add AppSync read-only operations support and update AGENTS.md

whummer · claude · whummer · commit 4eb9a055cafb · 2026-01-29T14:36:54.000+01:00
Add EvaluateCode and EvaluateMappingTemplate to the list of read-only
operations for AppSync, and document guidelines for identifying
non-standard read-only operations in AGENTS.md.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/aws-proxy/AGENTS.md b/aws-proxy/AGENTS.md
@@ -32,6 +32,19 @@ To run a single test via `pytest` (say, `test_my_logic` in `test_s3.py`), use th
 TEST_PATH=tests/test_s3.py::test_my_logic make test
 ```
 
+### Read-Only Mode Support
+
+Some services have operations that are functionally read-only (don't modify state) but don't follow the standard naming conventions (`Describe*`, `Get*`, `List*`, `Query*`). When adding tests or support for a new service with `read_only: true` configuration, check the [AWS Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/) for the service and identify any operations that:
+- Are classified as "Read" access level but don't match the standard prefixes
+- Evaluate or simulate something without modifying state (e.g., `Evaluate*`, `Simulate*`, `Test*`, `Check*`, `Validate*`)
+
+If you find such operations, add them to the service-specific rules in `aws_proxy/server/aws_request_forwarder.py` in the `_is_read_request` method. This ensures that read-only proxy configurations correctly forward these operations rather than blocking them.
+
+Example services with non-standard read-only operations:
+- **AppSync**: `EvaluateCode`, `EvaluateMappingTemplate`
+- **IAM**: `SimulateCustomPolicy`, `SimulatePrincipalPolicy`
+- **Cognito**: `InitiateAuth`
+
 When adding new integration tests, consider the following:
 * Include a mix of positive and negative assertions (i.e., presence and absence of resources).
 * Include a mix of different configuration options, e.g., the `read_only: true` flag can be specified in the proxy service configuration YAML, enabling read-only mode (which should be covered by tests as well).
diff --git a/aws-proxy/aws_proxy/server/aws_request_forwarder.py b/aws-proxy/aws_proxy/server/aws_request_forwarder.py
@@ -223,6 +223,11 @@ def _is_read_request(self, context: RequestContext) -> bool:
             "PartiQLSelect",
         }:
             return True
+        if context.service.service_name == "appsync" and operation_name in {
+            "EvaluateCode",
+            "EvaluateMappingTemplate",
+        }:
+            return True
         # TODO: add more rules
         return False
 
