Skip to content

feat: smart credential detection for multi-agent projects#182

Merged
aidandaly24 merged 3 commits into
mainfrom
feature/smart-multi-agent-credentials
Feb 9, 2026
Merged

feat: smart credential detection for multi-agent projects#182
aidandaly24 merged 3 commits into
mainfrom
feature/smart-multi-agent-credentials

Conversation

@aidandaly24

@aidandaly24 aidandaly24 commented Feb 9, 2026

Copy link
Copy Markdown
Contributor

Description

Implements smart credential detection for multi-agent projects. When adding a new agent with a non-Bedrock model provider:

  • Same API key as existing agent → Reuses the project-scoped credential ({projectName}{provider})
  • Different API key → Creates an agent-scoped credential ({projectName}{agentName}{provider})

Fixes Issue #148, #162, and #169

Deploy Flow Fixes:

Problem: After destroy and redeploy, credentials weren't being recreated because:

  1. Mainline only showed missing credentials in the prompt - if .env.local had the key, it was skipped
  2. If provider already existed, mainline returned 'exists' without updating - stale credentials persisted

Solution:

  • getAllCredentials() - Shows ALL credentials in prompt, not just missing ones
  • Always update provider on deploy - ensures credentials stay in sync with .env.local
  • Added updateApiKeyProvider() to update existing providers

Other Fixes:

  • getAgentScopedCredentials() - Cleans up agent-scoped credentials on agent removal
  • Fixed double-execution bugs in useCdkPreflight and CredentialSourcePrompt

Related Issues

Documentation PR

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:all
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Note: typecheck and lint have pre-existing failures in mainline unrelated to this PR.

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@github-actions

github-actions Bot commented Feb 9, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 7.21% 468 / 6482
🔵 Statements 6.9% 476 / 6897
🔵 Functions 4.18% 56 / 1338
🔵 Branches 5.06% 189 / 3731
Generated in workflow #169 for commit 78f54fd by the Vitest Coverage Report Action

@aidandaly24 aidandaly24 force-pushed the feature/smart-multi-agent-credentials branch 3 times, most recently from 8cf7e1a to 5b444ef Compare February 9, 2026 02:08
@aidandaly24

Copy link
Copy Markdown
Contributor Author

/strands review this PR. DO NOT MAKE ANY CHANGES TO THE CODE UNDER ANY CIRCUMSTANCES

Comment thread src/cli/operations/agent/generate/write-agent-to-project.ts
Comment thread src/cli/operations/identity/create-identity.ts
Comment thread src/cli/operations/remove/remove-agent.ts Outdated
@aidandaly24 aidandaly24 force-pushed the feature/smart-multi-agent-credentials branch from cd39a61 to 959b709 Compare February 9, 2026 18:12
@aidandaly24 aidandaly24 requested a review from a team February 9, 2026 18:12
- Add resolveCredentialStrategy() to detect same vs different API keys
- Same key reuses project-scoped credential, different key creates agent-scoped
- Clean up agent-scoped credentials on agent removal
- Fix deploy flow: always update credentials on deploy (not just manual entry)
- Add getAllCredentials() for credential prompt, updateApiKeyProvider() for updates
- Fix double-execution bugs in useCdkPreflight and CredentialSourcePrompt
- Add unit and integration tests
- Add non-null assertions for credentials[0] after length check
- Fix credential type 'ApiKey' -> 'ApiKeyCredentialProvider' in tests
- Fix result.agentName -> result.providerName in useCdkPreflight
- Check ALL existing credentials for matching API key (not just project-scoped)
- Agent3 can now reuse Agent2's credential if they share the same key
- Preserve credentials on agent removal for potential reuse
- If agent re-added with different key, credential is updated
@aidandaly24 aidandaly24 force-pushed the feature/smart-multi-agent-credentials branch from 959b709 to 78f54fd Compare February 9, 2026 18:32
Comment thread src/cli/operations/remove/remove-agent.ts
@aidandaly24 aidandaly24 merged commit c13775a into main Feb 9, 2026
17 checks passed
@aidandaly24 aidandaly24 deleted the feature/smart-multi-agent-credentials branch February 9, 2026 18:50
@agentcore-cli-automation

Copy link
Copy Markdown

Reviewed this PR. Since it's already merged, sharing feedback here for reference:

Already flagged in existing comments (no need to repeat):

  • Dead code concern on remove-agent.ts (getAgentScopedCredentials / CREDENTIAL_PROVIDERS are exported but never called — removeAgent() no longer removes credentials). Consider removing both in a follow-up since the credential-preservation-on-removal behavior was adopted.

Minor additional observations (non-blocking, follow-up if desired):

  1. CREDENTIAL_PROVIDERS in remove-agent.ts duplicates the non-Bedrock values from the ModelProvider schema (src/schema/constants.ts). If a new provider is added to the schema, this list will silently go out of sync. Since the function is currently unused, this can be cleaned up when/if it's wired in.
  2. In resolveCredentialStrategy, the loop iterates existingCredentials without filtering by type === 'ApiKeyCredentialProvider'. It's benign today (non-API-key credentials won't have matching env vars), but would be clearer/safer with an explicit type filter.
  3. The deploy flow now calls updateApiKeyProvider unconditionally on every deploy when the provider exists. This is a reasonable design (.env.local as source of truth), but adds an API call per credential per deploy even when nothing changed. Worth monitoring if users report it.

Tests look good — integration tests use real tmp dirs rather than fs mocks, and the unit-test mocking of getEnvVar is appropriate since it's a file-I/O boundary.

No telemetry gap — this change is covered by the existing command-level withCommandRun instrumentation (and no new command was added).

LGTM overall. Nothing here would have blocked merge.

jariy17 pushed a commit that referenced this pull request May 21, 2026
The app token needs `owner: aws` to generate a token scoped to all
repos the app is installed on, not just the current repo. Without this,
the token can't clone the CDK repo.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants