feat: add GovCloud multi-partition support (aws#908)

Add partition-aware ARN construction, endpoint URL generation, and
console URL generation to support aws-us-gov (and future aws-cn)
partitions.

- Create src/cli/aws/partition.ts with getPartition, arnPrefix,
  dnsSuffix, serviceEndpoint, and consoleDomain utilities
- Replace all hardcoded arn:aws: in ARN template literals with
  arnPrefix(region)
- Update ARN regex patterns to accept any partition (arn:[^:]+:)
- Replace hardcoded amazonaws.com in endpoint URLs with
  serviceEndpoint()
- Replace hardcoded console.aws.amazon.com with consoleDomain()
- Add us-gov-west-1 to AgentCoreRegionSchema, BEDROCK_REGIONS,
  and LLM compacted types
- Add aws-us-gov to cdk.json target-partitions
- Fix execution-role-policy.json to use partition wildcard (arn:*)
- Add 15 unit tests for partition utilities
- Document multi-partition rules and checklists in AGENTS.md

Author: aidandaly24

AGENTS.md

@@ -143,6 +143,44 @@ See `docs/TESTING.md` for details.
 - Always look for existing types before creating a new type inline.
 - Re-usable constants must be defined in a constants file in the closest sensible subdirectory.
 
+## Multi-Partition Support (GovCloud, China)
+
+The CLI supports multiple AWS partitions (commercial, GovCloud, China) through a central utility at
+`src/cli/aws/partition.ts`. This module maps region prefixes to partition-specific values.
+
+### Rules
+
+- **Never hardcode `arn:aws:`** in ARN construction. Use `arnPrefix(region)` from `src/cli/aws/partition.ts`.
+- **Never hardcode `amazonaws.com`** in endpoint URLs. Use `serviceEndpoint(service, region)` or `dnsSuffix(region)`.
+- **Never hardcode `console.aws.amazon.com`** in console URLs. Use `consoleDomain(region)`.
+- **ARN regex patterns** must use `arn:[^:]+:` (not `arn:aws:`) to match any partition.
+- **Static JSON assets** (e.g., IAM policies in `src/assets/`) cannot use TypeScript utilities — use `arn:*:` as the
+  partition wildcard since IAM evaluates it across all partitions.
+
+### Adding a New Region
+
+Update these files in the CLI repo:
+
+1. `src/schema/schemas/aws-targets.ts` — add to `AgentCoreRegionSchema` enum
+2. `src/schema/llm-compacted/aws-targets.ts` — add to `AgentCoreRegion` type union
+3. `src/schema/schemas/__tests__/aws-targets.test.ts` — add to `validRegions` array
+4. `src/cli/operations/agent/import/constants.ts` — add to `BEDROCK_REGIONS` (if applicable to Bedrock Agent import)
+
+Update these files in the CDK repo (`@aws/agentcore-cdk`):
+
+5. `src/schema/schemas/aws-targets.ts` — add to `AgentCoreRegionSchema` enum
+6. `src/schema/llm-compacted/aws-targets.ts` — add to `AgentCoreRegion` type union
+
+Then run `npm run test:update-snapshots` in the CLI repo if any asset files changed.
+
+### Adding a New Partition
+
+1. Add a new entry to `PARTITION_CONFIGS` in `src/cli/aws/partition.ts` with the region prefix, partition name, DNS
+   suffix, and console domain.
+2. Add tests for the new partition in `src/cli/aws/__tests__/partition.test.ts`.
+3. Update `src/assets/cdk/cdk.json` — add the partition to `@aws-cdk/core:target-partitions`.
+4. Run `npm run test:update-snapshots` to update asset snapshots.
+
 ## TUI Harness
 
 See `docs/tui-harness.md` for the full TUI harness usage guide (MCP tools, screen markers, examples, and error

eslint.config.mjs

@@ -7,6 +7,63 @@ import reactRefresh from 'eslint-plugin-react-refresh';
 import security from 'eslint-plugin-security';
 import tseslint from 'typescript-eslint';
 
+/** @type {import('eslint').ESLint.Plugin} */
+const partitionPlugin = {
+  rules: {
+    'no-hardcoded-arn-partition': {
+      meta: {
+        type: 'problem',
+        docs: { description: 'Disallow hardcoded arn:aws: partition in ARN construction. Use arnPrefix(region) instead.' },
+        schema: [],
+      },
+      create(context) {
+        function checkForHardcodedArn(node, value) {
+          if (/arn:aws:/.test(value)) {
+            context.report({ node, message: 'Hardcoded "arn:aws:" detected. Use arnPrefix(region) from src/cli/aws/partition.ts for multi-partition support.' });
+          }
+        }
+        return {
+          TemplateLiteral(node) {
+            for (const quasi of node.quasis) {
+              checkForHardcodedArn(node, quasi.value.raw);
+            }
+          },
+        };
+      },
+    },
+    'no-hardcoded-endpoint-tld': {
+      meta: {
+        type: 'problem',
+        docs: { description: 'Disallow hardcoded amazonaws.com in endpoint URL construction. Use serviceEndpoint() or dnsSuffix() instead.' },
+        schema: [],
+      },
+      create(context) {
+        const REGION_PATTERN = /[a-z]{2}(-[a-z]+-\d+)/;
+        function hasHardcodedEndpoint(value) {
+          return /\.amazonaws\.com/.test(value);
+        }
+        function hasHardcodedEndpointWithRegion(value) {
+          return hasHardcodedEndpoint(value) && REGION_PATTERN.test(value);
+        }
+        return {
+          TemplateLiteral(node) {
+            for (const quasi of node.quasis) {
+              if (hasHardcodedEndpoint(quasi.value.raw)) {
+                context.report({ node, message: 'Hardcoded ".amazonaws.com" in template literal. Use serviceEndpoint() or dnsSuffix() from src/cli/aws/partition.ts for multi-partition support.' });
+              }
+            }
+          },
+          Literal(node) {
+            if (typeof node.value === 'string' && hasHardcodedEndpointWithRegion(node.value)) {
+              context.report({ node, message: 'Hardcoded endpoint with region detected. Use serviceEndpoint() or dnsSuffix() from src/cli/aws/partition.ts for multi-partition support.' });
+            }
+          },
+        };
+      },
+    },
+  },
+};
+
 export default tseslint.config(
   eslint.configs.recommended,
   ...tseslint.configs.recommendedTypeChecked,
@@ -30,8 +87,11 @@ export default tseslint.config(
       'react-hooks': reactHooks,
       'react-refresh': reactRefresh,
       security,
+      partition: partitionPlugin,
     },
     rules: {
+      'partition/no-hardcoded-arn-partition': 'error',
+      'partition/no-hardcoded-endpoint-tld': 'error',
       ...importPlugin.configs.recommended.rules,
       ...react.configs.recommended.rules,
       ...security.configs.recommended.rules,
@@ -68,6 +128,8 @@ export default tseslint.config(
   {
     files: ['**/*.test.ts', '**/*.test.tsx', '**/test-utils/**', 'integ-tests/**'],
     rules: {
+      'partition/no-hardcoded-arn-partition': 'off',
+      'partition/no-hardcoded-endpoint-tld': 'off',
       '@typescript-eslint/no-unsafe-assignment': 'off',
       '@typescript-eslint/no-unsafe-member-access': 'off',
       '@typescript-eslint/no-unsafe-call': 'off',

src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap

@@ -149,7 +149,7 @@ exports[`Assets Directory Snapshots > CDK assets > cdk/cdk/cdk.json should match
     "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,

src/assets/cdk/cdk.json

@@ -9,7 +9,7 @@
     "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,

src/assets/evaluators/python-lambda/execution-role-policy.json

@@ -4,7 +4,7 @@
     {
       "Effect": "Allow",
       "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
-      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
+      "Resource": "arn:*:logs:*:*:log-group:/aws/lambda/*"
     }
   ]
 }

src/cli/aws/__tests__/partition.test.ts

@@ -0,0 +1,76 @@
+import { arnPrefix, consoleDomain, dnsSuffix, getPartition, serviceEndpoint } from '../partition';
+import { describe, expect, it } from 'vitest';
+
+describe('getPartition', () => {
+  it('returns aws for standard commercial regions', () => {
+    expect(getPartition('us-east-1')).toBe('aws');
+    expect(getPartition('eu-west-1')).toBe('aws');
+    expect(getPartition('ap-southeast-1')).toBe('aws');
+  });
+
+  it('returns aws-us-gov for GovCloud regions', () => {
+    expect(getPartition('us-gov-west-1')).toBe('aws-us-gov');
+    expect(getPartition('us-gov-east-1')).toBe('aws-us-gov');
+  });
+
+  it('returns aws-cn for China regions', () => {
+    expect(getPartition('cn-north-1')).toBe('aws-cn');
+    expect(getPartition('cn-northwest-1')).toBe('aws-cn');
+  });
+});
+
+describe('arnPrefix', () => {
+  it('returns arn:aws for commercial regions', () => {
+    expect(arnPrefix('us-east-1')).toBe('arn:aws');
+  });
+
+  it('returns arn:aws-us-gov for GovCloud regions', () => {
+    expect(arnPrefix('us-gov-west-1')).toBe('arn:aws-us-gov');
+  });
+
+  it('returns arn:aws-cn for China regions', () => {
+    expect(arnPrefix('cn-north-1')).toBe('arn:aws-cn');
+  });
+});
+
+describe('dnsSuffix', () => {
+  it('returns amazonaws.com for commercial regions', () => {
+    expect(dnsSuffix('us-east-1')).toBe('amazonaws.com');
+  });
+
+  it('returns amazonaws.com for GovCloud regions', () => {
+    expect(dnsSuffix('us-gov-west-1')).toBe('amazonaws.com');
+  });
+
+  it('returns amazonaws.com.cn for China regions', () => {
+    expect(dnsSuffix('cn-north-1')).toBe('amazonaws.com.cn');
+  });
+});
+
+describe('serviceEndpoint', () => {
+  it('builds correct endpoint for commercial regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'us-east-1')).toBe('bedrock-agentcore.us-east-1.amazonaws.com');
+  });
+
+  it('builds correct endpoint for GovCloud regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'us-gov-west-1')).toBe('bedrock-agentcore.us-gov-west-1.amazonaws.com');
+  });
+
+  it('builds correct endpoint for China regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'cn-north-1')).toBe('bedrock-agentcore.cn-north-1.amazonaws.com.cn');
+  });
+});
+
+describe('consoleDomain', () => {
+  it('returns console.aws.amazon.com for commercial regions', () => {
+    expect(consoleDomain('us-east-1')).toBe('console.aws.amazon.com');
+  });
+
+  it('returns console.amazonaws-us-gov.com for GovCloud regions', () => {
+    expect(consoleDomain('us-gov-west-1')).toBe('console.amazonaws-us-gov.com');
+  });
+
+  it('returns console.amazonaws.cn for China regions', () => {
+    expect(consoleDomain('cn-north-1')).toBe('console.amazonaws.cn');
+  });
+});

src/cli/aws/agentcore.ts

@@ -1,6 +1,7 @@
 import { parseJsonRpcResponse } from '../../lib/utils/json-rpc';
 import { getCredentialProvider } from './account';
 import { parseAguiSSEStream } from './agui-parser';
+import { serviceEndpoint } from './partition';
 import {
   BedrockAgentCoreClient,
   EvaluateCommand,
@@ -143,11 +144,10 @@ export function extractResult(text: string): string {
 
 /**
  * Build the invoke URL for a runtime ARN.
- * Format: https://bedrock-agentcore.{REGION}.amazonaws.com/runtimes/{ESCAPED_ARN}/invocations?qualifier=DEFAULT
  */
 function buildInvokeUrl(region: string, runtimeArn: string): string {
   const escapedArn = encodeURIComponent(runtimeArn);
-  return `https://bedrock-agentcore.${region}.amazonaws.com/runtimes/${escapedArn}/invocations?qualifier=DEFAULT`;
+  return `https://${serviceEndpoint('bedrock-agentcore', region)}/runtimes/${escapedArn}/invocations?qualifier=DEFAULT`;
 }
 
 /**

src/cli/aws/bedrock-import.ts

@@ -323,7 +323,7 @@ async function fetchCollaborators(
       const aliasArn = (summary as { agentDescriptor?: { aliasArn?: string } }).agentDescriptor?.aliasArn;
       if (!aliasArn) continue;
 
-      const arnMatch = /^arn:aws:bedrock:[^:]+:[^:]+:agent-alias\/([^/]+)\/([^/]+)$/.exec(aliasArn);
+      const arnMatch = /^arn:[^:]+:bedrock:[^:]+:[^:]+:agent-alias\/([^/]+)\/([^/]+)$/.exec(aliasArn);
       if (!arnMatch) continue;
       const [, collabAgentId, collabAliasId] = arnMatch;
       if (!collabAgentId || !collabAliasId) continue;

src/cli/aws/cloudwatch.ts

@@ -1,4 +1,5 @@
 import { getCredentialProvider } from './account';
+import { arnPrefix } from './partition';
 import { CloudWatchLogsClient, FilterLogEventsCommand, StartLiveTailCommand } from '@aws-sdk/client-cloudwatch-logs';
 
 export interface LogEvent {
@@ -31,7 +32,7 @@ export async function* streamLogs(options: StreamLogsOptions): AsyncGenerator<Lo
   const { logGroupName, region, accountId, filterPattern, abortSignal } = options;
 
   // StartLiveTail requires ARN format for logGroupIdentifiers
-  const logGroupArn = `arn:aws:logs:${region}:${accountId}:log-group:${logGroupName}`;
+  const logGroupArn = `${arnPrefix(region)}:logs:${region}:${accountId}:log-group:${logGroupName}`;
 
   while (!abortSignal?.aborted) {
     const client = new CloudWatchLogsClient({

src/cli/aws/index.ts

@@ -1,5 +1,6 @@
 export { detectAwsContext, type AwsContext } from './aws-context';
 export { detectAccount, getCredentialProvider } from './account';
+export { getPartition, arnPrefix, dnsSuffix, serviceEndpoint, consoleDomain } from './partition';
 export { detectRegion, type RegionDetectionResult } from './region';
 export {
   invokeBedrockSync,