refactor(cli)!: unify naming without backward-compat aliases

integ-tests/add-remove-gateway.test.ts

@@ -117,7 +117,7 @@ describe('integration: add and remove gateway with OpenAPI schema target', () =>
 
     it('creates an API key credential for outbound auth', async () => {
       const result = await runCLI(
-        ['add', 'identity', '--name', 'TestApiKey', '--api-key', 'test-key-123', '--json'],
+        ['add', 'credential', '--name', 'TestApiKey', '--api-key', 'test-key-123', '--json'],
         project.projectPath
       );
       expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
@@ -238,7 +238,7 @@ describe('integration: add gateway with S3 URI schema target', () => {
       expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
 
       const credResult = await runCLI(
-        ['add', 'identity', '--name', 'S3ApiKey', '--api-key', 'test-key', '--json'],
+        ['add', 'credential', '--name', 'S3ApiKey', '--api-key', 'test-key', '--json'],
         project.projectPath
       );
       expect(credResult.exitCode, `stdout: ${credResult.stdout}, stderr: ${credResult.stderr}`).toBe(0);
@@ -304,7 +304,10 @@ describe('integration: add gateway with S3 URI and bucketOwnerAccountId', () =>
 
   it('adds a gateway and target with --schema-s3-account', async () => {
     await runCLI(['add', 'gateway', '--name', gatewayName, '--json'], project.projectPath);
-    await runCLI(['add', 'identity', '--name', 'CrossApiKey', '--api-key', 'test-key', '--json'], project.projectPath);
+    await runCLI(
+      ['add', 'credential', '--name', 'CrossApiKey', '--api-key', 'test-key', '--json'],
+      project.projectPath
+    );
 
     const result = await runCLI(
       [

integ-tests/add-remove-resources.test.ts

@@ -80,12 +80,12 @@ describe('integration: add and remove resources', () => {
     });
   });
 
-  describe('identity lifecycle', () => {
-    const identityName = `IntegId${Date.now().toString().slice(-6)}`;
+  describe('credential lifecycle', () => {
+    const credentialName = `IntegId${Date.now().toString().slice(-6)}`;
 
-    it('adds an identity resource', async () => {
+    it('adds a credential resource', async () => {
       const result = await runCLI(
-        ['add', 'identity', '--name', identityName, '--api-key', 'test-key-integ-123', '--json'],
+        ['add', 'credential', '--name', credentialName, '--api-key', 'test-key-integ-123', '--json'],
         project.projectPath
       );
 
@@ -97,12 +97,12 @@ describe('integration: add and remove resources', () => {
       const config = await readProjectConfig(project.projectPath);
       const credentials = config.credentials as Record<string, unknown>[] | undefined;
       expect(credentials, 'credentials should exist').toBeDefined();
-      const found = credentials!.some((c: Record<string, unknown>) => c.name === identityName);
-      expect(found, `Identity "${identityName}" should be in config`).toBe(true);
+      const found = credentials!.some((c: Record<string, unknown>) => c.name === credentialName);
+      expect(found, `Credential "${credentialName}" should be in config`).toBe(true);
     });
 
-    it('removes the identity resource', async () => {
-      const result = await runCLI(['remove', 'identity', '--name', identityName, '--json'], project.projectPath);
+    it('removes the credential resource', async () => {
+      const result = await runCLI(['remove', 'credential', '--name', credentialName, '--json'], project.projectPath);
 
       expect(result.exitCode, `stdout: ${result.stdout}, stderr: ${result.stderr}`).toBe(0);
       const json = JSON.parse(result.stdout);
@@ -111,8 +111,8 @@ describe('integration: add and remove resources', () => {
       // Verify config updated
       const config = await readProjectConfig(project.projectPath);
       const credentials = (config.credentials as Record<string, unknown>[] | undefined) ?? [];
-      const found = credentials.some((c: Record<string, unknown>) => c.name === identityName);
-      expect(found, `Identity "${identityName}" should be removed from config`).toBe(false);
+      const found = credentials.some((c: Record<string, unknown>) => c.name === credentialName);
+      expect(found, `Credential "${credentialName}" should be removed from config`).toBe(false);
     });
   });
 });

src/cli/commands/add/__tests__/add-identity.test.ts

@@ -5,7 +5,7 @@ import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 
-describe('add identity command', () => {
+describe('add credential command', () => {
   let testDir: string;
   let projectDir: string;
 
@@ -28,27 +28,27 @@ describe('add identity command', () => {
 
   describe('validation', () => {
     it('requires name flag', async () => {
-      const result = await runCLI(['add', 'identity', '--json'], projectDir);
+      const result = await runCLI(['add', 'credential', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
       expect(json.error.includes('--name'), `Error: ${json.error}`).toBeTruthy();
     });
 
     it('requires api-key flag', async () => {
-      const result = await runCLI(['add', 'identity', '--name', 'test', '--json'], projectDir);
+      const result = await runCLI(['add', 'credential', '--name', 'test', '--json'], projectDir);
       expect(result.exitCode).toBe(1);
       const json = JSON.parse(result.stdout);
       expect(json.success).toBe(false);
       expect(json.error.includes('--api-key'), `Error: ${json.error}`).toBeTruthy();
     });
   });
 
-  describe('identity creation', () => {
+  describe('credential creation', () => {
     it('creates credential as top-level resource', async () => {
       const identityName = `id${Date.now()}`;
       const result = await runCLI(
-        ['add', 'identity', '--name', identityName, '--api-key', 'test-key-123', '--json'],
+        ['add', 'credential', '--name', identityName, '--api-key', 'test-key-123', '--json'],
         projectDir
       );
 
@@ -65,13 +65,13 @@ describe('add identity command', () => {
     });
   });
 
-  describe('oauth identity creation', () => {
+  describe('oauth credential creation', () => {
     it('creates OAuth credential with discovery URL and scopes', async () => {
       const identityName = `oauth-${Date.now()}`;
       const result = await runCLI(
         [
           'add',
-          'identity',
+          'credential',
           '--type',
           'oauth',
           '--name',

src/cli/commands/add/__tests__/validate.test.ts

@@ -1,15 +1,15 @@
 import type {
   AddAgentOptions,
+  AddCredentialOptions,
   AddGatewayOptions,
   AddGatewayTargetOptions,
-  AddIdentityOptions,
   AddMemoryOptions,
 } from '../types.js';
 import {
   validateAddAgentOptions,
+  validateAddCredentialOptions,
   validateAddGatewayOptions,
   validateAddGatewayTargetOptions,
-  validateAddIdentityOptions,
   validateAddMemoryOptions,
 } from '../validate.js';
 import { existsSync, readFileSync } from 'fs';
@@ -75,7 +75,7 @@ const validMemoryOptions: AddMemoryOptions = {
   strategies: 'SEMANTIC,SUMMARIZATION',
 };
 
-const validIdentityOptions: AddIdentityOptions = {
+const validCredentialOptions: AddCredentialOptions = {
   name: 'test-identity',
   apiKey: 'test-key',
 };
@@ -996,25 +996,25 @@ describe('validate', () => {
     });
   });
 
-  describe('validateAddIdentityOptions', () => {
+  describe('validateAddCredentialOptions', () => {
     // AC23: Required fields validated
     it('returns error for missing required fields', () => {
-      const requiredFields: { field: keyof AddIdentityOptions; error: string }[] = [
+      const requiredFields: { field: keyof AddCredentialOptions; error: string }[] = [
         { field: 'name', error: '--name is required' },
         { field: 'apiKey', error: '--api-key is required' },
       ];
 
       for (const { field, error } of requiredFields) {
-        const opts = { ...validIdentityOptions, [field]: undefined };
-        const result = validateAddIdentityOptions(opts);
+        const opts = { ...validCredentialOptions, [field]: undefined };
+        const result = validateAddCredentialOptions(opts);
         expect(result.valid, `Should fail for missing ${String(field)}`).toBe(false);
         expect(result.error).toBe(error);
       }
     });
 
     // AC25: Valid options pass
     it('passes for valid options', () => {
-      expect(validateAddIdentityOptions(validIdentityOptions)).toEqual({ valid: true });
+      expect(validateAddCredentialOptions(validCredentialOptions)).toEqual({ valid: true });
     });
   });
 
@@ -1193,9 +1193,9 @@ describe('validate', () => {
     });
   });
 
-  describe('validateAddIdentityOptions OAuth', () => {
+  describe('validateAddCredentialOptions OAuth', () => {
     it('passes for valid OAuth identity', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com/.well-known/openid-configuration',
@@ -1206,7 +1206,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without discovery-url', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         clientId: 'client123',
@@ -1217,7 +1217,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without client-id', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com',
@@ -1228,7 +1228,7 @@ describe('validate', () => {
     });
 
     it('returns error for OAuth without client-secret', () => {
-      const result = validateAddIdentityOptions({
+      const result = validateAddCredentialOptions({
         name: 'my-oauth',
         type: 'oauth',
         discoveryUrl: 'https://auth.example.com',
@@ -1239,7 +1239,7 @@ describe('validate', () => {
     });
 
     it('still requires api-key for default type', () => {
-      const result = validateAddIdentityOptions({ name: 'my-key' });
+      const result = validateAddCredentialOptions({ name: 'my-key' });
       expect(result.valid).toBe(false);
       expect(result.error).toContain('--api-key');
     });

src/cli/commands/add/command.tsx

@@ -33,7 +33,7 @@ export function registerAdd(program: Command): Command {
     );
   });
 
-  // Subcommands (agent, memory, identity, gateway, gateway-target) are registered
+  // Subcommands (agent, memory, credential, gateway, gateway-target) are registered
   // via primitive.registerCommands() in cli.ts
 
   return addCmd;

src/cli/commands/add/types.ts

@@ -118,8 +118,8 @@ export interface AddMemoryResult {
   error?: string;
 }
 
-// Identity types (v2: credential, no owner/user concept)
-export interface AddIdentityOptions {
+// Credential types (v2: credential, no owner/user concept)
+export interface AddCredentialOptions {
   name?: string;
   type?: 'api-key' | 'oauth';
   apiKey?: string;
@@ -130,7 +130,10 @@ export interface AddIdentityOptions {
   json?: boolean;
 }
 
-export interface AddIdentityResult {
+/** @deprecated Use AddCredentialOptions */
+export type AddIdentityOptions = AddCredentialOptions;
+
+export interface AddCredentialResult {
   success: boolean;
   credentialName?: string;
   error?: string;

src/cli/commands/add/validate.ts

@@ -19,9 +19,9 @@ import { validateVpcOptions } from '../shared/vpc-utils';
 import { validateJwtAuthorizerOptions } from './auth-options';
 import type {
   AddAgentOptions,
+  AddCredentialOptions,
   AddGatewayOptions,
   AddGatewayTargetOptions,
-  AddIdentityOptions,
   AddMemoryOptions,
 } from './types';
 import { existsSync, readFileSync } from 'fs';
@@ -50,7 +50,7 @@ async function validateCredentialExists(credentialName: string): Promise<Validat
       if (availableCredentials.length === 0) {
         return {
           valid: false,
-          error: `Credential "${credentialName}" not found. No credentials are configured. Add credentials using 'agentcore add identity'.`,
+          error: `Credential "${credentialName}" not found. No credentials are configured. Add credentials using 'agentcore add credential'.`,
         };
       }
       return {
@@ -680,8 +680,8 @@ export function validateAddMemoryOptions(options: AddMemoryOptions): ValidationR
   return { valid: true };
 }
 
-// Identity validation (v2: credential resource, no owner)
-export function validateAddIdentityOptions(options: AddIdentityOptions): ValidationResult {
+// Credential validation (v2: credential resource, no owner)
+export function validateAddCredentialOptions(options: AddCredentialOptions): ValidationResult {
   if (!options.name) {
     return { valid: false, error: '--name is required' };
   }

src/cli/commands/deploy/__tests__/deploy.test.ts

@@ -18,7 +18,7 @@ describe('deploy --help', () => {
     expect(result.stdout.includes('--yes')).toBeTruthy();
     expect(result.stdout.includes('--verbose')).toBeTruthy();
     expect(result.stdout.includes('--json')).toBeTruthy();
-    expect(result.stdout.includes('--plan')).toBeTruthy();
+    expect(result.stdout.includes('--dry-run')).toBeTruthy();
   });
 });
 

src/cli/commands/deploy/command.tsx

@@ -90,7 +90,7 @@ async function handleDeployCLI(options: DeployOptions): Promise<void> {
     if (options.diff) {
       console.log(`\n✓ Diff complete for '${result.targetName}' (stack: ${result.stackName})`);
     } else if (options.plan) {
-      console.log(`\n✓ Plan complete for '${result.targetName}' (stack: ${result.stackName})`);
+      console.log(`\n✓ Dry run complete for '${result.targetName}' (stack: ${result.stackName})`);
       console.log('\nRun `agentcore deploy` to deploy.');
     } else {
       console.log(`\n✓ Deployed to '${result.targetName}' (stack: ${result.stackName})`);
@@ -136,23 +136,24 @@ export const registerDeploy = (program: Command) => {
     .option('-y, --yes', 'Auto-confirm prompts, read credentials from env [non-interactive]')
     .option('-v, --verbose', 'Show resource-level deployment events [non-interactive]')
     .option('--json', 'Output as JSON [non-interactive]')
-    .option('--plan', 'Preview deployment without deploying (dry-run) [non-interactive]')
+    .option('--dry-run', 'Preview deployment without deploying [non-interactive]')
     .option('--diff', 'Show CDK diff without deploying [non-interactive]')
     .action(
       async (cliOptions: {
         target?: string;
         yes?: boolean;
         verbose?: boolean;
         json?: boolean;
-        plan?: boolean;
+        dryRun?: boolean;
         diff?: boolean;
       }) => {
         try {
           requireProject();
-          if (cliOptions.json || cliOptions.target || cliOptions.plan || cliOptions.yes || cliOptions.verbose) {
+          if (cliOptions.json || cliOptions.target || cliOptions.dryRun || cliOptions.yes || cliOptions.verbose) {
             // CLI mode - any flag triggers non-interactive mode
             const options = {
               ...cliOptions,
+              plan: cliOptions.dryRun,
               target: cliOptions.target ?? 'default',
               progress: !cliOptions.json,
             };

src/cli/commands/remove/__tests__/remove-all.test.ts

@@ -72,7 +72,7 @@ describe('remove all command', () => {
     );
 
     // Run remove all
-    const result = await runCLI(['remove', 'all', '--force', '--json'], projectDir);
+    const result = await runCLI(['remove', 'all', '--yes', '--json'], projectDir);
     expect(result.exitCode).toBe(0);
     const json = JSON.parse(result.stdout);
     expect(json.success).toBe(true);
@@ -97,7 +97,7 @@ describe('remove all command', () => {
   });
 
   it('includes note about source code in remove all result', async () => {
-    const result = await runCLI(['remove', 'all', '--force', '--json'], projectDir);
+    const result = await runCLI(['remove', 'all', '--yes', '--json'], projectDir);
     expect(result.exitCode).toBe(0);
     const json = JSON.parse(result.stdout);
     expect(json.success).toBe(true);
@@ -120,7 +120,7 @@ describe('remove all command', () => {
     await writeFile(projectSpecPath, JSON.stringify(projectSpec, null, 2));
 
     // Run remove all
-    const result = await runCLI(['remove', 'all', '--force', '--json'], projectDir);
+    const result = await runCLI(['remove', 'all', '--yes', '--json'], projectDir);
     expect(result.exitCode).toBe(0);
     const json = JSON.parse(result.stdout);
     expect(json.success).toBe(true);