docs: update README and CHANGELOG for fresh credentials behavior

anasstahr · anasstahr · commit 15afda2d79a8 · 2026-05-27T12:43:17.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Fixed
+
+- Always read fresh credentials from disk on every request instead of caching and refreshing reactively on auth errors (#294)
+
 ## v1.5.0 (2026-05-22)
 
 ### Added
diff --git a/README.md b/README.md
@@ -354,7 +354,7 @@ For long-running sessions, consider using long-lived credentials:
 - Use an AWS profile via `--profile`
 - Use IAM Identity Center and run `aws sso login` before starting the proxy
 
-If your credentials do expire during a session, the proxy will automatically detect the auth failure and pick up refreshed credentials on the next request — no restart required. Simply refresh your credentials (e.g., `aws sso login`) and retry.
+The proxy reads fresh credentials from disk on every request, so credential refreshes and account switches take effect immediately — no restart or retry required. Simply refresh your credentials (e.g., `aws sso login`) and the next request will use them.
 
 ### Client hangs on tool calls
 If your MCP client hangs waiting for a tool call response (e.g., due to an unresponsive endpoint), use `--tool-timeout` to set a maximum duration in seconds for each tool call. When the timeout is exceeded, the proxy returns a graceful error to the agent instead of hanging indefinitely.
