex = db
@@ -107,3 +108,10 @@ function migrateUsageTable(db) {
         db.run('DROP TABLE usage');
     }
 }
+function migrateAwsProfileColumn(db) {
+    const columns = db.prepare('PRAGMA table_info(accounts)').all();
+    const names = new Set(columns.map((c) => c.name));
+    if (!names.has('aws_profile')) {
+        db.run('ALTER TABLE accounts ADD COLUMN aws_profile TEXT');
+    }
+}

package/dist/plugin/storage/sqlite.js

@@ -45,20 +45,20 @@ export class KiroDatabase {
             .prepare(`
       INSERT INTO accounts (
         id, email, auth_method, region, client_id, client_secret,
-        profile_arn, refresh_token, access_token, expires_at, rate_limit_reset,
+        profile_arn, aws_profile, refresh_token, access_token, expires_at, rate_limit_reset,
         is_healthy, unhealthy_reason, recovery_time, fail_count, last_used,
         used_count, limit_count, last_sync
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
       ON CONFLICT(refresh_token) DO UPDATE SET
         id=excluded.id, email=excluded.email, auth_method=excluded.auth_method,
         region=excluded.region, client_id=excluded.client_id, client_secret=excluded.client_secret,
-        profile_arn=excluded.profile_arn, access_token=excluded.access_token, expires_at=excluded.expires_at,
+        profile_arn=excluded.profile_arn, aws_profile=excluded.aws_profile, access_token=excluded.access_token, expires_at=excluded.expires_at,
         rate_limit_reset=excluded.rate_limit_reset, is_healthy=excluded.is_healthy,
         unhealthy_reason=excluded.unhealthy_reason, recovery_time=excluded.recovery_time,
         fail_count=excluded.fail_count, last_used=excluded.last_used,
         used_count=excluded.used_count, limit_count=excluded.limit_count, last_sync=excluded.last_sync
     `)
-            .run(acc.id, acc.email, acc.authMethod, acc.region, acc.clientId || null, acc.clientSecret || null, acc.profileArn || null, acc.refreshToken, acc.accessToken, acc.expiresAt, acc.rateLimitResetTime || 0, acc.isHealthy ? 1 : 0, acc.unhealthyReason || null, acc.recoveryTime || null, acc.failCount || 0, acc.lastUsed || 0, acc.usedCount || 0, acc.limitCount || 0, acc.lastSync || 0);
+            .run(acc.id, acc.email, acc.authMethod, acc.region, acc.clientId || null, acc.clientSecret || null, acc.profileArn || null, acc.awsProfile || null, acc.refreshToken, acc.accessToken, acc.expiresAt, acc.rateLimitResetTime || 0, acc.isHealthy ? 1 : 0, acc.unhealthyReason || null, acc.recoveryTime || null, acc.failCount || 0, acc.lastUsed || 0, acc.usedCount || 0, acc.limitCount || 0, acc.lastSync || 0);
     }
     async upsertAccount(acc) {
         await withDatabaseLock(this.path, async () => {
@@ -110,6 +110,7 @@ export class KiroDatabase {
             clientId: row.client_id,
             clientSecret: row.client_secret,
             profileArn: row.profile_arn,
+            awsProfile: row.aws_profile,
             refreshToken: row.refresh_token,
             accessToken: row.access_token,
             expiresAt: row.expires_at,

package/dist/plugin/sync/iam-cli.d.ts

@@ -0,0 +1 @@
+export declare function syncIAMFromKiroCli(): Promise<void>;

package/dist/plugin/sync/iam-cli.js

@@ -0,0 +1,56 @@
+import { execSync } from 'node:child_process';
+import { createDeterministicAccountId } from '../accounts';
+import * as logger from '../logger';
+import { kiroDb } from '../storage/sqlite';
+export async function syncIAMFromKiroCli() {
+    try {
+        const output = execSync('kiro-cli whoami', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        const lines = output.split('\n').map(l => l.trim()).filter(Boolean);
+        let profileName;
+        let profileArn;
+        let region = 'us-east-1';
+        for (const line of lines) {
+            if (line.startsWith('arn:aws:codewhisperer:')) {
+                profileArn = line;
+                const match = line.match(/:([a-z]+-[a-z]+-\d+):/);
+                if (match && match[1])
+                    region = match[1];
+            }
+            else if (!line.includes('Logged in') && !line.includes('Profile:') && !line.startsWith('arn:') && !line.startsWith('http')) {
+                profileName = line;
+            }
+        }
+        if (!profileArn || !profileName) {
+            logger.debug('IAM sync: No IAM profile detected from kiro-cli whoami');
+            return;
+        }
+        const email = `iam-${profileName}@aws.amazon.com`;
+        const id = createDeterministicAccountId(email, 'iam', undefined, profileArn);
+        const existing = kiroDb.getAccounts().find((a) => a.id === id);
+        if (existing && existing.is_healthy === 1) {
+            logger.debug('IAM sync: Profile already synced and healthy');
+            return;
+        }
+        await kiroDb.upsertAccount({
+            id,
+            email,
+            authMethod: 'iam',
+            region: region,
+            profileArn,
+            awsProfile: profileName,
+            refreshToken: profileArn,
+            accessToken: 'iam-signed',
+            expiresAt: Date.now() + 3600000,
+            rateLimitResetTime: 0,
+            isHealthy: true,
+            failCount: 0,
+            usedCount: 0,
+            limitCount: 0,
+            lastSync: Date.now()
+        });
+        logger.log('IAM sync: Successfully synced IAM profile', { profileName, profileArn, region });
+    }
+    catch (e) {
+        logger.debug('IAM sync: Failed to sync from kiro-cli', e);
+    }
+}

package/dist/plugin/sync/kiro-cli.js

@@ -4,8 +4,10 @@ import { createDeterministicAccountId } from '../accounts';
 import * as logger from '../logger';
 import { kiroDb } from '../storage/sqlite';
 import { fetchUsageLimits } from '../usage';
+import { syncIAMFromKiroCli } from './iam-cli';
 import { findClientCredsRecursive, getCliDbPath, makePlaceholderEmail, normalizeExpiresAt, safeJsonParse } from './kiro-cli-parser';
 export async function syncFromKiroCli() {
+    await syncIAMFromKiroCli();
     const dbPath = getCliDbPath();
     if (!existsSync(dbPath))
         return;
@@ -13,28 +15,6 @@ export async function syncFromKiroCli() {
         const cliDb = new Database(dbPath, { readonly: true });
         cliDb.run('PRAGMA busy_timeout = 5000');
         const rows = cliDb.prepare('SELECT key, value FROM auth_kv').all();
-        // Get profile ARN from state table
-        let profileArn;
-        let profileRegion;
-        try {
-            const stateRow = cliDb
-                .prepare("SELECT value FROM state WHERE key = 'api.codewhisperer.profile'")
-                .get();
-            if (stateRow?.value) {
-                const profileData = safeJsonParse(stateRow.value);
-                profileArn = profileData?.arn;
-                // Extract region from ARN: arn:aws:codewhisperer:REGION:...
-                if (profileArn) {
-                    const arnParts = profileArn.split(':');
-                    if (arnParts.length >= 4) {
-                        profileRegion = arnParts[3];
-                    }
-                }
-            }
-        }
-        catch (e) {
-            logger.debug('Could not read profile from state table', e);
-        }
         const deviceRegRow = rows.find((r) => typeof r?.key === 'string' && r.key.includes('device-registration'));
         const deviceReg = safeJsonParse(deviceRegRow?.value);
         const regCreds = deviceReg ? findClientCredsRecursive(deviceReg) : {};
@@ -43,16 +23,10 @@ export async function syncFromKiroCli() {
                 const data = safeJsonParse(row.value);
                 if (!data)
                     continue;
-                const tokenExpiresAt = normalizeExpiresAt(data.expires_at ?? data.expiresAt) || Date.now() + 3600000;
-                // Skip expired tokens
-                if (tokenExpiresAt < Date.now()) {
-                    logger.debug('Kiro CLI sync: skipping expired token', { key: row.key });
-                    continue;
-                }
                 const isIdc = row.key.includes('odic');
                 const authMethod = isIdc ? 'idc' : 'desktop';
-                const region = profileRegion || data.region || 'us-east-1';
-                const tokenProfileArn = data.profile_arn || data.profileArn || profileArn;
+                const region = data.region || 'us-east-1';
+                const profileArn = data.profile_arn || data.profileArn;
                 const accessToken = data.access_token || data.accessToken || '';
                 const refreshToken = data.refresh_token || data.refreshToken;
                 if (!refreshToken)
@@ -63,6 +37,7 @@ export async function syncFromKiroCli() {
                     logger.warn('Kiro CLI sync: missing IDC device credentials; skipping token import');
                     continue;
                 }
+                const cliExpiresAt = normalizeExpiresAt(data.expires_at ?? data.expiresAt) || Date.now() + 3600000;
                 let usedCount = 0;
                 let limitCount = 0;
                 let email;
@@ -71,10 +46,10 @@ export async function syncFromKiroCli() {
                     const authForUsage = {
                         refresh: '',
                         access: accessToken,
-                        expires: tokenExpiresAt,
+                        expires: cliExpiresAt,
                         authMethod,
                         region,
-                        profileArn: tokenProfileArn,
+                        profileArn,
                         clientId,
                         clientSecret,
                         email: ''
@@ -97,8 +72,8 @@ export async function syncFromKiroCli() {
                 const all = kiroDb.getAccounts();
                 if (!email) {
                     let existing;
-                    if (tokenProfileArn) {
-                        existing = all.find((a) => a.auth_method === authMethod && a.profile_arn === tokenProfileArn);
+                    if (profileArn) {
+                        existing = all.find((a) => a.auth_method === authMethod && a.profile_arn === profileArn);
                     }
                     if (!existing && authMethod === 'idc' && clientId) {
                         existing = all.find((a) => a.auth_method === 'idc' && a.client_id === clientId);
@@ -107,19 +82,19 @@ export async function syncFromKiroCli() {
                         email = existing.email;
                     }
                     else {
-                        email = makePlaceholderEmail(authMethod, region, clientId, tokenProfileArn);
+                        email = makePlaceholderEmail(authMethod, region, clientId, profileArn);
                     }
                 }
-                const resolvedEmail = email || makePlaceholderEmail(authMethod, region, clientId, tokenProfileArn);
-                const id = createDeterministicAccountId(resolvedEmail, authMethod, clientId, tokenProfileArn);
+                const resolvedEmail = email || makePlaceholderEmail(authMethod, region, clientId, profileArn);
+                const id = createDeterministicAccountId(resolvedEmail, authMethod, clientId, profileArn);
                 const existingById = all.find((a) => a.id === id);
                 if (existingById &&
                     existingById.is_healthy === 1 &&
-                    existingById.expires_at >= tokenExpiresAt)
+                    existingById.expires_at >= cliExpiresAt)
                     continue;
                 if (usageOk) {
-                    const placeholderEmail = makePlaceholderEmail(authMethod, region, clientId, tokenProfileArn);
-                    const placeholderId = createDeterministicAccountId(placeholderEmail, authMethod, clientId, tokenProfileArn);
+                    const placeholderEmail = makePlaceholderEmail(authMethod, region, clientId, profileArn);
+                    const placeholderId = createDeterministicAccountId(placeholderEmail, authMethod, clientId, profileArn);
                     if (placeholderId !== id) {
                         const placeholderRow = all.find((a) => a.id === placeholderId);
                         if (placeholderRow) {
@@ -130,10 +105,10 @@ export async function syncFromKiroCli() {
                                 region: placeholderRow.region || region,
                                 clientId,
                                 clientSecret,
-                                profileArn: tokenProfileArn,
+                                profileArn,
                                 refreshToken: placeholderRow.refresh_token || refreshToken,
                                 accessToken: placeholderRow.access_token || accessToken,
-                                expiresAt: placeholderRow.expires_at || tokenExpiresAt,
+                                expiresAt: placeholderRow.expires_at || cliExpiresAt,
                                 rateLimitResetTime: 0,
                                 isHealthy: false,
                                 failCount: 10,
@@ -153,10 +128,10 @@ export async function syncFromKiroCli() {
                     region,
                     clientId,
                     clientSecret,
-                    profileArn: tokenProfileArn,
+                    profileArn,
                     refreshToken,
                     accessToken,
-                    expiresAt: tokenExpiresAt,
+                    expiresAt: cliExpiresAt,
                     rateLimitResetTime: 0,
                     isHealthy: true,
                     failCount: 0,

package/dist/plugin/token.js

@@ -2,16 +2,22 @@ import crypto from 'node:crypto';
 import { decodeRefreshToken, encodeRefreshToken } from '../kiro/auth';
 import { KiroTokenRefreshError } from './errors';
 export async function refreshAccessToken(auth) {
+    if (auth.authMethod === 'iam') {
+        return {
+            ...auth,
+            access: 'iam-signed',
+            expires: Date.now() + 3600000
+        };
+    }
     const p = decodeRefreshToken(auth.refresh);
     const isIdc = auth.authMethod === 'idc';
-    const isAwsSso = auth.authMethod === 'aws-sso';
-    const url = isIdc || isAwsSso
+    const url = isIdc
         ? `https://oidc.${auth.region}.amazonaws.com/token`
         : `https://prod.${auth.region}.auth.desktop.kiro.dev/refreshToken`;
-    if ((isIdc || isAwsSso) && (!p.clientId || !p.clientSecret)) {
+    if (isIdc && (!p.clientId || !p.clientSecret)) {
         throw new KiroTokenRefreshError('Missing creds', 'MISSING_CREDENTIALS');
     }
-    const requestBody = isIdc || isAwsSso
+    const requestBody = isIdc
         ? {
             refreshToken: p.refreshToken,
             clientId: p.clientId,
@@ -25,7 +31,7 @@ export async function refreshAccessToken(auth) {
         .createHash('sha256')
         .update(auth.profileArn || auth.clientId || 'KIRO_DEFAULT_MACHINE')
         .digest('hex');
-    const ua = isIdc || isAwsSso ? 'aws-sdk-js/1.0.0' : `KiroIDE-0.7.45-${machineId}`;
+    const ua = isIdc ? 'aws-sdk-js/1.0.0' : `KiroIDE-0.7.45-${machineId}`;
     try {
         const res = await fetch(url, {
             method: 'POST',

package/dist/plugin/types.d.ts

@@ -1,4 +1,4 @@
-export type KiroAuthMethod = 'idc' | 'desktop' | 'aws-sso';
+export type KiroAuthMethod = 'idc' | 'desktop' | 'iam';
 export type KiroRegion = 'us-east-1' | 'us-west-2';
 export interface KiroAuthDetails {
     refresh: string;
@@ -10,6 +10,7 @@ export interface KiroAuthDetails {
     clientSecret?: string;
     email?: string;
     profileArn?: string;
+    awsProfile?: string;
 }
 export interface RefreshParts {
     refreshToken: string;
@@ -26,6 +27,7 @@ export interface ManagedAccount {
     clientId?: string;
     clientSecret?: string;
     profileArn?: string;
+    awsProfile?: string;
     refreshToken: string;
     accessToken: string;
     expiresAt: number;

package/dist/plugin.js

@@ -16,22 +16,16 @@ export const createKiroPlugin = (id) => async ({ client, directory }) => {
     const authHandler = new AuthHandler(config, repository);
     const accountManager = await AccountManager.loadFromDisk(config.account_selection_strategy);
     authHandler.setAccountManager(accountManager);
-    // Sync AWS SSO before OpenCode checks for accounts
-    await authHandler.initialize();
     const requestHandler = new RequestHandler(accountManager, config, repository);
     return {
         auth: {
             provider: id,
             loader: async (getAuth) => {
                 await getAuth();
-                const region = config.default_region || 'us-east-1';
-                const baseTemplate = KIRO_CONSTANTS?.BASE_URL || 'https://q.{{region}}.amazonaws.com/generateAssistantResponse';
-                const baseURL = baseTemplate
-                    .replace('/generateAssistantResponse', '')
-                    .replace('{{region}}', region);
+                await authHandler.initialize();
                 return {
                     apiKey: '',
-                    baseURL,
+                    baseURL: KIRO_CONSTANTS.BASE_URL.replace('/generateAssistantResponse', '').replace('{{region}}', config.default_region || 'us-east-1'),
                     fetch: (input, init) => requestHandler.handle(input, init, showToast)
                 };
             },

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@kervnet/opencode-kiro-auth",
-  "version": "1.5.4",
-  "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) with IAM Identity Center profile support",
+  "version": "1.6.0",
+  "description": "OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude models with IAM auth support",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -21,17 +21,22 @@
     "ai",
     "auth"
   ],
-  "author": "tickernelz",
+  "author": "kervnet",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/tickernelz/opencode-kiro-auth.git"
+    "url": "git+https://github.com/kervnet/opencode-kiro-auth.git"
   },
   "publishConfig": {
     "access": "public"
   },
   "dependencies": {
+    "@aws-crypto/sha256-js": "^5.2.0",
+    "@aws-sdk/credential-providers": "^3.978.0",
+    "@aws-sdk/signature-v4": "^3.370.0",
     "@opencode-ai/plugin": "^0.15.30",
+    "@smithy/protocol-http": "^5.3.8",
+    "@smithy/signature-v4": "^5.3.8",
     "proper-lockfile": "^4.1.2",
     "zod": "^3.24.0"
   },

package/dist/plugin/sync/aws-sso.d.ts

@@ -1,2 +0,0 @@
-import type { ManagedAccount } from '../types';
-export declare function syncFromAwsSso(): Promise<ManagedAccount[]>;

package/dist/plugin/sync/aws-sso.js

@@ -1,50 +0,0 @@
-import { readFile, readdir } from 'node:fs/promises';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
-import { createDeterministicAccountId } from '../accounts';
-import * as logger from '../logger';
-export async function syncFromAwsSso() {
-    const accounts = [];
-    const ssoDir = join(homedir(), '.aws', 'sso', 'cache');
-    try {
-        const files = await readdir(ssoDir);
-        const jsonFiles = files.filter((f) => f.endsWith('.json') && !f.includes('.tmp'));
-        for (const file of jsonFiles) {
-            try {
-                const content = await readFile(join(ssoDir, file), 'utf-8');
-                const entry = JSON.parse(content);
-                if (!entry.accessToken || !entry.refreshToken)
-                    continue;
-                const expiresAt = new Date(entry.expiresAt).getTime();
-                if (expiresAt < Date.now())
-                    continue;
-                const id = createDeterministicAccountId(entry.startUrl, 'aws-sso', entry.clientId, undefined);
-                accounts.push({
-                    id,
-                    email: entry.startUrl,
-                    authMethod: 'aws-sso',
-                    region: (entry.region || 'us-east-1'),
-                    clientId: entry.clientId,
-                    clientSecret: entry.clientSecret,
-                    refreshToken: entry.refreshToken,
-                    accessToken: entry.accessToken,
-                    expiresAt,
-                    rateLimitResetTime: 0,
-                    isHealthy: true,
-                    failCount: 0,
-                    lastUsed: Date.now(),
-                    usedCount: 0,
-                    limitCount: 0
-                });
-            }
-            catch (err) {
-                logger.debug('Failed to parse SSO cache file', { file, error: err });
-            }
-        }
-        logger.log(`Synced ${accounts.length} AWS SSO accounts`);
-    }
-    catch (err) {
-        logger.debug('Failed to read AWS SSO cache', { error: err });
-    }
-    return accounts;
-}