Aws Context Guard
@jentz/aws-context-guardv2026.05.17.1
01README
Generic AWS workflow-safety primitive. Fails closed before any AWS work runs by verifying, in order:
- AWS_PROFILE ends with a required suffix (default
-readonly). - sts:GetCallerIdentity returns the expected 12-digit account ID.
On success, persists the verified caller-identity context (account,
ARN, user ID, profile, region, verifiedAt) as a context resource that
later workflow steps can reference. AWS_REGION is captured for
reference but is not validated — region is a routing concern, not an
identity property.
Designed to be the first step of any AWS audit or read-only-recon workflow, so a misconfigured shell can never reach AWS APIs.
02Models
@jentz/aws-context-guardv2026.05.17.1aws_context_guard.ts
Global Arguments
| Argument | Type | Description |
|---|---|---|
| expectedAccountId | string | The 12-digit AWS account ID this workflow expects to be operating against. |
| requiredProfileSuffix | string | AWS_PROFILE must end with this suffix. Set to empty string to disable |
fn verify()
Verify AWS profile suffix and caller-identity account match
Resources
context(infinite)— Verified AWS caller-identity context
03Stats
A
100 / 100
Downloads
6
Archive size
271.9 KB
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types1/1earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
04Platforms
05Labels