fix: use project-scoped credential naming consistently (#111)

notgitika · web-flow · commit e0cafefe9b12 · 2026-02-06T09:01:03.000-05:00
diff --git a/src/assets/cdk/bin/cdk.ts b/src/assets/cdk/bin/cdk.ts
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { AgentCoreStack } from '../lib/cdk-stack';
-import { ConfigIO, type AgentCoreMcpSpec, type AwsDeploymentTarget } from '@aws/agentcore-l3-cdk-constructs';
+import { ConfigIO, type AwsDeploymentTarget } from '@aws/agentcore-l3-cdk-constructs';
 import { App, type Environment } from 'aws-cdk-lib';
 import * as path from 'path';
 
@@ -23,12 +23,6 @@ async function main() {
   const spec = await configIO.readProjectSpec();
   const targets = await configIO.readAWSDeploymentTargets();
 
-  // Read MCP spec if it exists (stored separately in mcp.json)
-  let mcpSpec: AgentCoreMcpSpec | undefined;
-  if (configIO.configExists('mcp')) {
-    mcpSpec = await configIO.readMcpSpec();
-  }
-
   if (targets.length === 0) {
     throw new Error('No deployment targets configured. Please define targets in agentcore/aws-targets.json');
   }
@@ -41,7 +35,6 @@ async function main() {
 
     new AgentCoreStack(app, stackName, {
       spec,
-      mcpSpec,
       env,
       description: `AgentCore stack for ${spec.name} deployed to ${target.name} (${target.region})`,
       tags: {
diff --git a/src/assets/cdk/lib/cdk-stack.ts b/src/assets/cdk/lib/cdk-stack.ts
@@ -1,9 +1,4 @@
-import {
-  AgentCoreApplication,
-  AgentCoreMcp,
-  type AgentCoreProjectSpec,
-  type AgentCoreMcpSpec,
-} from '@aws/agentcore-l3-cdk-constructs';
+import { AgentCoreApplication, type AgentCoreProjectSpec } from '@aws/agentcore-l3-cdk-constructs';
 import { CfnOutput, Stack, type StackProps } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 
@@ -12,12 +7,6 @@ export interface AgentCoreStackProps extends StackProps {
    * The AgentCore project specification containing agents, memories, and credentials.
    */
   spec: AgentCoreProjectSpec;
-
-  /**
-   * Optional MCP specification for gateways and runtime tools.
-   * MCP is stored separately in mcp.json.
-   */
-  mcpSpec?: AgentCoreMcpSpec;
 }
 
 /**
@@ -30,28 +19,16 @@ export class AgentCoreStack extends Stack {
   /** The AgentCore application containing all agent environments */
   public readonly application: AgentCoreApplication;
 
-  /** The MCP construct if MCP is configured */
-  public readonly mcp?: AgentCoreMcp;
-
   constructor(scope: Construct, id: string, props: AgentCoreStackProps) {
     super(scope, id, props);
 
-    const { spec, mcpSpec } = props;
+    const { spec } = props;
 
     // Create AgentCoreApplication with all agents
     this.application = new AgentCoreApplication(this, 'Application', {
       spec,
     });
 
-    // Instantiate AgentCoreMcp if MCP spec is provided
-    if (mcpSpec) {
-      this.mcp = new AgentCoreMcp(this, 'Mcp', {
-        projectName: spec.name,
-        mcpSpec,
-        agentCoreApplication: this.application,
-      });
-    }
-
     // Stack-level output
     new CfnOutput(this, 'StackNameOutput', {
       description: 'Name of the CloudFormation Stack',
diff --git a/src/cli/commands/add/actions.ts b/src/cli/commands/add/actions.ts
@@ -110,6 +110,8 @@ export async function handleAddAgent(options: ValidatedAddAgentOptions): Promise
 
 async function handleCreatePath(options: ValidatedAddAgentOptions, configBaseDir: string): Promise<AddAgentResult> {
   const projectRoot = dirname(configBaseDir);
+  const configIO = new ConfigIO({ baseDir: configBaseDir });
+  const project = await configIO.readProjectSpec();
 
   const generateConfig = {
     projectName: options.name,
@@ -121,7 +123,8 @@ async function handleCreatePath(options: ValidatedAddAgentOptions, configBaseDir
 
   const agentPath = join(projectRoot, APP_DIR, options.name);
 
-  const renderConfig = mapGenerateConfigToRenderConfig(generateConfig);
+  // Pass actual project name for credential naming in templates
+  const renderConfig = mapGenerateConfigToRenderConfig(generateConfig, project.name);
   const renderer = createRenderer(renderConfig);
   await renderer.render({ outputDir: projectRoot });
 
@@ -132,7 +135,9 @@ async function handleCreatePath(options: ValidatedAddAgentOptions, configBaseDir
   }
 
   if (options.apiKey && options.modelProvider !== 'Bedrock') {
-    const envVarName = computeDefaultCredentialEnvVarName(options.modelProvider);
+    // Use project-scoped credential name: {projectName}{modelProvider}
+    const credentialName = `${project.name}${options.modelProvider}`;
+    const envVarName = computeDefaultCredentialEnvVarName(credentialName);
     await setEnvVar(envVarName, options.apiKey, configBaseDir);
   }
 
@@ -167,7 +172,9 @@ async function handleByoPath(
   await configIO.writeProjectSpec(project);
 
   if (options.apiKey && options.modelProvider !== 'Bedrock') {
-    const envVarName = computeDefaultCredentialEnvVarName(options.modelProvider);
+    // Use project-scoped credential name: {projectName}{modelProvider}
+    const credentialName = `${project.name}${options.modelProvider}`;
+    const envVarName = computeDefaultCredentialEnvVarName(credentialName);
     await setEnvVar(envVarName, options.apiKey, configBaseDir);
   }
 
diff --git a/src/cli/commands/create/action.ts b/src/cli/commands/create/action.ts
@@ -12,6 +12,7 @@ import { getErrorMessage } from '../../errors';
 import { checkCreateDependencies } from '../../external-requirements';
 import { initGitRepo, setupPythonProject, writeEnvFile, writeGitignore } from '../../operations';
 import { mapGenerateConfigToRenderConfig, writeAgentToProject } from '../../operations/agent/generate';
+import { computeDefaultCredentialEnvVarName } from '../../operations/identity/create-identity';
 import { CDKRenderer, createRenderer } from '../../templates';
 import type { CreateResult } from './types';
 import { mkdir } from 'fs/promises';
@@ -143,24 +144,28 @@ export async function createProjectWithAgent(options: CreateWithAgentOptions): P
 
   try {
     // Build GenerateConfig for agent creation
+    // Note: In this context, agent name = project name since we're creating a project with a single agent
+    const agentName = name;
     const generateConfig = {
-      projectName: name,
+      projectName: agentName,
       sdk: framework,
       modelProvider,
       apiKey,
       memory,
       language,
     };
 
-    // Generate agent code
-    const renderConfig = mapGenerateConfigToRenderConfig(generateConfig);
+    // Generate agent code - pass actual project name for credential naming
+    const renderConfig = mapGenerateConfigToRenderConfig(generateConfig, name);
     const renderer = createRenderer(renderConfig);
     await renderer.render({ outputDir: projectRoot });
     await writeAgentToProject(generateConfig, { configBaseDir });
 
     // Store API key for non-Bedrock providers
     if (apiKey && modelProvider !== 'Bedrock') {
-      const envVarName = `AGENTCORE_IDENTITY_${modelProvider.toUpperCase()}`;
+      // Use project-scoped credential name: {projectName}{modelProvider}
+      const credentialName = `${name}${modelProvider}`;
+      const envVarName = computeDefaultCredentialEnvVarName(credentialName);
       await setEnvVar(envVarName, apiKey, configBaseDir);
     }
 
diff --git a/src/cli/operations/agent/generate/schema-mapper.ts b/src/cli/operations/agent/generate/schema-mapper.ts
@@ -8,14 +8,15 @@ import type {
   MemoryStrategy,
   ModelProvider,
 } from '../../../../schema';
-import type { AgentRenderConfig } from '../../../templates/types';
+import type { AgentRenderConfig, IdentityProviderRenderConfig } from '../../../templates/types';
 import {
   DEFAULT_MEMORY_EXPIRY_DAYS,
   DEFAULT_NETWORK_MODE,
   DEFAULT_PYTHON_ENTRYPOINT,
   DEFAULT_PYTHON_VERSION,
 } from '../../../tui/screens/generate/defaults';
 import type { GenerateConfig, MemoryOption } from '../../../tui/screens/generate/types';
+import { computeDefaultCredentialEnvVarName } from '../../identity/create-identity';
 
 /**
  * Result of mapping GenerateConfig to v2 schema.
@@ -28,10 +29,11 @@ export interface GenerateConfigMappingResult {
 }
 
 /**
- * Compute the qualified credential name for AWS resources.
+ * Compute the credential name for a model provider.
+ * Scoped to project (not agent) to avoid conflicts across projects.
  * Format: {projectName}{providerName}
  */
-function computeQualifiedCredentialName(projectName: string, providerName: string): string {
+function computeCredentialName(projectName: string, providerName: string): string {
   return `${projectName}${providerName}`;
 }
 
@@ -79,7 +81,7 @@ export function mapModelProviderToCredentials(modelProvider: ModelProvider, proj
   return [
     {
       type: 'ApiKeyCredentialProvider',
-      name: computeQualifiedCredentialName(projectName, modelProvider),
+      name: computeCredentialName(projectName, modelProvider),
     },
   ];
 }
@@ -112,16 +114,41 @@ export function mapGenerateConfigToResources(config: GenerateConfig): GenerateCo
   };
 }
 
+/**
+ * Maps model provider to identity providers for template rendering.
+ */
+function mapModelProviderToIdentityProviders(
+  modelProvider: ModelProvider,
+  projectName: string
+): IdentityProviderRenderConfig[] {
+  if (modelProvider === 'Bedrock') {
+    return [];
+  }
+
+  const credentialName = computeCredentialName(projectName, modelProvider);
+  return [
+    {
+      name: credentialName,
+      envVarName: computeDefaultCredentialEnvVarName(credentialName),
+    },
+  ];
+}
+
 /**
  * Maps GenerateConfig to AgentRenderConfig for template rendering.
+ * @param config - Generate config (note: config.projectName is actually the agent name)
+ * @param actualProjectName - Optional actual project name for credential naming (defaults to config.projectName)
  */
-export function mapGenerateConfigToRenderConfig(config: GenerateConfig): AgentRenderConfig {
+export function mapGenerateConfigToRenderConfig(config: GenerateConfig, actualProjectName?: string): AgentRenderConfig {
+  // Use actualProjectName for credential naming, fallback to config.projectName (agent name) for standalone generate
+  const projectNameForCredentials = actualProjectName ?? config.projectName;
   return {
     name: config.projectName,
     sdkFramework: config.sdk,
     targetLanguage: config.language,
     modelProvider: config.modelProvider,
     hasMemory: config.memory !== 'none',
     hasIdentity: config.modelProvider !== 'Bedrock',
+    identityProviders: mapModelProviderToIdentityProviders(config.modelProvider, projectNameForCredentials),
   };
 }
diff --git a/src/cli/operations/agent/generate/write-agent-to-project.ts b/src/cli/operations/agent/generate/write-agent-to-project.ts
@@ -3,7 +3,7 @@ import type { AgentCoreProjectSpec } from '../../../../schema';
 import { SCHEMA_VERSION } from '../../../constants';
 import { AgentAlreadyExistsError } from '../../../errors';
 import type { GenerateConfig } from '../../../tui/screens/generate/types';
-import { mapGenerateConfigToResources } from './schema-mapper';
+import { mapGenerateConfigToAgent, mapGenerateInputToMemories, mapModelProviderToCredentials } from './schema-mapper';
 
 export interface WriteAgentOptions {
   configBaseDir?: string;
@@ -20,26 +20,35 @@ export interface WriteAgentOptions {
 export async function writeAgentToProject(config: GenerateConfig, options?: WriteAgentOptions): Promise<void> {
   const configBaseDir = options?.configBaseDir ?? requireConfigRoot();
   const configIO = new ConfigIO({ baseDir: configBaseDir });
-  const { agent, memories, credentials } = mapGenerateConfigToResources(config);
+
+  // Map agent config to resources
+  // Note: config.projectName is actually the agent name (GenerateConfig naming is confusing)
+  const agentName = config.projectName;
+  const agent = mapGenerateConfigToAgent(config);
+  const memories = mapGenerateInputToMemories(config.memory, agentName);
 
   if (configIO.configExists('project')) {
     const project = await configIO.readProjectSpec();
 
     // Check for duplicate agent name
-    if (project.agents.some(a => a.name === config.projectName)) {
-      throw new AgentAlreadyExistsError(config.projectName);
+    if (project.agents.some(a => a.name === agentName)) {
+      throw new AgentAlreadyExistsError(agentName);
     }
 
+    // Use actual project name for credential naming (not agent name)
+    const credentials = mapModelProviderToCredentials(config.modelProvider, project.name);
+
     // Add resources to project
     project.agents.push(agent);
     project.memories.push(...memories);
     project.credentials.push(...credentials);
 
     await configIO.writeProjectSpec(project);
   } else {
-    // Create new project
+    // Create new project - use agent name as project name (fallback for standalone generate)
+    const credentials = mapModelProviderToCredentials(config.modelProvider, agentName);
     const project: AgentCoreProjectSpec = {
-      name: config.projectName,
+      name: agentName,
       version: SCHEMA_VERSION,
       agents: [agent],
       memories,
diff --git a/src/cli/operations/identity/create-identity.ts b/src/cli/operations/identity/create-identity.ts
@@ -35,23 +35,30 @@ export async function getAllCredentialNames(): Promise<string[]> {
 /**
  * Create a credential resource and add it to the project.
  * Also writes the API key to the .env file.
+ *
+ * If the credential already exists (e.g., created during agent generation),
+ * just updates the API key in the .env file.
  */
 export async function createCredential(config: CreateCredentialConfig): Promise<Credential> {
   const configIO = new ConfigIO();
   const project = await configIO.readProjectSpec();
 
-  // Check for duplicate
-  if (project.credentials.some(c => c.name === config.name)) {
-    throw new Error(`Credential "${config.name}" already exists.`);
-  }
-
-  const credential: Credential = {
-    type: 'ApiKeyCredentialProvider',
-    name: config.name,
-  };
+  // Check if credential already exists
+  const existingCredential = project.credentials.find(c => c.name === config.name);
 
-  project.credentials.push(credential);
-  await configIO.writeProjectSpec(project);
+  let credential: Credential;
+  if (existingCredential) {
+    // updates credentital
+    credential = existingCredential;
+  } else {
+    // Create new credential entry
+    credential = {
+      type: 'ApiKeyCredentialProvider',
+      name: config.name,
+    };
+    project.credentials.push(credential);
+    await configIO.writeProjectSpec(project);
+  }
 
   // Write API key to .env file
   const envVarName = computeDefaultCredentialEnvVarName(config.name);
diff --git a/src/cli/templates/types.ts b/src/cli/templates/types.ts
@@ -1,5 +1,13 @@
 import type { ModelProvider, SDKFramework, TargetLanguage } from '../../schema';
 
+/**
+ * Identity provider info for template rendering.
+ */
+export interface IdentityProviderRenderConfig {
+  name: string;
+  envVarName: string;
+}
+
 /**
  * Configuration needed by template renderers.
  * This is separate from the v2 Agent schema which only stores runtime config.
@@ -11,4 +19,6 @@ export interface AgentRenderConfig {
   modelProvider: ModelProvider;
   hasMemory: boolean;
   hasIdentity: boolean;
+  /** Identity providers for template rendering (maps to credentials in schema) */
+  identityProviders: IdentityProviderRenderConfig[];
 }
diff --git a/src/cli/tui/screens/agent/useAddAgent.ts b/src/cli/tui/screens/agent/useAddAgent.ts
@@ -132,12 +132,14 @@ async function handleCreatePath(
 ): Promise<AddAgentCreateResult | AddAgentError> {
   // configBaseDir is the agentcore/ directory, project root is its parent
   const projectRoot = dirname(configBaseDir);
+  const configIO = new ConfigIO({ baseDir: configBaseDir });
+  const project = await configIO.readProjectSpec();
 
   const generateConfig = mapAddAgentConfigToGenerateConfig(config);
   const agentPath = join(projectRoot, config.name);
 
-  // Generate agent files
-  const renderConfig = mapGenerateConfigToRenderConfig(generateConfig);
+  // Generate agent files - pass actual project name for credential naming
+  const renderConfig = mapGenerateConfigToRenderConfig(generateConfig, project.name);
   const renderer = createRenderer(renderConfig);
   await renderer.render({ outputDir: projectRoot });
 
@@ -152,7 +154,9 @@ async function handleCreatePath(
 
   // Write API key to agentcore/.env for non-Bedrock providers
   if (config.apiKey && config.modelProvider !== 'Bedrock') {
-    const envVarName = computeDefaultCredentialEnvVarName(config.modelProvider);
+    // Use project-scoped credential name: {projectName}{modelProvider}
+    const credentialName = `${project.name}${config.modelProvider}`;
+    const envVarName = computeDefaultCredentialEnvVarName(credentialName);
     await setEnvVar(envVarName, config.apiKey, configBaseDir);
   }
 
@@ -188,7 +192,9 @@ async function handleByoPath(
 
   // Write API key to agentcore/.env for non-Bedrock providers
   if (config.apiKey && config.modelProvider !== 'Bedrock') {
-    const envVarName = computeDefaultCredentialEnvVarName(config.modelProvider);
+    // Use project-scoped credential name: {projectName}{modelProvider}
+    const credentialName = `${project.name}${config.modelProvider}`;
+    const envVarName = computeDefaultCredentialEnvVarName(credentialName);
     await setEnvVar(envVarName, config.apiKey, configBaseDir);
   }
 
diff --git a/src/cli/tui/screens/create/useCreateFlow.ts b/src/cli/tui/screens/create/useCreateFlow.ts
diff --git a/src/cli/tui/screens/generate/useGenerateFlow.ts b/src/cli/tui/screens/generate/useGenerateFlow.ts
diff --git a/src/cli/tui/screens/identity/AddIdentityFlow.tsx b/src/cli/tui/screens/identity/AddIdentityFlow.tsx
diff --git a/src/cli/tui/screens/identity/AddIdentityScreen.tsx b/src/cli/tui/screens/identity/AddIdentityScreen.tsx
