rds_ssm_connect 2.0.0 → 2.0.2

package/.github/workflows/release.yml

@@ -77,6 +77,9 @@ jobs:
           npx @yao-pkg/pkg src-tauri/binaries/gui-adapter-bundle.cjs --target ${{ matrix.sidecar_target }} -o src-tauri/binaries/gui-adapter-${{ matrix.sidecar_triple }}
           rm src-tauri/binaries/gui-adapter-bundle.cjs
 
+      - name: Download session-manager-plugin
+        run: node scripts/download-ssm-plugin.js --triple ${{ matrix.sidecar_triple }}
+
       - name: Build Tauri app
         uses: tauri-apps/tauri-action@v0
         env:

package/.github/workflows/update-homebrew.yml

@@ -64,15 +64,10 @@ jobs:
             homepage "https://github.com/yarka-guru/connection_app"
 
             depends_on macos: ">= :monterey"
-            depends_on formula: "aws-vault"
-            depends_on formula: "awscli"
 
             app "RDS SSM Connect.app"
 
             caveats <<~EOS
-              You also need the AWS Session Manager Plugin:
-                brew install --cask session-manager-plugin
-
               Ensure your AWS profiles are configured in ~/.aws/config
             EOS
 
@@ -104,9 +99,6 @@ jobs:
               end
             end
 
-            depends_on "awscli"
-            depends_on "aws-vault"
-
             def install
               system "ar", "x", cached_download
               mkdir_p "extract"
@@ -118,9 +110,6 @@ jobs:
 
             def caveats
               <<~EOS
-                You also need the AWS Session Manager Plugin:
-                  https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
-
                 Ensure your AWS profiles are configured in ~/.aws/config
 
                 On macOS, install the desktop app instead:

package/CLAUDE.md

@@ -4,34 +4,67 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-**rds_ssm_connect** is a Node.js CLI tool that enables secure connections to AWS RDS databases through AWS Systems Manager (SSM) port forwarding via bastion hosts. The tool reads AWS profiles from the user's config, retrieves database credentials from AWS Secrets Manager, and automatically sets up port forwarding through a bastion instance.
+**rds_ssm_connect** is a Node.js CLI tool and Tauri desktop app that enables secure connections to AWS RDS databases through AWS Systems Manager (SSM) port forwarding via bastion hosts. Projects are user-configurable — the tool reads AWS profiles from `~/.aws/config`, loads project definitions from `~/.rds-ssm-connect/projects.json`, retrieves database credentials from AWS Secrets Manager, and sets up port forwarding through a bastion instance.
 
 ## Key Architecture
 
 ### Entry Point
 - `connect.js` - Main executable (shebang: `#!/usr/bin/env node`)
   - Reads AWS profiles from `~/.aws/config`
-  - Uses `inquirer` for interactive environment selection
-  - Executes AWS commands via `aws-vault` wrapper
-  - Establishes SSM port forwarding session
+  - Loads project configs from `~/.rds-ssm-connect/projects.json` via `configLoader.js`
+  - Uses `inquirer` for interactive project/environment selection
+  - Includes first-run wizard when no projects are configured
+  - Uses AWS SDK v3 directly (STS, EC2, RDS, SSM, Secrets Manager, SSO OIDC)
+  - Ensures SSO session is valid before connecting (via `src/sso-login.js`)
+  - Establishes SSM port forwarding session with keepalive and auto-reconnect
 
 ### Configuration
-- `envPortMapping.js` - Multi-project configuration
-  - `PROJECT_CONFIGS` - Object containing per-project settings:
-    - `tln`: TLN/EMR project (us-east-2, Aurora clusters, `rds!cluster` secrets)
-    - `covered`: Covered Healthcare project (us-west-1, RDS instances, `rds!db` secrets)
-  - Each project defines: region, database, secretPrefix, rdsType, rdsPattern, profileFilter, envPortMapping
-  - Legacy exports maintained for backward compatibility
+- `configLoader.js` - Project config CRUD for `~/.rds-ssm-connect/projects.json`
+  - `loadProjectConfigs()` / `saveProjectConfig()` / `deleteProjectConfig()`
+  - `validateProjectConfig()` - validates required fields, region format, port format, shell-safe patterns
+  - Each project defines: name, region, database, secretPrefix, rdsType, engine, rdsPattern, profileFilter, envPortMapping, defaultPort
+
+### GUI Adapter
+- `gui-adapter.js` - JSON stdin/stdout IPC bridge for Tauri sidecar
+  - Commands: `list-projects`, `list-profiles`, `connect`, `disconnect`, `disconnect-all`, `status`, `list-project-configs`, `save-project-config`, `delete-project-config`, `sso-login`, `ping`
+  - Manages multiple simultaneous connections with strict port availability checks
+  - SSO pre-flight validation before connecting
+
+### Backend Modules (src/)
+- `aws-clients.js` - AWS SDK client factory (STS, EC2, RDS, SSM, Secrets Manager)
+- `aws-operations.js` - AWS operations (find bastion, get endpoint, get credentials, start session, etc.)
+- `credential-resolver.js` - AWS credential chain resolution (SSO, profiles)
+- `sso-login.js` - AWS SSO OIDC device authorization flow
+- `plugin-resolver.js` - Locates session-manager-plugin binary
+
+### Tauri Desktop App
+- `src-tauri/src/lib.rs` - Tauri commands (connect, disconnect, saved connections CRUD, project config CRUD, AWS profile CRUD, updates)
+- `src-tauri/tauri.conf.json` - App config, plugins, window settings, bundling
+- Session Manager Plugin is bundled as an external binary
+
+### Frontend (src/)
+- `App.svelte` - Main app shell (Svelte 5 with runes)
+- `lib/ConnectionForm.svelte` - Project/environment selector + connect button
+- `lib/ActiveConnections.svelte` - Live connection panels with credentials
+- `lib/SavedConnections.svelte` - Bookmarked connections list
+- `lib/Settings.svelte` - Project management + AWS profile CRUD + raw config editor
+- `lib/SessionStatus.svelte` - Connection status indicator
+- `lib/UpdateBanner.svelte` - In-app update notification
+- `lib/CopyButton.svelte` - Reusable copy-to-clipboard with feedback
+- `lib/ConfirmDialog.svelte` - Reusable confirmation modal
+- `lib/utils.js` - Shared utilities (clipboard, timeout, focus trap)
 
 ### Core Flow
 1. Read AWS profiles from `~/.aws/config`
-2. Prompt user to select project (TLN or Covered)
-3. Filter and prompt for environment (AWS profile) based on project
-4. Query Secrets Manager for RDS credentials (project-specific prefix)
-5. Find running bastion instance (tagged with `Name=*bastion*`)
-6. Get RDS endpoint (cluster or instance based on project config)
-7. Start SSM port forwarding session with correct remote port
-8. Display connection details for database client
+2. Load project configs from `~/.rds-ssm-connect/projects.json`
+3. Prompt user to select project (filtered by available profiles)
+4. Filter and prompt for environment (AWS profile) based on project's `profileFilter`
+5. Ensure SSO session is valid (OIDC device authorization if needed)
+6. Query Secrets Manager for RDS credentials (project-specific `secretPrefix`)
+7. Find running bastion instance (tagged with `Name=*bastion*`)
+8. Get RDS endpoint (cluster or instance based on project's `rdsType`)
+9. Start SSM port forwarding session with correct local/remote ports
+10. Display connection details for database client
 
 ## Development Commands
 
@@ -45,16 +78,24 @@ npm install
 npm test
 ```
 Tests cover:
-- AWS config parsing
-- Port mapping logic
-- Credentials validation
-- Retry configuration validation
+- Project config loading, validation, and CRUD (`configLoader.test.js`)
+- AWS operations (`aws-operations.test.js`)
+- Credential resolution (`credential-resolver.test.js`)
+- SSO login flow (`sso-login.test.js`)
+- Plugin resolution (`plugin-resolver.test.js`)
+- Port mapping and config parsing (`connect.test.js`)
 
 ### Local Testing
 ```bash
 node connect.js
 ```
 
+### Desktop App Development
+```bash
+npm run dev:gui       # Tauri dev mode (full app)
+npm run build:gui     # Build Tauri desktop app
+```
+
 ### Global Installation (for testing as installed package)
 ```bash
 npm install -g .
@@ -62,38 +103,34 @@ rds_ssm_connect
 ```
 
 ### Publishing
-Package is published to npm via GitHub Actions workflow (`.github/workflows/npm-publish.yml`) when a release is created.
+- **npm**: Published via GitHub Actions workflow (`.github/workflows/npm-publish.yml`) when a release is created
+- **Desktop**: Multi-platform builds (macOS ARM64/x64, Linux ARM64/x64, Windows x64) via `tauri-action` on git tags
 
 ## Prerequisites for Running
 
-- `aws-vault` - Required for AWS credential management
-- AWS CLI - Required for AWS API calls
 - Node.js (ES modules enabled via `"type": "module"` in package.json)
 - Properly configured `~/.aws/config` with named profiles
+- Session Manager Plugin (bundled in desktop app; CLI requires separate install)
+
+Note: aws-vault and AWS CLI are **not required** — the app uses AWS SDK v3 natively for all API calls and credential resolution.
 
 ## AWS Resource Naming Conventions
 
-The application relies on specific AWS resource naming patterns (per project):
+The application relies on AWS resource naming patterns defined per project in `~/.rds-ssm-connect/projects.json`:
 
-**TLN Project:**
-- **Secrets**: Must start with `rds!cluster`
+- **Secrets**: Must start with the project's `secretPrefix` (e.g., `rds!cluster`, `rds!db`)
 - **Bastion instances**: Must be tagged with `Name=*bastion*` and in `running` state
-- **RDS clusters**: DBClusterIdentifier must end with `-rds-aurora` and be in `available` state
-- **Region**: us-east-2
-
-**Covered Project:**
-- **Secrets**: Must start with `rds!db`
-- **Bastion instances**: Must be tagged with `Name=*bastion*` and in `running` state
-- **RDS instances**: DBInstanceIdentifier must contain `covered-db` and be in `available` state
-- **Region**: us-west-1
-- **AWS Profiles**: Must start with `covered` (e.g., `covered`, `covered-staging`)
+- **RDS clusters**: DBClusterIdentifier must match the project's `rdsPattern` and be `available` (when `rdsType` is `cluster`)
+- **RDS instances**: DBInstanceIdentifier must match the project's `rdsPattern` and be `available` (when `rdsType` is `instance`)
 
 ## Important Notes
 
-- Port assignment is based on project-specific port mappings
+- Projects are user-configurable via `~/.rds-ssm-connect/projects.json` (no hardcoded defaults)
+- Port assignment is based on project-specific `envPortMapping` with `defaultPort` fallback
 - The tool keeps the SSM session running until Ctrl+C is pressed
-- Each project has its own default port if no environment suffix matches
-- AWS region is determined by the selected project
+- AWS region is determined by the selected project's `region` field
+- SSO sessions are validated before connecting; browser opens automatically if needed
+- Desktop app bundles Session Manager Plugin as an external binary
 
 ## Error Handling & Recovery
 
@@ -106,12 +143,26 @@ The application automatically handles the race condition where a bastion instanc
 4. Verifies SSM agent is online using `describe-instance-information`
 5. Retries port forwarding with new instance (max 2 retries)
 
+### Auto-Reconnect
+When an established session drops unexpectedly (idle timeout, network issue):
+
+1. Verifies AWS credentials are still valid (avoids opening SSO tabs when user is away)
+2. Re-discovers infrastructure (bastion may have been replaced by ASG)
+3. Reconnects on the same local port (up to 3 attempts with 3s delay)
+
+### Keepalive
+Periodic TCP pings every 4 minutes prevent SSM from timing out idle connections.
+
 ### Configuration Constants
-All retry/timeout values are configurable in `RETRY_CONFIG`:
+All retry/timeout values are configurable in `RETRY_CONFIG` (`connect.js`):
 - `BASTION_WAIT_MAX_RETRIES`: 20 (time to wait for new instance)
 - `BASTION_WAIT_RETRY_DELAY_MS`: 15000 (delay between instance checks)
 - `PORT_FORWARDING_MAX_RETRIES`: 2 (connection retry attempts)
 - `SSM_AGENT_READY_WAIT_MS`: 10000 (stabilization time after agent online)
+- `KEEPALIVE_INTERVAL_MS`: 240000 (TCP ping interval, 4 minutes)
+- `AUTO_RECONNECT_MAX_RETRIES`: 3 (auto-reconnect attempts)
+- `AUTO_RECONNECT_DELAY_MS`: 3000 (delay between reconnect attempts)
+- `CREDENTIAL_CHECK_TIMEOUT_MS`: 60000 (credential validation timeout)
 
 ### Process Cleanup
-The application registers handlers for `SIGINT`, `SIGTERM`, and `exit` events to properly clean up child processes (SSM sessions) to prevent zombie processes.
+The application registers handlers for `SIGINT`, `SIGTERM`, and `exit` events to properly clean up child processes (SSM sessions) using a three-strategy kill approach (process group, individual SIGTERM, SIGKILL) to prevent zombie processes.

package/README.md

@@ -4,21 +4,22 @@ Secure database tunneling to AWS RDS through SSM port forwarding via bastion hos
 
 ## Features
 
-- **Multi-project support** — TLN (Aurora clusters, us-east-2) and Covered (RDS instances, us-west-1)
-- **Multiple simultaneous connections** with automatic port assignment
+- **User-configurable projects** — define any number of RDS projects (Aurora clusters or RDS instances, PostgreSQL or MySQL)
+- **Multiple simultaneous connections** with strict port availability checks
 - **Saved connections** — bookmark frequently used profiles with one-click connect
-- **Auto-reconnect** — handles `TargetNotConnected` errors by cycling bastion instances via ASG
+- **Auto-reconnect** — transparently reconnects on the same port if the session drops unexpectedly
+- **TargetNotConnected recovery** — cycles bastion instances via ASG when the SSM agent is disconnected
+- **SSO support** — handles AWS SSO (OIDC device authorization) with automatic browser launch
+- **Keepalive** — periodic TCP pings prevent SSM idle timeout
 - **In-app updates** — checks GitHub releases, downloads and installs signed updates
-- **Prerequisites validation** — detects missing `aws-vault` and AWS CLI on launch
 - **Keyboard shortcuts** — `Cmd/Ctrl + ,` for settings
 - **Accessible** — ARIA labels, focus trapping, keyboard navigation, screen reader support
 
 ## Prerequisites
 
-- [aws-vault](https://github.com/99designs/aws-vault) — AWS credential management
-- [AWS CLI](https://aws.amazon.com/cli/) — AWS API access
 - [Node.js](https://nodejs.org/) 22+ (CLI only)
 - AWS profiles configured in `~/.aws/config`
+- [Session Manager Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html) (bundled with desktop app; CLI requires separate install)
 
 ## Installation
 
@@ -29,12 +30,6 @@ brew tap yarka-guru/tap
 brew install --cask rds-ssm-connect
 ```
 
-This installs the desktop app along with `aws-vault` and `awscli` dependencies. You also need the [Session Manager Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html):
-
-```bash
-brew install --cask session-manager-plugin
-```
-
 Or download the `.dmg` directly from [GitHub Releases](https://github.com/yarka-guru/connection_app/releases).
 
 ### Linux
@@ -47,15 +42,10 @@ Or download the `.dmg` directly from [GitHub Releases](https://github.com/yarka-
 echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc
 eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
 
-# Install the app (includes aws-vault and awscli as dependencies)
+# Install the app
 brew tap yarka-guru/tap
 brew install yarka-guru/tap/rds-ssm-connect
 
-# Install Session Manager Plugin (ARM64)
-curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.deb" -o session-manager-plugin.deb
-sudo dpkg -i session-manager-plugin.deb
-# For x86_64, replace ubuntu_arm64 with ubuntu_64bit
-
 # Make brew tools visible to the desktop app
 echo 'export PATH="/home/linuxbrew/.linuxbrew/bin:$PATH"' | sudo tee /etc/profile.d/linuxbrew.sh
 # Log out and back in for this to take effect
@@ -64,41 +54,20 @@ echo 'export PATH="/home/linuxbrew/.linuxbrew/bin:$PATH"' | sudo tee /etc/profil
 #### Option B: Direct .deb install
 
 ```bash
-# 1. Download and install the app
-# ARM64:
-wget https://github.com/yarka-guru/connection_app/releases/latest/download/RDS.SSM.Connect_1.7.5_arm64.deb
-sudo dpkg -i RDS.SSM.Connect_1.7.5_arm64.deb
-# x86_64:
-# wget https://github.com/yarka-guru/connection_app/releases/latest/download/RDS.SSM.Connect_1.7.5_amd64.deb
-# sudo dpkg -i RDS.SSM.Connect_1.7.5_amd64.deb
-
-# 2. Install aws-vault
-# ARM64:
-wget https://github.com/99designs/aws-vault/releases/latest/download/aws-vault-linux-arm64 -O aws-vault
-# x86_64:
-# wget https://github.com/99designs/aws-vault/releases/latest/download/aws-vault-linux-amd64 -O aws-vault
-chmod +x aws-vault && sudo mv aws-vault /usr/local/bin/
-
-# 3. Install AWS CLI
-# ARM64:
-curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o awscliv2.zip
-# x86_64:
-# curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
-unzip awscliv2.zip && sudo ./aws/install
-
-# 4. Install Session Manager Plugin
+# Download and install the app (check GitHub Releases for the latest version)
 # ARM64:
-curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.deb" -o session-manager-plugin.deb
+wget https://github.com/yarka-guru/connection_app/releases/latest/download/RDS.SSM.Connect_2.0.2_arm64.deb
+sudo dpkg -i RDS.SSM.Connect_2.0.2_arm64.deb
 # x86_64:
-# curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o session-manager-plugin.deb
-sudo dpkg -i session-manager-plugin.deb
+# wget https://github.com/yarka-guru/connection_app/releases/latest/download/RDS.SSM.Connect_2.0.2_amd64.deb
+# sudo dpkg -i RDS.SSM.Connect_2.0.2_amd64.deb
 ```
 
 ### Windows
 
 Download the `.msi` or `.exe` installer from [GitHub Releases](https://github.com/yarka-guru/connection_app/releases).
 
-Prerequisites must be installed separately: [aws-vault](https://github.com/99designs/aws-vault), [AWS CLI](https://aws.amazon.com/cli/), [Session Manager Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html).
+No additional prerequisites — the app uses AWS SDK v3 natively.
 
 ### CLI (all platforms)
 
@@ -106,55 +75,100 @@ Prerequisites must be installed separately: [aws-vault](https://github.com/99des
 npm install -g rds_ssm_connect
 ```
 
+The CLI requires the [Session Manager Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html) to be installed separately.
+
 ## Usage
 
 ### Desktop App
 
 Launch the app, select a project and environment, then click **Connect**. Connection credentials are displayed inline with one-click copy buttons. Save connections for quick access later.
 
+Manage projects and AWS profiles in **Settings** (`Cmd/Ctrl + ,`).
+
 ### CLI
 
 ```bash
 rds_ssm_connect
 ```
 
-1. Select a project (TLN or Covered)
-2. Select an environment (AWS profile)
-3. The tool retrieves credentials from Secrets Manager, finds a bastion instance, and starts SSM port forwarding
-4. Use the displayed connection string with your database client (`psql`, pgAdmin, DBeaver, etc.)
+1. On first run with no projects configured, an interactive wizard walks you through creating one
+2. Select a project
+3. Select an environment (AWS profile)
+4. SSO session is validated automatically (opens browser if needed)
+5. The tool retrieves credentials from Secrets Manager, finds a bastion instance, and starts SSM port forwarding
+6. Use the displayed connection details with your database client (`psql`, `mysql`, pgAdmin, DBeaver, etc.)
 
 The tunnel stays open until you press `Ctrl+C`.
 
 ## How It Works
 
 1. Reads AWS profiles from `~/.aws/config`
-2. Filters profiles based on the selected project
-3. Queries AWS Secrets Manager for RDS credentials (project-specific prefix)
-4. Finds a running bastion instance (tagged `Name=*bastion*`)
-5. Gets the RDS endpoint (cluster or instance depending on project)
-6. Starts an SSM port forwarding session with the correct local port
-7. Displays connection details (host, port, username, password, database)
+2. Loads project configurations from `~/.rds-ssm-connect/projects.json`
+3. Filters profiles based on the selected project's `profileFilter`
+4. Ensures AWS SSO session is valid (OIDC device authorization if needed)
+5. Queries AWS Secrets Manager for RDS credentials (project-specific `secretPrefix`)
+6. Finds a running bastion instance (tagged `Name=*bastion*`)
+7. Gets the RDS endpoint (cluster or instance depending on project `rdsType`)
+8. Starts an SSM port forwarding session with the correct local/remote ports
+9. Displays connection details (host, port, username, password, database)
 
 ### Error Recovery
 
-When a bastion instance appears running but SSM agent is disconnected (`TargetNotConnected`, exit code 254):
+**TargetNotConnected** — when a bastion instance appears running but SSM agent is disconnected (exit code 254):
 
 1. Terminates the disconnected instance
 2. Waits for ASG to launch a replacement (up to 20 retries, 15s intervals)
 3. Verifies the SSM agent is online
 4. Retries port forwarding (up to 2 attempts)
 
+**Auto-reconnect** — when an established session drops unexpectedly (idle timeout, network issue):
+
+1. Verifies AWS credentials are still valid (avoids opening SSO tabs when user is away)
+2. Re-discovers infrastructure (bastion may have been replaced by ASG)
+3. Reconnects on the same local port (up to 3 attempts with 3s delay)
+
+**Keepalive** — periodic TCP pings every 4 minutes prevent SSM from timing out idle connections.
+
 ## Project Configuration
 
-| | TLN (EMR) | Covered Healthcare |
-|---|---|---|
-| Region | us-east-2 | us-west-1 |
-| Database | emr | covered_db |
-| RDS type | Aurora cluster | RDS instance |
-| Secret prefix | `rds!cluster` | `rds!db` |
-| Port range | 5432–5452 | 5460–5461 |
+Projects are stored in `~/.rds-ssm-connect/projects.json` and can be managed through the desktop app's Settings UI or the CLI's first-run wizard.
+
+Each project defines:
 
-Port assignments are based on environment suffix mappings defined in `envPortMapping.js`.
+| Field | Description | Example |
+|---|---|---|
+| `name` | Display name | `"My Project"` |
+| `region` | AWS region | `"us-east-2"` |
+| `database` | Database name | `"mydb"` |
+| `secretPrefix` | Secrets Manager prefix | `"rds!cluster"` |
+| `rdsType` | `"cluster"` or `"instance"` | `"cluster"` |
+| `engine` | `"postgres"` or `"mysql"` | `"postgres"` |
+| `rdsPattern` | RDS identifier pattern | `"my-app-rds-aurora"` |
+| `profileFilter` | AWS profile prefix filter (optional) | `"my-app"` |
+| `envPortMapping` | Environment suffix to local port mapping | `{"-staging": "5433"}` |
+| `defaultPort` | Fallback local port | `"5432"` |
+
+Example `projects.json`:
+
+```json
+{
+  "my-project": {
+    "name": "My Project",
+    "region": "us-east-2",
+    "database": "mydb",
+    "secretPrefix": "rds!cluster",
+    "rdsType": "cluster",
+    "engine": "postgres",
+    "rdsPattern": "my-app-rds-aurora",
+    "profileFilter": null,
+    "envPortMapping": {
+      "-prod": "5432",
+      "-staging": "5433"
+    },
+    "defaultPort": "5432"
+  }
+}
+```
 
 ## Development
 
@@ -177,11 +191,18 @@ npm run build:gui     # Build Tauri desktop app
 ### Architecture
 
 ```
-connect.js              CLI entry point (shebang, runs standalone)
+connect.js              CLI entry point + core connection logic
 gui-adapter.js          IPC bridge — JSON stdin/stdout protocol for Tauri sidecar
-envPortMapping.js       Multi-project configuration (regions, ports, patterns)
+configLoader.js         Project config CRUD (~/.rds-ssm-connect/projects.json)
+src/
+  aws-clients.js        AWS SDK client factory (STS, EC2, RDS, SSM, Secrets Manager)
+  aws-operations.js     AWS operations (find bastion, get endpoint, get credentials, etc.)
+  credential-resolver.js  AWS credential chain resolution (SSO, profiles)
+  sso-login.js          AWS SSO OIDC device authorization flow
+  plugin-resolver.js    Locates session-manager-plugin binary
 src-tauri/
-  src/lib.rs            Tauri commands (connect, disconnect, save, update, etc.)
+  src/lib.rs            Tauri commands (connect, disconnect, saved connections, project
+                        config CRUD, AWS profile CRUD, updates, prerequisites check)
   tauri.conf.json       App config, plugins, window settings, bundling
 src/
   App.svelte            Main app shell (Svelte 5 with runes)
@@ -193,8 +214,7 @@ src/
     SavedConnections.svelte  Bookmarked connections list
     ActiveConnections.svelte  Live connection panels with credentials
     SessionStatus.svelte    Connection status indicator
-    Settings.svelte       AWS profile management (CRUD + raw config editor)
-    PrerequisitesCheck.svelte  Missing dependency warnings
+    Settings.svelte       Project management + AWS profile CRUD + raw config editor
     UpdateBanner.svelte   In-app update notification
 ```
 
@@ -203,7 +223,7 @@ src/
 - **Frontend**: Svelte 5 (runes), Vite
 - **Desktop**: Tauri v2 (Rust)
 - **Backend**: Node.js sidecar bundled with esbuild + pkg
-- **AWS SDK**: v3 (EC2, RDS, SSM, Secrets Manager)
+- **AWS SDK**: v3 (STS, EC2, RDS, SSM, Secrets Manager, SSO OIDC)
 - **Linter**: Biome
 
 ## Publishing

package/connect.js

@@ -14,9 +14,10 @@ import {
 import { createAwsClients, destroyAwsClients } from './src/aws-clients.js'
 import * as ops from './src/aws-operations.js'
 import { findPluginBinary, spawnPlugin } from './src/plugin-resolver.js'
+import { ensureSsoSession } from './src/sso-login.js'
 
 // Package info for version checking
-const packageJson = { name: 'rds_ssm_connect', version: '1.8.3' }
+const packageJson = { name: 'rds_ssm_connect', version: '2.0.2' }
 
 // Event emitter for IPC communication
 const ipcEmitter = new EventEmitter()
@@ -962,6 +963,20 @@ async function main() {
       allEnvSuffixes.find((suffix) => ENV === suffix)
     const portNumber = envPortMapping[matchedSuffix] || defaultPort
 
+    // Ensure SSO session is valid (if SSO profile)
+    await ensureSsoSession(ENV, {
+      onEvent: (_event, data) => {
+        if (data?.message) console.log(`\u23F3 ${data.message}`)
+      },
+      onOpenUrl: (url) => {
+        console.log(`\n\uD83C\uDF10 Open this URL in your browser to authorize:\n   ${url}\n`)
+        // Try to open browser automatically
+        const { platform } = process
+        const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'start' : 'xdg-open'
+        try { spawnSync(cmd, [url], { stdio: 'ignore' }) } catch {}
+      },
+    })
+
     // Create SDK clients ONCE for this CLI session
     const clients = createAwsClients(ENV, region)
 
@@ -1021,9 +1036,10 @@ async function main() {
     } finally {
       destroyAwsClients(clients)
     }
-  } catch (_error) {
+  } catch (error) {
+    console.error(`\n\u274C ${error.message || error}`)
     setImmediate(() => {
-      throw new Error('Forcing exit due to unhandled error')
+      process.exit(1)
     })
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rds_ssm_connect",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "type": "module",
   "repository": {
     "type": "git",
@@ -14,7 +14,7 @@
     "@aws-sdk/client-sso-oidc": "^3.1000.0",
     "@aws-sdk/client-sts": "^3.1000.0",
     "@aws-sdk/credential-providers": "^3.1000.0",
-    "fast-xml-parser": "^5.3.6",
+    "fast-xml-parser": "^5.3.8",
     "glob": "^13.0.0",
     "inquirer": "^13.2.2",
     "rimraf": "^6.1.2"
@@ -35,7 +35,7 @@
     "vite": "^6.4.1"
   },
   "overrides": {
-    "fast-xml-parser": "^5.3.6"
+    "fast-xml-parser": "^5.3.8"
   },
   "bin": {
     "rds_ssm_connect": "./connect.js"

package/scripts/download-ssm-plugin.js

@@ -216,6 +216,29 @@ function extractWindowsZip(archivePath, tmpDir) {
     }
   }
 
+  // The AWS Windows zip has nested archives:
+  //   outer.zip → SessionManagerPlugin.zip → package.zip → session-manager-plugin.exe
+  // Extract all nested zips we find.
+  function expandZip(zipPath, destDir) {
+    mkdirSync(destDir, { recursive: true });
+    if (isWindows) {
+      execSync(
+        `powershell -Command "Expand-Archive -Force -Path '${zipPath}' -DestinationPath '${destDir}'"`,
+        { stdio: "pipe" },
+      );
+    } else {
+      execSync(`unzip -o "${zipPath}" -d "${destDir}"`, { stdio: "pipe" });
+    }
+  }
+
+  for (const nestedName of ["SessionManagerPlugin.zip", "package.zip"]) {
+    const found = findFileRecursive(tmpDir, nestedName);
+    if (found) {
+      const destDir = join(tmpDir, nestedName.replace(".zip", "-extracted"));
+      expandZip(found, destDir);
+    }
+  }
+
   // Search for the exe — could be in bin/ subdirectory or at root
   const candidates = [
     join(tmpDir, "bin", "session-manager-plugin.exe"),
@@ -355,12 +378,25 @@ async function processTarget(target) {
 async function main() {
   const args = process.argv.slice(2);
   const currentPlatformOnly = args.includes("--current-platform-only");
+  const tripleIndex = args.indexOf("--triple");
+  const tripleArg = tripleIndex !== -1 ? args[tripleIndex + 1] : null;
 
   // Ensure output directory exists
   mkdirSync(BINARIES_DIR, { recursive: true });
 
   let targets;
-  if (currentPlatformOnly) {
+  if (tripleArg) {
+    targets = TARGETS.filter((t) => t.triple === tripleArg);
+    if (targets.length === 0) {
+      console.error(`Error: Unknown triple "${tripleArg}".`);
+      console.error("Available triples:");
+      for (const t of TARGETS) {
+        console.error(`  - ${t.triple}`);
+      }
+      process.exit(1);
+    }
+    console.log(`Downloading for triple: ${tripleArg}\n`);
+  } else if (currentPlatformOnly) {
     targets = getTargetsForCurrentPlatform();
     if (targets.length === 0) {
       console.warn(