feat: smart credential detection for multi-agent projects

- Add resolveCredentialStrategy() to detect same vs different API keys
- Same key reuses project-scoped credential, different key creates agent-scoped
- Clean up agent-scoped credentials on agent removal
- Fix deploy flow: always update credentials on deploy (not just manual entry)
- Add getAllCredentials() for credential prompt, updateApiKeyProvider() for updates
- Fix double-execution bugs in useCdkPreflight and CredentialSourcePrompt
- Add unit and integration tests

Author: aidandaly24

src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap

@@ -2606,7 +2606,7 @@ exports[`Assets Directory Snapshots > Python framework assets > python/python/st
 "import os
 from typing import Optional
 
-from bedrock_agentcore.memory.integrations.strands.config import AgentCoreMemoryConfig, RetrievalConfig
+from bedrock_agentcore.memory.integrations.strands.config import AgentCoreMemoryConfig{{#if memoryProviders.[0].strategies.length}}, RetrievalConfig{{/if}}
 from bedrock_agentcore.memory.integrations.strands.session_manager import AgentCoreMemorySessionManager
 
 MEMORY_ID = os.getenv("{{memoryProviders.[0].envVarName}}")
@@ -2616,16 +2616,28 @@ def get_memory_session_manager(session_id: str, actor_id: str) -> Optional[Agent
     if not MEMORY_ID:
         return None
 
+{{#if memoryProviders.[0].strategies.length}}
+    retrieval_config = {
+{{#if (includes memoryProviders.[0].strategies "SEMANTIC")}}
+        f"/users/{actor_id}/facts": RetrievalConfig(top_k=3, relevance_score=0.5),
+{{/if}}
+{{#if (includes memoryProviders.[0].strategies "USER_PREFERENCE")}}
+        f"/users/{actor_id}/preferences": RetrievalConfig(top_k=3, relevance_score=0.5),
+{{/if}}
+{{#if (includes memoryProviders.[0].strategies "SUMMARIZATION")}}
+        f"/summaries/{actor_id}/{session_id}": RetrievalConfig(top_k=3, relevance_score=0.5),
+{{/if}}
+    }
+{{/if}}
+
     return AgentCoreMemorySessionManager(
         AgentCoreMemoryConfig(
             memory_id=MEMORY_ID,
             session_id=session_id,
             actor_id=actor_id,
-            retrieval_config={
-                f"/users/{actor_id}/facts": RetrievalConfig(top_k=3, relevance_score=0.5),
-                f"/users/{actor_id}/preferences": RetrievalConfig(top_k=3, relevance_score=0.5),
-                f"/summaries/{actor_id}/{session_id}": RetrievalConfig(top_k=3, relevance_score=0.5),
-            }
+{{#if memoryProviders.[0].strategies.length}}
+            retrieval_config=retrieval_config,
+{{/if}}
         ),
         REGION
     )

src/cli/commands/add/__tests__/multi-agent-credentials.test.ts

@@ -0,0 +1,281 @@
+/* eslint-disable security/detect-non-literal-fs-filename */
+import { runCLI } from '../../../../test-utils/index.js';
+import { randomUUID } from 'node:crypto';
+import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterAll, beforeAll, describe, expect, it } from 'vitest';
+
+/**
+ * Integration tests for multi-agent credential behavior (Option C).
+ *
+ * Tests the smart credential detection:
+ * - Same API key → reuse existing project-scoped credential
+ * - Different API key → create agent-scoped credential
+ * - Remove agent → clean up agent-scoped credentials
+ */
+describe('multi-agent credential behavior', () => {
+  let testDir: string;
+  let projectDir: string;
+  const projectName = 'MultiAgentProj';
+
+  beforeAll(async () => {
+    testDir = join(tmpdir(), `agentcore-multi-agent-cred-${randomUUID()}`);
+    await mkdir(testDir, { recursive: true });
+
+    // Create project without agent
+    const result = await runCLI(['create', '--name', projectName, '--no-agent'], testDir);
+    if (result.exitCode !== 0) {
+      throw new Error(`Failed to create project: ${result.stdout} ${result.stderr}`);
+    }
+    projectDir = join(testDir, projectName);
+  });
+
+  afterAll(async () => {
+    await rm(testDir, { recursive: true, force: true });
+  });
+
+  async function readProjectSpec() {
+    const content = await readFile(join(projectDir, 'agentcore/agentcore.json'), 'utf-8');
+    return JSON.parse(content);
+  }
+
+  async function readEnvLocal() {
+    try {
+      return await readFile(join(projectDir, 'agentcore/.env.local'), 'utf-8');
+    } catch {
+      return '';
+    }
+  }
+
+  describe('credential reuse with same API key', () => {
+    it('first agent creates project-scoped credential', async () => {
+      const result = await runCLI(
+        [
+          'add',
+          'agent',
+          '--name',
+          'Agent1',
+          '--language',
+          'Python',
+          '--framework',
+          'Strands',
+          '--model-provider',
+          'Gemini',
+          '--api-key',
+          'KEY1',
+          '--memory',
+          'none',
+          '--json',
+        ],
+        projectDir
+      );
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      expect(spec.credentials).toHaveLength(1);
+      expect(spec.credentials[0].name).toBe(`${projectName}Gemini`);
+
+      const env = await readEnvLocal();
+      expect(env).toContain('AGENTCORE_CREDENTIAL_MULTIAGENTPROJGEMINI=');
+      expect(env).toContain('KEY1');
+    });
+
+    it('second agent with same key reuses credential (no duplicate)', async () => {
+      const result = await runCLI(
+        [
+          'add',
+          'agent',
+          '--name',
+          'Agent2',
+          '--language',
+          'Python',
+          '--framework',
+          'Strands',
+          '--model-provider',
+          'Gemini',
+          '--api-key',
+          'KEY1',
+          '--memory',
+          'none',
+          '--json',
+        ],
+        projectDir
+      );
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Should still have only 1 credential (reused)
+      expect(spec.credentials).toHaveLength(1);
+      expect(spec.credentials[0].name).toBe(`${projectName}Gemini`);
+
+      // Should have 2 agents
+      expect(spec.agents).toHaveLength(2);
+    });
+  });
+
+  describe('agent-scoped credential with different API key', () => {
+    it('third agent with different key creates agent-scoped credential', async () => {
+      const result = await runCLI(
+        [
+          'add',
+          'agent',
+          '--name',
+          'Agent3',
+          '--language',
+          'Python',
+          '--framework',
+          'Strands',
+          '--model-provider',
+          'Gemini',
+          '--api-key',
+          'KEY2',
+          '--memory',
+          'none',
+          '--json',
+        ],
+        projectDir
+      );
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Should now have 2 credentials
+      expect(spec.credentials).toHaveLength(2);
+
+      const credNames = spec.credentials.map((c: { name: string }) => c.name);
+      expect(credNames).toContain(`${projectName}Gemini`);
+      expect(credNames).toContain(`${projectName}Agent3Gemini`);
+
+      // Should have 3 agents
+      expect(spec.agents).toHaveLength(3);
+
+      // .env.local should have both keys
+      const env = await readEnvLocal();
+      expect(env).toContain('AGENTCORE_CREDENTIAL_MULTIAGENTPROJGEMINI=');
+      expect(env).toContain('KEY1');
+      expect(env).toContain('AGENTCORE_CREDENTIAL_MULTIAGENTPROJAGENT3GEMINI=');
+      expect(env).toContain('KEY2');
+
+      // Generated code should reference correct credentials
+      const agent1Code = await readFile(join(projectDir, 'app/Agent1/model/load.py'), 'utf-8');
+      expect(agent1Code).toContain(`IDENTITY_PROVIDER_NAME = "${projectName}Gemini"`);
+
+      const agent3Code = await readFile(join(projectDir, 'app/Agent3/model/load.py'), 'utf-8');
+      expect(agent3Code).toContain(`IDENTITY_PROVIDER_NAME = "${projectName}Agent3Gemini"`);
+    });
+  });
+
+  describe('credential cleanup on agent removal', () => {
+    it('removing agent with agent-scoped credential cleans up credential', async () => {
+      const result = await runCLI(['remove', 'agent', '--name', 'Agent3', '--json'], projectDir);
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Should be back to 1 credential (agent-scoped removed)
+      expect(spec.credentials).toHaveLength(1);
+      expect(spec.credentials[0].name).toBe(`${projectName}Gemini`);
+
+      // Should have 2 agents
+      expect(spec.agents).toHaveLength(2);
+    });
+
+    it('removing agent with shared credential does NOT remove credential', async () => {
+      // Remove Agent2 (uses shared project-scoped credential)
+      const result = await runCLI(['remove', 'agent', '--name', 'Agent2', '--json'], projectDir);
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Credential should still exist (shared with Agent1)
+      expect(spec.credentials).toHaveLength(1);
+      expect(spec.credentials[0].name).toBe(`${projectName}Gemini`);
+
+      // Should have 1 agent
+      expect(spec.agents).toHaveLength(1);
+    });
+  });
+
+  describe('BYO (bring-your-own) agent path', () => {
+    it('BYO agent with same key reuses credential', async () => {
+      // Create a code directory for BYO agent
+      const byoDir = join(projectDir, 'app/ByoAgent');
+      await mkdir(byoDir, { recursive: true });
+      await writeFile(join(byoDir, 'main.py'), '# BYO agent');
+
+      const result = await runCLI(
+        [
+          'add',
+          'agent',
+          '--name',
+          'ByoAgent',
+          '--type',
+          'byo',
+          '--language',
+          'Python',
+          '--framework',
+          'Strands',
+          '--code-location',
+          'app/ByoAgent/',
+          '--model-provider',
+          'Gemini',
+          '--api-key',
+          'KEY1',
+          '--json',
+        ],
+        projectDir
+      );
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Should still have only 1 credential (reused)
+      expect(spec.credentials).toHaveLength(1);
+      expect(spec.credentials[0].name).toBe(`${projectName}Gemini`);
+
+      // Should have 2 agents now
+      expect(spec.agents).toHaveLength(2);
+    });
+
+    it('BYO agent with different key creates agent-scoped credential', async () => {
+      const byoDir2 = join(projectDir, 'app/ByoAgent2');
+      await mkdir(byoDir2, { recursive: true });
+      await writeFile(join(byoDir2, 'main.py'), '# BYO agent 2');
+
+      const result = await runCLI(
+        [
+          'add',
+          'agent',
+          '--name',
+          'ByoAgent2',
+          '--type',
+          'byo',
+          '--language',
+          'Python',
+          '--framework',
+          'Strands',
+          '--code-location',
+          'app/ByoAgent2/',
+          '--model-provider',
+          'Gemini',
+          '--api-key',
+          'DIFFERENT_KEY',
+          '--json',
+        ],
+        projectDir
+      );
+
+      expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
+
+      const spec = await readProjectSpec();
+      // Should have 2 credentials now
+      expect(spec.credentials).toHaveLength(2);
+      const credNames = spec.credentials.map((c: { name: string }) => c.name);
+      expect(credNames).toContain(`${projectName}Gemini`);
+      expect(credNames).toContain(`${projectName}ByoAgent2Gemini`);
+    });
+  });
+});