refactor(cli): unify identity/credential naming to 'credential'

The CLI command was 'add identity', the config key was 'credentials',
and the resource types were ApiKeyCredentialProvider / OAuthCredentialProvider.
Three different names for the same concept. This unifies everything under
'credential' — CLI commands, resource type, labels, validation, and docs.

The old 'identity' command name is preserved as a hidden alias for
backward compatibility.

Constraint: Must maintain backward compat for existing scripts using 'agentcore add identity'
Rejected: Keep 'identity' as primary | 'credential' is already the config term and more precise
Confidence: high
Scope-risk: moderate

Author: jesseturner21

src/cli/commands/add/__tests__/add-identity.test.ts

@@ -5,7 +5,7 @@ import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 
-describe('add identity command', () => {
+describe('add credential command', () => {
   let testDir: string;
   let projectDir: string;
 
@@ -28,27 +28,27 @@ describe('add identity command', () => {
 
   describe('validation', () => {
     it('requires name flag', async () => {
-      const result = await runCLI(['add', 'identity', '--json'], projectDir);
+      const result = await runCLI(['add', 'credential', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
       expect(json.error.includes('--name'), `Error: ${json.error}`).toBeTruthy();
     });
 
     it('requires api-key flag', async () => {
-      const result = await runCLI(['add', 'identity', '--name', 'test', '--json'], projectDir);
+      const result = await runCLI(['add', 'credential', '--name', 'test', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
       expect(json.error.includes('--api-key'), `Error: ${json.error}`).toBeTruthy();
     });
   });
 
-  describe('identity creation', () => {
+  describe('credential creation', () => {
     it('creates credential as top-level resource', async () => {
       const identityName = `id${Date.now()}`;
       const result = await runCLI(
-        ['add', 'identity', '--name', identityName, '--api-key', 'test-key-123', '--json'],
+        ['add', 'credential', '--name', identityName, '--api-key', 'test-key-123', '--json'],
         projectDir
       );
 
@@ -65,13 +65,13 @@ describe('add identity command', () => {
     });
   });
 
-  describe('oauth identity creation', () => {
+  describe('oauth credential creation', () => {
     it('creates OAuth credential with discovery URL and scopes', async () => {
       const identityName = `oauth-${Date.now()}`;
       const result = await runCLI(
         [
           'add',
-          'identity',
+          'credential',
           '--type',
           'oauth',
           '--name',

src/cli/commands/add/__tests__/validate.test.ts

@@ -1,15 +1,15 @@
 import type {
   AddAgentOptions,
+  AddCredentialOptions,
   AddGatewayOptions,
   AddGatewayTargetOptions,
-  AddIdentityOptions,
   AddMemoryOptions,
 } from '../types.js';
 import {
   validateAddAgentOptions,
+  validateAddCredentialOptions,
   validateAddGatewayOptions,
   validateAddGatewayTargetOptions,
-  validateAddIdentityOptions,
   validateAddMemoryOptions,
 } from '../validate.js';
 import { existsSync, readFileSync } from 'fs';
@@ -75,7 +75,7 @@ const validMemoryOptions: AddMemoryOptions = {
   strategies: 'SEMANTIC,SUMMARIZATION',
 };
 
-const validIdentityOptions: AddIdentityOptions = {
+const validCredentialOptions: AddCredentialOptions = {
   name: 'test-identity',
   apiKey: 'test-key',
 };
@@ -996,25 +996,25 @@ describe('validate', () => {
     });
   });
 
-  describe('validateAddIdentityOptions', () => {
+  describe('validateAddCredentialOptions', () => {
     // AC23: Required fields validated
     it('returns error for missing required fields', () => {
-      const requiredFields: { field: keyof AddIdentityOptions; error: string }[] = [
+      const requiredFields: { field: keyof AddCredentialOptions; error: string }[] = [
         { field: 'name', error: '--name is required' },
         { field: 'apiKey', error: '--api-key is required' },
       ];
 
       for (const { field, error } of requiredFields) {
-        const opts = { ...validIdentityOptions, [field]: undefined };
-        const result = validateAddIdentityOptions(opts);
+        const opts = { ...validCredentialOptions, [field]: undefined };
+        const result = validateAddCredentialOptions(opts);
         expect(result.valid, `Should fail for missing ${String(field)}`).toBe(false);
         expect(result.error).toBe(error);
       }
     });
 
     // AC25: Valid options pass
     it('passes for valid options', () => {
-      expect(validateAddIdentityOptions(validIdentityOptions)).toEqual({ valid: true });
+      expect(validateAddCredentialOptions(validCredentialOptions)).toEqual({ valid: true });
     });
   });
 
@@ -1193,9 +1193,9 @@ describe('validate', () => {
     });
   });
 
-  describe('validateAddIdentityOptions OAuth', () => {
+  describe('validateAddCredentialOptions OAuth', () => {
     it('passes for valid OAuth identity', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com/.well-known/openid-configuration',
@@ -1206,7 +1206,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without discovery-url', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         clientId: 'client123',
@@ -1217,7 +1217,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without client-id', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com',
@@ -1228,7 +1228,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without client-secret', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com',
@@ -1239,7 +1239,7 @@ describe('validate', () => {
     });
 
     it('still requires api-key for default type', () => {
-      const result = validateAddIdentityOptions({ name: 'my-key' });
+      const result = validateAddCredentialOptions({ name: 'my-key' });
       expect(result.valid).toBe(false);
       expect(result.error).toContain('--api-key');
     });

src/cli/commands/add/command.tsx

@@ -33,7 +33,7 @@ export function registerAdd(program: Command): Command {
     );
   });
 
-  // Subcommands (agent, memory, identity, gateway, gateway-target) are registered
+  // Subcommands (agent, memory, credential, gateway, gateway-target) are registered
   // via primitive.registerCommands() in cli.ts
 
   return addCmd;

src/cli/commands/add/types.ts

@@ -118,8 +118,8 @@ export interface AddMemoryResult {
   error?: string;
 }
 
-// Identity types (v2: credential, no owner/user concept)
-export interface AddIdentityOptions {
+// Credential types (v2: credential, no owner/user concept)
+export interface AddCredentialOptions {
   name?: string;
   type?: 'api-key' | 'oauth';
   apiKey?: string;
@@ -130,7 +130,10 @@ export interface AddIdentityOptions {
   json?: boolean;
 }
 
-export interface AddIdentityResult {
+/** @deprecated Use AddCredentialOptions */
+export type AddIdentityOptions = AddCredentialOptions;
+
+export interface AddCredentialResult {
   success: boolean;
   credentialName?: string;
   error?: string;

src/cli/commands/add/validate.ts

@@ -19,9 +19,9 @@ import { validateVpcOptions } from '../shared/vpc-utils';
 import { validateJwtAuthorizerOptions } from './auth-options';
 import type {
   AddAgentOptions,
+  AddCredentialOptions,
   AddGatewayOptions,
   AddGatewayTargetOptions,
-  AddIdentityOptions,
   AddMemoryOptions,
 } from './types';
 import { existsSync, readFileSync } from 'fs';
@@ -50,7 +50,7 @@ async function validateCredentialExists(credentialName: string): Promise<Validat
       if (availableCredentials.length === 0) {
         return {
           valid: false,
-          error: `Credential "${credentialName}" not found. No credentials are configured. Add credentials using 'agentcore add identity'.`,
+          error: `Credential "${credentialName}" not found. No credentials are configured. Add credentials using 'agentcore add credential'.`,
         };
       }
       return {
@@ -680,8 +680,8 @@ export function validateAddMemoryOptions(options: AddMemoryOptions): ValidationR
   return { valid: true };
 }
 
-// Identity validation (v2: credential resource, no owner)
-export function validateAddIdentityOptions(options: AddIdentityOptions): ValidationResult {
+// Credential validation (v2: credential resource, no owner)
+export function validateAddCredentialOptions(options: AddCredentialOptions): ValidationResult {
   if (!options.name) {
     return { valid: false, error: '--name is required' };
   }

src/cli/commands/remove/__tests__/remove-identity.test.ts

@@ -5,7 +5,7 @@ import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 
-describe('remove identity command', () => {
+describe('remove credential command', () => {
   let testDir: string;
   let projectDir: string;
   const identityName = 'TestIdentity';
@@ -24,7 +24,7 @@ describe('remove identity command', () => {
 
     // Add identity as top-level credential
     result = await runCLI(
-      ['add', 'identity', '--name', identityName, '--api-key', 'test-key-123', '--json'],
+      ['add', 'credential', '--name', identityName, '--api-key', 'test-key-123', '--json'],
       projectDir
     );
     if (result.exitCode !== 0) {
@@ -38,15 +38,15 @@ describe('remove identity command', () => {
 
   describe('validation', () => {
     it('requires name flag', async () => {
-      const result = await runCLI(['remove', 'identity', '--json'], projectDir);
+      const result = await runCLI(['remove', 'credential', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
       expect(json.error.includes('--name'), `Error: ${json.error}`).toBeTruthy();
     });
 
     it('rejects non-existent identity', async () => {
-      const result = await runCLI(['remove', 'identity', '--name', 'nonexistent', '--json'], projectDir);
+      const result = await runCLI(['remove', 'credential', '--name', 'nonexistent', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
@@ -58,9 +58,9 @@ describe('remove identity command', () => {
     it('removes credential without dependents', async () => {
       // Add a temp credential to remove
       const tempId = `tempId${Date.now()}`;
-      await runCLI(['add', 'identity', '--name', tempId, '--api-key', 'temp-key', '--json'], projectDir);
+      await runCLI(['add', 'credential', '--name', tempId, '--api-key', 'temp-key', '--json'], projectDir);
 
-      const result = await runCLI(['remove', 'identity', '--name', tempId, '--json'], projectDir);
+      const result = await runCLI(['remove', 'credential', '--name', tempId, '--json'], projectDir);
       expect(result.exitCode, `stdout: ${result.stdout}`).toBe(0);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(true);
@@ -72,7 +72,7 @@ describe('remove identity command', () => {
     });
 
     it('removes the setup credential', async () => {
-      const result = await runCLI(['remove', 'identity', '--name', identityName, '--json'], projectDir);
+      const result = await runCLI(['remove', 'credential', '--name', identityName, '--json'], projectDir);
       expect(result.exitCode, `stdout: ${result.stdout}`).toBe(0);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(true);

src/cli/commands/remove/__tests__/validate.test.ts

@@ -21,7 +21,7 @@ describe('validateRemoveOptions', () => {
   });
 
   it('returns valid with no json and no name', () => {
-    expect(validateRemoveOptions({ resourceType: 'identity' })).toEqual({ valid: true });
+    expect(validateRemoveOptions({ resourceType: 'credential' })).toEqual({ valid: true });
   });
 });
 

src/cli/commands/remove/command.tsx

@@ -95,7 +95,7 @@ export const registerRemove = (program: Command): Command => {
       }
     });
 
-  // Resource subcommands (agent, memory, identity, gateway, mcp-tool) are registered
+  // Resource subcommands (agent, memory, credential, gateway, mcp-tool) are registered
   // via primitive.registerCommands() in cli.ts
 
   // Catch-all for TUI fallback when no subcommand is specified.

src/cli/commands/remove/types.ts

@@ -3,7 +3,7 @@ export type ResourceType =
   | 'gateway'
   | 'gateway-target'
   | 'memory'
-  | 'identity'
+  | 'credential'
   | 'evaluator'
   | 'online-eval'
   | 'policy-engine'

src/cli/logging/remove-logger.ts

@@ -10,7 +10,7 @@ export interface RemoveLoggerOptions {
   resourceType:
     | 'agent'
     | 'memory'
-    | 'identity'
+    | 'credential'
     | 'gateway'
     | 'gateway-target'
     | 'evaluator'