feat(cli): carry ABCA solution UA on all bgagent SDK clients

CLI-local ua.ts mirror (same convention as types.ts — CLI can't import
from CDK). Component 'cli', stack name from new optional stack_name
config field (configure --stack-name), trace = process pid set once at
startup. All Cognito/SecretsManager/CloudFormation/DynamoDB client
sites migrated. Wire-capture test mirrors the CDK one via a real
Cognito client + stub requestHandler; auth.test.ts asserts the
constructor receives the customUserAgent.

Task 6 of PR #338 plan. Part of #319

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: scottschreckengaust

cli/src/auth.ts

@@ -26,6 +26,7 @@ import { loadConfig, loadCredentials, saveCredentials } from './config';
 import { debug } from './debug';
 import { CliError } from './errors';
 import { Credentials } from './types';
+import { abcaUserAgent, withAbcaTrace } from './ua';
 
 const TOKEN_REFRESH_BUFFER_MINUTES = 5;
 const TOKEN_REFRESH_BUFFER_MS = TOKEN_REFRESH_BUFFER_MINUTES * 60 * 1000;
@@ -34,7 +35,7 @@ const TOKEN_REFRESH_BUFFER_MS = TOKEN_REFRESH_BUFFER_MINUTES * 60 * 1000;
 export async function login(username: string, password: string): Promise<void> {
   const config = loadConfig();
   debug(`Cognito region: ${config.region}, client_id: ${config.client_id}, user_pool_id: ${config.user_pool_id}`);
-  const client = new CognitoIdentityProviderClient({ region: config.region });
+  const client = withAbcaTrace(new CognitoIdentityProviderClient({ region: config.region, ...abcaUserAgent() }));
 
   const result = await client.send(new InitiateAuthCommand({
     AuthFlow: AuthFlowType.USER_PASSWORD_AUTH,
@@ -100,7 +101,7 @@ function isExpired(creds: Credentials): boolean {
 
 async function refreshToken(creds: Credentials): Promise<void> {
   const config = loadConfig();
-  const client = new CognitoIdentityProviderClient({ region: config.region });
+  const client = withAbcaTrace(new CognitoIdentityProviderClient({ region: config.region, ...abcaUserAgent() }));
 
   try {
     const result = await client.send(new InitiateAuthCommand({

cli/src/bin/bgagent.ts

@@ -41,6 +41,11 @@ import { makeWatchCommand } from '../commands/watch';
 import { makeWebhookCommand } from '../commands/webhook';
 import { setVerbose } from '../debug';
 import { ApiError, CliError } from '../errors';
+import { setAbcaTrace } from '../ua';
+
+// User-Agent solution tracking (#319): the pid correlates all AWS calls
+// made by this CLI invocation.
+setAbcaTrace(String(process.pid));
 
 const program = new Command();
 

cli/src/commands/admin.ts

@@ -27,6 +27,7 @@ import { Command } from 'commander';
 import { loadConfig } from '../config';
 import { CliError } from '../errors';
 import { CliConfig } from '../types';
+import { abcaUserAgent, withAbcaTrace } from '../ua';
 
 /**
  * Generate a strong temporary password meeting Cognito's default policy:
@@ -149,7 +150,7 @@ export function makeAdminCommand(): Command {
 
         const tempPassword = opts.tempPassword ?? generateTempPassword();
 
-        const cognito = new CognitoIdentityProviderClient({ region });
+        const cognito = withAbcaTrace(new CognitoIdentityProviderClient({ region, ...abcaUserAgent() }));
         try {
           await cognito.send(new AdminCreateUserCommand({
             UserPoolId: config.user_pool_id,

cli/src/commands/configure.ts

@@ -37,6 +37,7 @@ export function makeConfigureCommand(): Command {
     .option('--region <region>', 'AWS region')
     .option('--user-pool-id <id>', 'Cognito User Pool ID')
     .option('--client-id <id>', 'Cognito App Client ID')
+    .option('--stack-name <name>', 'Deployed stack name (User-Agent solution tracking)')
     .option('--from-bundle <base64>', 'Base64 config bundle from `bgagent admin invite-user`')
     .action((opts) => {
       // --from-bundle is mutually exclusive with the individual flags. Mixing
@@ -58,6 +59,7 @@ export function makeConfigureCommand(): Command {
           ...(opts.region !== undefined ? { region: opts.region } : {}),
           ...(opts.userPoolId !== undefined ? { user_pool_id: opts.userPoolId } : {}),
           ...(opts.clientId !== undefined ? { client_id: opts.clientId } : {}),
+          ...(opts.stackName !== undefined ? { stack_name: opts.stackName } : {}),
         };
       }
       const merged: Partial<CliConfig> = {

cli/src/commands/github.ts

@@ -26,6 +26,7 @@ import {
 import { Command } from 'commander';
 import { loadConfig } from '../config';
 import { CliError } from '../errors';
+import { abcaUserAgent, withAbcaTrace } from '../ua';
 
 /** Width of the `═` banner rules printed around webhook-info output. */
 const BANNER_WIDTH = 72;
@@ -116,7 +117,7 @@ export function makeGithubCommand(): Command {
           );
         }
 
-        const sm = new SecretsManagerClient({ region });
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
 
         // Show whether a secret is already configured so the operator
         // doesn't accidentally rotate it without realising. Linear's
@@ -166,7 +167,7 @@ export function makeGithubCommand(): Command {
 // ─── Stack-output helper ─────────────────────────────────────────────────────
 
 async function getStackOutput(region: string, stackName: string, outputKey: string): Promise<string | null> {
-  const cf = new CloudFormationClient({ region });
+  const cf = withAbcaTrace(new CloudFormationClient({ region, ...abcaUserAgent() }));
   try {
     const result = await cf.send(new DescribeStacksCommand({ StackName: stackName }));
     const stack = result.Stacks?.[0];

cli/src/commands/linear.ts

@@ -45,6 +45,7 @@ import {
   StoredLinearOauthToken,
 } from '../linear-oauth';
 import { awaitOauthCallback, CALLBACK_URL } from '../oauth-callback-server';
+import { abcaUserAgent, withAbcaTrace } from '../ua';
 
 /** Default label that triggers an ABCA task when applied to a Linear issue. */
 const DEFAULT_LABEL_FILTER = 'bgagent';
@@ -597,7 +598,7 @@ export function makeLinearCommand(): Command {
 
         // ─── Step 4: Persist token to per-workspace Secrets Manager ───
         process.stdout.write('  → Storing OAuth token...');
-        const sm = new SecretsManagerClient({ region });
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
         const now = new Date().toISOString();
         const stored: StoredLinearOauthToken = {
           access_token: tokenResponse.access_token,
@@ -625,7 +626,7 @@ export function makeLinearCommand(): Command {
         console.log(` ✓ (${secretName})`);
 
         // ─── Step 5: Persist registry + user-mapping rows ─────────────
-        const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region }));
+        const ddb = DynamoDBDocumentClient.from(withAbcaTrace(new DynamoDBClient({ region, ...abcaUserAgent() })));
 
         // Best-effort: fetch team keys so the screenshot processor can
         // prefix-route Linear issue lookups (e.g. ABCA-42 → workspace
@@ -829,8 +830,8 @@ export function makeLinearCommand(): Command {
           );
         }
 
-        const sm = new SecretsManagerClient({ region });
-        const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region }));
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
+        const ddb = DynamoDBDocumentClient.from(withAbcaTrace(new DynamoDBClient({ region, ...abcaUserAgent() })));
 
         // ─── Linear OAuth app credentials ──────────────────────────────
         // Always prompt — never accept secrets via flags (shell history
@@ -1099,7 +1100,7 @@ export function makeLinearCommand(): Command {
         const config = loadConfig();
         const region = opts.region || config.region;
 
-        const sm = new SecretsManagerClient({ region });
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
         const secretName = linearOauthSecretName(slug);
 
         // ─── Read existing bundle ───────────────────────────────────
@@ -1218,8 +1219,8 @@ export function makeLinearCommand(): Command {
         const callerCognitoSub = extractCognitoSub();
 
         // ─── Resolve workspace + OAuth secret arn ──────────────────────
-        const sm = new SecretsManagerClient({ region });
-        const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region }));
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
+        const ddb = DynamoDBDocumentClient.from(withAbcaTrace(new DynamoDBClient({ region, ...abcaUserAgent() })));
         const registryScan = await ddb.send(new ScanCommand({
           TableName: workspaceRegistryTable!,
           FilterExpression: 'workspace_slug = :slug AND #status = :active',
@@ -1342,7 +1343,7 @@ export function makeLinearCommand(): Command {
         }
 
         const now = new Date().toISOString();
-        const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region }));
+        const ddb = DynamoDBDocumentClient.from(withAbcaTrace(new DynamoDBClient({ region, ...abcaUserAgent() })));
         await ddb.send(new PutCommand({
           TableName: tableName,
           Item: {
@@ -1373,7 +1374,7 @@ export function makeLinearCommand(): Command {
       .action(async (opts) => {
         const config = loadConfig();
         const region = opts.region || config.region;
-        const sm = new SecretsManagerClient({ region });
+        const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
 
         // Resolve the set of workspace slugs to query. Either an
         // explicit `--slug` (one workspace) or every Linear workspace
@@ -1908,7 +1909,7 @@ export async function autoLinkTokenOwner(args: {
     return;
   }
 
-  const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({ region: args.region }));
+  const ddb = DynamoDBDocumentClient.from(withAbcaTrace(new DynamoDBClient({ region: args.region, ...abcaUserAgent() })));
   await ddb.send(new PutCommand({
     TableName: args.userMappingTable,
     Item: {
@@ -1947,7 +1948,7 @@ function extractCognitoSub(): string {
 
 async function getStackOutput(region: string, stackName: string, outputKey: string): Promise<string | null> {
   try {
-    const cfn = new CloudFormationClient({ region });
+    const cfn = withAbcaTrace(new CloudFormationClient({ region, ...abcaUserAgent() }));
     const result = await cfn.send(new DescribeStacksCommand({ StackName: stackName }));
     const outputs = result.Stacks?.[0]?.Outputs ?? [];
     const output = outputs.find((o) => o.OutputKey === outputKey);

cli/src/commands/slack.ts

@@ -27,6 +27,7 @@ import { Command } from 'commander';
 import { ApiClient } from '../api-client';
 import { loadConfig } from '../config';
 import { formatJson } from '../format';
+import { abcaUserAgent, withAbcaTrace } from '../ua';
 
 export function makeSlackCommand(): Command {
   const slack = new Command('slack')
@@ -208,7 +209,7 @@ async function promptAndStoreCredentials(region: string, arns: SecretArns): Prom
 
     // Store in Secrets Manager.
     console.log('');
-    const sm = new SecretsManagerClient({ region });
+    const sm = withAbcaTrace(new SecretsManagerClient({ region, ...abcaUserAgent() }));
 
     const secrets = [
       { id: arns.signingSecretArn, value: signingSecret, label: 'signing secret' },
@@ -345,7 +346,7 @@ function findRepoRoot(): string {
 
 async function getStackOutput(region: string, stackName: string, outputKey: string): Promise<string | null> {
   try {
-    const cfn = new CloudFormationClient({ region });
+    const cfn = withAbcaTrace(new CloudFormationClient({ region, ...abcaUserAgent() }));
     const result = await cfn.send(new DescribeStacksCommand({ StackName: stackName }));
     const outputs = result.Stacks?.[0]?.Outputs ?? [];
     const output = outputs.find((o) => o.OutputKey === outputKey);

cli/src/types.ts

@@ -372,6 +372,8 @@ export interface CliConfig {
   readonly region: string;
   readonly user_pool_id: string;
   readonly client_id: string;
+  /** Deployed stack name for User-Agent solution tracking (#319); optional. */
+  readonly stack_name?: string;
 }
 
 /** Cached credentials stored in ~/.bgagent/credentials.json.

cli/src/ua.ts

@@ -0,0 +1,137 @@
+/**
+ *  MIT No Attribution
+ *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy of
+ *  the Software without restriction, including without limitation the rights to
+ *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ *  the Software, and to permit persons to whom the Software is furnished to do so.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ *  SOFTWARE.
+ */
+
+/**
+ * Outbound AWS SDK User-Agent solution tracking (#319) — CLI surface.
+ *
+ * Every AWS API call made by `bgagent` carries:
+ *
+ *     app/uksb-wt64nei4u6/{STACKNAME}     (only when config has stack_name)
+ *     md/uksb-wt64nei4u6#cli[#{PID}]
+ *
+ * CLI-local mirror of `cdk/src/handlers/shared/ua.ts` (the CLI package
+ * cannot import from the CDK package — same mirroring convention as
+ * `cli/src/types.ts`). Solution id, wire format, and sanitization rules
+ * must stay identical; `agent/src/ua.py` is the Python counterpart.
+ *
+ * The component label is hardcoded (`cli`); the stack name comes from the
+ * optional `stack_name` field in `~/.bgagent/config.json`. The trace handle
+ * is the CLI process pid, set once at startup in `bin/bgagent.ts` and
+ * appended per-request by the {@link withAbcaTrace} middleware.
+ */
+
+import { tryLoadConfig } from './config';
+
+/**
+ * AWS solution-tracking id for ABCA. Deploy-time counterpart (#292) lives in
+ * the CloudFormation stack description in `cdk/src/main.ts`.
+ */
+export const SOLUTION_ID = 'uksb-wt64nei4u6';
+
+/** Stable per-component label: this surface IS the bgagent CLI. */
+const COMPONENT = 'cli';
+
+/** App-id budget: 50-char value cap minus `uksb-wt64nei4u6/` (16) = 34. */
+const STACK_NAME_MAX = 34;
+
+/**
+ * RFC 7230 token charset; `/` and `#` deliberately excluded (structural
+ * separators of the scheme). Mirrors the CDK and Python implementations.
+ */
+const UA_TOKEN_SAFE = /[^A-Za-z0-9!$%&'*+\-.^_`|~]/g;
+
+let currentTrace: string | undefined;
+
+/** Replace every non-UA-token char (incl. non-ASCII) with `-`. */
+export function sanitizeUaValue(raw: string): string {
+  return raw.replace(UA_TOKEN_SAFE, '-');
+}
+
+/**
+ * Client config fragment carrying the static ABCA UA segments. Spread into
+ * every SDK client constructor: `new SecretsManagerClient({ region, ...abcaUserAgent() })`.
+ *
+ * Pair semantics (mirrors the CDK module): the `app/` segment is a
+ * single-element pair so its literal `/` separators survive the SDK's
+ * name-position escaping; the `md/` pair lets the SDK's own `name#value`
+ * join produce the `#`.
+ */
+export function abcaUserAgent(): { customUserAgent: ([string] | [string, string])[] } {
+  const pairs: ([string] | [string, string])[] = [];
+  const stackName = tryLoadConfig()?.stack_name?.trim();
+  if (stackName) {
+    // Sanitize FIRST, then clip, so a replaced char can't be re-split.
+    const clipped = sanitizeUaValue(stackName).slice(0, STACK_NAME_MAX);
+    pairs.push([`app/${SOLUTION_ID}/${clipped}`]);
+  }
+  pairs.push([`md/${SOLUTION_ID}`, COMPONENT]);
+  return { customUserAgent: pairs };
+}
+
+/** Set (or clear) the ambient trace handle (the CLI pid, set at startup). */
+export function setAbcaTrace(handle?: string): void {
+  currentTrace = handle || undefined;
+}
+
+/** Current trace handle, sanitized to UA-token-safe ASCII, or undefined. */
+export function getAbcaTrace(): string | undefined {
+  return currentTrace ? sanitizeUaValue(currentTrace) : undefined;
+}
+
+/** Structural view of a client middleware stack (avoids @smithy/types dep). */
+interface MiddlewareStackLike {
+  addRelativeTo(middleware: unknown, options: Record<string, unknown>): void;
+}
+
+/**
+ * Append `#{TRACE}` to the outgoing User-Agent headers on every request by
+ * splicing onto the static `md/` segment, after the SDK's own
+ * `getUserAgentMiddleware` has rendered the headers. Mutates only the
+ * header strings; the client and its connection pool are untouched.
+ * No-ops on clients without a middleware stack (jest constructor mocks).
+ */
+export function withAbcaTrace<T>(client: T): T {
+  const stack = (client as { middlewareStack?: MiddlewareStackLike }).middlewareStack;
+  if (!stack || typeof stack.addRelativeTo !== 'function') {
+    return client;
+  }
+  const md = `md/${SOLUTION_ID}#${COMPONENT}`;
+  stack.addRelativeTo(
+    (next: (args: unknown) => Promise<unknown>) => async (args: unknown) => {
+      const trace = getAbcaTrace();
+      const request = (args as { request?: { headers?: Record<string, string> } }).request;
+      if (trace && request?.headers) {
+        for (const header of ['user-agent', 'x-amz-user-agent']) {
+          const value = request.headers[header];
+          if (value && value.includes(md)) {
+            request.headers[header] = value.replace(md, `${md}#${trace}`);
+          }
+        }
+      }
+      return next(args);
+    },
+    {
+      name: 'abcaUaTraceMiddleware',
+      relation: 'after',
+      toMiddleware: 'getUserAgentMiddleware',
+      override: true,
+    },
+  );
+  return client;
+}

cli/test/auth.test.ts

@@ -52,6 +52,19 @@ describe('auth', () => {
   });
 
   describe('login', () => {
+    test('Cognito client carries the ABCA solution customUserAgent (#319)', async () => {
+      const { CognitoIdentityProviderClient } = jest.requireMock(
+        '@aws-sdk/client-cognito-identity-provider',
+      );
+      mockSend.mockResolvedValue({
+        AuthenticationResult: { IdToken: 'i', AccessToken: 'a', RefreshToken: 'r', ExpiresIn: 3600 },
+      });
+      await login('user', 'pass');
+      const calls = (CognitoIdentityProviderClient as jest.Mock).mock.calls;
+      const config = calls[calls.length - 1]?.[0];
+      expect(config.customUserAgent).toEqual([['md/uksb-wt64nei4u6', 'cli']]);
+    });
+
     test('saves credentials on successful login', async () => {
       mockSend.mockResolvedValue({
         AuthenticationResult: {