
feat: add policy engine and policy support #579

Open
jesseturner21 wants to merge 17 commits into aws:main from jesseturner21:main

Conversation

@jesseturner21
Contributor

Description

Adds full policy engine and policy primitive support to the AgentCore CLI, including schema definitions, CLI commands, TUI wizards, deploy pipeline integration, and removal flows.

Key changes:

  • New primitives: PolicyEnginePrimitive and PolicyPrimitive with full add/remove lifecycle
  • Schema: New Zod schemas for policy engines and policies (project spec, deployed state, MCP config)
  • TUI: Add policy engine screen, add policy wizard (with statement editor, source file, and Bedrock generation), policy engine selection in gateway wizard
  • CLI commands: add policy-engine, add policy (with --statement, --source, --generate mutually exclusive flags), remove policy-engine, remove policy
  • Deploy pipeline: Preflight validation, CloudFormation output parsing, and status display for policy engines/policies
  • Gateway integration: PolicyEngineConfiguration wiring to associate policy engines with gateways
  • Remove flow: Composite key handling for cross-engine policy name collisions, policy engine/policy removal screens
  • Tests: Integration test for add/remove policy flow, unit tests for outputs, remove hooks, and validation

Related Issue

N/A

Documentation PR

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Note: This PR depends on the corresponding agentcore-l3-cdk-constructs PR for the CDK PolicyEngine/Policy constructs.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@jesseturner21 jesseturner21 requested a review from a team March 19, 2026 22:32
@github-actions github-actions bot added the size/xl PR size: XL label Mar 19, 2026
@jesseturner21
Contributor Author

📦 Package Tarball

aws-agentcore-0.3.0-preview.6.0.tgz

How to install

npm install https://github.com/jesseturner21/agentcore-cli/releases/download/pr-579-tarball/aws-agentcore-0.3.0-preview.6.0.tgz

Note: The automated pr-tarball workflow cannot create releases on the upstream repo from fork PRs. This tarball was uploaded to the fork repo instead.

jesseturner21 and others added 12 commits March 22, 2026 12:48
Add Cedar authorization policy support to AgentCore CLI:

- Schema: PolicyEngine and Policy schemas with Zod validation
- TUI: Full add/remove wizards for policy engines and policies
  - Source methods: Cedar file, inline statement, or AI generation
  - Gateway selection for generation flow
  - Expandable text input for generation prompts
- CLI: Non-interactive add/remove commands with all flags
  - agentcore add policy-engine --name <name>
  - agentcore add policy --name <name> --engine <engine> --source/--statement/--generate
  - agentcore remove policy-engine/policy --name <name>
- Deploy: CDK construct integration, CloudFormation output parsing,
  deployed state tracking with composite engine/policy keys
- Status: Policy engines and policies shown in status command and
  ResourceGraph TUI with correct deployment state diffing
- Generation: StartPolicyGeneration + waiter integration with
  deployed engine ID and gateway ARN resolution
- Validation: Schema validation for names, statements, validation modes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…e collisions

Policies are nested under engines, so the same policy name can exist in
multiple engines. Switch getRemovable/remove/previewRemove to use an
"engineName/policyName" composite key so the generic TUI remove flow can
uniquely identify policies with a single string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
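The composite-key scheme described in the commit above, as an added example that is not the agentcore-cli code base's own code. It shows why a flat policy-name list is ambiguous when the same name exists under two engines and how an "engineName/policyName" string lets a generic remove flow identify one policy unambiguously. The type names and the functions getRemovablePolicies/removePolicy are hypothetical stand-ins for the primitive's getRemovable/remove; the rule that names may not contain "/" is an assumption made here, not a statement about the real schema.

```typescript
// Added example (not from agentcore-cli): a minimal model of the
// "engineName/policyName" composite key used to disambiguate policies that
// share a name across engines. PolicyEngineSpec/PolicySpec are hypothetical.

interface PolicySpec { name: string; statement: string }
interface PolicyEngineSpec { name: string; policies: PolicySpec[] }

const SEP = "/";

// Build the composite key. Assumption: neither segment may contain "/" or be
// empty; otherwise the key could not be split back into its two parts.
function toCompositeKey(engineName: string, policyName: string): string {
  for (const part of [engineName, policyName]) {
    if (part.length === 0 || part.includes(SEP)) {
      throw new Error(`invalid name segment: ${JSON.stringify(part)}`);
    }
  }
  return `${engineName}${SEP}${policyName}`;
}

// Split a composite key; a bare policy name (no "/") or an extra "/" is rejected
// so a caller can never silently remove the wrong resource.
function parseCompositeKey(key: string): { engineName: string; policyName: string } {
  const idx = key.indexOf(SEP);
  if (idx <= 0 || idx === key.length - 1 || key.indexOf(SEP, idx + 1) !== -1) {
    throw new Error(`malformed composite key: ${JSON.stringify(key)}`);
  }
  return { engineName: key.slice(0, idx), policyName: key.slice(idx + 1) };
}

// Every removable policy as a unique key. Listing plain policy names instead
// would collapse "deny-all" in two engines into a single entry.
function getRemovablePolicies(engines: PolicyEngineSpec[]): string[] {
  return engines.flatMap(e => e.policies.map(p => toCompositeKey(e.name, p.name)));
}

// Remove exactly the policy the key names. Returns a new spec rather than
// mutating, so a preview step can diff it against the original.
function removePolicy(engines: PolicyEngineSpec[], key: string): PolicyEngineSpec[] {
  const { engineName, policyName } = parseCompositeKey(key);
  const engine = engines.find(e => e.name === engineName);
  if (!engine) throw new Error(`unknown policy engine: ${engineName}`);
  if (!engine.policies.some(p => p.name === policyName)) {
    throw new Error(`policy ${policyName} not found in engine ${engineName}`);
  }
  return engines.map(e =>
    e.name !== engineName
      ? e
      : { ...e, policies: e.policies.filter(p => p.name !== policyName) }
  );
}

// Constructed sample input: the same policy name under two engines.
const sampleEngines: PolicyEngineSpec[] = [
  {
    name: "prod-engine",
    policies: [{ name: "deny-all", statement: "forbid(principal, action, resource);" }],
  },
  {
    name: "dev-engine",
    policies: [
      { name: "deny-all", statement: "forbid(principal, action, resource);" },
      { name: "allow-read", statement: 'permit(principal, action == Action::"read", resource);' },
    ],
  },
];
```

With the sample above, getRemovablePolicies yields three keys, and removePolicy("dev-engine/deny-all") leaves prod-engine's deny-all in place; passing the bare name "deny-all" is rejected instead of guessing an engine.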
Regenerate lock file with npm@10 to resolve missing yaml@2.8.2
dependency entry that caused `npm ci` failures on Node 20.x and 22.x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Merge duplicate imports in policy-generation.ts
- Use dot notation instead of bracket notation in outputs test
- Replace Array<T> with T[] in outputs.ts and useDeployFlow.ts
- Add void operator for floating promises in AddPolicyFlow
- Wrap async handlers with void for no-misused-promises
- Escape quotes in JSX text in AddPolicyScreen
- Fix prettier formatting across all changed files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… policy

Previously, passing multiple source flags (e.g. --statement + --source) was
silently accepted with an implicit precedence order. Now the command returns
a clear error if more than one is provided.

Also fix pre-existing type errors in dev config tests by adding the required
policyEngines field to test fixtures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add interactive TUI support for removing policy engines and policies,
including menu entries, selection screens, confirmation, and success states.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…h credentials

The createManagedOAuthCredential method was only writing the client secret
with an incorrect env var name. Now correctly writes both _CLIENT_ID and
_CLIENT_SECRET suffixed env vars, matching the pattern used by CredentialPrimitive.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "Generate a Cedar policy" option's disabled description was too long
("Requires deployed engine — run `deploy` first") and got cut off in
narrow terminals. Shortened to "Deploy engine first".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…error

When the policy generation API returned an error, pressing Escape on the
review step would loop back to the loading step and re-trigger the API
call, creating an infinite loop. The root cause was the double goBack()
pattern (one immediate, one via setTimeout) suffering from stale closures
— both calls saw the same step, so the second never reached the
description step, while the first landed on loading and re-fired the
useEffect.

The fix uses a skipGeneration ref: when navigating back from review, the
ref is set to true and a single goBack() moves to the loading step. The
useEffect detects the ref, resets it, and calls goBack() again (now with
the correct step in scope) to reach the description step — without ever
starting generation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CDK constructs renamed McpGateway to Gateway in PR aws#65. No deployed
stacks use the old prefix since this is pre-GA.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…usivity

Cover all pairwise combinations and the triple-flag case to ensure
the CLI rejects conflicting policy source flags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
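The fail-closed flag handling from the "mutually exclusive" commit and the pairwise/triple coverage from the test commit above, as an added example that is not the agentcore-cli code base's own code. The flag names --statement, --source and --generate come from the PR; the option shape, the PolicySource type and the function names are hypothetical, and it is an assumption here that --generate carries a natural-language description of the desired policy.

```typescript
// Added example (not from agentcore-cli): require exactly one policy source
// flag and reject every combination of two or three, instead of picking one by
// implicit precedence. Flag names are the PR's; everything else is hypothetical.

type PolicySourceFlags = { statement?: string; source?: string; generate?: string };

type PolicySource =
  | { kind: "statement"; statement: string }
  | { kind: "source"; path: string }
  | { kind: "generate"; description: string };

const SOURCE_FLAGS = ["statement", "source", "generate"] as const;

function resolvePolicySource(flags: PolicySourceFlags): PolicySource {
  // A flag counts as supplied whenever it is present, even as an empty string,
  // so `--statement ""` plus `--source x` is still a conflict, not a no-op.
  const supplied = SOURCE_FLAGS.filter(k => flags[k] !== undefined);
  if (supplied.length === 0) {
    throw new Error("one of --statement, --source or --generate is required");
  }
  if (supplied.length > 1) {
    // Fail closed: the caller must say which input they meant.
    throw new Error(`flags ${supplied.map(f => `--${f}`).join(", ")} are mutually exclusive`);
  }
  switch (supplied[0]) {
    case "statement": return { kind: "statement", statement: flags.statement as string };
    case "source": return { kind: "source", path: flags.source as string };
    case "generate": return { kind: "generate", description: flags.generate as string };
    default: throw new Error("unreachable");
  }
}

// Enumerate every non-empty subset of the three flags and return the subsets
// the resolver rejects; this mirrors the pairwise and triple-flag test cases.
function rejectedCombinations(): string[][] {
  const rejected: string[][] = [];
  for (let mask = 1; mask < 1 << SOURCE_FLAGS.length; mask++) {
    const combo = SOURCE_FLAGS.filter((_, i) => (mask & (1 << i)) !== 0);
    const flags: PolicySourceFlags = {};
    for (const f of combo) flags[f] = "x";
    try {
      resolvePolicySource(flags);
    } catch {
      rejected.push([...combo]);
    }
  }
  return rejected;
}
```

Of the seven non-empty combinations, the three single-flag cases resolve and the three pairs plus the triple are rejected, so rejectedCombinations() returns four entries.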
The sourceFile field is metadata tracking where a policy statement
originated. The statement itself is persisted in agentcore.json, so
the original .cedar file is not needed after add. Failing validation
when the source file is cleaned up is incorrect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jesseturner21 and others added 2 commits March 23, 2026 01:47
The remove action always output JSON regardless of whether --json was
passed. Now matches the add command behavior: plain text by default,
JSON only when --json is specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor Author

@jesseturner21 jesseturner21 left a comment


One note added.

@jesseturner21
Contributor Author

The e2e tests fail because the tests pull from aws/agentcore-cdk rather than the new ones we are adding. Once both are merged, the e2e tests will be fixed, and we will ensure this before releasing.
