Add support of AWS profile for Bedrock #1190

Open
oleksandr-soldatov wants to merge 6 commits into steipete:main from oleksandr-soldatov:feat/bedrock-aws-profile-auth

Conversation

@oleksandr-soldatov oleksandr-soldatov commented May 27, 2026

Add AWS profile auth support for Bedrock provider

Proof (redacted):

$ aws configure export-credentials --profile <profile> --format process
{ "Version":1, "AccessKeyId":"<len 20>", "SecretAccessKey":"<len 40>",
  "SessionToken":"<len 1056>", "Expiration":"2026-05-28T00:36:44+00:00" }

$ CODEXBAR_BEDROCK_AUTH_MODE=profile AWS_PROFILE=billing \
      .build/debug/CodexBarCLI --provider bedrock --source api --format json --pretty
[
{
  "provider" : "bedrock",
  "source" : "api",
  "usage" : {
    "identity" : {
      "loginMethod" : "Spend: $<redacted>",
      "providerID" : "bedrock"
    },
    "loginMethod" : "Spend: $<redacted>",
    "primary" : null,
    "providerCost" : {
      "currencyCode" : "USD",
      "limit" : 0,
      "period" : "Monthly",
      "resetsAt" : "2026-05-31T23:00:00Z",
      "updatedAt" : "2026-05-27T12:50:28Z",
      "used" : <redacted>
    },
    "secondary" : null,
    "tertiary" : null,
    "updatedAt" : "2026-05-27T12:50:28Z"
  }
}
]

Budget window

$ CODEXBAR_BEDROCK_AUTH_MODE=profile AWS_PROFILE=<profile> \
    CODEXBAR_BEDROCK_BUDGET=<budget> CodexBarCLI --provider bedrock --source api ...
# primary window → usedPercent computed, resetDescription "Monthly budget", monthly reset

Screenshots
image

clawsweeper Bot commented May 27, 2026

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 10:37 AM ET / 14:37 UTC.

Summary
Adds Bedrock AWS profile authentication through settings/config fields, AWS CLI credential and region resolution, shared API/history credential resolution, docs, and focused tests.

Reproducibility: not applicable as a bug reproduction: this PR adds a new Bedrock auth capability. Source inspection confirms current main lacks AWS profile support, and the PR body supplies redacted after-fix CLI proof for the new path.

Review metrics: 2 noteworthy metrics.

  • Changed surface: 18 files, +818/-42. The auth-provider change spans settings UI, config persistence, environment projection, subprocess credential resolution, usage/history fetching, docs, and tests.
  • Focused test surface: 5 Bedrock/config test files added or extended. The PR has targeted coverage for profile auth, static-key compatibility, credential parsing, and provider-environment projection.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none

Risk before merge

  • Merging this changes Bedrock credential precedence and introduces a persisted auth/profile mode plus AWS CLI subprocess execution for profile credentials; maintainers should explicitly accept that auth-provider surface.
  • Existing users can be affected if their saved Bedrock config, launch environment, AWS_PROFILE, AWS_CLI_PATH, or AWS CLI SSO session does not match the new precedence and failure behavior.
  • The latest head had no reported GitHub status contexts during review, so project validation such as focused Bedrock/config tests and make check should pass before merge.

Maintainer options:

  1. Merge after auth-provider sign-off (recommended)
    Maintainers can accept the profile-auth behavior once they are comfortable with the credential precedence, AWS CLI execution path, and validation results.
  2. Tighten precedence before merge
    If maintainers do not want ambient AWS_PROFILE or AWS_CLI_PATH to influence Bedrock when saved config exists, require a narrower explicit-settings-only profile mode before landing.
  3. Defer profile auth
    If local AWS CLI credential execution is not a desired app responsibility, pause or close this PR and keep Bedrock on static access keys for now.

Next step before merge
No automated repair is needed; the remaining gate is maintainer auth-provider/compatibility approval plus normal validation.

Security
Cleared: The diff adds AWS CLI credential resolution through the existing subprocess runner and separated arguments, with no concrete supply-chain or secret-handling regression found beyond the merge-risk auth review.

Review details

Best possible solution:

Land this after maintainer auth-provider sign-off and normal project validation, keeping the saved-key upgrade behavior now present on the latest head.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction: this PR adds a new Bedrock auth capability. Source inspection confirms current main lacks AWS profile support, and the PR body supplies redacted after-fix CLI proof for the new path.

Is this the best way to solve the issue?

Yes, with maintainer sign-off. The shared resolver is the maintainable shape because API and history fetches use the same credential path, and the latest head now covers the saved-key upgrade case.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 83ed8e405541.

Label changes

Label changes:

  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes redacted after-fix terminal output showing AWS profile credential export and CodexBarCLI returning Bedrock usage JSON; the screenshot is supplemental.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P2: This is a useful provider-auth improvement with limited blast radius, but it still needs maintainer auth-provider review before merge.
  • merge-risk: 🚨 compatibility: The PR changes Bedrock credential precedence and persisted config behavior for existing static-key users and ambient AWS profile environments.
  • merge-risk: 🚨 auth-provider: The PR changes Bedrock credential resolution, AWS CLI profile execution, profile/session errors, and region/profile precedence.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes redacted after-fix terminal output showing AWS profile credential export and CodexBarCLI returning Bedrock usage JSON; the screenshot is supplemental.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted after-fix terminal output showing AWS profile credential export and CodexBarCLI returning Bedrock usage JSON; the screenshot is supplemental.
Evidence reviewed

What I checked:

Likely related people:

  • afalk42: GitHub history for the Bedrock descriptor points to the Add AWS Bedrock provider commit, which added Bedrock settings, signing, Cost Explorer fetches, docs, and regression coverage. (role: introduced Bedrock provider; confidence: high; commits: 2905c5e82e92; files: Sources/CodexBarCore/Providers/Bedrock/BedrockProviderDescriptor.swift, Sources/CodexBarCore/Providers/Bedrock/BedrockSettingsReader.swift, Sources/CodexBarCore/Providers/Bedrock/BedrockUsageStats.swift)
  • steipete: Local blame/current-main history and GitHub path history show recent work across provider config projection and cost usage infrastructure that this PR extends. (role: recent adjacent contributor; confidence: high; commits: 83ed8e405541, 81cf30a6d5e1, d715648cf23d; files: Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift, Sources/CodexBarCore/CostUsageFetcher.swift, Sources/CodexBarCore/Providers/Bedrock/BedrockProviderDescriptor.swift)
  • mstallone: Recent ProviderConfigEnvironment history includes OpenAI project scoping and legacy fallback preservation, which is adjacent to this PR's saved-config versus ambient-env precedence decisions. (role: adjacent config-precedence contributor; confidence: medium; commits: 807d07d0c4d2; files: Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
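
Added example (not code from this PR or from CodexBar, and written in Python rather than the project's Swift): one way to run the `aws configure export-credentials` call from the PR body with separated arguments and to validate its output before the credentials are used. The function names, the profile-name allow-list, the one-minute expiry skew and the 30-second timeout are assumptions of this example.

```python
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed allow-list: no leading "-" (option injection), no shell metacharacters.
PROFILE_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@+-]{0,127}")
# Constructed sample with the field lengths from the PR's redacted proof.
SAMPLE = json.dumps({"Version": 1, "AccessKeyId": "A" * 20, "SecretAccessKey": "s" * 40,
                     "SessionToken": "t" * 1056, "Expiration": "2026-05-28T00:36:44+00:00"})

def export_argv(profile, aws_cli="aws"):
    """Build the AWS CLI call as separate argv items; no shell is involved."""
    if not PROFILE_RE.fullmatch(profile):
        raise ValueError("invalid profile name")
    return [aws_cli, "configure", "export-credentials",
            "--profile", profile, "--format", "process"]

def parse_process_credentials(raw, now=None, skew=timedelta(minutes=1)):
    """Validate the JSON printed by --format process and return the credentials."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError("credential output is not JSON") from None  # never echo raw
    if not isinstance(doc, dict) or doc.get("Version") != 1:
        raise ValueError("unsupported credential format version")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            raise ValueError(f"missing field: {key}")
    expires = None
    if isinstance(doc.get("Expiration"), str):
        expires = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        if expires.tzinfo is None or expires - skew <= now:
            raise ValueError("credentials expired or expiry has no time zone")
    return {"access_key_id": doc["AccessKeyId"], "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc.get("SessionToken"), "expires": expires}

def fetch_profile_credentials(profile, aws_cli="aws"):
    """Run the CLI without a shell and parse what it prints."""
    proc = subprocess.run(export_argv(profile, aws_cli), capture_output=True,
                          text=True, timeout=30, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"aws cli exited with status {proc.returncode}")
    return parse_process_credentials(proc.stdout)

def redacted(creds):
    """Log-safe view showing lengths only, like the PR's redacted proof."""
    return {k: f"<len {len(v)}>" if isinstance(v, str) else v for k, v in creds.items()}
```

Errors carry only the exit status or a field name, so neither the CLI's stderr nor the secret material reaches logs.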

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 87f5fa1a60

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift Outdated
Comment thread Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift Outdated
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 27, 2026
@oleksandr-soldatov oleksandr-soldatov force-pushed the feat/bedrock-aws-profile-auth branch from 4ef4b31 to c995693 Compare May 27, 2026 12:31
@clawsweeper clawsweeper Bot added P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels May 27, 2026
@oleksandr-soldatov
Author

@clawsweeper re-review

clawsweeper Bot commented May 27, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 27, 2026
@oleksandr-soldatov
Author

@clawsweeper re-review

clawsweeper Bot commented May 27, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@oleksandr-soldatov
Author

@clawsweeper re-review

clawsweeper Bot commented May 27, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels May 27, 2026
@clawsweeper clawsweeper Bot added status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels May 27, 2026
@oleksandr-soldatov
Author

@clawsweeper re-review

clawsweeper Bot commented May 27, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels May 27, 2026