feat: launch telemetry

[Hweinstock]

Description

This is a composite PR of a few changes.

• add config command, see feat: add config command with dot-notation support #1387 for more info.
• fix some misc bugs related to telemetry. Ex. .json file extension is misleading for .jsonl files, invalid configs silently overwritten. (ex. [bug]: invalid agentcore config is silently overwritten. #1337).
• publish telemetry endpoint to config.
• add documentation in the help command for how to manage telemetry settings and use audit mode.
• fix a bug where telemetry notice showed every time when config is malformed.
• address some testing gaps in telemetry/config.

Future Work (non-launch blocking):

• add a page to docs/ for how to use telemetry audit mode.

Related Issue

Closes #

Documentation PR

Will follow-up with telemetry documentation.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Other (please describe):

Testing

How have you tested the change?

• I ran npm run test:unit and npm run test:integ
• I ran npm run typecheck
• I ran npm run lint
• If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

[github-actions]

Package Tarball

aws-agentcore-0.16.0.tgz

How to install

gh release download pr-1430-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.16.0.tgz

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[agentcore-cli-automation]

Overall the launch-telemetry changes look solid — moving telemetry preferences under a generic config command, adding a Result-based read API, and validating endpoints/UUIDs are good cleanups. I flagged a few items below that I think need to be addressed before merging — primarily missing telemetry instrumentation on the new config command itself (which is required per src/cli/telemetry/README.md), and stale entries in COMMAND_SCHEMAS for the removed telemetry enable/disable subcommands.

[agentcore-cli-automation]

Missing telemetry instrumentation for the new config command.

This PR is titled "launch telemetry" and the README at src/cli/telemetry/README.md requires every new top-level command to (a) declare an attribute schema in src/cli/telemetry/schemas/command-run.ts under COMMAND_SCHEMAS, and (b) be wrapped with runCliCommand (or withCommandRunTelemetry) so a cli.command_run metric is emitted. The action handler here just runs resolveAction(...), prints, and exits — no metric is ever recorded for agentcore config ... invocations, which is precisely the kind of usage we'd want visibility into now that config is the documented way to opt in/out of telemetry.

A few options:

1. Add three command keys (config.list, config.get, config.set) to COMMAND_SCHEMAS (most likely all NoAttrs, or config.set could carry a sanitized key enum if we want to track which keys users touch most), and wrap each branch with runCliCommand.
2. Add a single config key to COMMAND_SCHEMAS and dispatch all three branches through one runCliCommand('config', ...) call, with attrs distinguishing the action.

Option 1 is more consistent with how dataset.*, import.*, etc. are modeled today.

[Hweinstock]

will follow-up with this, I don't think its a blocker and I'd like to sync the backend schemas once I have a shape.

[agentcore-cli-automation]

validateGlobalConfig returns { success: boolean; error?: z.ZodError }, which loses the discriminated union that safeParse provides. Callers like handleConfigSet only branch on success, so this works, but in the success case any caller that wants the parsed/coerced value gets nothing — and TS won't tell you that the data field is gone. Either:

1. Return z.SafeParseReturnType<unknown, GlobalConfig> (i.e., just GlobalConfigSchemaStrict.safeParse(data) typed as-is), or
2. Return an explicit Result<{ data: GlobalConfig }, ZodError> for consistency with the rest of the file.

This matters because today handleConfigSet writes partial (the user-supplied object) rather than validation.data — so if we ever add a .transform() or coercion to the schema, the validated/normalized form would be silently discarded.

[Hweinstock]

this is intentional. validate is used for validation, read is used for reading. Validate is also used to verify that new (unwritten) config shapes are valid. The purpose of the function is "is this shape a valid config", so a success boolean is sufficient.

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[Hweinstock]

note: we import and use assert here because it provides type narrowing and avoids verbosity in follow-up assertions on result types.

[Hweinstock]

note: planning to follow-up with some telemetry on the config command and make this a custom error. Could use ValidationError, but may want something more specific to the file system.

[Hweinstock]

once we have proper documentation, I'll replace the source code link with a docs link.

[Hweinstock]

this is needed for the case where a customer provides an invalid url in their config or via env var.

[Hweinstock]

note: should move these somewhere more intuitive, but OOS here.

[Hweinstock]

will follow-up with this, I don't think its a blocker and I'd like to sync the backend schemas once I have a shape.

[Hweinstock]

this is intentional. validate is used for validation, read is used for reading. Validate is also used to verify that new (unwritten) config shapes are valid. The purpose of the function is "is this shape a valid config", so a success boolean is sufficient.

[avi-alpert]

the "only" is misleading - this test checks installationId is there but not that the config only has that key

[Hweinstock]

good catch, updated.

[avi-alpert]

was this removed?

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)