Full AWS re-platform: Cognito auth, Drizzle ORM, S3, Bedrock, Docker compose stack
amaingot lands a 64-file, ~16k-line commit that swaps every Cloudflare/Supabase dependency for AWS: Cognito for auth, RDS Postgres via Drizzle for data, S3 for storage, Bedrock for Claude. A full local dev stack (MinIO, cognito-local, smtp4dev) comes with it via docker-compose. This is the fork's defining change.
The auth swap is the most involved piece. On the frontend, amazon-cognito-identity-js sits behind a Supabase-shaped wrapper so call sites only changed imports. On the backend, aws-jwt-verify validates tokens, with a dual path: real Cognito JWTs in production, cognito-local tokens in the compose stack. Cognito Local issues non-UUID sub identifiers, so the commit derives deterministic UUIDs from them for local dev -- flagged in the commit message as something to revisit if the auth provider changes again.
Database access moves from PostgREST/Supabase client to Drizzle ORM against direct Postgres. Roughly 191 query sites across 14 backend files were rewritten; the initial migration is under backend/drizzle/. There's a note in lib/access.ts explaining why the removal of Supabase RLS is safe in this architecture -- the argument is spelled out at schema.sql:1052 if you want to evaluate it.
The Claude API path goes through @aws-sdk/client-bedrock-runtime instead of the Anthropic SDK. Per-user Claude API keys are dropped entirely -- Bedrock authenticates via IAM so there's no per-user credential. This is a destructive migration: it purges user_api_keys rows and narrows the provider check constraint to exclude Claude from the BYO-key flow. OpenAI and Gemini still support per-user keys. Any fork still offering BYO-key Claude to end users cannot adopt this change as-is.
Deployment moves from Cloudflare Workers/OpenNext to Next.js standalone in Docker, with frontend/Dockerfile, backend/Dockerfile, and a docker-compose.yml that wires Postgres 16, cognito-local, MinIO, and smtp4dev. Two Actions workflows are added: PR-time lint/build/migrate against a postgres service container, and multi-arch GHCR publish on main and v* tags.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?