feat: add agentcore import command for starter toolkit migration (#620)

* feat: add agentcore import command for starter toolkit migration

Implements a 3-phase import flow that migrates Bedrock AgentCore Starter
Toolkit projects to the agentcore-cli:

- Phase 1: Creates companion CloudFormation resources (IAM roles/policies)
- Phase 2: Imports existing AWS resources via CFN IMPORT change set
- Phase 3: User runs `agentcore deploy` to reconcile the stack

Parses .bedrock_agentcore.yaml, scaffolds CLI project structure, copies
agent source code, publishes CDK assets, and adopts pre-existing runtimes
and memories into the CLI's CloudFormation stack.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: require existing project for import, fix memory support

- Remove scaffold.ts; import now requires `agentcore create` first
- Resolve target from project's aws-targets.json (auto-select single,
  error on multiple without --target, create default from YAML if empty)
- Replace dangling Fn::GetAtt/Ref to removed primary resources with "*"
  in Phase 1 companion template (fixes IAM policy ARN validation)
- Fix memoryArn placeholder in deployed state (construct ARN from ID)
- Make --target optional (no default value)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: set up Python venv after import and fix setuptools auto-discovery

Starter toolkit projects have multiple top-level directories (model/,
mcp_client/) which causes setuptools to fail with "Multiple top-level
packages discovered". Fix by appending [tool.setuptools] py-modules = []
to pyproject.toml after copy. Also run uv venv + uv sync so agentcore
dev works immediately after import.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: import credential providers from starter toolkit YAML

Parse OAuth and API key credential providers from .bedrock_agentcore.yaml
identity config and add them to project.json during import. Fix YAML
parser to handle list items with nested key-value pairs (e.g.,
credential_providers). Fix eslint no-base-to-string errors by adding
explicit type casts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: guard memory mode check with typeof string to prevent empty YAML mode from creating invalid memory

The simple YAML parser turns bare "mode:" (no value) into an empty object {},
which is truthy and passes the existing `!== 'NO_MEMORY' && memoryConfig.mode`
check. This caused a memory with mode={} to be created, which is invalid.
Added typeof check to ensure mode is actually a string before proceeding.

Also adds comprehensive unit tests for import memory handling (35 tests).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use Array.isArray guard for VPC networkConfig subnets/securityGroups

The YAML parser creates empty objects {} for keys with no list items
(e.g., `subnets:` with nothing underneath). The previous code used
`(networkModeConfig.subnets as string[]) ?? []` which doesn't protect
against this since {} is truthy. This resulted in subnets being {} instead
of [] when the YAML had empty subnet/security_group keys under VPC mode.

Now uses Array.isArray() to ensure we always get a proper array, falling
back to [] when the parser returns a non-array value.

Also adds comprehensive VPC import tests (18 tests covering parsing,
edge cases, mixed agents, quoted values, and starter toolkit format).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: make import idempotent by only importing newly-added resources

Previously, running `agentcore import` twice with the same YAML would
attempt to re-import already-managed CloudFormation resources in Phase 2,
causing errors like "resource already exists in stack". The bug was that
agentsToImport and memoriesToImport were filtered from all parsed YAML
agents (regardless of whether they were skipped during merge), rather
than from only the newly-added ones.

Fix: track which agents/memories are actually added during the merge
step (newlyAddedAgentNames / newlyAddedMemoryNames) and filter
agentsToImport / memoriesToImport to only include those newly-added
resources.

Adds 17 unit tests covering first import, second import idempotency,
partial overlap, credential idempotency, and edge cases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: defer target resolution for undeployed starter toolkit imports

When importing a starter toolkit YAML with no physical IDs (agent_id and
memory_id are null), the import command would fail unnecessarily if no
deployment targets existed and the YAML had null account/region. This is
incorrect because the no-deploy path only needs config merge and source
copy -- no CloudFormation operations.

The fix computes hasPhysicalIds early and only performs strict target
resolution (requiring account/region) when physical IDs are present.
When no physical IDs exist, target resolution is lenient -- it uses an
existing target if available, or falls back to 'default' for stackName.

Also adds 22 unit tests covering the no-deploy path: YAML parsing of
null IDs, early return behavior, config merge, Python setup, absence of
CloudFormation operations, and target resolution edge cases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add Test Group 1 unit tests for no-memory agent import path

63 tests covering YAML parsing, toAgentEnvSpec conversion, merge logic,
source copy, Phase 1/Phase 2 template operations, findLogicalId helpers,
sanitize/toStackName, and integration for a single agent with no memory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add 30 unit tests for multi-agent import scenarios

Tests cover:
- YAML parsing with 2, 3, and similar-named agents
- Memory deduplication across shared agents
- Credential extraction from identity.credential_providers
- findLogicalIdByProperty with multiple runtimes
- findLogicalIdByProperty Fn::Sub false substring match regression test
- filterCompanionOnlyTemplate with multiple primary resources
- buildImportTemplate with multiple import targets
- Stack name sanitization and source code directory structure
- Partial import (deployed + undeployed agents mixed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Revert "test: add 30 unit tests for multi-agent import scenarios"

This reverts commit 25a1458125d9ecdae1dd3e8c2f6e17336fc7498f.

* test: add merge-logic unit tests for CLI-native create then import scenario

16 tests covering agent/memory/credential deduplication, Set-based name
matching, toMemorySpec clamping, source copy skip logic, append-only merge
behavior, and edge cases for projects with existing agents and memories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add merge-logic unit tests for CLI-native create then import scenario

16 tests covering agent/memory/credential deduplication, Set-based name
matching, toMemorySpec clamping, source copy skip logic, append-only merge
behavior, and edge cases for projects with existing agents and memories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix import for container builds and multi-agent stacks

- Publish CDK assets to S3 before Phase 1 (CodeBuild needs source zip)
- Handle directory assets in publishCdkAssets (zip before upload)
- Export publishCdkAssets for use in actions.ts
- Copy Dockerfile from starter toolkit config for Container builds
- Generate fallback Dockerfile if toolkit config not found
- Preserve previously imported resources during Phase 1 UPDATE
  by merging deployed template back into companion template

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): map OAuth providers correctly and fix region mismatch

- Change toCredentialSpec() to map OAuth providers to OAuthCredentialProvider
  instead of ApiKeyCredentialProvider, so the CLI wires CLIENT_ID/CLIENT_SECRET
  env vars correctly (not API_KEY)
- Make discoveryUrl optional in OAuthCredentialSchema for imported providers
  that already exist in Identity service
- Skip Identity service create/update for OAuth providers without discoveryUrl
  during deploy (provider already exists)
- Set AWS_REGION/AWS_DEFAULT_REGION to target.region before import operations
  to prevent region mismatch when env var differs from aws-targets.json

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): handle symlinks and excluded dirs in source copy, warn on authorizer config

BUG-001: copyDirRecursive now skips symlinks and common excluded directories
(.venv, .git, __pycache__, node_modules, etc.) preventing EISDIR crash when
importing projects with virtualenvs containing symlinks like .venv/lib64 -> lib.

BUG-004: Import now warns when an agent has authorizer_configuration set in the
starter toolkit YAML, since custom JWT authorizer config is not automatically
imported and must be manually recreated via `agentcore add gateway`.

Constraint: CLI gateway model is separate from agent config, so full authorizer import requires design work
Rejected: Auto-create gateway during import | gateway-agent linking logic is complex and warrants its own feature
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): fix multi-agent memory import and skip Python setup for containers

Two fixes:
1. Memory name prefix mismatch: CDK prefixes memory names with project
   name (e.g. "myproject_Agent_mem") but import searched for unprefixed
   YAML name. Added fallback lookup with project name prefix.
2. Container agents no longer trigger unnecessary Python venv setup
   during import, since dependencies are installed inside the Docker image.

Constraint: CDK BasePrimitiveConstruct generates physicalName as ${projectName}_${name}
Rejected: Stripping prefix from CDK names | would break other CDK conventions
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(build): add jsx: automatic to esbuild config to fix TUI crash

esbuild does not read tsconfig.json, so it defaults to classic JSX
transform (React.createElement) while tsconfig specifies react-jsx
(automatic). This produces 432 bare React.createElement calls in the
bundle that reference a nonexistent React global, crashing all TUI
commands (status, deploy, etc.) with "React is not defined".

Constraint: esbuild ignores tsconfig jsx settings by default
Rejected: Adding React as external | would require React in node_modules at runtime
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): warn about memory env var mismatch after import

The Starter Toolkit injects memory ID via BEDROCK_AGENTCORE_MEMORY_ID,
but CDK constructs use MEMORY_{NAME}_ID pattern. After import, agent
code still references the old env var, causing memory to silently fail.

Add a yellow warning during import telling users the correct env var
name to update in their agent code.

Constraint: CDK env var naming is controlled by AgentCoreMemory.getEnvVarName()
Rejected: Auto-rewrite agent source code | too fragile across frameworks
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): warn about memory env var mismatch with diff-style hint

The Starter Toolkit injects memory ID via BEDROCK_AGENTCORE_MEMORY_ID,
but CDK constructs use MEMORY_{NAME}_ID pattern. After import, agent
code still references the old env var, causing memory to silently fail.

Show a git-diff-style warning during import with red/green highlighting
so users see exactly what to change in their agent code.

Constraint: CDK env var naming is controlled by AgentCoreMemory.getEnvVarName()
Rejected: Auto-rewrite agent source code | too fragile across frameworks
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tui): hide import command from interactive TUI menu

Import is a CLI-only command that requires --source flag and doesn't
have a TUI screen. Remove it from the interactive command picker.

Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): auto-bootstrap CDK environment before asset publishing

Import fails with "The specified bucket does not exist" when the AWS
account hasn't been CDK-bootstrapped. The deploy command handles this
via useCdkPreflight, but import bypasses that since it's CLI-only.

Check bootstrap status after CDK synth and auto-bootstrap if needed,
before disposing the toolkit wrapper.

Tested on two unbootstrapped accounts (509471412906, 126432121770).

Constraint: Must bootstrap before disposing toolkitWrapper since bootstrap requires it
Rejected: Prompt user to manually run cdk bootstrap | poor UX for import flow
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): resolve lint and format issues in import files

- Remove unused waitUntilChangeSetCreateComplete import
- Prefix unused assetHash with underscore
- Add eslint-disable for necessary any cast in STS credentials
- Remove unnecessary type assertion in test
- Fix prettier formatting in multi-agent test

Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tests): update tests for optional OAuth discoveryUrl schema change

OAuthCredentialProvider.discoveryUrl was made optional to support imported
providers that already exist in Identity service. Update tests to match:
- Schema test: expect success when discoveryUrl is omitted
- Pre-deploy identity tests: add discoveryUrl to fixtures that test
  update and error paths (without it, the code now skips the provider)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(tests): hoist bootstrap mocks in idempotency test to survive clearAllMocks

checkBootstrapNeeded and bootstrapEnvironment were created as inline
vi.fn() inside the vi.mock factory. vi.clearAllMocks() in beforeEach
wipes their mockResolvedValue, causing handleImport to fail in CI
where test execution order differs from local runs.

Hoist the mocks and configure them in setupCommonMocks like all other
mock functions in the file.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* logs

* fix(import): rollback config on CDK/CloudFormation phase failure

When import fails during CDK build/synth or CloudFormation phases, the
merged config (agentcore.json) was already written to disk. On retry,
the import would detect existing agents and report false success without
completing the CloudFormation import. This snapshots the original config
before merging and restores it if any later phase fails.

Constraint: Rollback only triggers after config is written (configWritten flag)
Constraint: Snapshot must be a deep clone since projectSpec is mutated in-place
Rejected: Deferred config write until after all phases | too invasive, changes control flow for all paths
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(import): map STM_ONLY memory to zero strategies

STM_ONLY memories incorrectly received a SEMANTIC strategy in the import
flow, while the CLI create flow and starter toolkit both deploy STM_ONLY
with zero strategies. This mismatch caused drift/errors during reconciliation.

Constraint: Must match CLI create flow which maps shortTerm to strategies: []
Rejected: Keep SEMANTIC for STM_ONLY | causes reconciliation drift with deployed resources
Confidence: high
Scope-risk: narrow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(import): extract custom JWT authorizer config from starter toolkit YAML

Instead of warning users to manually recreate the gateway, the import
pipeline now reads authorizer_configuration.customJWTAuthorizer from
the starter toolkit YAML and writes authorizerType/authorizerConfiguration
to agentcore.json so CDK handles it automatically.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add yaml@2 and regenerate package-lock.json for CI compatibility

Resolves npm ci failure caused by missing yaml@2.8.3 transitive
dependency required by vitest/vite and lint-staged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: jesseturner21

esbuild.config.mjs

@@ -48,6 +48,7 @@ await esbuild.build({
   platform: 'node',
   format: 'esm',
   minify: true,
+  jsx: 'automatic',
   // Inject require shim for ESM compatibility with CommonJS dependencies
   banner: {
     js: `import { createRequire } from 'module'; const require = createRequire(import.meta.url);`,

package-lock.json

@@ -95,14 +95,15 @@
     "ink-spinner": "^5.0.0",
     "js-yaml": "^4.1.1",
     "react": "^19.2.3",
+    "yaml": "^2.8.3",
     "zod": "^4.3.5"
   },
   "peerDependencies": {
     "aws-cdk-lib": "^2.243.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "@aws-sdk/client-cognito-identity-provider": "^3.1017.0",
+    "@aws-sdk/client-cognito-identity-provider": "^3.1018.0",
     "@eslint/js": "^9.39.2",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "@secretlint/secretlint-rule-preset-recommend": "^11.3.0",

package.json

@@ -5,6 +5,7 @@ import { registerDev } from './commands/dev';
 import { registerEval } from './commands/eval';
 import { registerFetch } from './commands/fetch';
 import { registerHelp } from './commands/help';
+import { registerImport } from './commands/import';
 import { registerInvoke } from './commands/invoke';
 import { registerLogs } from './commands/logs';
 import { registerPackage } from './commands/package';
@@ -138,6 +139,7 @@ export function registerCommands(program: Command) {
   registerEval(program);
   registerFetch(program);
   registerHelp(program);
+  registerImport(program);
   registerInvoke(program);
   registerLogs(program);
   registerPackage(program);

src/cli/cli.ts

@@ -0,0 +1,268 @@
+/**
+ * Test Group 6: Container (Docker) Agent Import
+ */
+import { RUNTIME_TYPE_MAP } from '../constants';
+import { buildImportTemplate, filterCompanionOnlyTemplate } from '../template-utils';
+import { parseStarterToolkitYaml } from '../yaml-parser';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+function writeTempYaml(content: string): string {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'test6-'));
+  const filePath = path.join(dir, '.bedrock_agentcore.yaml');
+  fs.writeFileSync(filePath, content, 'utf-8');
+  return filePath;
+}
+
+function cleanupTempFile(filePath: string): void {
+  try {
+    fs.unlinkSync(filePath);
+    fs.rmdirSync(path.dirname(filePath));
+  } catch {
+    /* noop */
+  }
+}
+
+const AGENT_YAML_TEMPLATE = (overrides: string) => `
+default_agent: my_agent
+agents:
+  my_agent:
+    name: my_agent
+    entrypoint: main.py
+    ${overrides}
+    aws:
+      account: '111122223333'
+      region: us-east-1
+      network_configuration:
+        network_mode: PUBLIC
+      protocol_configuration:
+        server_protocol: HTTP
+      observability:
+        enabled: true
+    bedrock_agentcore:
+      agent_id: null
+`;
+
+describe('deployment_type mapping', () => {
+  const tempFiles: string[] = [];
+  afterEach(() => {
+    for (const f of tempFiles) cleanupTempFile(f);
+    tempFiles.length = 0;
+  });
+
+  it('container -> Container', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: container\n    runtime_type: PYTHON_3_12'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.build).toBe('Container');
+  });
+
+  it('direct_code_deploy -> CodeZip', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: direct_code_deploy\n    runtime_type: PYTHON_3_12'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.build).toBe('CodeZip');
+  });
+
+  it('missing -> Container (default)', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('runtime_type: PYTHON_3_12'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.build).toBe('Container');
+  });
+});
+
+describe('runtime_type handling', () => {
+  const tempFiles: string[] = [];
+  afterEach(() => {
+    for (const f of tempFiles) cleanupTempFile(f);
+    tempFiles.length = 0;
+  });
+
+  it('null -> PYTHON_3_12', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: container\n    runtime_type: null'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.runtimeVersion).toBe('PYTHON_3_12');
+  });
+
+  it('missing -> PYTHON_3_12', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: container'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.runtimeVersion).toBe('PYTHON_3_12');
+  });
+
+  it('PYTHON_3_13 -> PYTHON_3_13', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: container\n    runtime_type: PYTHON_3_13'));
+    tempFiles.push(f);
+    expect(parseStarterToolkitYaml(f).agents[0]!.runtimeVersion).toBe('PYTHON_3_13');
+  });
+
+  it('unrecognized -> PYTHON_3_12 (not python3.12)', () => {
+    const f = writeTempYaml(AGENT_YAML_TEMPLATE('deployment_type: container\n    runtime_type: some_unknown'));
+    tempFiles.push(f);
+    const rv = parseStarterToolkitYaml(f).agents[0]!.runtimeVersion;
+    expect(rv).toBe('PYTHON_3_12');
+    expect(rv).not.toBe('python3.12');
+  });
+});
+
+describe('RUNTIME_TYPE_MAP', () => {
+  it('maps known types', () => {
+    expect(RUNTIME_TYPE_MAP.PYTHON_3_10).toBe('PYTHON_3_10');
+    expect(RUNTIME_TYPE_MAP.PYTHON_3_11).toBe('PYTHON_3_11');
+    expect(RUNTIME_TYPE_MAP.PYTHON_3_12).toBe('PYTHON_3_12');
+    expect(RUNTIME_TYPE_MAP.PYTHON_3_13).toBe('PYTHON_3_13');
+  });
+
+  it('undefined for invalid keys', () => {
+    expect(RUNTIME_TYPE_MAP['null' as keyof typeof RUNTIME_TYPE_MAP]).toBeUndefined();
+    expect(RUNTIME_TYPE_MAP['undefined' as keyof typeof RUNTIME_TYPE_MAP]).toBeUndefined();
+    expect(RUNTIME_TYPE_MAP['python_3_12' as keyof typeof RUNTIME_TYPE_MAP]).toBeUndefined();
+  });
+});
+
+describe('full container agent parse', () => {
+  const tempFiles: string[] = [];
+  afterEach(() => {
+    for (const f of tempFiles) cleanupTempFile(f);
+    tempFiles.length = 0;
+  });
+
+  it('parses complete container agent with agent_id', () => {
+    const yaml = `
+default_agent: container_agent
+agents:
+  container_agent:
+    name: container_agent
+    entrypoint: main.py
+    deployment_type: container
+    runtime_type: null
+    language: python
+    aws:
+      account: '123456789012'
+      region: us-west-2
+      network_configuration:
+        network_mode: PUBLIC
+      protocol_configuration:
+        server_protocol: HTTP
+      observability:
+        enabled: true
+    bedrock_agentcore:
+      agent_id: abc123def456
+      agent_arn: arn:aws:bedrock-agentcore:us-west-2:123456789012:runtime/abc123def456
+`;
+    const f = writeTempYaml(yaml);
+    tempFiles.push(f);
+    const parsed = parseStarterToolkitYaml(f);
+    const agent = parsed.agents[0]!;
+    expect(agent.build).toBe('Container');
+    expect(agent.runtimeVersion).toBe('PYTHON_3_12');
+    expect(agent.physicalAgentId).toBe('abc123def456');
+    expect(parsed.awsTarget.account).toBe('123456789012');
+  });
+
+  it('parses container agent with VPC', () => {
+    const yaml = `
+default_agent: vpc_agent
+agents:
+  vpc_agent:
+    name: vpc_agent
+    entrypoint: main.py
+    deployment_type: container
+    runtime_type: null
+    aws:
+      account: '123456789012'
+      region: us-east-1
+      network_configuration:
+        network_mode: VPC
+        network_mode_config:
+          subnets:
+          - subnet-12345678
+          security_groups:
+          - sg-11112222
+      protocol_configuration:
+        server_protocol: MCP
+      observability:
+        enabled: false
+    bedrock_agentcore:
+      agent_id: null
+`;
+    const f = writeTempYaml(yaml);
+    tempFiles.push(f);
+    const agent = parseStarterToolkitYaml(f).agents[0]!;
+    expect(agent.build).toBe('Container');
+    expect(agent.networkMode).toBe('VPC');
+    expect(agent.networkConfig!.subnets).toContain('subnet-12345678');
+    expect(agent.protocol).toBe('MCP');
+    expect(agent.enableOtel).toBe(false);
+  });
+});
+
+describe('import template for container agents', () => {
+  it('buildImportTemplate sets DeletionPolicy: Retain', () => {
+    const deployed = {
+      AWSTemplateFormatVersion: '2010-09-09',
+      Resources: { Role: { Type: 'AWS::IAM::Role', Properties: {} } },
+    };
+    const synth = {
+      AWSTemplateFormatVersion: '2010-09-09',
+      Resources: {
+        Role: { Type: 'AWS::IAM::Role', Properties: {} },
+        RT: { Type: 'AWS::BedrockAgentCore::Runtime', Properties: { AgentRuntimeName: 'x' }, DependsOn: ['CR'] },
+        CR: { Type: 'AWS::CloudFormation::CustomResource', Properties: {} },
+      },
+    };
+    const result = buildImportTemplate(deployed, synth, ['RT']);
+    expect(result.Resources.RT).toBeDefined();
+    expect(result.Resources.RT!.DeletionPolicy).toBe('Retain');
+    expect(result.Resources.RT!.DependsOn).toBeUndefined();
+    expect(result.Resources.CR).toBeUndefined();
+  });
+
+  it('filterCompanionOnlyTemplate removes primary resources', () => {
+    const synth = {
+      AWSTemplateFormatVersion: '2010-09-09',
+      Resources: {
+        Role: { Type: 'AWS::IAM::Role', Properties: {} },
+        RT: { Type: 'AWS::BedrockAgentCore::Runtime', Properties: {} },
+        Lambda: { Type: 'AWS::Lambda::Function', Properties: {} },
+      },
+      Outputs: {
+        RTId: { Value: { 'Fn::GetAtt': ['RT', 'AgentRuntimeId'] } },
+        LambdaArn: { Value: { 'Fn::GetAtt': ['Lambda', 'Arn'] } },
+      },
+    };
+    const filtered = filterCompanionOnlyTemplate(synth);
+    expect(filtered.Resources.RT).toBeUndefined();
+    expect(filtered.Resources.Role).toBeDefined();
+    expect(filtered.Resources.Lambda).toBeDefined();
+    expect(filtered.Outputs!.RTId).toBeUndefined();
+    expect(filtered.Outputs!.LambdaArn).toBeDefined();
+  });
+});
+
+describe('container source code', () => {
+  let tempDir: string;
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test6-src-'));
+  });
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  it('may contain Dockerfile', () => {
+    fs.writeFileSync(path.join(tempDir, 'Dockerfile'), 'FROM python:3.12\n');
+    fs.writeFileSync(path.join(tempDir, 'main.py'), 'print("hi")');
+    expect(fs.readdirSync(tempDir)).toContain('Dockerfile');
+  });
+
+  it('may lack pyproject.toml', () => {
+    fs.writeFileSync(path.join(tempDir, 'Dockerfile'), 'FROM python:3.12\n');
+    expect(fs.existsSync(path.join(tempDir, 'pyproject.toml'))).toBe(false);
+  });
+});
+
+describe('defaults alignment', () => {
+  it('CLI default matches starter toolkit default', () => {
+    expect('container').toBe('container');
+  });
+});

src/cli/commands/import/__tests__/container-agent-import.test.ts

@@ -0,0 +1,39 @@
+{
+  "name": "MyProject",
+  "version": 1,
+  "agents": [
+    {
+      "type": "AgentCoreRuntime",
+      "name": "existing_agent",
+      "build": "CodeZip",
+      "entrypoint": "main.py",
+      "codeLocation": "app/existing_agent",
+      "runtimeVersion": "PYTHON_3_12",
+      "protocol": "HTTP",
+      "networkMode": "PUBLIC",
+      "instrumentation": {
+        "enableOtel": true
+      }
+    }
+  ],
+  "memories": [
+    {
+      "type": "AgentCoreMemory",
+      "name": "existing_agent_memory",
+      "eventExpiryDuration": 30,
+      "strategies": [
+        {
+          "type": "SEMANTIC"
+        }
+      ]
+    }
+  ],
+  "credentials": [
+    {
+      "type": "ApiKeyCredentialProvider",
+      "name": "my_api_key"
+    }
+  ],
+  "evaluators": [],
+  "onlineEvalConfigs": []
+}

src/cli/commands/import/__tests__/fixtures/cli-project-with-agent-and-memory.json

@@ -0,0 +1,28 @@
+default_agent: new_toolkit_agent
+agents:
+  new_toolkit_agent:
+    name: new_toolkit_agent
+    entrypoint: main.py
+    deployment_type: direct_code_deploy
+    runtime_type: PYTHON_3_12
+    source_path: null
+    aws:
+      account: '123456789012'
+      region: us-west-2
+      network_configuration:
+        network_mode: PUBLIC
+      protocol_configuration:
+        server_protocol: HTTP
+      observability:
+        enabled: true
+    bedrock_agentcore:
+      agent_id: AGENT_NEW_123
+      agent_arn: arn:aws:bedrock-agentcore:us-west-2:123456789012:runtime/AGENT_NEW_123
+      agent_session_id: null
+    memory:
+      mode: STM_AND_LTM
+      memory_id: MEM_NEW_456
+      memory_arn: arn:aws:bedrock-agentcore:us-west-2:123456789012:memory/MEM_NEW_456
+      memory_name: new_toolkit_memory
+      event_expiry_days: 60
+    api_key_credential_provider_name: new_api_key_cred