Skip to content

Commit 8ea3afb

Browse files
github-actions[bot]jesseturner21jariy17avi-alpertnotgitika
authored
🔀 [Sync Conflict] Merge public/main → main (#165)
* feat: add GitHub Action for automated PR review via AgentCore Harness (#934) * feat: add GitHub Action for automated PR review via AgentCore Harness Adds a workflow that reviews PRs using Bedrock AgentCore Harness. The harness runs an AI agent in an isolated microVM with gh, git, and pre-cloned repos that fetches PR diffs and posts review comments. Workflow: - Triggers on PR open/reopen for agentcore-cli-devs team members - Supports manual workflow_dispatch for any PR URL - Adds/removes ai-reviewing label during review - Authenticates via GitHub OIDC to assume AWS role Files: - .github/workflows/pr-ai-review.yml — main workflow - .github/scripts/python/harness_review.py — harness invocation script - .github/scripts/python/harness_config.py — config from env vars - .github/scripts/models/ — local boto3 service model (InvokeHarness not yet in standard boto3) Required secrets: - HARNESS_AWS_ROLE_ARN — IAM role ARN for OIDC - HARNESS_ACCOUNT_ID — AWS account ID - HARNESS_ID — Harness ID * refactor: replace local service model with raw HTTP + SigV4 signing Eliminates the 220KB bundled service model by using direct HTTP requests with SigV4 authentication to invoke the harness endpoint. No extra dependencies needed — urllib3, SigV4Auth, and EventStreamBuffer are all part of botocore/boto3. Rejected: invoke_agent_runtime API | server rejects harness ARNs with ResourceNotFoundException Confidence: high Scope-risk: moderate * refactor: inline harness config into review script Remove separate harness_config.py — env vars are read directly in harness_review.py. One less file to maintain, config is still driven entirely by environment variables set in the GitHub workflow. * refactor: extract invoke_harness helper for cleaner main flow * refactor: simplify config and improve script readability - Replace HARNESS_ACCOUNT_ID + HARNESS_ID with single HARNESS_ARN env var - Extract prompts into separate .md files in .github/scripts/prompts/ - Extract stream parsing into print_stream() function - Add close_group() helper to deduplicate ::group:: bookkeeping * refactor: separate event parsing from display logic Extract parse_events() generator to handle binary stream decoding, keeping print_stream() focused on formatting and log groups. * docs: add explanatory comments to harness review functions * refactor: derive region from HARNESS_ARN instead of separate env var Eliminates HARNESS_REGION env var — the region is extracted from the ARN directly, so there's no risk of a mismatch causing confusing SigV4 auth errors. * chore: rename label to agentcore-harness-reviewing * refactor: move auth check to job level so entire review is skipped early Split into authorize + ai-review jobs. The ai-review job only runs if the PR author is authorized (team member or write access) or if triggered via workflow_dispatch. Removes repeated if conditions from every step. * chore: exclude AI prompt templates from prettier Prompt markdown files use intentional formatting that prettier would reflow, breaking the prompt structure. * fix: buffer streaming text to avoid per-token log lines in GitHub Actions (#946) Each text delta from the harness was printed individually with flush, creating a separate log line per token. Now text is buffered and flushed as complete lines at block boundaries. * fix: allow code-based evaluators in online eval configs (#947) * fix: allow code-based evaluators in online eval configs Remove restrictions that blocked code-based evaluators from being used in online evaluation configs. The service now supports code-based evaluators for online evaluation. Changes: - Remove code-based evaluator block in OnlineEvalConfigPrimitive - Remove code-based evaluator validation in schema superRefine - Remove code-based evaluator filter in TUI evaluator picker * style: fix prettier formatting * fix: add TTY detection before TUI fallbacks to prevent agent/CI hangs (#949) * fix: add TTY detection before TUI fallbacks to prevent agent/CI hangs When commands are invoked without flags in non-interactive environments (CI, piped stdin, agent automation), the CLI falls through to Ink TUI rendering which hangs indefinitely. Add a requireTTY() guard at every TUI entry point that checks process.stdout.isTTY and exits with a helpful error message directing users to --help for non-interactive flags. Closes #685 * fix: check both stdin and stdout isTTY in requireTTY guard The hang from #685 is caused by stdin not being a TTY (Ink reads keyboard input from stdin), not stdout. Check both stdin and stdout so the guard fires for piped stdin, redirected stdout, and CI environments where both are non-TTY. * fix: agentcore dev not working in windows (#951) * fix: use pull_request_target for fork PR support (#958) * fix: make label step non-blocking for fork PRs Fork PRs get read-only GITHUB_TOKEN regardless of workflow permissions, causing the addLabels API call to fail with 403. This crashed the entire job before the review could run. continue-on-error lets the review proceed even when labeling fails. * fix: use pull_request_target for full write access on fork PRs pull_request gives a read-only GITHUB_TOKEN for fork PRs, preventing labels and secrets from working. pull_request_target runs in the base repo context with full permissions. This is safe because we never check out or execute fork code — the harness fetches the PR diff via the GitHub API. * fix: lower eventExpiryDuration minimum from 7 to 3 days (closes #744) (#956) The AWS CreateMemory API allows a minimum of 3 days, but the CLI schema was rejecting values below 7. Update the Zod schema, LLM compacted types, import clamping logic, and all related tests. * fix: display session ID after CLI invoke completes (#957) * fix: display session ID after CLI invoke completes (closes #664) The streaming and non-streaming invoke responses include a session ID from the runtime, but the CLI paths discarded it. Now prints the session ID and a resume command hint after invoke output. * fix: include sessionId in AGUI protocol invoke result * test: add browser tests for agent inspector (#938) * feat: add telemetry schemas and client (#941) * chore: bump version to 0.11.0 (#967) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(invoke): auto-generate session ID for bearer-token invocations (#953) Closes #840 When invoking an agent with a bearer token (OAuth/CUSTOM_JWT) and no session ID, `AgentCoreMemoryConfig` raised a Pydantic validation error because `session_id=None` is rejected. Unlike SigV4 callers, bearer-token callers do not get a server-side auto-generated runtime session ID. Two-layer fix: 1. CLI synthesizes a UUID in `invoke` action when `--bearer-token` is set and `--session-id` is missing, using the existing `generateSessionId` helper. Covers both explicit `--bearer-token` and the CUSTOM_JWT auto-fetch path. 2. Strands memory session templates (http, agui, a2a) synthesize a UUID when `session_id` is falsy before constructing AgentCoreMemoryConfig. Protects direct runtime callers (curl, custom apps) who forget the `X-Amzn-Bedrock-AgentCore-Runtime-Session-Id` header. Snapshot tests updated. * fix: show 'Computing diff changes...' step during deploy diff phase (#952) The deploy TUI appeared frozen for 5-15 seconds between preflight completion and 'Publish assets' while cdkToolkitWrapper.diff() ran silently with no step marked as running. Add a dedicated pre-deploy diff step that transitions running -> success around the diff call so StepProgress always has something to highlight. Closes #781 * test: split browser tests into its own job, fix logs path (#975) * feat(invoke): add --prompt-file and stdin support for long prompts (#974) * feat(invoke): add --prompt-file and stdin support for long prompts Long prompts hit shell argument limits (E2BIG, typically 128KB-2MB) when passed as positional args. This adds two new sources: - --prompt-file <path>: read prompt from a file - piped stdin: when no prompt is given and stdin is not a TTY, read the prompt from stdin Precedence is hybrid and backward-compatible: --prompt > positional > --prompt-file > stdin --prompt-file combined with piped stdin content returns an explicit collision error rather than silently picking one. Closes #686 * docs(invoke): document --prompt-file and stdin support * fix(import): remove experimental warning from import command (#977) The import feature has stabilized and no longer needs the experimental label. * fix: duplicate header flash and help menu truncation (closes #895, closes #637) (#955) - Return null during brief transitional phases to prevent Ink from rendering a header that gets immediately replaced by a different frame - Consolidate CreateScreen phases into a single Screen mount - Make help menu description width responsive to terminal size - Remove hardcoded 50-char description truncation limit * test: configure git in browser tests workflow (#976) * feat: add project-name option to create (#969) * Add project-name option to create * fix: address review feedback — restore name description and move backfill logic * ci: bump the github-actions group across 1 directory with 4 updates (#964) Bumps the github-actions group with 4 updates in the / directory: [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials), [actions/github-script](https://github.com/actions/github-script), [softprops/action-gh-release](https://github.com/softprops/action-gh-release) and [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action). Updates `aws-actions/configure-aws-credentials` from 5 to 6 - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v5...v6) Updates `actions/github-script` from 8 to 9 - [Commits](https://github.com/actions/github-script/compare/v8...v9) Updates `softprops/action-gh-release` from 2 to 3 - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/v2...v3) Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.2 - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/slackapi/slack-github-action/compare/v3.0.1...v3.0.2) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: aws-actions/configure-aws-credentials dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: slackapi/slack-github-action dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: softprops/action-gh-release dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump aws-cdk-lib (#962) Bumps the aws-cdk group with 1 update in the / directory: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib). Updates `aws-cdk-lib` from 2.248.0 to 2.250.0 - [Release notes](https://github.com/aws/aws-cdk/releases) - [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md) - [Commits](https://github.com/aws/aws-cdk/commits/v2.250.0/packages/aws-cdk-lib) --- updated-dependencies: - dependency-name: aws-cdk-lib dependency-version: 2.250.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: aws-cdk ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump postcss from 8.5.8 to 8.5.10 (#961) Bumps [postcss](https://github.com/postcss/postcss) from 8.5.8 to 8.5.10. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.8...8.5.10) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump secretlint from 11.4.1 to 12.2.0 (#916) Bumps [secretlint](https://github.com/secretlint/secretlint) from 11.4.1 to 12.2.0. - [Release notes](https://github.com/secretlint/secretlint/releases) - [Commits](https://github.com/secretlint/secretlint/compare/v11.4.1...v12.2.0) --- updated-dependencies: - dependency-name: secretlint dependency-version: 12.2.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @vitest/coverage-v8 from 4.1.2 to 4.1.5 (#915) Bumps [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) from 4.1.2 to 4.1.5. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/coverage-v8) --- updated-dependencies: - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @secretlint/secretlint-rule-preset-recommend (#914) Bumps [@secretlint/secretlint-rule-preset-recommend](https://github.com/secretlint/secretlint) from 11.4.1 to 12.2.0. - [Release notes](https://github.com/secretlint/secretlint/releases) - [Commits](https://github.com/secretlint/secretlint/compare/v11.4.1...v12.2.0) --- updated-dependencies: - dependency-name: "@secretlint/secretlint-rule-preset-recommend" dependency-version: 12.2.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the aws-sdk group across 1 directory with 14 updates (#912) Bumps the aws-sdk group with 14 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@aws-sdk/client-application-signals](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-application-signals) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-bedrock](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-bedrock-agent](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agent) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-bedrock-agentcore](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agentcore) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-bedrock-agentcore-control](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agentcore-control) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-bedrock-runtime](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-runtime) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-cloudformation](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cloudformation) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-cloudwatch-logs](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cloudwatch-logs) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-resource-groups-tagging-api](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-resource-groups-tagging-api) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-sts](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-sts) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-xray](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-xray) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/credential-providers](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/credential-providers) | `3.1036.0` | `3.1037.0` | | [@aws-sdk/client-cognito-identity-provider](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cognito-identity-provider) | `3.1036.0` | `3.1037.0` | Updates `@aws-sdk/client-application-signals` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-application-signals/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-application-signals) Updates `@aws-sdk/client-bedrock` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-bedrock) Updates `@aws-sdk/client-bedrock-agent` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agent/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-bedrock-agent) Updates `@aws-sdk/client-bedrock-agentcore` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agentcore/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-bedrock-agentcore) Updates `@aws-sdk/client-bedrock-agentcore-control` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agentcore-control/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-bedrock-agentcore-control) Updates `@aws-sdk/client-bedrock-runtime` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-runtime/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-bedrock-runtime) Updates `@aws-sdk/client-cloudformation` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cloudformation/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-cloudformation) Updates `@aws-sdk/client-cloudwatch-logs` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cloudwatch-logs/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-cloudwatch-logs) Updates `@aws-sdk/client-resource-groups-tagging-api` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-resource-groups-tagging-api/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-resource-groups-tagging-api) Updates `@aws-sdk/client-s3` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-s3) Updates `@aws-sdk/client-sts` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-sts/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-sts) Updates `@aws-sdk/client-xray` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-xray/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-xray) Updates `@aws-sdk/credential-providers` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-providers/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/packages/credential-providers) Updates `@aws-sdk/client-cognito-identity-provider` from 3.1036.0 to 3.1037.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cognito-identity-provider/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1037.0/clients/client-cognito-identity-provider) --- updated-dependencies: - dependency-name: "@aws-sdk/client-application-signals" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agent" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agentcore" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agentcore-control" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-runtime" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cloudformation" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cloudwatch-logs" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cognito-identity-provider" dependency-version: 3.1034.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-resource-groups-tagging-api" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-sts" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-xray" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/credential-providers" dependency-version: 3.1034.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump hono from 4.12.12 to 4.12.14 (#868) Bumps [hono](https://github.com/honojs/hono) from 4.12.12 to 4.12.14. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](https://github.com/honojs/hono/compare/v4.12.12...v4.12.14) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.14 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump esbuild from 0.27.4 to 0.28.0 (#862) Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.4 to 0.28.0. - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.27.4...v0.28.0) --- updated-dependencies: - dependency-name: esbuild dependency-version: 0.28.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * test: speed up CI and fix mock cleanup gaps (#989) * test: speed up CI and fix mock cleanup gaps - Node 20 only on PRs (full matrix on main) - 3-way vitest sharding for unit tests with blob report merging - Pre-bundle heavy deps (AWS SDK, Smithy, zod, commander) via deps.optimizer - Exclude tui-harness from unit test project (not production code) - Add afterEach(vi.restoreAllMocks) to 3 files with mock cleanup gaps - Move inline consoleSpy.mockRestore() to afterEach in logs-eval tests - Skip PTY tests when node-pty spawn is unavailable * style: fix prettier formatting in build-and-test.yml * fix: enable include-hidden-files for blob artifact upload upload-artifact@v7 defaults include-hidden-files to false, which skips the .vitest-reports directory. Also fail loudly if no files found. * feat: runtime endpoint support in AgentCore CLI (#979) * feat: add runtime endpoint support to AgentCore CLI - Schema: endpoints field on AgentEnvSpec, runtimeVersion in deployed state - Primitive: RuntimeEndpointPrimitive with add/remove/preview - TUI: Add and Remove flows with multi-field form - Status: endpoints nested under agents with deployment badges - Deploy: parseRuntimeEndpointOutputs + buildDeployedState pipeline * fix: correct output key prefix for runtime endpoint parsing The CFN output keys include the AgentEnvironment construct prefix (Agent{PascalName}) which was missing from the parser pattern. * fix: remove .omc state files and unused useCallback import - Remove .omc/ from git tracking, add to .gitignore - Remove unused useCallback import in AddRuntimeEndpointScreen.tsx * fix: shorten runtime endpoint description to prevent TUI overflow The description "Named endpoint (version alias) for a runtime" was too long and wrapped to the next line in the Add Resource menu. Shortened to "Named endpoint for a runtime". * fix: validate runtime endpoint version is a positive integer - Add explicit Number.isInteger check before schema validation - Change Commander parser from parseInt to Number so floats like 3.5 are caught instead of silently truncated * fix: use agent/endpoint composite key to prevent React key collision Endpoint names can collide across runtimes (e.g., both have "prod"). Changed React key from epName to agent.name/epName to prevent duplicate key warnings that pollute the TUI viewport. * fix: render runtime endpoints in status --type runtime-endpoint When filtering by --type runtime-endpoint, agents array is empty so the agents section (which nests endpoints) never renders. Added a standalone Runtime Endpoints section that shows when endpoints exist but agents don't (i.e., when type-filtering). * fix: add runtime-endpoint to status --help --type documentation The --type option help text was missing runtime-endpoint from the list of valid resource types. * fix: return richer JSON response from add runtime-endpoint add now returns { success, endpointName, agent, version } instead of sparse { success: true }, matching the richer response shape from remove runtime-endpoint. * fix: validate endpoint version against deployed runtime version - TUI: show "Current deployed version: N" and valid range (1-N) - TUI: reject version exceeding latest deployed version - CLI: check deployed-state.json for max version, reject if exceeded - If runtime not deployed, only positive integer check applies * chore: remove planning and bug bash docs from PR * fix: use composite key and parentName for endpoint identification - Add parentName field to ResourceStatusEntry for structured parent linking - Use runtimeName/endpointName composite key in remove/preview/getRemovable - Status command filters endpoints by parentName instead of parsing detail string - React keys use structured parentName/name instead of display strings * test: add comprehensive unit tests for RuntimeEndpointPrimitive 23 tests covering add(), remove(), previewRemove(), getRemovable(): - Runtime lookup, duplicate detection, version validation - Composite key removal targeting correct runtime - Empty endpoints dict cleanup - Version validation against deployed state - Richer JSON response shape * fix: remove dead findGatewayTargetReferences stub * fix: use BasePrimitive configIO instead of ad-hoc ConfigIO in add() * fix: use Number() instead of parseInt in TUI version validation * chore: fix prettier formatting * fix: use T[] instead of Array<T> to satisfy eslint array-type rule * feat: add gateway import command with executionRoleArn support (#855) * feat: add gateway import command and unhide import from TUI Add `agentcore import gateway --arn <arn>` to import existing AWS gateways (with all targets) into a local CLI project. Also remove import from the HIDDEN_FROM_TUI list so it appears in the interactive TUI. - Add AWS SDK wrappers for gateway/target list/get APIs - Add import-gateway.ts with multi-resource CFN import support - Add resourceName schema field to preserve actual AWS gateway name during import - Register gateway in TUI ImportSelectScreen and ImportProgressScreen - Extend ARN pattern, deployed state, and CFN constants for gateway type * fix: expand ARN input to show full resource ARN and add gateway support The ARN text input was truncating long ARNs. Use the expandable prop to wrap text across multiple lines. Also add gateway to the ARN validation pattern and resource type labels. * refactor: remove --name and --yes flags from import gateway command Remove --name (confusing local rename) and --yes (no prompts to confirm) from the gateway import command. The gateway's AWS name is used directly. * feat: add e2e tests for import gateway command Add end-to-end tests that create a real AWS gateway with an MCP server target, import it via `agentcore import gateway --arn`, and verify the resulting agentcore.json fields and deployed-state.json entries. New files: - e2e-tests/fixtures/import/setup_gateway.py: creates gateway + target - e2e-tests/fixtures/import/common.py: gateway wait helpers - e2e-tests/fixtures/import/cleanup_resources.py: gateway cleanup Constraint: Tests follow the existing import-resources.test.ts pattern Confidence: high Scope-risk: narrow * chore: gitignore bugbash-resources.json and .omc/ * feat: preserve gateway executionRoleArn during import Extract roleArn from the AWS GetGateway response and map it to executionRoleArn in agentcore.json. On deploy, CDK uses iam.Role.fromRoleArn() instead of creating a new role, keeping the original permissions intact. Constraint: imported roles use mutable: false so CDK cannot modify them Rejected: always create new role | breaks permissions on re-import Confidence: high Scope-risk: narrow * refactor: export internal gateway import functions for unit testing Add @internal exports for toGatewayTargetSpec, resolveOutboundAuth, toGatewaySpec, and buildCredentialArnMap to enable direct unit testing of the pure mapping functions in import-gateway.ts. Confidence: high Scope-risk: narrow * test: add unit tests for mcpServer target mapping and credential resolution Bugbash coverage for toGatewayTargetSpec and resolveOutboundAuth: - mcpServer with no auth, OAuth, and API_KEY credentials - Credential resolution warnings when ARNs not in project - Targets with no MCP configuration - OAuth scopes pass-through and empty scopes omission 8 tests, all passing. Confidence: high Scope-risk: narrow * test: add unit tests for apiGateway, openApiSchema, smithyModel, lambda target mapping Bugbash coverage for toGatewayTargetSpec non-mcpServer target types: - apiGateway: restApiId, stage, toolFilters, toolOverrides mapping - openApiSchema: S3 URI mapping, missing URI warning - smithyModel: S3 URI mapping, missing URI warning - lambda: S3 tool schema to lambdaFunctionArn mapping, missing ARN, inline-only schema warning, progress messages - Unrecognized target type warning 13 tests, all passing. Confidence: high Scope-risk: narrow * test: add unit tests for toGatewaySpec gateway-level field mapping Bugbash coverage for toGatewaySpec AWS-to-CLI schema mapping: - Authorizer types: NONE, AWS_IAM, CUSTOM_JWT with all JWT fields - CUSTOM_JWT customClaims with full claim structure - Semantic search: SEMANTIC/KEYWORD/missing protocolConfiguration - Exception level: DEBUG/undefined/other values - Policy engine: ARN name extraction, mode preservation - Optional fields: resourceName, description, tags, executionRoleArn - Edge cases: empty tags object omitted, empty JWT arrays omitted 23 tests, all passing. Confidence: high Scope-risk: narrow * test: add unit tests for handleImportGateway full flow validation Bugbash coverage for the main gateway import flow: - Happy path: successful import with --arn, config written, result verified - Rollback: pipeline failure restores original config, noResources error - Duplicate detection: name collision, resource ID already tracked - Name validation: invalid name regex, --name override preserves resourceName - Auto-select: single gateway auto-selected, multiple gateways error, no gateways error - Target mapping: skipped targets warning, non-READY gateway continues 12 tests, all passing. Confidence: high Scope-risk: narrow * test: add unit tests for buildCredentialArnMap and CFN template matching Bugbash coverage for credential resolution and CFN resource matching: - buildCredentialArnMap: reads ARN-to-name map from deployed state, handles multiple credentials, empty/missing state, thrown errors - findLogicalIdByProperty: gateway by Name property, resourceName fallback, target by Name, Fn::Join/Fn::Sub intrinsic function patterns, regex boundary check prevents false substring matches - findLogicalIdsByType: single gateway fallback, single target fallback, multiple targets prevent fallback 14 tests, all passing. Confidence: high Scope-risk: narrow * fix: exclude already-deployed logical IDs when building import resource list When a project already contains an imported resource (gateway + target, agent, memory, etc.), a subsequent import of a different resource that shares a Name with the deployed one caused buildResourcesToImport to resolve the OLD logical ID via findLogicalIdByProperty. The resulting CFN change set then failed with "Resources [...] passed in ResourceToImport are already in a stack and cannot be imported." Thread the deployed template into every buildResourcesToImport callback and skip logical IDs already present in the stack during both the name lookup and the single-candidate fallback. Constraint: GatewayTarget has no structural parent ref in Properties — only the physical-ID tuple (GatewayIdentifier, TargetId), so scoping the synth search by parent gateway is not available. Rejected: Parse Fn::Ref/Fn::GetAtt from GatewayIdentifier | brittle intrinsic traversal Rejected: Match by physical TargetId | synth template has no physical ID for new resources Rejected: Strip deployed resources from synth before lookup | breaks buildImportTemplate Confidence: high Scope-risk: narrow Directive: new callbacks into executeCdkImportPipeline must accept and honor the deployedTemplate arg Not-tested: multi-region / cross-stack-identifier collisions * fix(import): translate AccessDenied on GetGateway to a friendly not-found error When importing a gateway by a well-formed but nonexistent ARN, the BedrockAgentCore control plane returns AccessDenied (not ResourceNotFound) for bedrock-agentcore:GetGateway. The CLI surfaced the raw SDK error — which is misleading when the caller has full Admin access and the gateway simply doesn't exist. Catch AccessDenied from getGatewayDetail and return a targeted failure with guidance: the gateway is likely nonexistent / the ARN is malformed / the caller lacks GetGateway. Point the user at list-gateways so they can confirm. Constraint: AWS returns AccessDenied instead of ResourceNotFound for nonexistent gateway IDs; we cannot distinguish the two server-side Rejected: Client-side ARN existence probe via ListGateways | extra latency on the happy path and still racy Confidence: high Scope-risk: narrow Directive: Do not swallow other error classes here — only AccessDenied is reinterpreted * fix(import): detect AWS_REGION / ARN region mismatch before import Previously when a user ran import with AWS_REGION=us-west-2 against a us-east-1 ARN, and no deployment targets existed yet, the CLI silently synthesized a default target from the ARN's region and proceeded — so the user would unknowingly import from a different region than they intended, leaving agentcore.json pointed at the wrong region and causing cross-region CFN errors on later deploy. Short-circuit resolveImportTarget when AWS_REGION (or AWS_DEFAULT_REGION) is set and disagrees with the ARN's region, and ask the user to reconcile explicitly. Constraint: Must fail fast before any side effects (writing aws-targets.json, calling GetGateway) Rejected: Warn-and-continue | a silent cross-region import is exactly the failure mode we're preventing Confidence: high Scope-risk: narrow Directive: Only throw when both env region AND ARN region are present — do not require AWS_REGION to be set * fix(import): allow re-import of resource after remove without CDK pipeline After `agentcore remove gateway`, the gateway entry remains in deployed-state.json (correctly, since CFN still manages it) but is removed from agentcore.json. A subsequent `agentcore import gateway` would reject with "already imported" because the dedup check only looked at deployed-state. Now, when a resource exists in deployed-state but not in agentcore.json, the import skips the CDK pipeline and just re-adds the resource to agentcore.json. Applies to both the gateway-specific and generic import orchestrators. * style: fix prettier formatting for import-utils and ArnInputScreen * fix(import): address PR review blockers B4, B6, B7, H2, H5, H7, H8 - B4: Hard-fail when credential provider ARN is not found in deployed state instead of silently dropping outboundAuth - B7: Preserve outboundAuth on lambda→lambdaFunctionArn mapping and allow OAUTH/NONE auth types for lambdaFunctionArn targets - H2: Remove re-import fast path; run full CDK pipeline so out-of-band targets are properly imported. Treat noResources as success for re-imports since all resources are already in the CFN stack - H5: Replace hardcoded arn:aws: with partition-agnostic arn:[^:]+: in ARN validation and region extraction regexes - H7/H8: Add regex validation and max length for executionRoleArn, use GatewayNameSchema for resourceName, add refine ensuring both fields are set together or both omitted * fix(import): remove credential ARN from error messages to resolve CodeQL alert CodeQL flagged clear-text logging of credential provider ARNs. The target name provides sufficient context for the user to identify the issue. * fix(import): remove resourceName/executionRoleArn co-variance refine (#996) The refine required both fields to be set together, but resourceName is always needed on import (to preserve the AWS name) while executionRoleArn is only present when the gateway has a custom role. Gateways without a custom role (service auto-creates one) fail the refine because resourceName is set but executionRoleArn is not. Keep the individual field validations (GatewayNameSchema for resourceName, regex for executionRoleArn). * fix(e2e): separate gateway import test and add PR-changed test detection (#999) Split gateway import e2e tests into their own file so they can run independently with faster setup (only setup_gateway.py instead of all 4 resource scripts). Update the PR e2e workflow to detect changed test files and include them alongside the strands-bedrock baseline, using only the main CDK source to reduce CI time. Constraint: PR workflow must always run strands-bedrock as a baseline Rejected: Keep gateway in combined suite | setup creates unnecessary resources when running gateway-only Confidence: high Scope-risk: narrow * fix(e2e): add debug logging for gateway import CI failures (#1001) * fix(e2e): add debug logging for gateway import failures Print the import log file and CloudFormation stack events when the gateway import test fails to help diagnose IMPORT_ROLLBACK_IN_PROGRESS errors in CI. Confidence: high Scope-risk: narrow * fix(e2e): add shared debug logging for all import test failures Add dumpImportDebugInfo to e2e-helper that prints the import log file and CloudFormation stack events when an import fails. Used by both import-resources and import-gateway tests to diagnose CI failures. Confidence: high Scope-risk: narrow * chore: bump version to 0.12.0 (#1002) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * test: remove 44 render-only and framework-testing tests (#998) * test: remove 44 render-only and framework-testing tests Delete TUI component test files that only verify prop passthrough or framework behavior (Ink rendering, setInterval lifecycle) without testing any application logic: - Cursor.test.tsx (5 tests): setInterval/clearInterval assertions - Header.test.tsx (4 tests): title/subtitle string presence - HelpText.test.tsx (2 tests): static string rendering - AwsTargetConfigUI.test.tsx (7 tests): help text string lookups - ConfirmReview.test.tsx (6 tests): field label rendering - LogLink.test.tsx (4 tests): prop passthrough - ScreenHeader.test.tsx (3 tests): prop passthrough - FatalError.test.tsx (5 tests): prop passthrough Trim Panel.test.tsx (6→3) and Screen.test.tsx (8→3), keeping only tests that verify real logic: border structure, responsive width adaptation, keyboard exit handling, and exitEnabled guard. Remove tautological expect(true).toBe(true) tests from assets.snapshot.test.ts; use describe.skipIf for empty asset dirs. Kept all tests in StepIndicator, ScreenLayout, TwoColumn, NextSteps, LogPanel, PathInput, and useFetchAccessFlow — audit flagged some as framework tests but they verify real conditional/interaction logic. * fix: restore AwsTargetConfigUI tests — pure function, not render test getAwsConfigHelpText is a switch over AwsConfigPhase that maps states to help strings. The undefined return for loading/terminal phases is a contract consumed by DeployScreen.tsx via ?? HELP_TEXT.EXIT. These tests guard that fallback, not framework rendering behavior. * fix(import): use GatewayNameSchema for gateway import name validation (#1011) The import gateway command used NAME_REGEX which only allowed underscores and max 48 chars, rejecting valid gateway names with hyphens like "agentcore-gateway". Switch to GatewayNameSchema which matches the actual AWS API: alphanumeric with hyphens, up to 100 chars. Constraint: AWS CreateGateway API allows [0-9a-zA-Z] with hyphens Rejected: Updating NAME_REGEX | it is shared with other import commands that have different naming rules Confidence: high Scope-risk: narrow * feat: add CloudWatch traces API for web UI (#997) * fix: remove CONFIG_DIR exclusion from zip stage to preserve dependency agentcore/ packages (#1015) PR #844 correctly removed the flat name-based agentcore exclusion and threaded rootDir through copySourceTree, but the same CONFIG_DIR check remained in collectFiles/collectFilesSync (the zip stage). Since the zip stage operates on the staging directory — not the project root — the check incorrectly stripped any top-level agentcore/ Python package installed by uv (e.g., langgraph_checkpoint_aws/agentcore/) from the deployment artifact, causing ModuleNotFoundError at runtime. The CONFIG_DIR exclusion is only needed in copySourceTree (which copies from the project root into staging). By the time we zip, the project config dir was already filtered out — the only agentcore/ in staging is a legitimate dependency package. Closes #843 * ci: add coordinated main + preview release workflow (#995) * ci: add coordinated main + preview release workflow Adds a single workflow_dispatch that releases both branches together, ensuring they stay in sync on npm. * fix: address review — bump script compat, pre-publish verification, drop unused artifacts - Preview bump now uses `prerelease --prerelease-tag preview` which the bump-version.ts script actually accepts - Added verify-merges job that checks both main and preview have the expected versions before either publish runs (prevents drift) - Both publish jobs now depend on verify-merges instead of each other, so neither publishes unless both PRs are confirmed merged - Removed upload-artifact steps from test jobs since publish jobs rebuild from source post-merge * fix: auto-rebase preview onto main in preflight step Instead of failing when preview isn't rebased, the workflow now rebases automatically. If there are conflicts, it aborts and directs the user to resolve manually. * ci: add sync-preview workflow, simplify release preflight - New sync-preview.yml: runs on every push to main, auto-rebases preview onto main. Silently skips on conflicts (no failure). - Release workflow preflight reverted to a simple check — relies on sync-preview having already done the rebase. * fix: use merge instead of rebase for preview sync Rebase overwrites preview-specific values (package version, tests). Merge preserves preview's divergent files and only conflicts when both branches touch the same lines. * fix: concurrency control, conflict notifications, CDK tag TODO - Add concurrency group to sync-preview to prevent parallel race - On merge conflict, auto-create a GitHub issue (deduplicated) instead of silently skipping - Add TODO comment for CDK preview dist-tag in prepare-preview * fix: create PR with conflict markers instead of issue on merge conflict On conflict, sync-preview now: - Creates a branch with the merge conflict markers committed - Opens a PR targeting preview with resolution instructions - Tags the original commit author for visibility - Deduplicates (skips if a sync PR is already open) * chore(deps): bump the aws-sdk group with 14 updates (#1024) Bumps the aws-sdk group with 14 updates: | Package | From | To | | --- | --- | --- | | [@aws-sdk/client-application-signals](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-application-signals) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-bedrock](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-bedrock-agent](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agent) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-bedrock-agentcore](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agentcore) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-bedrock-agentcore-control](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-agentcore-control) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-bedrock-runtime](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-bedrock-runtime) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-cloudformation](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cloudformation) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-cloudwatch-logs](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cloudwatch-logs) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-resource-groups-tagging-api](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-resource-groups-tagging-api) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-sts](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-sts) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-xray](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-xray) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/credential-providers](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/credential-providers) | `3.1037.0` | `3.1038.0` | | [@aws-sdk/client-cognito-identity-provider](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-cognito-identity-provider) | `3.1037.0` | `3.1038.0` | Updates `@aws-sdk/client-application-signals` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-application-signals/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-application-signals) Updates `@aws-sdk/client-bedrock` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-bedrock) Updates `@aws-sdk/client-bedrock-agent` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agent/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-bedrock-agent) Updates `@aws-sdk/client-bedrock-agentcore` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agentcore/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-bedrock-agentcore) Updates `@aws-sdk/client-bedrock-agentcore-control` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-agentcore-control/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-bedrock-agentcore-control) Updates `@aws-sdk/client-bedrock-runtime` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-bedrock-runtime/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-bedrock-runtime) Updates `@aws-sdk/client-cloudformation` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cloudformation/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-cloudformation) Updates `@aws-sdk/client-cloudwatch-logs` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cloudwatch-logs/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-cloudwatch-logs) Updates `@aws-sdk/client-resource-groups-tagging-api` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-resource-groups-tagging-api/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-resource-groups-tagging-api) Updates `@aws-sdk/client-s3` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-s3) Updates `@aws-sdk/client-sts` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-sts/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-sts) Updates `@aws-sdk/client-xray` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-xray/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-xray) Updates `@aws-sdk/credential-providers` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-providers/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/packages/credential-providers) Updates `@aws-sdk/client-cognito-identity-provider` from 3.1037.0 to 3.1038.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-cognito-identity-provider/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1038.0/clients/client-cognito-identity-provider) --- updated-dependencies: - dependency-name: "@aws-sdk/client-application-signals" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agent" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agentcore" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-agentcore-control" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-bedrock-runtime" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cloudformation" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cloudwatch-logs" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-resource-groups-tagging-api" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-sts" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-xray" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/credential-providers" dependency-version: 3.1038.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk - dependency-name: "@aws-sdk/client-cognito-identity-provider" dependency-version: 3.1038.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: aws-sdk ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the aws-cdk group with 2 updates (#1025) Bumps the aws-cdk group with 2 updates: [@aws-cdk/toolkit-lib](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/@aws-cdk/toolkit-lib) and [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib). Updates `@aws-cdk/toolkit-lib` from 1.24.0 to 1.25.0 - [Release notes](https://github.com/aws/aws-cdk-cli/releases) - [Commits](https://github.com/aws/aws-cdk-cli/commits/@aws-cdk/toolkit-lib@v1.25.0/packages/@aws-cdk/toolkit-lib) Updates `aws-cdk-lib` from 2.250.0 to 2.251.0 - [Release notes](https://github.com/aws/aws-cdk/releases) - [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md) - [Commits](https://github.com/aws/aws-cdk/commits/v2.251.0/packages/aws-cdk-lib) --- updated-dependencies: - dependency-name: "@aws-cdk/toolkit-lib" dependency-version: 1.25.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-cdk - dependency-name: aws-cdk-lib dependency-version: 2.251.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: aws-cdk ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump @opentelemetry/resources from 2.6.1 to 2.7.0 (#1026) Bumps [@opentelemetry/resources](https://github.com/open-telemetry/opentelemetry-js) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v2.6.1...v2.7.0) --- updated-dependencies: - dependency-name: "@opentelemetry/resources" dependency-version: 2.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @secretlint/secretlint-rule-preset-recommend (#1028) Bumps [@secretlint/secretlint-rule-preset-recommend](https://github.com/secretlint/secretlint) from 12.2.0 to 12.3.1. - [Release notes](https://github.com/secretlint/secretlint/releases) - [Commits](https://github.com/secretlint/secretlint/compare/v12.2.0...v12.3.1) --- updated-dependencies: - dependency-name: "@secretlint/secretlint-rule-preset-recommend" dependency-version: 12.3.1 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump secretlint from 12.2.0 to 12.3.1 (#1029) Bumps [secretlint](https://github.com/secretlint/secretlint) from 12.2.0 to 12.3.1. - [Release notes](https://github.com/secretlint/secretlint/releases) - [Commits](https://github.com/secretlint/secretlint/compare/v12.2.0...v12.3.1) --- updated-dependencies: - dependency-name: secretlint dependency-version: 12.3.1 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump @opentelemetry/sdk-metrics from 2.6.1 to 2.7.0 (#1030) Bumps [@opentelemetry/sdk-metrics](https://github.com/open-telemetry/opentelemetry-js) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v2.6.1...v2.7.0) --- updated-dependencies: - dependency-name: "@opentelemetry/sdk-metrics" dependency-version: 2.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(ci): update snapshots after CDK version sync in release workflow (#1033) The release workflow syncs @aws/agentcore-cdk to the latest npm version in the asset template, but never updates the snapshot file. This causes the asset snapshot test to fail because the snapshot still holds the old version string. * fix(ci): enable coverage collection in sharded unit test runs (#1034) The coverage report on PRs was empty (0/0 Unknown%) because the sharded unit-test jobs ran without --coverage. Without that flag, V8 coverage data is never collected, so the blob reports contain no coverage maps. The merge-reports step then merges undefined entries and produces empty results. Also fixes the coverage report action referencing a nonexistent vitest.unit.config.ts (should be vitest.config.ts). * fix(ci): move snapshot update after build in release workflow (#1036) Move `npm run test:update-snapshots` from inside the CDK sync step (before build) to its own step after `npm run build`. The test suite needs built artifacts to pass — running it before the build caused 18 test failures. * fix(ci): install uv in release workflow prepare steps (#1038) The create.test.ts tests require uv for Python project scaffolding. The Build and Test workflow installs it via astral-sh/setup-uv, but the release workflow's prepare steps were missing it, causing test failures during the snapshot update step. * chore: bump version to 0.12.1 * fix: remove CDK version auto-sync from release workflow and restore caret range (#1044) Remove the auto-sync step that bumped @aws/agentcore-cdk during releases — version updates will be managed manually via PRs. Restore the caret range (^0.1.0-alpha.19) in the asset and snapshot that was dropped by the auto-sync in #1042. * fix: add Accept header to HTTP protocol invocation proxy (#1051) The dev web UI proxy for HTTP protocol agents doesn't include an Accept header when forwarding requests to /invocations. The bedrock-agentcore runtime SDK checks for Accept: text/event-stream before enabling SSE streaming (via @fastify/sse reply.sse), so streaming handlers always get a 406 response in the inspector. A2A and AGUI protocol paths already send the header correctly — this brings HTTP in line with them. Using "text/event-stream, */*" so streaming agents get SSE enabled while non-streaming agents can respond in whatever format they need. * feat: add telemetry audit mode with FileSystemSink (#1014) * feat: add FilesystemSink for telemetry audit mode * feat: instrument help.modes with telemetry, add audit integ test * refactor: move harness resources to .github/harness/ (#992) * refactor: move harness resources to .github/harness/ Move PR reviewer harness files into a dedicated .github/harness/ directory, separate from the general .github/scripts/ used by Strands workflows. - Move harness_review.py, prompts/ to .github/harness/ - Add Dockerfile for the harness container (dual-token: CLONE_TOKEN for git clones, GITHUB_TOKEN for gh CLI/PR comments) - Add README documenting the harness directory - Update pr-ai-review workflow to reference new path - Update .prettierignore for new prompts location * fix(harness): update Dockerfile comment to accurately describe token handling Tokens are baked into image layers at build time — the previous comment incorrectly implied they were not stored. Updated to make the security posture explicit: the image itself must be treated as a secret. * refactor(harness): use boto3 invoke_harness instead of raw SigV4 HTTP Replace manual SigV4 signing + urllib3 + EventStreamBuffer parsing with the native boto3 bedrock-agentcore client's invoke_harness method. This simplifies the code significantly and leverages the typed event stream response from the SDK. Rejected: keep raw HTTP approach | boto3 now supports invoke_harness natively Confidence: high Scope-risk: narrow Co-Authored-By: Claude Opus 4.6 <noreply@anth…
1 parent 04aa12e commit 8ea3afb

344 files changed

Lines changed: 38300 additions & 2454 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/harness/Dockerfile

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
FROM public.ecr.aws/docker/library/python:3.12-slim
2+
3+
# Install system dependencies
4+
RUN apt-get update && apt-get install -y \
5+
git \
6+
curl \
7+
jq \
8+
&& rm -rf /var/lib/apt/lists/*
9+
10+
# Install GitHub CLI
11+
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
12+
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
13+
> /etc/apt/sources.list.d/github-cli.list \
14+
&& apt-get update \
15+
&& apt-get install -y gh \
16+
&& rm -rf /var/lib/apt/lists/*
17+
18+
# Tokens are baked into the image at build time. This image must be treated as a
19+
# secret and stored only in a registry with equivalent access controls.
20+
ARG CLONE_TOKEN
21+
ARG GITHUB_TOKEN
22+
23+
# Configure git to use clone token for HTTPS clones
24+
RUN git config --global url."https://${CLONE_TOKEN}@github.com/".insteadOf "https://github.com/"
25+
26+
# Persist gh CLI auth so GITHUB_TOKEN doesn't need to be in the environment
27+
RUN mkdir -p /root/.config/gh \
28+
&& echo "github.com:" > /root/.config/gh/hosts.yml \
29+
&& echo " oauth_token: ${GITHUB_TOKEN}" >> /root/.config/gh/hosts.yml \
30+
&& echo " user: agentcore-cli-automation" >> /root/.config/gh/hosts.yml \
31+
&& echo " git_protocol: https" >> /root/.config/gh/hosts.yml
32+
33+
WORKDIR /opt/workspace

.github/harness/README.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# Harness Resources
2+
3+
Container and scripts for AI-powered automation via
4+
[AgentCore Harness](https://docs.aws.amazon.com/bedrock/latest/userguide/agentcore.html).
5+
6+
## Structure
7+
8+
```
9+
harness/
10+
├── Dockerfile # Container image for the harness runtime
11+
├── harness_review.py # Invokes the harness to review PRs (SigV4 + event stream)
12+
└── prompts/
13+
├── system.md # System prompt (workspace context)
14+
└── review.md # PR review task prompt
15+
```
16+
17+
## Current: PR Reviewer
18+
19+
Reviews pull requests on open/reopen via `.github/workflows/pr-ai-review.yml`.
20+
21+
### Dual-token setup
22+
23+
The Dockerfile takes two build args:
24+
25+
- **`CLONE_TOKEN`** — baked into git config for cloning private repos
26+
- **`GITHUB_TOKEN`** — baked into `gh` CLI auth for posting PR comments
27+
28+
### Building the container
29+
30+
```bash
31+
finch build \
32+
--build-arg CLONE_TOKEN=<pat-for-cloning> \
33+
--build-arg GITHUB_TOKEN=<pat-for-gh-api> \
34+
-t pr-reviewer .github/harness/
35+
```
36+
37+
## Future: Tester
38+
39+
This directory will also house a harness-based test runner.

.github/harness/harness_review.py

Lines changed: 200 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,200 @@
1+
"""Invoke Bedrock AgentCore Harness to review a GitHub PR.
2+
3+
Reads PR_URL from the environment. Streams harness output to stdout.
4+
Uses the boto3 bedrock-agentcore client's invoke_harness API.
5+
"""
6+
7+
import json
8+
import os
9+
import sys
10+
import time
11+
import uuid
12+
13+
import boto3
14+
15+
# ANSI color codes
16+
CYAN = "\033[36m"
17+
YELLOW = "\033[33m"
18+
GREEN = "\033[32m"
19+
RED = "\033[31m"
20+
DIM = "\033[2m"
21+
RESET = "\033[0m"
22+
23+
SCRIPTS_DIR = os.path.dirname(__file__)
24+
25+
26+
def read_prompt(filename):
27+
"""Read a prompt template from the prompts directory."""
28+
path = os.path.join(SCRIPTS_DIR, "prompts", filename)
29+
with open(path) as f:
30+
return f.read()
31+
32+
33+
def invoke_harness_streaming(harness_arn, session_id, system_prompt, messages, model_id, region):
34+
"""Call invoke_harness via boto3 and return the event stream."""
35+
client = boto3.client("bedrock-agentcore", region_name=region)
36+
response = client.invoke_harness(
37+
harnessArn=harness_arn,
38+
runtimeSessionId=session_id,
39+
systemPrompt=[{"text": system_prompt}],
40+
messages=messages,
41+
model={"bedrockModelConfig": {"modelId": model_id}},
42+
)
43+
return response["stream"]
44+
45+
46+
def parse_events(event_stream):
47+
"""Yield (event_type, payload) tuples from the boto3 event stream."""
48+
for event in event_stream:
49+
if "contentBlockStart" in event:
50+
yield "contentBlockStart", event["contentBlockStart"]
51+
elif "contentBlockDelta" in event:
52+
yield "contentBlockDelta", event["contentBlockDelta"]
53+
elif "contentBlockStop" in event:
54+
yield "contentBlockStop", event["contentBlockStop"]
55+
elif "messageStop" in event:
56+
yield "messageStop", event["messageStop"]
57+
elif "internalServerException" in event:
58+
yield "internalServerException", event["internalServerException"]
59+
elif "runtimeClientError" in event:
60+
yield "runtimeClientError", event["runtimeClientError"]
61+
62+
63+
def print_stream(event_stream):
64+
"""Display harness events with GitHub Actions log groups.
65+
66+
The harness streams events as the agent works:
67+
contentBlockStart — a new block begins (text or tool call)
68+
contentBlockDelta — incremental chunks of text or tool input JSON
69+
contentBlockStop — block complete, we now have full tool input to display
70+
messageStop — agent finished
71+
internalServerException — server error
72+
73+
Tool calls are wrapped in ::group::/::endgroup:: for collapsible sections
74+
in the GitHub Actions log UI. Agent reasoning text is printed inline in dim.
75+
"""
76+
start_time = time.time()
77+
iteration = 0
78+
tool_name = None
79+
tool_input = ""
80+
tool_start = 0.0
81+
in_group = False
82+
text_buffer = ""
83+
84+
def close_group():
85+
nonlocal in_group
86+
if in_group:
87+
print("::endgroup::", flush=True)
88+
in_group = False
89+
90+
def flush_text():
91+
nonlocal text_buffer
92+
if text_buffer:
93+
for line in text_buffer.splitlines():
94+
print(f"{DIM}{line}{RESET}", flush=True)
95+
text_buffer = ""
96+
97+
for event_type, payload in parse_events(event_stream):
98+
99+
if event_type == "contentBlockStart":
100+
start = payload.get("start", {})
101+
if "toolUse" in start:
102+
tool_name = start["toolUse"].get("name", "unknown")
103+
tool_input = ""
104+
tool_start = time.time()
105+
iteration += 1
106+
107+
elif event_type == "contentBlockDelta":
108+
delta = payload.get("delta", {})
109+
if "text" in delta:
110+
close_group()
111+
text_buffer += delta["text"]
112+
if "toolUse" in delta:
113+
tool_input += delta["toolUse"].get("input", "")
114+
115+
elif event_type == "contentBlockStop":
116+
flush_text()
117+
if tool_name:
118+
elapsed = time.time() - tool_start
119+
try:
120+
parsed = json.loads(tool_input)
121+
except (json.JSONDecodeError, TypeError):
122+
parsed = tool_input
123+
124+
close_group()
125+
126+
cmd = parsed.get("command") if isinstance(parsed, dict) else None
127+
header = f"{CYAN}[{iteration}]{RESET} {YELLOW}{tool_name}{RESET} {DIM}({elapsed:.1f}s){RESET}"
128+
if cmd:
129+
header += f": $ {cmd}"
130+
131+
print(f"::group::{header}", flush=True)
132+
in_group = True
133+
134+
if isinstance(parsed, dict):
135+
for k, v in parsed.items():
136+
if k != "command":
137+
print(f" {DIM}{k}:{RESET} {str(v)[:300]}", flush=True)
138+
139+
tool_name = None
140+
tool_input = ""
141+
142+
elif event_type == "messageStop":
143+
flush_text()
144+
close_group()
145+
if payload.get("stopReason") == "end_turn":
146+
total = time.time() - start_time
147+
print(f"\n\n{GREEN}{'=' * 50}", flush=True)
148+
print(f" Done ({int(total // 60)}m {int(total % 60)}s)", flush=True)
149+
print(f"{'=' * 50}{RESET}", flush=True)
150+
151+
elif event_type == "internalServerException":
152+
close_group()
153+
print(f"\n{RED}ERROR: {payload}{RESET}", file=sys.stderr)
154+
sys.exit(1)
155+
156+
elif event_type == "runtimeClientError":
157+
close_group()
158+
print(f"\n{RED}ERROR: {payload.get('message', payload)}{RESET}", file=sys.stderr)
159+
sys.exit(1)
160+
161+
close_group()
162+
total = time.time() - start_time
163+
print(f"\n{GREEN}Review complete.{RESET} {DIM}({iteration} tool calls, {int(total)}s total){RESET}")
164+
165+
166+
# --- Main ---
167+
168+
# All config comes from environment variables (set via GitHub secrets/workflow)
169+
MODEL_ID = os.environ.get("HARNESS_MODEL_ID", "us.anthropic.claude-opus-4-7")
170+
HARNESS_ARN = os.environ.get("HARNESS_ARN", "")
171+
PR_URL = os.environ.get("PR_URL", "")
172+
173+
for name, val in [("HARNESS_ARN", HARNESS_ARN), ("PR_URL", PR_URL)]:
174+
if not val:
175+
print(f"{RED}ERROR: {name} environment variable is required{RESET}", file=sys.stderr)
176+
sys.exit(1)
177+
178+
# Extract region from the ARN (arn:aws:bedrock-agentcore:{region}:{account}:harness/{id})
179+
REGION = HARNESS_ARN.split(":")[3]
180+
SESSION_ID = str(uuid.uuid4()).upper()
181+
182+
print(f"{CYAN}Session:{RESET} {SESSION_ID}")
183+
print(f"{CYAN}PR:{RESET} {PR_URL}")
184+
print(f"{CYAN}Harness:{RESET} {HARNESS_ARN}")
185+
print()
186+
187+
SYSTEM_PROMPT = read_prompt("system.md")
188+
REVIEW_PROMPT = read_prompt("review.md").format(pr_url=PR_URL)
189+
190+
messages = [{"role": "user", "content": [{"text": REVIEW_PROMPT}]}]
191+
192+
try:
193+
event_stream = invoke_harness_streaming(
194+
HARNESS_ARN, SESSION_ID, SYSTEM_PROMPT, messages, MODEL_ID, REGION
195+
)
196+
except Exception as e:
197+
print(f"{RED}ERROR: Failed to invoke harness: {e}{RESET}", file=sys.stderr)
198+
sys.exit(1)
199+
200+
print_stream(event_stream)

.github/harness/prompts/review.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
Review this GitHub PR: {pr_url}
2+
3+
You have tools to fetch the PR diff, read files, search the web, and post comments on the PR.
4+
5+
You have these repos cloned locally for context:
6+
7+
- /opt/workspace/agentcore-cli — aws/agentcore-cli
8+
- /opt/workspace/agentcore-l3-cdk-constructs — aws/agentcore-l3-cdk-constructs
9+
10+
Before reviewing, read all existing comments on the PR to understand what has already been discussed. Do not repeat or
11+
re-post issues that have already been raised in existing comments.
12+
13+
Review the PR. If there are any serious issues that require code changes before merging, post a comment on the PR for
14+
each issue explaining the problem. If there are multiple ways to fix an issue, list the options so the author can
15+
choose. Skip style nits and minor suggestions — only flag things that actually need to change.
16+
17+
If all serious issues have already been raised in existing comments, or if you found no new issues, post a single
18+
comment on the PR saying it looks good to merge (or that all issues have already been flagged).

.github/harness/prompts/system.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
# AgentCore CLI Development Workspace
2+
3+
This workspace contains two repos for developing and testing the AgentCore CLI.
4+
5+
## Repositories
6+
7+
### agentcore-cli/ (`aws/agentcore-cli`)
8+
9+
The terminal experience for creating, developing, and deploying AI agents to AgentCore. Node.js/TypeScript CLI built
10+
with Ink (React-based TUI).
11+
12+
### agentcore-l3-cdk-constructs/ (`aws/agentcore-l3-cdk-constructs`)
13+
14+
AWS CDK L3 constructs for declaring and deploying AgentCore infrastructure. Used by agentcore-cli to vend CDK projects
15+
when users run `agentcore create`.
16+
17+
## How they relate
18+
19+
`agentcore-cli` is the main product. It vends CDK projects using constructs from `agentcore-l3-cdk-constructs`.
20+
21+
## Testing with a bundled distribution
22+
23+
Run `npm run bundle` in `agentcore-cli/` to create a tar distribution that includes the packaged
24+
`agentcore-l3-cdk-constructs`. You can then install it globally with `npm install -g <path-to-tar>` to test the CLI
25+
end-to-end.

0 commit comments

Comments
 (0)