Skip to content

feat: add policy engine and policy support#579

Merged
jesseturner21 merged 17 commits intoaws:mainfrom
jesseturner21:main
Mar 23, 2026
Merged

feat: add policy engine and policy support#579
jesseturner21 merged 17 commits intoaws:mainfrom
jesseturner21:main

Conversation

@jesseturner21
Copy link
Copy Markdown
Contributor

@jesseturner21 jesseturner21 commented Mar 19, 2026

Description

Adds full policy engine and policy primitive support to the AgentCore CLI, including schema definitions, CLI commands, TUI wizards, deploy pipeline integration, and removal flows.

Key changes:

  • New primitives: PolicyEnginePrimitive and PolicyPrimitive with full add/remove lifecycle
  • Schema: New Zod schemas for policy engines and policies (project spec, deployed state, MCP config)
  • TUI: Add policy engine screen, add policy wizard (with statement editor, source file, and Bedrock generation), policy engine selection in gateway wizard
  • CLI commands: add policy-engine, add policy (with --statement, --source, --generate mutually exclusive flags), remove policy-engine, remove policy
  • Deploy pipeline: Preflight validation, CloudFormation output parsing, and status display for policy engines/policies
  • Gateway integration: PolicyEngineConfiguration wiring to associate policy engines with gateways
  • Remove flow: Composite key handling for cross-engine policy name collisions, policy engine/policy removal screens
  • Tests: Integration test for add/remove policy flow, unit tests for outputs, remove hooks, and validation

Related Issue

N/A

Documentation PR

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Note: This PR depends on the corresponding agentcore-l3-cdk-constructs PR for the CDK PolicyEngine/Policy constructs.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@jesseturner21 jesseturner21 requested a review from a team March 19, 2026 22:32
@github-actions github-actions bot added the size/xl PR size: XL label Mar 19, 2026
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 19, 2026
@jesseturner21
Copy link
Copy Markdown
Contributor Author

jesseturner21 commented Mar 19, 2026

📦 Package Tarball

aws-agentcore-0.3.0-preview.6.0.tgz

How to install

npm install https://github.com/jesseturner21/agentcore-cli/releases/download/pr-579-tarball/aws-agentcore-0.3.0-preview.6.0.tgz

Note: The automated pr-tarball workflow cannot create releases on the upstream repo from fork PRs. This tarball was uploaded to the fork repo instead.

@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 20, 2026
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 20, 2026
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 22, 2026
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 23, 2026
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 23, 2026
@github-actions github-actions bot removed the size/xl PR size: XL label Mar 23, 2026
Hweinstock
Hweinstock reviewed Mar 23, 2026
View reviewed changes
Comment thread integ-tests/add-remove-policy.test.ts
Comment thread src/cli/tui/screens/policy/AddPolicyScreen.tsx Outdated
Comment thread src/cli/primitives/PolicyEnginePrimitive.ts
Comment thread src/cli/primitives/GatewayPrimitive.ts
aidandaly24
aidandaly24 requested changes Mar 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@aidandaly24 aidandaly24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have some comments many are nit/suggestions

Comment thread src/cli/primitives/PolicyPrimitive.ts Outdated
Comment thread src/cli/primitives/PolicyPrimitive.ts
Comment thread src/cli/tui/screens/policy/AddPolicyFlow.tsx
Comment thread src/cli/aws/policy-generation.ts
Comment thread src/cli/primitives/PolicyEnginePrimitive.ts
Comment thread src/cli/tui/screens/policy/AddPolicyScreen.tsx
Comment thread src/schema/schemas/primitives/policy.ts Outdated
Comment thread src/cli/tui/screens/policy/AddPolicyScreen.tsx
Comment thread src/cli/tui/components/SelectList.tsx Outdated
Comment thread src/cli/tui/screens/policy/AddPolicyFlow.tsx
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 23, 2026
jesseturner21 and others added 17 commits March 23, 2026 11:39
@jesseturner21 @claude
feat: add policy engine and policy support with full deploy pipeline
33c4b00 
Add Cedar authorization policy support to AgentCore CLI:

- Schema: PolicyEngine and Policy schemas with Zod validation
- TUI: Full add/remove wizards for policy engines and policies
  - Source methods: Cedar file, inline statement, or AI generation
  - Gateway selection for generation flow
  - Expandable text input for generation prompts
- CLI: Non-interactive add/remove commands with all flags
  - agentcore add policy-engine --name <name>
  - agentcore add policy --name <name> --engine <engine> --source/--statement/--generate
  - agentcore remove policy-engine/policy --name <name>
- Deploy: CDK construct integration, CloudFormation output parsing,
  deployed state tracking with composite engine/policy keys
- Status: Policy engines and policies shown in status command and
  ResourceGraph TUI with correct deployment state diffing
- Generation: StartPolicyGeneration + waiter integration with
  deployed engine ID and gateway ARN resolution
- Validation: Schema validation for names, statements, validation modes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
feat: use composite key for policy removal to handle cross-engine nam…
a80a005 
…e collisions

Policies are nested under engines, so the same policy name can exist in
multiple engines. Switch getRemovable/remove/previewRemove to use an
"engineName/policyName" composite key so the generic TUI remove flow can
uniquely identify policies with a single string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: sync package-lock.json for npm@10 compatibility
0bc9914 
Regenerate lock file with npm@10 to resolve missing yaml@2.8.2
dependency entry that caused `npm ci` failures on Node 20.x and 22.x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: resolve lint and formatting issues for CI
b0197e0 
- Merge duplicate imports in policy-generation.ts
- Use dot notation instead of bracket notation in outputs test
- Replace Array<T> with T[] in outputs.ts and useDeployFlow.ts
- Add void operator for floating promises in AddPolicyFlow
- Wrap async handlers with void for no-misused-promises
- Escape quotes in JSX text in AddPolicyScreen
- Fix prettier formatting across all changed files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: make --statement, --source, --generate mutually exclusive in add…
e118d1e 
… policy

Previously, passing multiple source flags (e.g. --statement + --source) was
silently accepted with an implicit precedence order. Now the command returns
a clear error if more than one is provided.

Also fix pre-existing type errors in dev config tests by adding the required
policyEngines field to test fixtures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
feat: add policy engine and policy support to TUI remove flow
c61bfce 
Add interactive TUI support for removing policy engines and policies,
including menu entries, selection screens, confirmation, and success states.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: write both CLIENT_ID and CLIENT_SECRET env vars for managed OAut…
f5c37ea 
…h credentials

The createManagedOAuthCredential method was only writing the client secret
with an incorrect env var name. Now correctly writes both _CLIENT_ID and
_CLIENT_SECRET suffixed env vars, matching the pattern used by CredentialPrimitive.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Hweinstock @jesseturner21
feat: add PolicyEngineConfiguration support for gateways
d642bd7
@Hweinstock @jesseturner21
feat: add policy engine selection to gateway TUI wizard
0486995
@jesseturner21 @claude
fix: shorten disabled policy generate description to prevent truncation
c9c86ca 
The "Generate a Cedar policy" option's disabled description was too long
("Requires deployed engine — run `deploy` first") and got cut off in
narrow terminals. Shortened to "Deploy engine first".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: prevent infinite loop when pressing Escape on policy generation …
7bfc445 
…error

When the policy generation API returned an error, pressing Escape on the
review step would loop back to the loading step and re-trigger the API
call, creating an infinite loop. The root cause was the double goBack()
pattern (one immediate, one via setTimeout) suffering from stale closures
— both calls saw the same step, so the second never reached the
description step, while the first landed on loading and re-fired the
useEffect.

The fix uses a skipGeneration ref: when navigating back from review, the
ref is set to true and a single goBack() moves to the loading step. The
useEffect detects the ref, resets it, and calls goBack() again (now with
the correct step in scope) to reach the description step — without ever
starting generation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
chore: remove legacy McpGateway output pattern from gateway parser
17997d6 
The CDK constructs renamed McpGateway to Gateway in PR #65. No deployed
stacks use the old prefix since this is pre-GA.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
test: add integ tests for --statement/--source/--generate mutual excl…
2f90d2b 
…usivity

Cover all pairwise combinations and the triple-flag case to ensure
the CLI rejects conflicting policy source flags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: remove unnecessary sourceFile existence check from validate
d03d32c 
The sourceFile field is metadata tracking where a policy statement
originated. The statement itself is persisted in agentcore.json, so
the original .cedar file is not needed after add. Failing validation
when the source file is cleaned up is incorrect.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: respect --json flag in policy remove command
62a73a1 
The remove action always output JSON regardless of whether --json was
passed. Now matches the add command behavior: plain text by default,
JSON only when --json is specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
chore: co-locate hasPolicyEngines with other has* checks in preflight
900810a 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: address PR review comments for policy support
d0a4df2 
- Validate --validation-mode CLI flag with ValidationModeSchema.parse()
  instead of unsafe cast (PolicyPrimitive)
- Add ambiguity check in remove/previewRemove when policy exists in
  multiple engines without --engine specified (PolicyPrimitive)
- Gate JSON output behind --json flag in policy engine remove
  (PolicyEnginePrimitive)
- Add uniqueBy validation on policies array to prevent duplicate names
  (policy schema)
- Narrow validationModeItems type to remove unnecessary cast
  (AddPolicyScreen)
- Disable reviewNav when generation error is shown (AddPolicyScreen)
- Add expandable to inline Cedar statement TextInput (AddPolicyScreen)
- Check waiter result state before proceeding (policy-generation)
- Revert SelectList wrap from truncate back to wrap

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added size/xl PR size: XL and removed size/xl PR size: XL labels Mar 23, 2026
@jesseturner21 jesseturner21 merged commit 4da709b into aws:main Mar 23, 2026
17 of 18 checks passed
This was referenced Mar 23, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hweinstock Hweinstock Hweinstock left review comments

@aidandaly24 aidandaly24 aidandaly24 approved these changes

Assignees

No one assigned

Labels

size/xl PR size: XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jesseturner21 @Hweinstock @aidandaly24