feat: enable CloudWatch Transaction Search on deploy

After a successful deploy with agents, the CLI now checks if CloudWatch
Application Signals (which powers Transaction Search) is enabled and
auto-enables it via StartDiscovery when --yes is passed. A console URL
is added to the next-steps output so users can view traces immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jesseturner21

package-lock.json

@@ -68,13 +68,15 @@
   },
   "dependencies": {
     "@aws-cdk/toolkit-lib": "^1.16.0",
+    "@aws-sdk/client-application-signals": "^3.1003.0",
     "@aws-sdk/client-bedrock-agentcore": "^3.893.0",
     "@aws-sdk/client-bedrock-agentcore-control": "^3.893.0",
     "@aws-sdk/client-bedrock-runtime": "^3.893.0",
     "@aws-sdk/client-cloudformation": "^3.893.0",
     "@aws-sdk/client-cloudwatch-logs": "^3.893.0",
     "@aws-sdk/client-resource-groups-tagging-api": "^3.893.0",
     "@aws-sdk/client-sts": "^3.893.0",
+    "@aws-sdk/client-xray": "^3.1003.0",
     "@aws-sdk/credential-providers": "^3.893.0",
     "@commander-js/extra-typings": "^14.0.0",
     "@smithy/shared-ini-file-loader": "^4.4.2",

package.json

@@ -14,6 +14,13 @@ export {
   type GetAgentRuntimeStatusOptions,
 } from './agentcore-control';
 export { streamLogs, searchLogs, type LogEvent, type StreamLogsOptions, type SearchLogsOptions } from './cloudwatch';
+export {
+  checkTransactionSearchEnabled,
+  enableTransactionSearch,
+  buildTransactionSearchConsoleUrl,
+  type TransactionSearchStatus,
+  type TransactionSearchEnableResult,
+} from './transaction-search';
 export {
   DEFAULT_RUNTIME_USER_ID,
   invokeAgentRuntime,

src/cli/aws/index.ts

@@ -0,0 +1,76 @@
+import { getCredentialProvider } from './account';
+import {
+  ApplicationSignalsClient,
+  StartDiscoveryCommand,
+} from '@aws-sdk/client-application-signals';
+import { GetGroupsCommand, XRayClient } from '@aws-sdk/client-xray';
+
+export interface TransactionSearchStatus {
+  enabled: boolean;
+  error?: string;
+}
+
+export interface TransactionSearchEnableResult {
+  success: boolean;
+  error?: string;
+}
+
+/**
+ * Check if CloudWatch Application Signals (which powers transaction search) is enabled
+ * by attempting to list X-Ray groups. If X-Ray is accessible, the account has tracing active.
+ * We also try StartDiscovery as an idempotent check — if it succeeds, it was either already
+ * enabled or is now enabled.
+ */
+export async function checkTransactionSearchEnabled(region: string): Promise<TransactionSearchStatus> {
+  try {
+    const xrayClient = new XRayClient({
+      region,
+      credentials: getCredentialProvider(),
+    });
+    await xrayClient.send(new GetGroupsCommand({}));
+    return { enabled: true };
+  } catch (err: unknown) {
+    const code = (err as { name?: string })?.name;
+    if (code === 'AccessDeniedException' || code === 'AccessDenied') {
+      return { enabled: false, error: 'Insufficient permissions to check X-Ray status' };
+    }
+    // If the call fails for other reasons, assume not enabled / unknown
+    return { enabled: false };
+  }
+}
+
+/**
+ * Enable CloudWatch Application Signals by calling StartDiscovery.
+ * This creates the AWSServiceRoleForCloudWatchApplicationSignals service-linked role
+ * and enables transaction search in the CloudWatch console.
+ *
+ * This is an idempotent operation — calling it when already enabled is a no-op.
+ */
+export async function enableTransactionSearch(region: string): Promise<TransactionSearchEnableResult> {
+  try {
+    const client = new ApplicationSignalsClient({
+      region,
+      credentials: getCredentialProvider(),
+    });
+    await client.send(new StartDiscoveryCommand({}));
+    return { success: true };
+  } catch (err: unknown) {
+    const code = (err as { name?: string })?.name;
+    const message = (err as { message?: string })?.message ?? 'Unknown error';
+
+    if (code === 'AccessDeniedException' || code === 'AccessDenied') {
+      return {
+        success: false,
+        error: `Insufficient IAM permissions to enable Application Signals. Required: application-signals:StartDiscovery. ${message}`,
+      };
+    }
+    return { success: false, error: `Failed to enable Application Signals: ${message}` };
+  }
+}
+
+/**
+ * Build a deep-link URL to the CloudWatch Transaction Search console page.
+ */
+export function buildTransactionSearchConsoleUrl(region: string): string {
+  return `https://${region}.console.aws.amazon.com/cloudwatch/home?region=${region}#xray:traces/query`;
+}

src/cli/aws/transaction-search.ts

@@ -22,6 +22,7 @@ import {
   performStackTeardown,
   setupApiKeyProviders,
   setupOAuth2Providers,
+  setupTransactionSearch,
   synthesizeCdk,
   validateProject,
 } from '../../operations/deploy';
@@ -415,6 +416,32 @@ export async function handleDeploy(options: ValidatedDeployOptions): Promise<Dep
 
     endStep('success');
 
+    // Post-deploy: Enable CloudWatch Transaction Search (non-blocking)
+    const nextSteps = agentNames.length > 0 ? [...AGENT_NEXT_STEPS] : [...MEMORY_ONLY_NEXT_STEPS];
+    if (agentNames.length > 0) {
+      try {
+        startStep('Enable transaction search');
+        const tsResult = await setupTransactionSearch({
+          region: target.region,
+          agentNames,
+          autoConfirm: options.autoConfirm,
+        });
+        if (tsResult.error) {
+          logger.log(`Transaction search setup warning: ${tsResult.error}`, 'warn');
+        }
+        if (tsResult.consoleUrl) {
+          nextSteps.push(`View traces: ${tsResult.consoleUrl}`);
+        }
+        if (tsResult.skipped) {
+          logger.log('Transaction search setup skipped (use --yes to auto-enable)', 'info');
+        }
+        endStep('success');
+      } catch (err: unknown) {
+        logger.log(`Transaction search setup failed: ${getErrorMessage(err)}`, 'warn');
+        endStep('success'); // Non-blocking: don't mark as error
+      }
+    }
+
     logger.finalize(true);
 
     return {
@@ -423,7 +450,7 @@ export async function handleDeploy(options: ValidatedDeployOptions): Promise<Dep
       stackName,
       outputs,
       logPath: logger.getRelativeLogPath(),
-      nextSteps: agentNames.length > 0 ? AGENT_NEXT_STEPS : MEMORY_ONLY_NEXT_STEPS,
+      nextSteps,
     };
   } catch (err: unknown) {
     logger.log(getErrorMessage(err), 'error');

src/cli/commands/deploy/actions.ts

@@ -42,6 +42,13 @@ export {
   type StackTeardownResult,
 } from './teardown';
 
+// Post-deploy observability setup
+export {
+  setupTransactionSearch,
+  type TransactionSearchSetupOptions,
+  type TransactionSearchSetupResult,
+} from './post-deploy-observability';
+
 // Re-export external requirements for convenience
 export {
   checkDependencyVersions,

src/cli/operations/deploy/index.ts

@@ -0,0 +1,70 @@
+import {
+  buildTransactionSearchConsoleUrl,
+  checkTransactionSearchEnabled,
+  enableTransactionSearch,
+} from '../../aws/transaction-search';
+
+export interface TransactionSearchSetupOptions {
+  region: string;
+  agentNames: string[];
+  autoConfirm?: boolean;
+}
+
+export interface TransactionSearchSetupResult {
+  success: boolean;
+  enabled: boolean;
+  skipped: boolean;
+  consoleUrl?: string;
+  error?: string;
+}
+
+/**
+ * Post-deploy step: check if CloudWatch Transaction Search is enabled, and enable it if not.
+ * This is a non-blocking best-effort operation — failures do not fail the deploy.
+ */
+export async function setupTransactionSearch(
+  options: TransactionSearchSetupOptions
+): Promise<TransactionSearchSetupResult> {
+  const { region, agentNames, autoConfirm } = options;
+
+  if (agentNames.length === 0) {
+    return { success: true, enabled: false, skipped: true };
+  }
+
+  // Check current status
+  const status = await checkTransactionSearchEnabled(region);
+
+  if (status.enabled) {
+    return {
+      success: true,
+      enabled: true,
+      skipped: false,
+      consoleUrl: buildTransactionSearchConsoleUrl(region),
+    };
+  }
+
+  // Not enabled — attempt to enable if autoConfirm is set
+  // In the CLI (non-TUI) path, autoConfirm corresponds to --yes flag
+  // In the TUI path, we always attempt since the user has already confirmed deploy
+  if (!autoConfirm) {
+    return { success: true, enabled: false, skipped: true };
+  }
+
+  const enableResult = await enableTransactionSearch(region);
+
+  if (!enableResult.success) {
+    return {
+      success: false,
+      enabled: false,
+      skipped: false,
+      error: enableResult.error,
+    };
+  }
+
+  return {
+    success: true,
+    enabled: true,
+    skipped: false,
+    consoleUrl: buildTransactionSearchConsoleUrl(region),
+  };
+}

src/cli/operations/deploy/post-deploy-observability.ts

@@ -9,7 +9,7 @@ import {
 } from '../../../cloudformation';
 import { getErrorMessage, isChangesetInProgressError, isExpiredTokenError } from '../../../errors';
 import { ExecLogger } from '../../../logging';
-import { performStackTeardown } from '../../../operations/deploy';
+import { performStackTeardown, setupTransactionSearch } from '../../../operations/deploy';
 import { getGatewayTargetStatuses } from '../../../operations/deploy/gateway-status';
 import {
   type StackDiffSummary,
@@ -372,6 +372,28 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
             const message = error instanceof Error ? error.message : 'Unknown error';
             logger.log(`Failed to persist deployed state: ${message}`, 'warn');
           }
+
+          // Post-deploy: Enable CloudWatch Transaction Search (non-blocking)
+          const agentNames = context?.projectSpec.agents?.map((a: { name: string }) => a.name) ?? [];
+          const targetRegion = context?.awsTargets[0]?.region;
+          if (agentNames.length > 0 && targetRegion) {
+            try {
+              const tsResult = await setupTransactionSearch({
+                region: targetRegion,
+                agentNames,
+                autoConfirm: true,
+              });
+              if (tsResult.error) {
+                logger.log(`Transaction search setup warning: ${tsResult.error}`, 'warn');
+              }
+              if (tsResult.consoleUrl) {
+                logger.log(`Transaction search enabled: ${tsResult.consoleUrl}`);
+              }
+            } catch (error) {
+              const message = error instanceof Error ? error.message : 'Unknown error';
+              logger.log(`Transaction search setup failed: ${message}`, 'warn');
+            }
+          }
         }
 
         logger.endStep('success');
@@ -433,6 +455,7 @@ export function useDeployFlow(options: DeployFlowOptions = {}): DeployFlowState
     switchableIoHost,
     context?.isTeardownDeploy,
     context?.awsTargets,
+    context?.projectSpec.agents,
     diffMode,
   ]);
 

src/cli/tui/screens/deploy/useDeployFlow.ts

@@ -119,6 +119,16 @@ export const CredentialDeployedStateSchema = z.object({
 
 export type CredentialDeployedState = z.infer<typeof CredentialDeployedStateSchema>;
 
+// ============================================================================
+// Observability State
+// ============================================================================
+
+export const ObservabilityStateSchema = z.object({
+  transactionSearchEnabled: z.boolean(),
+});
+
+export type ObservabilityState = z.infer<typeof ObservabilityStateSchema>;
+
 // ============================================================================
 // Deployed Resource State
 // ============================================================================
@@ -131,6 +141,7 @@ export const DeployedResourceStateSchema = z.object({
   credentials: z.record(z.string(), CredentialDeployedStateSchema).optional(),
   stackName: z.string().optional(),
   identityKmsKeyArn: z.string().optional(),
+  observability: ObservabilityStateSchema.optional(),
 });
 
 export type DeployedResourceState = z.infer<typeof DeployedResourceStateSchema>;