[BE-0056] feat(serve): web UI AWS SSO sign-in for the Bedrock provider #166
Draft
0x0c wants to merge 10 commits into
Conversation
New proposal under the AI provider configuration topic: start an AWS SSO (IAM Identity Center) sign-in from the bajutsu serve web UI to obtain the AWS credentials the Bedrock provider needs, instead of running 'aws sso login' in the shell before launching serve. Extends BE-0053 (which delegated auth to the AWS credential chain) into the UI, including remote serve (BE-0016 Tier A) via the SSO device-authorization flow. Adds a new 'AI provider configuration' section to the Proposals index in both languages and to build_roadmap_index.py. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add an AWS SSO (IAM Identity Center) device-authorization sign-in to the serve web UI Settings panel: enter a profile, approve the verification link in the browser, and serve sets AWS_PROFILE (in memory, never to disk) so spawned record/crawl jobs resolve Bedrock credentials through that SSO session — no serve restart on re-sign-in (each job is a fresh subprocess).

- bajutsu/serve/sso.py: SsoEngine seam + types + NativeSsoEngine (boto3 sso-oidc device flow, botocore SSOTokenLoader for the token cache; boto3 imported lazily so the default serve/CLI path stays server-free).
- ServeState.sso_engine injectable seam; operations sso_info / sso_login_start / sso_login_poll / sso_logout (env-only, mirroring set_provider / set_api_key).
- Routes /api/sso, /api/sso/login[/<handle>], /api/sso/logout on both the stdlib and FastAPI servers (BE-0051 auth; the login/logout POSTs are admin paths).
- Settings-panel UI (Bedrock only): profile + Sign in, verification URL + code, poll to completion, session status + Sign out.
- tests/serve/test_http_sso.py drives the full flow via a fake engine (gate-green without AWS).

docs/cli.md + ja mirror updated. The native engine's AWS calls need validation against a real IAM Identity Center; the serve wiring, operations, and UI are gate-tested through the injected fake.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0x0c added a commit that referenced this pull request on Jun 21, 2026
Three open PRs were each handed BE-0056 (#166, #169, #170); none had merged, so the roadmap-id-repair workflow — which only fires when a colliding item is already on main — never ran. Resolve the collision by hand: #166 (web-ui-aws-sso-login, opened first) keeps BE-0056, and this item moves to the next free ID. BE-0057 is taken on main and BE-0058 goes to #169, so this becomes BE-0059. Regenerated the index tables. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0x0c added a commit that referenced this pull request on Jun 21, 2026
Three open PRs were each handed BE-0056 (#166, #169, #170); none had merged, so the roadmap-id-repair workflow — which only fires when a colliding item is already on main — never ran. Resolve the collision by hand: #166 (web-ui-aws-sso-login, opened first) keeps BE-0056, and this item moves to the next free ID. BE-0057 is taken on main, so this item becomes BE-0058 (#170 takes BE-0059). Regenerated the index tables. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…597f # Conflicts: # bajutsu/templates/serve.js
…effect) CodeQL flagged the Protocol method '...' stubs as 'statement has no effect'. Replace them with one-line docstrings, matching the existing serve Protocols (SessionStore / LogBus / RunExecutor / ScenarioStore) — silences the finding and is the codebase convention. No behavior change (Protocol methods are never called). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…597f # Conflicts: # bajutsu/templates/serve.js
auto-merge was automatically disabled on June 21, 2026 23:16
Pull request was converted to draft
…597f # Conflicts: # bajutsu/serve/handler.py
…597f # Conflicts: # scripts/build_roadmap_index.py
What

Adds AWS SSO (IAM Identity Center) sign-in to the `bajutsu serve` web UI for the Bedrock AI provider, plus its roadmap item (BE-0056). From the Settings panel you enter a profile, approve the verification link in your browser, and `serve` points spawned `record`/`crawl` jobs at the resulting SSO session — instead of running `aws sso login` in the shell before launching `serve`.

This PR contains both the roadmap proposal (`roadmaps/proposals/BE-0056-…`) and a first implementation slice.

Why

BE-0053 made Bedrock a selectable provider and delegated auth to the AWS credential chain, but left credential acquisition out of band — awkward for a remote, self-hosted `serve` (BE-0016 Tier A), where `aws sso login` opens a browser on the wrong host, and for short-lived SSO sessions that expire with no in-UI signal.

Implementation

- `bajutsu/serve/sso.py` — `SsoEngine` seam + types + `NativeSsoEngine` driving the boto3 `sso-oidc` device-authorization flow and persisting the token via botocore's own `SSOTokenLoader` (so the cache key/format are exactly what the credential chain reads back). `boto3` is imported lazily, so the default serve/CLI path stays server-free (`test_import_guard`).
- `ServeState.sso_engine` injectable seam; operations `sso_info` / `sso_login_start` / `sso_login_poll` / `sso_logout`, env-only (set `AWS_PROFILE`, never to disk — mirrors `set_provider` / `set_api_key`). Inherited by spawned jobs via `_spawn_env`, so re-sign-in needs no `serve` restart (each job is a fresh subprocess that re-resolves the chain).
- `/api/sso`, `/api/sso/login[/<handle>]`, `/api/sso/logout` on both the stdlib and FastAPI servers; the login/logout POSTs are admin paths (BE-0051 auth / CSRF).
- completion, session status + Sign out. The link opens in your browser, so remote `serve` works.
- `tests/serve/test_http_sso.py`) drive the full start → pending → complete → status → sign-out flow via an injected fake engine — gate-green without AWS.
- `docs/cli.md` + ja mirror.

`make check` is green (ruff, mypy strict, 1000 tests, coverage 88.9%).

Scope / follow-ups

- can't run on the Linux gate); the wiring, operations, and UI are gate-tested through the fake.
- `aws configure sso` profile; single-operator (per-user identity on a shared server is left to BE-0015 / BE-0016).
- `aws sso login`), the second engine the proposal describes, is a follow-up behind the same `SsoEngine` interface.

Status: Proposal; flip to Accepted, in progress / Implemented on merge.

🤖 Generated with Claude Code