aws-cli-agent 0.5.0 → 0.6.1

package/CHANGELOG.md

@@ -4,7 +4,69 @@ All notable changes to this project are documented here.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/);
 versioning follows [SemVer](https://semver.org/).
 
-## [0.5.0] - 2026-05-19
+## [0.6.1] - 2026-05-31
+
+### Added
+
+- **AWS commands are highlighted in the bash script approval preview.** When the agent generates a script for execution, AWS CLI invocations now stand out from the rest of the script body with inverse-color "highlighter strips" so the mutating calls are easy to spot in a long script:
+  - Read-only AWS calls (`describe-*`, `list-*`, `get-*`, `s3 ls`, `sts get-caller-identity`, etc.) render as a **blue strip**.
+  - Mutating AWS calls (`delete-*`, `terminate-*`, `create-*`, `put-*`, `s3 rm`, `s3 cp`, etc.) render as a **yellow strip**.
+  - Everything else — shell control flow, comments, args, flags, pipelines — stays in the existing green script body color.
+
+  Detection is pattern-based, not a full shell parser: `aws <service> <verb>` is matched wherever it appears in a line (start of line, after a pipe, after `time` or `env VAR=val`, inside a `$(...)` substitution). Read-only vs. mutating classification uses the same `READ_ONLY_VERBS` / `READ_ONLY_FULL` lists that drive the per-command auto-approve decision — single source of truth, no drift between the two features. Adding a verb to either list affects both behaviors.
+
+  False positives (e.g. an `aws ec2 describe-instances` substring inside an `echo "..."` literal) get highlighted too. Accepted limitation: a real shell tokenizer would catch these, but the surrounding `echo` and quotes make them visually distinguishable in context.
+
+## [0.6.0] - 2026-05-31
+
+### Breaking
+
+- **Config schema restructured: per-provider blocks at top level.** Provider-specific fields (`model`, `apiKey`, `apiKeyEnv`) move into a top-level block named after the provider. The old top-level `model` and `apiKeyEnv` fields are gone. For Bedrock, the `model` field also moves into the existing `bedrock` block (which already held `region` and `profile`).
+
+  Old:
+  ```json
+  {
+    "provider": "anthropic",
+    "model": "claude-sonnet-4-6",
+    "apiKeyEnv": "MY_KEY",
+    "bedrock": { "region": "us-east-1" }
+  }
+  ```
+
+  New:
+  ```json
+  {
+    "provider": "anthropic",
+    "anthropic": {
+      "model": "claude-sonnet-4-6",
+      "apiKeyEnv": "MY_KEY"
+    },
+    "bedrock": {
+      "model": "us.anthropic.claude-sonnet-4-6",
+      "region": "us-east-1"
+    }
+  }
+  ```
+
+  Old configs fail to load with a clear migration message pointing at the new shape — no silent fallback.
+
+- **Strict validation of the active provider block.** When `provider` is set, the matching top-level block must exist with a `model` field. Previously the top-level `model` default kicked in if absent; now you have to be explicit. Run `aca config` to scaffold a working default.
+
+### Added
+
+- **`<provider>.apiKey` config field for Anthropic / OpenAI / Google.** Convenience for casual users who don't want to set env vars; persists to disk so see the security note in the README. Resolution order: `apiKeyEnv`-named env var → default provider env var → `<provider>.apiKey` from config → error. The env var always wins when both are set.
+- **Default config file is created with mode `0600`** (owner read/write only) so it isn't world-readable on creation. Doesn't help if you edit the file with another tool that resets permissions.
+- **Debug-level log note when the API key resolves from config** rather than an env var. Helps post-hoc forensics see what happened. The key value itself is never logged.
+- **Helpful migration error for pre-0.6 configs.** Loading a config file with top-level `model` or `apiKeyEnv` produces a side-by-side old/new shape diff instead of a cryptic zod parse failure.
+
+### Changed
+
+- **`apiKeyEnv` moves from top-level into the per-provider block.** It was a top-level field since 0.1.0; now it lives at `<provider>.apiKeyEnv`. Same semantics, just nested.
+- **`apiKeyEnv` set to an empty env var emits a warning.** Previously the fall-through to the default env var was silent — convenient until a user noticed the wrong account was being charged. Now if `<provider>.apiKeyEnv` names a variable that isn't set, `aca` prints a warning to stderr and falls back to the default env var (and then to `<provider>.apiKey`). The warning is purely informational; resolution still continues.
+
+### Fixed
+
+- **Ctrl-C inside an SSM session no longer prints "Cannot perform start session: read /dev/stdin: input/output error".** Previously, Ctrl-C delivered SIGINT to both the AWS CLI subprocess AND aca; aca's process tore down the shared stdin before the AWS CLI's own cleanup completed, producing the I/O-error message. The fix: `aca` installs a no-op SIGINT handler for the lifetime of any interactive AWS CLI subprocess, leaving the signal exclusively to the child. The AWS CLI now performs its normal clean shutdown and exits with code 0 or 130, which aca recognizes as a clean termination.
 
 ### Added
 
@@ -35,8 +97,6 @@ versioning follows [SemVer](https://semver.org/).
   With verbose off, nothing aca generates reaches the terminal — only
   the AWS CLI's verbatim output does, matching the README's promise.
 
-## [0.4.0] - 2026-05-18
-
 ### Changed
 
 - **Dependency upgrades.** Vercel AI SDK v4 → v6, zod v3 → v4, TypeScript

package/README.md

@@ -31,6 +31,7 @@ The first example is interactive — the agent runs a read-only `describe-instan
 - **Your prompts go to the model provider.** AWS CLI output is fed back to the model as part of subsequent steps. That means resource names, instance IDs, tag values, and any other data that appears in command output is transmitted to Anthropic / OpenAI / Google / Bedrock (depending on your provider choice). The provider does not retain this data beyond the request itself (and the cache TTL, ~5 minutes for cached prefixes), but **confirm this is compatible with the policies you have to respect** before pointing `aca` at sensitive accounts.
 - **Provider terms apply.** When you use a provider, you agree to that provider's terms of service. For Bedrock, that's AWS's own terms (data stays in your AWS account boundary). For Anthropic / OpenAI / Google, that's their respective enterprise / API terms. Read them.
 - **Audit log is your friend.** Every executed command — including its stdout, stderr, and exit code — lands in `audit.log` (JSONL). If you ever need to reconstruct what happened, it's all there. Don't disable `logging.auditLog` unless you have a specific reason.
+- **API keys in the config file persist to disk.** As of 0.6.0, you can put your LLM provider API key in `<provider>.apiKey` for convenience. The env var still takes precedence when both are set. Putting a key on disk is a meaningful step down from keeping it in your shell environment: backup tools, accidental `git add .` from the wrong directory, screen-sharing, and shoulder-surfing all become realistic leak vectors. The config file is created with mode 0600 by `aca config`, but that doesn't help if you edit it with another tool that resets permissions, or if you copy your `~/.config` into a dotfiles repo. Use the env var path when possible; reserve the config-file path for casual local use.
 - **No warranty.** **You use this agent at your own risk.** The authors are not responsible for unintended AWS API calls, deleted resources, exceeded budgets, or any other damage caused by using this tool. If you wouldn't run `aws` commands blindly from a script you found in someone's gist, don't run `aca` blindly either.
 
 ## Trademark & affiliation
@@ -78,7 +79,9 @@ Default contents (created by `aca config`):
 ```json
 {
   "provider": "anthropic",
-  "model": "claude-sonnet-4-5-20250929",
+  "anthropic": {
+    "model": "claude-sonnet-4-6"
+  },
   "maxSteps": 15,
   "logging": {
     "level": "error",
@@ -97,28 +100,43 @@ Default contents (created by `aca config`):
 }
 ```
 
-Optional fields (omit if you don't need them):
+A more populated config showing all four providers (you only need the block for the active provider; the others are illustrative):
 
 ```json
 {
-  "apiKeyEnv": "MY_CUSTOM_ANTHROPIC_KEY",
-  "defaultRegion": "eu-west-1",
-  "scriptFolder": "/home/me/aws-scripts",
+  "provider": "anthropic",
+  "anthropic": {
+    "model": "claude-sonnet-4-6",
+    "apiKey": "sk-ant-...",
+    "apiKeyEnv": "MY_CUSTOM_ANTHROPIC_KEY"
+  },
+  "openai": {
+    "model": "gpt-5",
+    "apiKey": "sk-..."
+  },
+  "google": {
+    "model": "gemini-2.5-pro",
+    "apiKey": "..."
+  },
   "bedrock": {
+    "model": "us.anthropic.claude-sonnet-4-6",
     "region": "us-east-1",
     "profile": "shared-services"
-  }
+  },
+  "defaultRegion": "eu-west-1",
+  "scriptFolder": "/home/me/aws-scripts"
 }
 ```
 
+Per-provider configuration lives in a top-level block named after the provider (`anthropic`, `openai`, `google`, `bedrock`). The active provider is selected by the top-level `provider` field, and its block must exist with at least a `model` set. All other provider blocks are ignored at runtime, but you can keep them populated if you switch providers often — `aca` won't read them until you change `provider`.
+
 ### Top-level keys
 
 | Key | Default | Meaning |
 |---|---|---|
-| `provider` | `anthropic` | LLM provider: `anthropic` \| `openai` \| `google` \| `bedrock` |
-| `model` | `claude-sonnet-4-5-20250929` | Model identifier (Bedrock uses fully-qualified IDs — see below) |
-| `apiKeyEnv` | — | Override the env var name that holds the API key (ignored for `bedrock`) |
-| `bedrock` | — | Bedrock-specific settings (see below). Only used when `provider = "bedrock"`. |
+| `provider` | `anthropic` | Active LLM provider: `anthropic` \| `openai` \| `google` \| `bedrock`. The matching top-level block must exist and contain a `model`. |
+| `anthropic`, `openai`, `google` | — | Per-provider blocks for the three keyed providers. See "Per-provider keys" below. |
+| `bedrock` | — | Bedrock provider block. See "Bedrock" below. |
 | `defaultRegion` | — | AWS region injected into every AWS CLI command when the agent didn't specify one |
 | `caching` | `true` | Enable prompt caching for providers that support it. See "Prompt caching" below. |
 | `maxSteps` | `15` | Hard cap on agent reasoning/tool steps per request (range 1-50) |
@@ -130,6 +148,28 @@ Optional fields (omit if you don't need them):
 | `historyLimit` | `200` | Max history entries kept in memory for context |
 | `scriptFolder` | `$XDG_DATA_HOME/aws-cli-agent/scripts` | Where saved bash scripts are written |
 
+### Per-provider keys (anthropic, openai, google)
+
+All three keyed providers accept the same three fields:
+
+| Key | Required | Meaning |
+|---|---|---|
+| `<provider>.model` | yes | Model identifier (e.g. `claude-sonnet-4-6`, `gpt-5`, `gemini-2.5-pro`). Required when this provider is active. |
+| `<provider>.apiKey` | no | API key for this provider. **SECURITY:** putting the key here persists it to disk; prefer the env var. The env var wins if both are set. |
+| `<provider>.apiKeyEnv` | no | Override the env var name read for this provider. Default names: `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GOOGLE_GENERATIVE_AI_API_KEY`. |
+
+**API key resolution order** (highest priority first):
+
+1. Env var named by `<provider>.apiKeyEnv` (if that field is set).
+2. Default env var for the provider (e.g. `ANTHROPIC_API_KEY`).
+3. `<provider>.apiKey` from the config file.
+
+If none of the above is set, the run fails with an error listing all three options.
+
+When the key is resolved from the config file instead of an env var, `aca` writes a debug-level note to `general.log` ("API key loaded from config file (no env var set)") so a forensic investigation can see what happened. The key value itself is never logged.
+
+The config file is created with file mode `0600` (owner read/write only) when `aca config` runs. If you edit it manually with another tool, `aca` won't re-permission it on read — that's on you.
+
 ### Logging
 
 ```json
@@ -160,13 +200,13 @@ aca --region eu-west-1 "list ec2 instances in my-staging"
 
 ### Bedrock
 
-When `provider = "bedrock"`, configure region and (optionally) profile via the nested `bedrock` object:
+When `provider = "bedrock"`, configure model, region, and (optionally) profile in the `bedrock` block:
 
 ```json
 {
   "provider": "bedrock",
-  "model": "us.anthropic.claude-sonnet-4-5-20250929-v1:0",
   "bedrock": {
+    "model": "us.anthropic.claude-sonnet-4-6",
     "region": "us-east-1",
     "profile": "shared-services"
   }
@@ -176,6 +216,7 @@ When `provider = "bedrock"`, configure region and (optionally) profile via the n
 - **Model IDs**: Bedrock uses fully-qualified inference-profile IDs. The `us.` / `eu.` / `apac.` prefix is required for most newer Anthropic models. Use `aws bedrock list-inference-profiles --region <region>` to discover what your account can invoke.
 - **`bedrock.profile`** is independent from operational profiles. The agent calls Bedrock under `bedrock.profile`, but each AWS CLI command it issues uses its own `--profile` (resolved from the user's prompt / history). This is the right pattern when one account holds Bedrock entitlements and other accounts hold workloads.
 - If `bedrock.region` is unset, falls back to `AWS_REGION` / `AWS_DEFAULT_REGION` env vars.
+- Bedrock uses the AWS credential chain — there's no `apiKey` field.
 
 ### Prompt caching
 

package/dist/agent.js

@@ -1,4 +1,5 @@
 import { streamText, stepCountIs } from 'ai';
+import { getActiveModel } from './config.js';
 import { createModel } from './providers.js';
 import { createTools } from './tools/index.js';
 import { FatalAwsCliError, UserCancelledError } from './errors.js';
@@ -60,8 +61,9 @@ export async function runAgent(opts) {
     // the tools array is sent at full cost on every request.
     const useCaching = config.caching && (config.provider === 'anthropic' || config.provider === 'bedrock');
     const tools = createTools({ logger, config, history, audit, record });
-    const model = createModel(config);
-    logger.info(`Starting agent (provider=${config.provider}, model=${config.model})`);
+    const model = createModel(config, logger);
+    const activeModel = getActiveModel(config);
+    logger.info(`Starting agent (provider=${config.provider}, model=${activeModel})`);
     logger.debug('User input', input);
     reasoning.beginRun(input);
     // Inline a small recent-history hint so the model has soft context even
@@ -328,7 +330,7 @@ export async function runAgent(opts) {
     usage.log({
         input,
         provider: config.provider,
-        model: config.model,
+        model: activeModel,
         steps: finalSteps.length,
         promptTokens: totalUsage?.inputTokens ?? 0,
         completionTokens: totalUsage?.outputTokens ?? 0,

package/dist/cli.js

@@ -1,6 +1,6 @@
 import { Command } from 'commander';
 import chalk from 'chalk';
-import { loadConfig, writeDefaultConfig } from './config.js';
+import { loadConfig, validateActiveProvider, writeDefaultConfig } from './config.js';
 import { Logger } from './logger.js';
 import { AuditLogger } from './audit.js';
 import { ReasoningLogger } from './reasoning.js';
@@ -9,7 +9,7 @@ import { History } from './history.js';
 import { runAgent } from './agent.js';
 import { FILES, PATHS, DEFAULT_SCRIPT_FOLDER } from './paths.js';
 import { UserCancelledError } from './errors.js';
-const VERSION = '0.5.0';
+const VERSION = '0.6.1';
 /**
  * Apply CLI flags on top of the loaded config. Flags only override; they
  * never widen or compose with each other implicitly.
@@ -103,6 +103,19 @@ export async function main(argv) {
             return;
         }
         const cfg = applyCliOverrides(loadConfig(), globalOpts);
+        // Strict validation: the active provider must have a config block with
+        // a `model` set. Deferred from loadConfig so subcommands like `paths`
+        // and `history` work even without a config file. The run command is
+        // the one that actually needs a complete provider, so we check here.
+        try {
+            validateActiveProvider(cfg);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            process.stderr.write(chalk.red('Config error: ') + msg + '\n');
+            process.exitCode = 1;
+            return;
+        }
         const logger = new Logger(cfg.logging.level);
         const audit = new AuditLogger(cfg.logging.auditLog);
         const reasoning = new ReasoningLogger({

package/dist/config.d.ts

@@ -1,14 +1,28 @@
 import { z } from 'zod';
 export declare const ConfigSchema: z.ZodObject<{
     provider: z.ZodDefault<z.ZodEnum<{
-        bedrock: "bedrock";
         anthropic: "anthropic";
         openai: "openai";
         google: "google";
+        bedrock: "bedrock";
     }>>;
-    model: z.ZodDefault<z.ZodString>;
-    apiKeyEnv: z.ZodOptional<z.ZodString>;
+    anthropic: z.ZodOptional<z.ZodObject<{
+        model: z.ZodOptional<z.ZodString>;
+        apiKey: z.ZodOptional<z.ZodString>;
+        apiKeyEnv: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    openai: z.ZodOptional<z.ZodObject<{
+        model: z.ZodOptional<z.ZodString>;
+        apiKey: z.ZodOptional<z.ZodString>;
+        apiKeyEnv: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    google: z.ZodOptional<z.ZodObject<{
+        model: z.ZodOptional<z.ZodString>;
+        apiKey: z.ZodOptional<z.ZodString>;
+        apiKeyEnv: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
     bedrock: z.ZodOptional<z.ZodObject<{
+        model: z.ZodOptional<z.ZodString>;
         region: z.ZodOptional<z.ZodString>;
         profile: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>;
@@ -38,6 +52,33 @@ export declare const ConfigSchema: z.ZodObject<{
     scriptFolder: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export type Config = z.infer<typeof ConfigSchema>;
+/**
+ * Resolve the active provider's model. The schema marks `model` optional
+ * per-block so that we can produce a single coherent error message in
+ * `validateActiveProvider` rather than zod's multi-issue tree. Call this
+ * only after validateActiveProvider has passed.
+ */
+export declare function getActiveModel(config: Config): string;
+/**
+ * Strict post-parse validation for the active provider's block. The active
+ * provider's block must exist and must contain a `model`. Pre-1.0 we treat
+ * this as a hard error rather than scaffolding defaults, so the user always
+ * knows exactly what's being called and at what cost.
+ *
+ * Call this from code paths that actually run the agent — the `run` command.
+ * Subcommands that don't need a provider (`paths`, `config`, `history`)
+ * skip this check, so a user with no config file can still use them.
+ */
+export declare function validateActiveProvider(config: Config): void;
 export declare function loadConfig(): Config;
-/** Write a default config file if none exists. Returns the path either way. */
+/**
+ * Write a default config file if none exists. Scaffolds only the active
+ * provider's block (just `model`), deliberately not creating slots for
+ * other providers (less to read) and not scaffolding `apiKey` (less
+ * temptation to put secrets on disk).
+ *
+ * Sets mode 0600 on the file. This doesn't protect against a user editing
+ * with `cp` or moving the file later, but ensures that the file as we
+ * create it isn't world-readable.
+ */
 export declare function writeDefaultConfig(): string;

package/dist/config.js

@@ -2,8 +2,8 @@ import fs from 'node:fs';
 import { z } from 'zod';
 import { FILES, PATHS } from './paths.js';
 /**
- * Logging configuration. All three keys are optional in the file; defaults
- * tilt toward "quiet but auditable" — a tool that writes to your AWS account
+ * Logging configuration. All keys are optional in the file; defaults tilt
+ * toward "quiet but auditable" — a tool that writes to your AWS account
  * should leave a paper trail by default, but shouldn't be noisy on the
  * console unless you ask.
  */
@@ -16,9 +16,6 @@ const LoggingSchema = z
     reasoningLog: z.boolean().default(false),
     usageLog: z.boolean().default(true),
 })
-    // zod v4 requires .default() to receive a fully-typed value, not `{}`.
-    // We list every field explicitly here; values must match the inner
-    // .default()s above to avoid silently changing defaults.
     .default({
     level: 'error',
     auditLog: true,
@@ -26,58 +23,72 @@ const LoggingSchema = z
     usageLog: true,
 });
 /**
- * Bedrock-specific configuration. Only meaningful when `provider = bedrock`;
- * both keys are optional within that.
+ * Per-provider configuration for the three keyed providers (Anthropic,
+ * OpenAI, Google). Each block is optional in the file — but when the
+ * top-level `provider` is set to one of these, the matching block must
+ * exist AND contain a `model`. That validation runs in the post-parse
+ * step (see `validateActiveProvider`).
+ *
+ * `apiKey` SECURITY NOTE: Putting the key here means it persists to disk.
+ * Prefer the environment variable (default name, or override via
+ * `apiKeyEnv`). The env var always wins if both are set.
+ */
+const KeyedProviderSchema = z
+    .object({
+    model: z.string().optional(),
+    apiKey: z.string().optional(),
+    apiKeyEnv: z.string().optional(),
+})
+    .optional();
+/**
+ * Bedrock has a different shape: no apiKey (uses the AWS credential chain),
+ * but adds region and profile. Like the keyed providers, this block is
+ * optional in the file but required when `provider = "bedrock"`.
  */
 const BedrockSchema = z
     .object({
+    model: z.string().optional(),
     region: z.string().optional(),
     profile: z.string().optional(),
 })
     .optional();
 export const ConfigSchema = z.object({
-    /** Which remote AI provider to call. */
+    /**
+     * Which provider is active. The matching top-level block (anthropic /
+     * openai / google / bedrock) must exist and contain a `model`. Use
+     * `aca config` to see a working default scaffold.
+     */
     provider: z
         .enum(['anthropic', 'openai', 'google', 'bedrock'])
         .default('anthropic'),
-    /** Model identifier passed to the provider. */
-    model: z.string().default('claude-sonnet-4-5-20250929'),
-    /**
-     * Optional override for the env var name that holds the API key.
-     * Ignored when provider = "bedrock" (Bedrock uses the AWS credential chain).
-     */
-    apiKeyEnv: z.string().optional(),
-    /**
-     * Bedrock provider settings (region + profile). Only used when
-     * provider = "bedrock". See providers.ts for fallback chain.
-     */
+    // Per-provider blocks. Each is independently optional; the active
+    // provider's block is validated separately for completeness.
+    anthropic: KeyedProviderSchema,
+    openai: KeyedProviderSchema,
+    google: KeyedProviderSchema,
     bedrock: BedrockSchema,
     /**
-     * Default AWS region for AWS CLI commands the agent executes. Used when the
-     * user didn't mention a region in the request and history didn't supply one.
-     * Overridable per-run with --region. Independent of `bedrock.region`.
+     * Default AWS region for AWS CLI commands the agent executes. Used when
+     * the user didn't mention a region in the request and history didn't
+     * supply one. Overridable per-run with --region. Independent of
+     * `bedrock.region` (which is for Bedrock API calls, not AWS CLI calls).
      */
     defaultRegion: z.string().optional(),
     /** Max reasoning/tool-use steps before the agent must conclude. */
     maxSteps: z.number().int().min(1).max(50).default(15),
-    /** All logging knobs live here — see LoggingSchema for details. */
+    /** All logging knobs. */
     logging: LoggingSchema,
     /**
-     * Prompt caching. When true, the system prompt + tool definitions (the
-     * long-lived prefix sent on every step) are marked cacheable for providers
-     * that support it. Cache hits cost ~10% of normal input tokens (Anthropic
-     * direct and Bedrock-via-Anthropic). OpenAI auto-caches large prompts and
-     * ignores this flag. Google Gemini's caching API isn't supported yet —
-     * this flag is silently ignored for that provider. Default true: most
-     * users invoke `aca` more than once every 5 minutes, so the cache pays
-     * for itself quickly; users running it rarely can disable it to avoid
-     * the small cache-write premium on each first call.
+     * Prompt caching. When true, the cacheable prefix is marked so providers
+     * that support it can cache hits cheaply (~10% of normal input tokens
+     * on Anthropic and Bedrock-via-Anthropic). OpenAI auto-caches large
+     * prompts and ignores this flag. Google Gemini's caching API isn't
+     * wired up yet; this flag is silently ignored for that provider.
      */
     caching: z.boolean().default(true),
     /**
-     * When true, reasoning steps are echoed to stderr in real time. Independent
-     * of `logging.reasoningLog`: you can have file logging on and console echo
-     * off, or vice versa. Overridable per-run with --verbose.
+     * Echo reasoning to stderr in real time. Independent of
+     * `logging.reasoningLog`. Override per-run with --verbose.
      */
     verbose: z.boolean().default(false),
     /** Auto-approval policy for command/script execution. */
@@ -90,25 +101,97 @@ export const ConfigSchema = z.object({
     })
         .default({ readOnly: true, all: false }),
     /**
-     * When true, every AWS CLI command runs in interactive mode (stdio inherited
-     * from the parent terminal). This is the persistent equivalent of the
-     * `--interactive` / `-i` CLI flag — useful in rare edge cases where the
-     * pattern-based auto-detection misses a command that needs a TTY. Almost
-     * always you want to leave this unset and rely on either the CLI flag for
-     * one-off invocations or the per-tool-call override the agent can set.
+     * Force every AWS CLI command into interactive (TTY) mode. Almost always
+     * leave this unset and use the --interactive / -i CLI flag instead.
      */
     forceInteractive: z.boolean().default(false),
-    /** Maximum number of history entries kept in memory. */
+    /** Max history entries kept in memory. */
     historyLimit: z.number().int().min(0).default(200),
     /**
-     * Directory where the user may save generated bash scripts (offered as an
-     * alternative to executing them inline). Defaults to
+     * Directory where generated bash scripts are saved when the user picks
+     * "Save to disk" at the prompt. Defaults to
      * $XDG_DATA_HOME/aws-cli-agent/scripts.
      */
     scriptFolder: z.string().optional(),
 });
+/**
+ * Map of provider → label used in error messages and the migration hint.
+ * Kept here (not in providers.ts) so config-load errors don't depend on
+ * the provider module.
+ */
+const PROVIDER_LABELS = {
+    anthropic: 'anthropic',
+    openai: 'openai',
+    google: 'google',
+    bedrock: 'bedrock',
+};
+/**
+ * Resolve the active provider's model. The schema marks `model` optional
+ * per-block so that we can produce a single coherent error message in
+ * `validateActiveProvider` rather than zod's multi-issue tree. Call this
+ * only after validateActiveProvider has passed.
+ */
+export function getActiveModel(config) {
+    const block = config[config.provider];
+    // model is guaranteed by validateActiveProvider.
+    return block.model;
+}
+/**
+ * Strict post-parse validation for the active provider's block. The active
+ * provider's block must exist and must contain a `model`. Pre-1.0 we treat
+ * this as a hard error rather than scaffolding defaults, so the user always
+ * knows exactly what's being called and at what cost.
+ *
+ * Call this from code paths that actually run the agent — the `run` command.
+ * Subcommands that don't need a provider (`paths`, `config`, `history`)
+ * skip this check, so a user with no config file can still use them.
+ */
+export function validateActiveProvider(config) {
+    const active = config.provider;
+    const block = config[active];
+    if (!block) {
+        throw new Error(`config.provider is "${active}" but no top-level "${PROVIDER_LABELS[active]}" ` +
+            `block was found. At minimum add: ` +
+            `{ "${active}": { "model": "<model-id>" } }. Run \`aca config\` to see a ` +
+            `working default scaffold.`);
+    }
+    if (!block.model) {
+        throw new Error(`config.${active}.model is required. Set it to the model identifier you ` +
+            `want to use (e.g. "claude-sonnet-4-6" for anthropic).`);
+    }
+}
+/**
+ * Detect the pre-0.6 config shape and produce a helpful migration error
+ * rather than the cryptic "Required" zod failures the user would otherwise
+ * get. Heuristic: a top-level `model` or top-level `apiKeyEnv` is a strong
+ * signal of an old config, since neither key exists in the new schema.
+ */
+function detectLegacyShape(raw) {
+    if (typeof raw !== 'object' || raw === null)
+        return;
+    const obj = raw;
+    if ('model' in obj || 'apiKeyEnv' in obj) {
+        throw new Error(`Config file uses the pre-0.6.0 shape (top-level "model" / "apiKeyEnv" / ` +
+            `flat "bedrock" block). The new shape moves these into per-provider blocks:\n` +
+            `\n` +
+            `  Old:                              New:\n` +
+            `    "provider": "anthropic",          "provider": "anthropic",\n` +
+            `    "model": "claude-...",            "anthropic": {\n` +
+            `    "apiKeyEnv": "MY_KEY"               "model": "claude-...",\n` +
+            `                                        "apiKeyEnv": "MY_KEY"\n` +
+            `                                      }\n` +
+            `\n` +
+            `For bedrock, move the existing "region"/"profile" alongside a new\n` +
+            `"model" field, all under the "bedrock" block.\n` +
+            `\n` +
+            `To start fresh: rename your old config, run \`aca config\`, then copy values across.`);
+    }
+}
 export function loadConfig() {
     if (!fs.existsSync(FILES.config)) {
+        // No file = pure defaults. Strict validation is deferred to callers
+        // who actually need the provider (the `run` command), so subcommands
+        // like `paths`, `config`, `history` work without a config file.
         return ConfigSchema.parse({});
     }
     let raw;
@@ -118,14 +201,41 @@ export function loadConfig() {
     catch (err) {
         throw new Error(`Config file at ${FILES.config} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
     }
+    detectLegacyShape(raw);
     return ConfigSchema.parse(raw);
 }
-/** Write a default config file if none exists. Returns the path either way. */
+/**
+ * Write a default config file if none exists. Scaffolds only the active
+ * provider's block (just `model`), deliberately not creating slots for
+ * other providers (less to read) and not scaffolding `apiKey` (less
+ * temptation to put secrets on disk).
+ *
+ * Sets mode 0600 on the file. This doesn't protect against a user editing
+ * with `cp` or moving the file later, but ensures that the file as we
+ * create it isn't world-readable.
+ */
 export function writeDefaultConfig() {
     fs.mkdirSync(PATHS.config, { recursive: true });
     if (!fs.existsSync(FILES.config)) {
-        const defaults = ConfigSchema.parse({});
-        fs.writeFileSync(FILES.config, JSON.stringify(defaults, null, 2) + '\n');
+        const defaults = {
+            provider: 'anthropic',
+            anthropic: { model: 'claude-sonnet-4-6' },
+            maxSteps: 15,
+            logging: {
+                level: 'error',
+                auditLog: true,
+                reasoningLog: false,
+                usageLog: true,
+            },
+            caching: true,
+            verbose: false,
+            autoApprove: { readOnly: true, all: false },
+            forceInteractive: false,
+            historyLimit: 200,
+        };
+        fs.writeFileSync(FILES.config, JSON.stringify(defaults, null, 2) + '\n', {
+            mode: 0o600,
+        });
     }
     return FILES.config;
 }

package/dist/errors.d.ts

@@ -47,11 +47,33 @@ export declare class FatalAwsCliError extends Error {
  */
 export declare const FATAL_AWS_EXIT_CODES: Set<number>;
 /**
- * Wrap an Inquirer prompt promise so that Ctrl-C (which Inquirer reports
- * as `ExitPromptError`) becomes our `UserCancelledError` sentinel. The
- * Inquirer error class isn't easily importable, so we detect by `.name`.
- * Re-throws any other error unchanged.
+ * Wrap an Inquirer prompt call so that:
  *
- *   const answer = await wrapPrompt(confirm({ message: '...' }));
+ *   1. The prompt's question text renders on stderr, not stdout. Critical
+ *      for `aca "..." > file.txt` — without this, the prompt would be
+ *      silently swallowed into the redirected file while the user stared
+ *      at a frozen terminal waiting for an invisible question.
+ *
+ *   2. Ctrl-C (which Inquirer reports as `ExitPromptError`) becomes our
+ *      `UserCancelledError` sentinel. The Inquirer error class isn't
+ *      easily importable, so we detect by `.name`.
+ *
+ * The `output` option lives on Inquirer's `context` parameter (the second
+ * positional argument), NOT on the config object. Spreading it into the
+ * config silently does nothing — TypeScript accepts the extra property,
+ * but at runtime Inquirer ignores it. Pass the prompt as a thunk so we
+ * can inject the context at the call site:
+ *
+ *   const ok = await wrapPrompt((ctx) =>
+ *     confirm({ message: 'Execute?', default: true }, ctx),
+ *   );
+ *
+ * The thunk pattern is slightly more verbose than `wrapPrompt(confirm(...))`
+ * was, but it's the only shape that lets us centralize the context
+ * injection. Forgetting to pass `ctx` through to the Inquirer call is
+ * impossible to do silently — TypeScript will infer ctx's type and lint
+ * unused parameters.
  */
-export declare function wrapPrompt<T>(p: Promise<T>): Promise<T>;
+export declare function wrapPrompt<T>(factory: (ctx: {
+    output: NodeJS.WritableStream;
+}) => Promise<T>): Promise<T>;

package/dist/errors.js

@@ -56,16 +56,36 @@ export class FatalAwsCliError extends Error {
  */
 export const FATAL_AWS_EXIT_CODES = new Set([252, 253, 254, 255]);
 /**
- * Wrap an Inquirer prompt promise so that Ctrl-C (which Inquirer reports
- * as `ExitPromptError`) becomes our `UserCancelledError` sentinel. The
- * Inquirer error class isn't easily importable, so we detect by `.name`.
- * Re-throws any other error unchanged.
+ * Wrap an Inquirer prompt call so that:
  *
- *   const answer = await wrapPrompt(confirm({ message: '...' }));
+ *   1. The prompt's question text renders on stderr, not stdout. Critical
+ *      for `aca "..." > file.txt` — without this, the prompt would be
+ *      silently swallowed into the redirected file while the user stared
+ *      at a frozen terminal waiting for an invisible question.
+ *
+ *   2. Ctrl-C (which Inquirer reports as `ExitPromptError`) becomes our
+ *      `UserCancelledError` sentinel. The Inquirer error class isn't
+ *      easily importable, so we detect by `.name`.
+ *
+ * The `output` option lives on Inquirer's `context` parameter (the second
+ * positional argument), NOT on the config object. Spreading it into the
+ * config silently does nothing — TypeScript accepts the extra property,
+ * but at runtime Inquirer ignores it. Pass the prompt as a thunk so we
+ * can inject the context at the call site:
+ *
+ *   const ok = await wrapPrompt((ctx) =>
+ *     confirm({ message: 'Execute?', default: true }, ctx),
+ *   );
+ *
+ * The thunk pattern is slightly more verbose than `wrapPrompt(confirm(...))`
+ * was, but it's the only shape that lets us centralize the context
+ * injection. Forgetting to pass `ctx` through to the Inquirer call is
+ * impossible to do silently — TypeScript will infer ctx's type and lint
+ * unused parameters.
  */
-export async function wrapPrompt(p) {
+export async function wrapPrompt(factory) {
     try {
-        return await p;
+        return await factory({ output: process.stderr });
     }
     catch (err) {
         if (err instanceof Error && err.name === 'ExitPromptError') {

package/dist/providers.d.ts

@@ -1,16 +1,29 @@
 import type { LanguageModel } from 'ai';
 import type { Config } from './config.js';
+import type { Logger } from './logger.js';
 /**
  * Build a LanguageModel from config.
  *
- * For anthropic / openai / google: API keys are read from environment
- * variables only — never from the config file — to keep secrets out of disk
- * state we don't own.
+ * Per-provider config lives under the matching top-level block:
+ *   config.anthropic.{model, apiKey, apiKeyEnv}
+ *   config.openai.{model, apiKey, apiKeyEnv}
+ *   config.google.{model, apiKey, apiKeyEnv}
+ *   config.bedrock.{model, region, profile}
  *
- * For bedrock: no API key is needed. Authentication uses the standard AWS
- * credential chain (env vars, AWS_PROFILE, ~/.aws/credentials, SSO, IMDS,
- * container roles). Optionally `bedrockProfile` pins a specific named profile,
- * which is useful when the account hosting Bedrock model access is different
- * from the accounts the agent operates against.
+ * For anthropic / openai / google, API key resolution order (per-provider):
+ *   1. Env var named by `<provider>.apiKeyEnv` if set in config
+ *   2. Default env var for the provider (ANTHROPIC_API_KEY etc.)
+ *   3. `<provider>.apiKey` from config (last resort — persists to disk)
+ *   4. Throw with all options listed
+ *
+ * For bedrock: no API key. The AWS credential chain (env vars, AWS_PROFILE,
+ * ~/.aws/credentials, SSO, IMDS, container roles) is used. `bedrock.profile`
+ * optionally pins a specific named profile — useful when the account hosting
+ * Bedrock model access is different from the accounts the agent operates
+ * against.
+ *
+ * The `logger` parameter is used to emit a debug-level note when the key
+ * resolves from config instead of env, so an investigator can see "this run
+ * read the key from disk" in general.log. The key itself is never logged.
  */
-export declare function createModel(config: Config): LanguageModel;
+export declare function createModel(config: Config, logger?: Logger): LanguageModel;

package/dist/providers.js

@@ -3,6 +3,10 @@ import { createOpenAI } from '@ai-sdk/openai';
 import { createGoogleGenerativeAI } from '@ai-sdk/google';
 import { createAmazonBedrock } from '@ai-sdk/amazon-bedrock';
 import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
+/**
+ * Map provider → default env-var name. Used as the second fallback in the
+ * resolution chain (see `requireKey`).
+ */
 const DEFAULT_KEY_ENV = {
     anthropic: 'ANTHROPIC_API_KEY',
     openai: 'OPENAI_API_KEY',
@@ -11,49 +15,100 @@ const DEFAULT_KEY_ENV = {
 /**
  * Build a LanguageModel from config.
  *
- * For anthropic / openai / google: API keys are read from environment
- * variables only — never from the config file — to keep secrets out of disk
- * state we don't own.
+ * Per-provider config lives under the matching top-level block:
+ *   config.anthropic.{model, apiKey, apiKeyEnv}
+ *   config.openai.{model, apiKey, apiKeyEnv}
+ *   config.google.{model, apiKey, apiKeyEnv}
+ *   config.bedrock.{model, region, profile}
+ *
+ * For anthropic / openai / google, API key resolution order (per-provider):
+ *   1. Env var named by `<provider>.apiKeyEnv` if set in config
+ *   2. Default env var for the provider (ANTHROPIC_API_KEY etc.)
+ *   3. `<provider>.apiKey` from config (last resort — persists to disk)
+ *   4. Throw with all options listed
+ *
+ * For bedrock: no API key. The AWS credential chain (env vars, AWS_PROFILE,
+ * ~/.aws/credentials, SSO, IMDS, container roles) is used. `bedrock.profile`
+ * optionally pins a specific named profile — useful when the account hosting
+ * Bedrock model access is different from the accounts the agent operates
+ * against.
  *
- * For bedrock: no API key is needed. Authentication uses the standard AWS
- * credential chain (env vars, AWS_PROFILE, ~/.aws/credentials, SSO, IMDS,
- * container roles). Optionally `bedrockProfile` pins a specific named profile,
- * which is useful when the account hosting Bedrock model access is different
- * from the accounts the agent operates against.
+ * The `logger` parameter is used to emit a debug-level note when the key
+ * resolves from config instead of env, so an investigator can see "this run
+ * read the key from disk" in general.log. The key itself is never logged.
  */
-export function createModel(config) {
+export function createModel(config, logger) {
     switch (config.provider) {
         case 'anthropic': {
-            const apiKey = requireKey(config, 'anthropic');
-            return createAnthropic({ apiKey })(config.model);
+            const block = config.anthropic; // validated upstream
+            const apiKey = requireKey('anthropic', block.apiKey, block.apiKeyEnv, logger);
+            return createAnthropic({ apiKey })(block.model);
         }
         case 'openai': {
-            const apiKey = requireKey(config, 'openai');
-            return createOpenAI({ apiKey })(config.model);
+            const block = config.openai;
+            const apiKey = requireKey('openai', block.apiKey, block.apiKeyEnv, logger);
+            return createOpenAI({ apiKey })(block.model);
         }
         case 'google': {
-            const apiKey = requireKey(config, 'google');
-            return createGoogleGenerativeAI({ apiKey })(config.model);
+            const block = config.google;
+            const apiKey = requireKey('google', block.apiKey, block.apiKeyEnv, logger);
+            return createGoogleGenerativeAI({ apiKey })(block.model);
         }
         case 'bedrock': {
-            const region = config.bedrock?.region ??
-                process.env.AWS_REGION ??
-                process.env.AWS_DEFAULT_REGION;
+            const block = config.bedrock;
+            const region = block.region ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION;
             if (!region) {
                 throw new Error('Bedrock requires a region. Set "bedrock.region" in config or AWS_REGION env var.');
             }
-            const credentialProvider = config.bedrock?.profile
-                ? fromNodeProviderChain({ profile: config.bedrock.profile })
+            const credentialProvider = block.profile
+                ? fromNodeProviderChain({ profile: block.profile })
                 : fromNodeProviderChain();
-            return createAmazonBedrock({ region, credentialProvider })(config.model);
+            return createAmazonBedrock({ region, credentialProvider })(block.model);
         }
     }
 }
-function requireKey(config, provider) {
-    const envName = config.apiKeyEnv ?? DEFAULT_KEY_ENV[provider];
-    const apiKey = process.env[envName];
-    if (!apiKey) {
-        throw new Error(`Missing API key. Set environment variable ${envName} (or override "apiKeyEnv" in config).`);
+/**
+ * Three-tier API key resolution. Returns the key (never logs it). Emits a
+ * debug-level note when the key came from config rather than env, so an
+ * investigator looking at general.log can see what happened.
+ *
+ * When `apiKeyEnv` is set in config but the named env var is empty, we emit
+ * a warning to stderr and fall through to the default env var. The warning
+ * matters because `apiKeyEnv` is an explicit user instruction ("read the
+ * key from THIS variable") — silently using a different source could send
+ * the wrong account's request to the model provider.
+ */
+function requireKey(provider, configKey, configKeyEnv, logger) {
+    // 1. Custom env var name from config takes precedence — when it's set.
+    if (configKeyEnv) {
+        const v = process.env[configKeyEnv];
+        if (v)
+            return v;
+        // The user told us where to look, but the variable is empty. This is
+        // almost always a mistake (typo'd var name, forgot to export it,
+        // wrong shell). Surface it loudly so they fix it; then fall through
+        // to the default env var so the run can still succeed if that's set.
+        process.stderr.write(`Warning: config.${provider}.apiKeyEnv names "${configKeyEnv}" but ` +
+            `that environment variable is not set. Falling back to the default ` +
+            `(${DEFAULT_KEY_ENV[provider]}) or config.${provider}.apiKey.\n`);
+        logger?.warn(`${provider}: configured apiKeyEnv "${configKeyEnv}" is not set in the environment.`);
+    }
+    // 2. Default env var for the provider.
+    const defaultEnv = DEFAULT_KEY_ENV[provider];
+    const fromDefaultEnv = process.env[defaultEnv];
+    if (fromDefaultEnv)
+        return fromDefaultEnv;
+    // 3. Config-stored key — last resort. Note it.
+    if (configKey) {
+        logger?.debug(`${provider}: API key loaded from config file (no env var set). ` +
+            `Prefer ${configKeyEnv ?? defaultEnv} env var for production use.`);
+        return configKey;
     }
-    return apiKey;
+    // 4. Nothing.
+    throw new Error(`No API key found for provider "${provider}". Set one of:\n` +
+        (configKeyEnv
+            ? `  - env var ${configKeyEnv} (named by config.${provider}.apiKeyEnv)\n`
+            : '') +
+        `  - env var ${defaultEnv} (default for ${provider})\n` +
+        `  - config.${provider}.apiKey (persists to disk — env var preferred)`);
 }

package/dist/tools/aws-cli.d.ts

@@ -1,5 +1,20 @@
 import type { Logger } from '../logger.js';
 import type { Config } from '../config.js';
+/**
+ * Read-only verb patterns. Used both to decide whether an AWS CLI call may
+ * auto-approve, and (since 0.7.0) to syntax-highlight bash scripts in the
+ * approval display — read-only verbs render in light blue, mutating in yellow.
+ *
+ * Exported so bash.ts can apply the same classification consistently. If
+ * you add a verb here, the highlighter picks it up automatically.
+ */
+export declare const READ_ONLY_VERBS: RegExp[];
+/**
+ * Full-command patterns that are read-only but don't match a verb prefix
+ * (e.g. `s3 ls`, `sts get-caller-identity` where the resource type isn't a
+ * standard verb). Same usage as READ_ONLY_VERBS.
+ */
+export declare const READ_ONLY_FULL: RegExp[];
 export declare function awsCliTool(opts: {
     logger: Logger;
     config: Config;

package/dist/tools/aws-cli.js

@@ -4,7 +4,15 @@ import { z } from 'zod';
 import { confirm } from '@inquirer/prompts';
 import chalk from 'chalk';
 import { FATAL_AWS_EXIT_CODES, FatalAwsCliError, UserCancelledError, wrapPrompt } from '../errors.js';
-const READ_ONLY_VERBS = [
+/**
+ * Read-only verb patterns. Used both to decide whether an AWS CLI call may
+ * auto-approve, and (since 0.7.0) to syntax-highlight bash scripts in the
+ * approval display — read-only verbs render in light blue, mutating in yellow.
+ *
+ * Exported so bash.ts can apply the same classification consistently. If
+ * you add a verb here, the highlighter picks it up automatically.
+ */
+export const READ_ONLY_VERBS = [
     /^describe-/,
     /^list-/,
     /^get-/,
@@ -15,7 +23,12 @@ const READ_ONLY_VERBS = [
     /^scan$/,
     /^query$/,
 ];
-const READ_ONLY_FULL = [
+/**
+ * Full-command patterns that are read-only but don't match a verb prefix
+ * (e.g. `s3 ls`, `sts get-caller-identity` where the resource type isn't a
+ * standard verb). Same usage as READ_ONLY_VERBS.
+ */
+export const READ_ONLY_FULL = [
     /^s3\s+ls(\s|$)/,
 ];
 /**
@@ -108,14 +121,40 @@ function runCaptured(cmd, args) {
  */
 function runInteractive(cmd, args) {
     return new Promise((resolve, reject) => {
+        // Detach our SIGINT handler for the duration of the child's lifetime.
+        // Background: when the user presses Ctrl-C inside an SSM session, the
+        // OS delivers SIGINT to the whole foreground process group — both the
+        // aws CLI child AND this Node process. Node's default SIGINT handler
+        // would terminate us, which tears down the inherited stdin file
+        // descriptor before the aws CLI has finished its own cleanup. The
+        // result is the aws CLI seeing "input/output error" on /dev/stdin and
+        // printing a confusing error to the user.
+        //
+        // By installing a no-op SIGINT listener, we override Node's default
+        // behavior: Node sees the signal as "handled" and doesn't terminate
+        // us. The aws CLI subprocess gets the signal too (same process group)
+        // and runs its own clean shutdown — closing the SSM session politely,
+        // exiting with code 0 or 130. We then continue normally.
+        //
+        // The listener is removed in `close` so SIGINT during normal agent
+        // reasoning still aborts the run as expected.
+        const noopSigint = () => {
+            /* deliberately empty — see comment above */
+        };
+        process.on('SIGINT', noopSigint);
         const proc = spawn(cmd, args, {
             env: process.env,
-            stdio: 'inherit', // ← the fix: child reuses parent's stdin/stdout/stderr
+            stdio: 'inherit', // child reuses parent's stdin/stdout/stderr
+        });
+        proc.on('error', (err) => {
+            process.removeListener('SIGINT', noopSigint);
+            reject(err);
+        });
+        proc.on('close', (code) => {
+            process.removeListener('SIGINT', noopSigint);
+            // We can't observe stdout/stderr — they went to the user's terminal.
+            resolve({ stdout: '', stderr: '', code: code ?? 0 });
         });
-        proc.on('error', reject);
-        proc.on('close', (code) => 
-        // We can't observe stdout/stderr — they went to the user's terminal.
-        resolve({ stdout: '', stderr: '', code: code ?? 0 }));
     });
 }
 export function awsCliTool(opts) {
@@ -165,7 +204,7 @@ export function awsCliTool(opts) {
                 if (useInteractive) {
                     process.stderr.write(`${chalk.bold('  Mode:    ')}${chalk.yellow('interactive')} (your terminal will be connected to the command)\n`);
                 }
-                const ok = await wrapPrompt(confirm({ message: 'Execute this command?', default: true }));
+                const ok = await wrapPrompt((ctx) => confirm({ message: 'Execute this command?', default: true }, ctx));
                 if (!ok) {
                     opts.logger.warn('User declined command');
                     // Record the declined call so the agent's end-of-run logic sees

package/dist/tools/bash.js

@@ -8,6 +8,7 @@ import { select } from '@inquirer/prompts';
 import chalk from 'chalk';
 import { DEFAULT_SCRIPT_FOLDER } from '../paths.js';
 import { wrapPrompt } from '../errors.js';
+import { READ_ONLY_FULL, READ_ONLY_VERBS } from './aws-cli.js';
 function runProcess(cmd, args) {
     return new Promise((resolve, reject) => {
         const proc = spawn(cmd, args, { env: process.env });
@@ -32,6 +33,109 @@ function indent(s, prefix) {
         .map((l) => prefix + l)
         .join('\n');
 }
+/**
+ * Match an `aws <service> <verb> ...` invocation anywhere within a line.
+ * The lookbehind is intentionally permissive — it matches `aws` at the
+ * start of the line, after a pipe (`| aws ...`), after `time aws ...`,
+ * after `env VAR=val aws ...`, etc. We don't try to be a full shell
+ * parser: that's overkill for a syntax-highlight feature. False positives
+ * (e.g. the literal string `"use aws ec2 ..."` inside an echo) get
+ * highlighted too, but that's preferable to false negatives — and the
+ * surrounding context usually makes them visually distinguishable.
+ *
+ * Captures three groups: service (group 1), verb (group 2), and the rest
+ * of the args up to end of line or a shell metacharacter that ends a
+ * command (group 3). We stop the arg span at `|`, `;`, `&`, `)`, and `>` /
+ * `<` redirections so we don't highlight half of the next pipeline stage.
+ */
+const AWS_CALL_RE = /\baws\s+([a-z][a-z0-9-]*)\s+([a-z][a-z0-9-]*)((?:\s+[^|;&)<>\n]*)?)/g;
+/**
+ * Decide whether an `aws <service> <verb>` invocation is read-only. Uses
+ * the same classification as the per-command auto-approve path so the
+ * highlighting matches the runtime behavior: if the highlight is light
+ * blue, the command would auto-approve with `autoApprove.readOnly: true`
+ * if it were a standalone tool call.
+ */
+function isAwsCallReadOnly(service, verb, restOfArgs) {
+    // READ_ONLY_FULL patterns match against `service verb [args...]`.
+    // We pass the same shape to mirror runtime behavior.
+    const full = `${service} ${verb}${restOfArgs}`;
+    if (READ_ONLY_FULL.some((re) => re.test(full)))
+        return true;
+    if (READ_ONLY_VERBS.some((re) => re.test(verb)))
+        return true;
+    return false;
+}
+/**
+ * Color the AWS CLI invocations inside a script. Read-only calls
+ * (describe-, list-, get-, etc.) render in light blue; mutating calls
+ * (delete-, terminate-, create-, etc.) render in yellow. Non-AWS portions
+ * of each line stay in the script body's default green wrap.
+ *
+ * Implementation note: chalk colors don't nest the way you'd hope. If we
+ * wrapped the whole script in `chalk.green()` and then embedded blue/yellow
+ * spans inside it, the inner spans' closing reset (\u001b[39m) would
+ * disable the green for the remainder of the string. To avoid that, we
+ * render each line piece by piece, explicitly re-applying green to the
+ * non-highlighted spans.
+ */
+function highlightAwsCalls(script) {
+    return script
+        .split('\n')
+        .map((line) => {
+        // Walk the line in pieces, emitting green for plain text and a
+        // distinct color for each AWS invocation. We use the regex's
+        // exec-loop position tracking to splice the line.
+        AWS_CALL_RE.lastIndex = 0;
+        let out = '';
+        let cursor = 0;
+        let m;
+        while ((m = AWS_CALL_RE.exec(line)) !== null) {
+            // The `aws` keyword itself isn't in the capture groups — find it
+            // by scanning backward from the service position.
+            const matchStart = m.index;
+            const service = m[1];
+            const verb = m[2];
+            const restOfArgs = m[3] ?? '';
+            const readOnly = isAwsCallReadOnly(service, verb, restOfArgs);
+            // Pre-`aws` text (e.g. `| `, `time `, or empty for start-of-line)
+            // stays green.
+            if (matchStart > cursor) {
+                out += chalk.green(line.slice(cursor, matchStart));
+            }
+            // The `aws <service> <verb>` triple gets the distinct color.
+            // restOfArgs (the flags and values) stays green — flags are the
+            // boring part, the verb is what the user needs to verify.
+            // Inverse (swaps fg/bg) produces a "highlighter strip" look: the
+            // background takes the color and the text shows through in the
+            // terminal's default foreground. Much more visible against the
+            // green script body than colored text alone would be — the eye
+            // snaps to a block of color faster than to a colored word.
+            // Green strip for read-only (matches the safe/discovery feel of
+            // the surrounding green script body); red strip for mutating
+            // (the classic "stop and look" signal).
+            const highlight = readOnly
+                ? chalk.inverse.blueBright
+                : chalk.inverse.yellowBright;
+            out += highlight(`aws ${service} ${verb}`);
+            if (restOfArgs.length > 0) {
+                out += chalk.green(restOfArgs);
+            }
+            cursor = matchStart + m[0].length;
+        }
+        // Trailing text after the last match stays green.
+        if (cursor < line.length) {
+            out += chalk.green(line.slice(cursor));
+        }
+        // If no AWS call was found in the line, fall through with the whole
+        // line in green — same as the old uniform-green behavior.
+        if (out === '') {
+            out = chalk.green(line);
+        }
+        return out;
+    })
+        .join('\n');
+}
 /**
  * Compute a filesystem-friendly filename for a saved script.
  * Combines a timestamp (so files sort chronologically) with a short slug
@@ -64,7 +168,11 @@ export function bashScriptTool(opts) {
             process.stderr.write('\n');
             process.stderr.write(`${chalk.bold('  Reason: ')}${purpose}\n`);
             process.stderr.write(`${chalk.bold('  Script:')}\n`);
-            process.stderr.write(chalk.green(indent(script, '    ')) + '\n');
+            // Render the script with AWS calls highlighted. Read-only calls
+            // (describe-, list-, get-, etc.) render in light blue; mutating calls
+            // (delete-, terminate-, create-, etc.) render in yellow. Everything
+            // else stays green. See highlightAwsCalls for the parser caveats.
+            process.stderr.write(highlightAwsCalls(indent(script, '    ')) + '\n');
             // The save-to-disk option respects the configured folder, or falls back
             // to the XDG default. Compute the would-be path *before* prompting so
             // the user can see exactly where it'll land.
@@ -75,7 +183,7 @@ export function bashScriptTool(opts) {
             // — auto-approving them would defeat a primary safety boundary. The
             // autoApprove flag remains in effect for individual aws CLI commands
             // (where read-only is a meaningful and enforceable category).
-            const action = await wrapPrompt(select({
+            const action = await wrapPrompt((ctx) => select({
                 message: 'What would you like to do with this script?',
                 choices: [
                     { value: 'execute', name: 'Execute now' },
@@ -83,7 +191,7 @@ export function bashScriptTool(opts) {
                     { value: 'cancel', name: 'Cancel' },
                 ],
                 default: 'execute',
-            }));
+            }, ctx));
             if (action === 'cancel') {
                 opts.logger.warn('User cancelled script');
                 // Record the cancelled call so the agent's end-of-run logic sees

package/dist/tools/prompt.js

@@ -45,28 +45,31 @@ async function askOne(q, logger) {
             if (!q.choices || q.choices.length === 0) {
                 throw new Error('kind="choice" requires non-empty `choices`.');
             }
-            const answer = await wrapPrompt(select({
+            // Capture narrowed value: TS loses the q.choices !== undefined
+            // narrowing across the closure boundary below.
+            const choices = q.choices;
+            const answer = await wrapPrompt((ctx) => select({
                 message: q.message,
-                choices: q.choices.map((c) => ({ value: c, name: c })),
+                choices: choices.map((c) => ({ value: c, name: c })),
                 default: q.defaultValue,
-            }));
+            }, ctx));
             return answer;
         }
         case 'confirm': {
             const def = (q.defaultValue ?? 'yes').toLowerCase().startsWith('y');
-            const answer = await wrapPrompt(confirm({ message: q.message, default: def }));
+            const answer = await wrapPrompt((ctx) => confirm({ message: q.message, default: def }, ctx));
             return answer ? 'yes' : 'no';
         }
         case 'secret': {
             // Inquirer's password prompt masks input. Used for short secrets like
             // MFA codes; long-lived AWS credentials should always come from the
             // user's profile, not be typed here.
-            const answer = await wrapPrompt(password({ message: q.message, mask: '*' }));
+            const answer = await wrapPrompt((ctx) => password({ message: q.message, mask: '*' }, ctx));
             return answer;
         }
         case 'text':
         default: {
-            const answer = await wrapPrompt(input({ message: q.message, default: q.defaultValue }));
+            const answer = await wrapPrompt((ctx) => input({ message: q.message, default: q.defaultValue }, ctx));
             return answer;
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-cli-agent",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "description": "Agentic AI assistant that turns natural-language requests into AWS CLI commands and runs them locally.",
   "type": "module",
   "bin": {
@@ -51,23 +51,23 @@
   },
   "homepage": "https://github.com/trstnk/aws-cli-agent#readme",
   "dependencies": {
-    "@ai-sdk/amazon-bedrock": "^4.0.106",
-    "@ai-sdk/anthropic": "^3.0.78",
-    "@ai-sdk/google": "^3.0.74",
-    "@ai-sdk/openai": "^3.0.64",
-    "@aws-sdk/credential-providers": "^3.1046.0",
-    "@inquirer/prompts": "^8.4.3",
-    "ai": "^6.0.183",
-    "chalk": "^5.4.0",
-    "commander": "^13.0.0",
+    "@ai-sdk/amazon-bedrock": "^4.0.111",
+    "@ai-sdk/anthropic": "^3.0.81",
+    "@ai-sdk/google": "^3.0.80",
+    "@ai-sdk/openai": "^3.0.67",
+    "@aws-sdk/credential-providers": "^3.1057.0",
+    "@inquirer/prompts": "^8.5.1",
+    "ai": "^6.0.193",
+    "chalk": "^5.6.2",
+    "commander": "^15.0.0",
     "zod": "^4.4.3"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "@types/node": "^25.8.0",
-    "eslint": "^10.4.0",
-    "tsx": "^4.22.0",
+    "@types/node": "^25.9.1",
+    "eslint": "^10.4.1",
+    "tsx": "^4.22.3",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.3"
+    "typescript-eslint": "^8.60.0"
   }
 }