github ministackorg/ministack v1.3.56

one hour ago

What's Changed

[1.3.56] — 2026-06-02

Added

  • Cognito User Pools — CUSTOM_AUTH flow with DefineAuthChallenge / CreateAuthChallenge / VerifyAuthChallengeResponse triggers. InitiateAuth / AdminInitiateAuth / RespondToAuthChallenge / AdminRespondToAuthChallenge now run the full custom-auth state machine through the configured Lambdas. DefineAuthChallenge decides next-step / issueTokens / failAuthentication; CreateAuthChallenge builds public + private challenge parameters carried through the opaque session token; VerifyAuthChallengeResponse evaluates the answer. Session TTL honors the client's AuthSessionValidity (minutes), capped at 3 answered rounds per AWS. Unblocks passwordless / magic-link / SMS-OTP flows that previously failed with Unsupported AuthFlow: CUSTOM_AUTH. Reported by @aahoughton. Contributed by @AdigaAkhil.
  • EKS Access Entries (modern IAM bindings — replace aws-auth ConfigMap) — 8 new ops at /clusters/{name}/access-entries[/{principalArn}[/access-policies[/{policyArn}]]]: CreateAccessEntry, DescribeAccessEntry, ListAccessEntries, UpdateAccessEntry, DeleteAccessEntry, AssociateAccessPolicy, DisassociateAccessPolicy, ListAssociatedAccessPolicies. accessScope validated against {cluster, namespace} with namespaces required when scope is namespace-bound; deleting an access entry cascades its associated policies. Unblocks Crossplane accessentry.eks.aws.upbound.io, Terraform aws_eks_access_entry + aws_eks_access_policy_association, and any tool using the post-1.29 EKS IAM binding API. Reported by @b-rajesh.

Fixed

  • Lambda — _X_AMZN_TRACE_ID injected for TracingConfig.Mode=Active — the runtime env var the AWS X-Ray SDK reads on every segment was never being set, so aws-xray-sdk-python raised Missing AWS Lambda trace data for X-Ray on any active-tracing function. Now synthesized per invocation (Root=1-<8hex>-<24hex>;Parent=<16hex>;Sampled=1) and threaded into the warm worker pool (Python + Node bootstraps pop the event field into os.environ / process.env), the provided-runtime executor (per-spawn proc_env), and the local subprocess executor. The docker RIE executor is documented as unsupported — AWS RIE itself drops X-Ray, the pool reuses containers so a baked env would go stale — and now logs a warning when Active mode is configured on that path. Reported by @arivazhaganjeganathan-abc.
  • Firehose — Lambda processor invoked in the delivery pipeline. ProcessingConfiguration.Processors[].Type=Lambda was persisted on the destination but never consulted at invocation time; records flowed straight to S3 without the configured transformation. The full AWS contract is now honored: per-batch event {invocationId, deliveryStreamArn, region, records:[{recordId, approximateArrivalTimestamp, data}]}, response {records:[{recordId, result, data}]} with result ∈ {Ok, Dropped, ProcessingFailed}. Ok → transformed data written downstream; Dropped / ProcessingFailed → omitted; Lambda not-found / crash / malformed body → records pass through unchanged (best-effort per AWS). Applies to both PutRecord / PutRecordBatch and KinesisStreamAsSource fan-out. Reported by @arivazhaganjeganathan-abc.
  • Cognito CUSTOM_AUTH — issueTokens on the cap-boundary attempt now wins over MaxAttempts — a correct answer on the 3rd round (cap boundary) was being silently rejected with Max authentication attempts exceeded because the cap check fired before the issueTokens branch. The cap is meant to prevent a NEXT (4th) round, not penalize success on the boundary. Reordered: failAuthentication → issueTokens → max-attempts → next round. Applies to both RespondToAuthChallenge and AdminRespondToAuthChallenge.
  • DynamoDB — AWS-canonical error-message parity across 24 operations. PutItem set-duplicates now include the collection contents (Input collection [a, a] contains duplicates.); UpdateItem syntax errors carry token-context (token: "INVALID", near: "INVALID SYNTAX"); Query empty KeyConditionExpression short-circuits before unused-EAV; Scan Limit=0 quotes the value (Value '0' at 'limit'); Scan Segment negative path returns the standard 1 validation error detected envelope with lowercase segment; redundant-parentheses check pre-fires on FilterExpression / KeyConditionExpression so empty tables still reject (rather than silently passing); begins_with non-string operand pre-validated at parse time. BatchExecuteStatement per-statement Error.Code now drops the Exception suffix to match BatchStatementErrorCodeEnum (DuplicateItem / ResourceNotFound). TransactGetItems reports per-action missing-key errors via TransactionCanceledException cancellation reasons (not a request-level error). CreateTable >2 KeySchema error dumps the Java-toString KeySchemaElement(attributeName=…, keyType=…) shape. GetItem / TransactGetItems ProjectionExpression parses syntactically + rejects reserved keywords up front. UpdateItem pre-rejects mutation of hash / range key attributes regardless of whether the item exists. BatchWriteItem / TransactWriteItems / TransactGetItems size-exceeded errors include the AWS-shape Java-toString dump in the envelope.
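The Firehose processor contract from the entry above, as an added Python example (not ministack's own code). The handler, the `apply_processor` helper, the stream ARN and the sample records are constructed for illustration, and treating a recordId missing from the response as omitted is an assumption.

```python
import base64
import json

# Constructed sample input: (recordId, raw payload) pairs.
SAMPLE = [("r1", b'{"msg": "hi"}'),
          ("r2", b'{"msg": "noise", "debug": true}'),
          ("r3", b"not json")]

def transform_handler(event, context=None):
    """Hypothetical processor Lambda: uppercase msg, drop debug, fail non-JSON."""
    out = []
    for rec in event["records"]:
        result, data = "Ok", rec["data"]
        try:
            doc = json.loads(base64.b64decode(rec["data"]))
            if doc.get("debug"):
                result = "Dropped"
            else:
                doc["msg"] = doc["msg"].upper()
                data = base64.b64encode(json.dumps(doc).encode()).decode()
        except ValueError:
            result = "ProcessingFailed"
        out.append({"recordId": rec["recordId"], "result": result, "data": data})
    return {"records": out}

def apply_processor(records, invoke):
    """Build the per-batch event, call the processor, return bytes to deliver."""
    event = {
        "invocationId": "constructed-invocation-id",
        "deliveryStreamArn": "arn:aws:firehose:us-east-1:000000000000:deliverystream/example",
        "region": "us-east-1",
        "records": [{"recordId": rid, "approximateArrivalTimestamp": 0,
                     "data": base64.b64encode(raw).decode()} for rid, raw in records],
    }
    try:
        by_id = {r["recordId"]: r for r in invoke(event)["records"]}
        # Only Ok records go downstream; Dropped / ProcessingFailed are omitted.
        # A recordId absent from the response is also omitted (assumption).
        return [base64.b64decode(by_id[rid]["data"]) for rid, _ in records
                if by_id.get(rid, {}).get("result") == "Ok"]
    except Exception:
        # Crash or malformed response: originals pass through unchanged.
        return [raw for _, raw in records]
```

When the processor is what redacts or filters fields, the pass-through branch delivers the original bytes, so a local test suite should exercise the crash and malformed-response cases as well as the `Ok` path.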
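The CUSTOM_AUTH decision order from the two Cognito entries above (the new flow under Added and the cap-boundary fix under Fixed), as an added Python example that is not ministack's code. The function names, outcome strings, sample trigger and the OTP value `123456` are hypothetical; `fixed=False` models only what the entry states about the old behaviour, namely that the cap check fired before the issueTokens branch.

```python
import hmac

MAX_ROUNDS = 3  # answered-round cap stated in the release note

def define_auth_challenge(session):
    """Hypothetical DefineAuthChallenge trigger: issue tokens once the latest
    answer verified, otherwise request another CUSTOM_CHALLENGE round."""
    if session and session[-1]["challengeResult"]:
        return {"issueTokens": True, "failAuthentication": False}
    return {"issueTokens": False, "failAuthentication": False,
            "challengeName": "CUSTOM_CHALLENGE"}

def decide(resp, answered, fixed=True):
    """Turn the trigger's response into an outcome after `answered` rounds."""
    cap_hit = answered >= MAX_ROUNDS
    if resp.get("failAuthentication"):
        return "FAIL"
    if not fixed and cap_hit:      # old order: cap fired before issueTokens
        return "MAX_ATTEMPTS"
    if resp.get("issueTokens"):
        return "TOKENS"
    if cap_hit:                    # cap only blocks a further (4th) round
        return "MAX_ATTEMPTS"
    return "NEXT_CHALLENGE"

def run_flow(answers, expected="123456", fixed=True):
    """Feed user answers through verify -> define -> decide; return the outcome."""
    session = []
    for answer in answers:
        # VerifyAuthChallengeResponse role: constant-time compare with the
        # private challenge parameter (constructed value "123456").
        ok = hmac.compare_digest(answer.encode(), expected.encode())
        session.append({"challengeName": "CUSTOM_CHALLENGE", "challengeResult": ok})
        outcome = decide(define_auth_challenge(session), len(session), fixed)
        if outcome != "NEXT_CHALLENGE":
            return outcome
    return "NEXT_CHALLENGE"
```

A regression test for this fix needs both boundary cases: a correct answer on round 3 yields tokens, and three wrong answers still end the session so that a fourth guess is never evaluated.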
