agent-claw: automated task changes

agentclaw/agentcore/.cli/deployed-state.json

@@ -0,0 +1,22 @@
+{
+  "targets": {
+    "default": {
+      "resources": {
+        "runtimes": {
+          "agent_claw_main": {
+            "runtimeId": "agentclaw_agent_claw_main-vTRGIEG6ON",
+            "runtimeArn": "arn:aws:bedrock-agentcore:us-east-1:495395224548:runtime/agentclaw_agent_claw_main-vTRGIEG6ON",
+            "roleArn": "arn:aws:iam::495395224548:role/AgentCore-agentclaw-defau-ApplicationAgentAgentClaw-Ttg8kEtQ3cJj"
+          }
+        },
+        "memories": {
+          "AgentClawMemory": {
+            "memoryId": "agentclaw_AgentClawMemory-i7Csf776AH",
+            "memoryArn": "arn:aws:bedrock-agentcore:us-east-1:495395224548:memory/agentclaw_AgentClawMemory-i7Csf776AH"
+          }
+        },
+        "stackName": "AgentCore-agentclaw-default"
+      }
+    }
+  }
+}

agentclaw/agentcore/.gitignore

@@ -0,0 +1,15 @@
+# Secrets (local environment files are never committed)
+.env.local
+
+# CDK Build Artifacts
+cdk/cdk.out/
+cdk/node_modules/
+
+# CLI Internals
+.cli/*
+
+# Ephemeral Staging
+.cache/*
+
+# Exception: Commit the State
+!.cli/deployed-state.json

agentclaw/agentcore/.llm-context/README.md

@@ -0,0 +1,16 @@
+# LLM Context Files
+
+**DO NOT EDIT THESE FILES** - They are read-only reference for AI coding assistants.
+
+## Files
+
+| File             | JSON Config        | Purpose                                   |
+| ---------------- | ------------------ | ----------------------------------------- |
+| `agentcore.ts`   | `agentcore.json`   | Project, agent, memory, credential config |
+| `mcp.ts`         | `agentcore.json`   | Gateways, targets, MCP runtime tools      |
+| `aws-targets.ts` | `aws-targets.json` | Deployment targets (account + region)     |
+
+## Usage
+
+When editing schema JSON files, reference the corresponding `.ts` file here for type definitions and validation
+constraints (marked with `@regex`, `@min`, `@max`).

agentclaw/agentcore/.llm-context/agentcore.ts

@@ -0,0 +1,403 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+/**
+ * READ-ONLY LLM CONTEXT - Do not edit this file.
+ *
+ * JSON File: agentcore/agentcore.json
+ * Purpose: Top-level project configuration with flat resource model
+ */
+
+// ─────────────────────────────────────────────────────────────────────────────
+// ROOT SCHEMA: AgentCoreProjectSpec
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface AgentCoreProjectSpec {
+  name: string; // @regex ^[A-Za-z][A-Za-z0-9]{0,22}$ @max 23 - project name
+  version: number; // Schema version (integer)
+  managedBy: 'CDK'; // Enum — infrastructure manager. Default: "CDK"
+  tags?: Record<string, string>;
+  runtimes: AgentEnvSpec[]; // Unique by name
+  memories: Memory[]; // Unique by name
+  credentials: Credential[]; // Unique by name
+  evaluators: Evaluator[]; // Unique by name — custom evaluator definitions
+  onlineEvalConfigs: OnlineEvalConfig[]; // Unique by name — online evaluation configs
+  agentCoreGateways: AgentCoreGateway[]; // Unique by name — MCP gateways
+  mcpRuntimeTools?: AgentCoreMcpRuntimeTool[]; // Unique by name — standalone MCP runtime tools (not behind a gateway)
+  unassignedTargets?: AgentCoreGatewayTarget[]; // Unique by name — targets not yet assigned to a gateway
+  policyEngines: PolicyEngine[]; // Unique by name — Cedar policy engines
+  configBundles: ConfigBundle[]; // Unique by name — configuration bundles for versioned config
+  abTests: ABTest[]; // Unique by name — A/B test experiments
+  /** @internal Auto-managed by AB test creation. Do not configure directly. */
+  httpGateways: HttpGateway[]; // Unique by name — HTTP gateways bound to a runtime
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// ENUMS
+// ─────────────────────────────────────────────────────────────────────────────
+
+type BuildType = 'CodeZip' | 'Container';
+type PythonRuntime = 'PYTHON_3_10' | 'PYTHON_3_11' | 'PYTHON_3_12' | 'PYTHON_3_13' | 'PYTHON_3_14';
+type NodeRuntime = 'NODE_18' | 'NODE_20' | 'NODE_22';
+type RuntimeVersion = PythonRuntime | NodeRuntime;
+type NetworkMode = 'PUBLIC' | 'VPC';
+interface NetworkConfig {
+  subnets: string[]; // subnet-xxx IDs
+  securityGroups: string[]; // sg-xxx IDs
+}
+
+type MemoryStrategyType = 'SEMANTIC' | 'SUMMARIZATION' | 'USER_PREFERENCE' | 'EPISODIC';
+type ModelProvider = 'Bedrock' | 'Gemini' | 'OpenAI' | 'Anthropic';
+type EvaluationLevel = 'SESSION' | 'TRACE' | 'TOOL_CALL';
+type GatewayTargetType = 'lambda' | 'mcpServer' | 'openApiSchema' | 'smithyModel' | 'apiGateway' | 'lambdaFunctionArn';
+type OutboundAuthType = 'OAUTH' | 'API_KEY' | 'NONE';
+type GatewayAuthorizerType = 'NONE' | 'AWS_IAM' | 'CUSTOM_JWT';
+type GatewayExceptionLevel = 'NONE' | 'DEBUG';
+type PolicyEngineMode = 'LOG_ONLY' | 'ENFORCE';
+type ValidationMode = 'FAIL_ON_ANY_FINDINGS' | 'IGNORE_ALL_FINDINGS';
+type ComputeHost = 'Lambda' | 'AgentCoreRuntime';
+type ABTestVariantName = 'C' | 'T1';
+
+// ─────────────────────────────────────────────────────────────────────────────
+// AGENT
+// ─────────────────────────────────────────────────────────────────────────────
+
+type ProtocolMode = 'HTTP' | 'MCP' | 'A2A' | 'AGUI';
+
+interface AgentEnvSpec {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  build: BuildType;
+  entrypoint: string; // @regex ^[a-zA-Z0-9_][a-zA-Z0-9_/.-]*\.(py|ts|js)(:[a-zA-Z_][a-zA-Z0-9_]*)?$ e.g. "main.py:handler" or "index.ts"
+  codeLocation: string; // Directory path
+  dockerfile?: string; // Custom Dockerfile name for Container builds (default: 'Dockerfile'). Must be a filename, not a path.
+  runtimeVersion?: RuntimeVersion;
+  envVars?: EnvVar[];
+  networkMode?: NetworkMode; // default 'PUBLIC'
+  networkConfig?: NetworkConfig; // Required when networkMode is 'VPC'
+  instrumentation?: Instrumentation; // OTel settings
+  protocol?: ProtocolMode; // default 'HTTP'
+  tags?: Record<string, string>;
+}
+
+interface Instrumentation {
+  enableOtel: boolean; // default true - wrap entrypoint with opentelemetry-instrument
+}
+
+interface EnvVar {
+  name: string; // @regex ^[A-Za-z_][A-Za-z0-9_]*$ @max 255
+  value: string;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// MEMORY
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface Memory {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  eventExpiryDuration: number; // @min 3 @max 365 (days)
+  strategies: MemoryStrategy[]; // Unique by type. Can be empty (short-term memory).
+  tags?: Record<string, string>;
+  encryptionKeyArn?: string;
+  executionRoleArn?: string;
+}
+
+interface MemoryStrategy {
+  type: MemoryStrategyType;
+  name?: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  description?: string;
+  namespaces?: string[];
+  reflectionNamespaces?: string[]; // EPISODIC only: namespaces for cross-episode reflections
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// CREDENTIAL
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface Credential {
+  authorizerType: 'ApiKeyCredentialProvider' | 'OAuthCredentialProvider';
+  name: string; // @regex ^[a-zA-Z0-9\-_]+$ @min 1 @max 128
+  // Additional fields for OAuthCredentialProvider:
+  discoveryUrl?: string; // OIDC discovery URL (OAuth only)
+  scopes?: string[]; // Supported scopes (OAuth only)
+  vendor?: string; // Credential provider vendor type (OAuth only, default: 'CustomOauth2')
+  managed?: boolean; // Whether auto-created by CLI (OAuth only)
+  usage?: 'inbound' | 'outbound'; // Auth direction (OAuth only)
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// EVALUATOR
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface Evaluator {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  level: EvaluationLevel;
+  description?: string;
+  config: EvaluatorConfig; // Must have either llmAsAJudge or codeBased, not both
+  tags?: Record<string, string>;
+}
+
+interface EvaluatorConfig {
+  llmAsAJudge?: LlmAsAJudgeConfig;
+  codeBased?: CodeBasedConfig;
+}
+
+interface LlmAsAJudgeConfig {
+  model: string; // Bedrock model ID or ARN
+  instructions: string; // Evaluation instructions
+  ratingScale: RatingScale; // Must have either numerical or categorical, not both
+}
+
+interface RatingScale {
+  numerical?: { value: number; label: string; definition: string }[];
+  categorical?: { label: string; definition: string }[];
+}
+
+interface CodeBasedConfig {
+  managed?: ManagedCodeBasedConfig;
+  external?: ExternalCodeBasedConfig;
+}
+
+interface ManagedCodeBasedConfig {
+  codeLocation: string;
+  entrypoint: string; // default 'lambda_function.handler'
+  timeoutSeconds: number; // @min 1 @max 300 (default 60)
+  additionalPolicies?: string[];
+}
+
+interface ExternalCodeBasedConfig {
+  lambdaArn: string; // @regex ^arn:aws[a-z-]*:lambda:[a-z0-9-]+:\d{12}:function:.+$
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// ONLINE EVAL CONFIG
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface OnlineEvalConfig {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  agent: string; // Agent name — must match a project agent
+  evaluators: string[]; // @min 1 — evaluator names, Builtin.* IDs, or evaluator ARNs
+  samplingRate: number; // @min 0.01 @max 100 (percentage)
+  description?: string; // @max 200
+  enableOnCreate?: boolean; // Whether to enable on create (default: true)
+  tags?: Record<string, string>;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GATEWAY (MCP)
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface AgentCoreGateway {
+  name: string; // @regex ^[0-9a-zA-Z](?:[0-9a-zA-Z-]*[0-9a-zA-Z])?$ @max 100
+  description?: string;
+  targets: AgentCoreGatewayTarget[]; // Gateway targets
+  authorizerType?: GatewayAuthorizerType; // default 'NONE'
+  authorizerConfiguration?: AuthorizerConfig; // Required when authorizerType is 'CUSTOM_JWT'
+  enableSemanticSearch?: boolean; // default true
+  exceptionLevel?: GatewayExceptionLevel; // default 'NONE'
+  policyEngineConfiguration?: GatewayPolicyEngineConfiguration;
+  tags?: Record<string, string>;
+}
+
+interface AuthorizerConfig {
+  customJwtAuthorizer?: {
+    discoveryUrl: string; // OIDC discovery URL (HTTPS, must end with /.well-known/openid-configuration)
+    allowedAudience?: string[];
+    allowedClients?: string[];
+    allowedScopes?: string[];
+    customClaims?: CustomClaimValidation[];
+  };
+}
+
+interface CustomClaimValidation {
+  inboundTokenClaimName: string; // @regex ^[A-Za-z0-9_.:-]+$ @max 255
+  inboundTokenClaimValueType: 'STRING' | 'STRING_ARRAY';
+  authorizingClaimMatchValue: {
+    claimMatchOperator: 'EQUALS' | 'CONTAINS' | 'CONTAINS_ANY';
+    claimMatchValue: {
+      matchValueString?: string; // @regex ^[A-Za-z0-9_.-]+$ @max 255
+      matchValueStringList?: string[]; // each @regex ^[A-Za-z0-9_.-]+$ @max 255
+    };
+  };
+}
+
+interface GatewayPolicyEngineConfiguration {
+  policyEngineName: string; // Reference to a PolicyEngine name
+  mode: PolicyEngineMode;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GATEWAY TARGET
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface AgentCoreGatewayTarget {
+  name: string;
+  targetType: GatewayTargetType;
+  toolDefinitions?: ToolDefinition[]; // Required for 'lambda' targets
+  compute?: ToolComputeConfig; // Required for 'lambda' and scaffold targets
+  endpoint?: string; // URL — required for external 'mcpServer' targets
+  outboundAuth?: OutboundAuth;
+  apiGateway?: ApiGatewayConfig; // Required for 'apiGateway' target type
+  schemaSource?: SchemaSource; // Required for 'openApiSchema' / 'smithyModel' targets
+  lambdaFunctionArn?: LambdaFunctionArnConfig; // Required for 'lambdaFunctionArn' target type
+}
+
+interface OutboundAuth {
+  type: OutboundAuthType; // default 'NONE'
+  credentialName?: string; // Required when type is not 'NONE'
+  scopes?: string[];
+}
+
+interface ToolDefinition {
+  name: string;
+  description?: string;
+  inputSchema: object; // JSON Schema
+  outputSchema?: object;
+}
+
+interface ToolComputeConfig {
+  host: ComputeHost;
+  implementation: ToolImplementationBinding;
+  // Lambda-specific:
+  nodeVersion?: NodeRuntime; // Required for TypeScript Lambda
+  pythonVersion?: PythonRuntime; // Required for Python Lambda
+  timeout?: number; // @min 1 @max 900
+  memorySize?: number; // @min 128 @max 10240
+  iamPolicy?: object; // IAM policy document
+  // AgentCoreRuntime-specific:
+  runtime?: RuntimeConfig;
+}
+
+interface ToolImplementationBinding {
+  language: 'TypeScript' | 'Python';
+  path: string;
+  handler: string;
+}
+
+interface RuntimeConfig {
+  artifact: 'CodeZip';
+  pythonVersion: PythonRuntime;
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  entrypoint: string; // Python file path with optional handler
+  codeLocation: string;
+  instrumentation?: Instrumentation;
+  networkMode?: NetworkMode; // default 'PUBLIC'
+  description?: string;
+}
+
+interface ApiGatewayConfig {
+  restApiId: string;
+  stage: string;
+  apiGatewayToolConfiguration: {
+    toolFilters: {
+      filterPath: string;
+      methods: ('GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS')[];
+    }[];
+    toolOverrides?: { name: string; path: string; method: string; description?: string }[];
+  };
+}
+
+interface LambdaFunctionArnConfig {
+  lambdaArn: string; // @max 170
+  toolSchemaFile: string;
+}
+
+type SchemaSource = { inline: { path: string } } | { s3: { uri: string; bucketOwnerAccountId?: string } };
+
+// ─────────────────────────────────────────────────────────────────────────────
+// MCP RUNTIME TOOL
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface AgentCoreMcpRuntimeTool {
+  name: string;
+  toolDefinition: ToolDefinition;
+  compute: {
+    host: 'AgentCoreRuntime'; // Only AgentCoreRuntime (Python only)
+    implementation: ToolImplementationBinding;
+    runtime?: RuntimeConfig;
+    iamPolicy?: object;
+  };
+  bindings?: McpRuntimeBinding[]; // Grant agents permission to invoke this tool
+}
+
+interface McpRuntimeBinding {
+  runtimeName: string; // Agent runtime name to bind to
+  envVarName: string; // @regex ^[A-Za-z_][A-Za-z0-9_]*$ — env var for runtime ARN
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// POLICY ENGINE
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface PolicyEngine {
+  name: string; // @regex ^[A-Za-z][A-Za-z0-9_]{0,47}$ @max 48
+  description?: string; // @max 4096
+  encryptionKeyArn?: string;
+  tags?: Record<string, string>;
+  policies: Policy[]; // Unique by name
+}
+
+interface Policy {
+  name: string; // @regex ^[A-Za-z][A-Za-z0-9_]{0,47}$ @max 48
+  description?: string; // @max 4096
+  statement: string; // Cedar policy statement
+  sourceFile?: string;
+  validationMode: ValidationMode; // default 'FAIL_ON_ANY_FINDINGS'
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// CONFIG BUNDLE
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface ConfigBundle {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,99}$ @max 100
+  description?: string; // @max 500
+  /** Component configurations keyed by component ARN or placeholder (e.g. {{runtime:<runtimeName>}}) */
+  components: Record<string, ComponentConfiguration>;
+  branchName?: string; // @max 128 — optional branch name for versioning
+  commitMessage?: string; // @max 500 — optional commit message
+}
+
+interface ComponentConfiguration {
+  configuration: Record<string, unknown>; // Freeform configuration for the component
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// AB TEST
+// ─────────────────────────────────────────────────────────────────────────────
+
+interface ABTest {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_]{0,47}$ @max 48
+  description?: string; // @max 200
+  gatewayRef: string; // Reference to the gateway (ARN or {{gateway:name}} placeholder)
+  roleArn?: string;
+  variants: [ABTestVariant, ABTestVariant]; // Exactly 2 — one 'C' (control) and one 'T1' (treatment). Weights must sum to 100.
+  evaluationConfig: {
+    onlineEvaluationConfigArn: string;
+  };
+  trafficAllocationConfig?: {
+    routeOnHeader: { headerName: string };
+  };
+  maxDurationDays?: number; // @min 1 @max 90
+  enableOnCreate?: boolean;
+}
+
+interface ABTestVariant {
+  name: ABTestVariantName;
+  weight: number; // @min 1 @max 100
+  variantConfiguration: {
+    configurationBundle: {
+      bundleArn: string;
+      bundleVersion: string;
+    };
+  };
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// HTTP GATEWAY
+// ─────────────────────────────────────────────────────────────────────────────
+
+/** @internal HTTP gateway auto-created when setting up an AB test. */
+interface HttpGateway {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9-]{0,47}$ @max 48
+  description?: string; // @max 200
+  runtimeRef: string; // Reference to a runtime name from spec.runtimes
+  roleArn?: string; // IAM role ARN — auto-created if omitted
+}

agentclaw/agentcore/.llm-context/aws-targets.ts

@@ -0,0 +1,45 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+/**
+ * READ-ONLY LLM CONTEXT - Do not edit this file.
+ *
+ * JSON File: agentcore/aws-targets.json
+ * Purpose: AWS deployment targets for AgentCore resources
+ */
+
+// ─────────────────────────────────────────────────────────────────────────────
+// ROOT SCHEMA: AwsDeploymentTargets (array)
+// ─────────────────────────────────────────────────────────────────────────────
+
+// The JSON file contains an array of deployment targets.
+// Target names must be unique within the array.
+type AwsDeploymentTargets = AwsDeploymentTarget[];
+
+interface AwsDeploymentTarget {
+  name: string; // @regex ^[a-zA-Z][a-zA-Z0-9_-]*$ @max 64 - unique identifier
+  description?: string; // @max 256
+  account: string; // @regex ^[0-9]{12}$ - AWS account ID (exactly 12 digits)
+  region: AgentCoreRegion;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// SUPPORTED REGIONS
+// https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-regions.html
+// ─────────────────────────────────────────────────────────────────────────────
+
+type AgentCoreRegion =
+  | 'ap-northeast-1'
+  | 'ap-northeast-2'
+  | 'ap-south-1'
+  | 'ap-southeast-1'
+  | 'ap-southeast-2'
+  | 'ca-central-1'
+  | 'eu-central-1'
+  | 'eu-north-1'
+  | 'eu-west-1'
+  | 'eu-west-2'
+  | 'eu-west-3'
+  | 'sa-east-1'
+  | 'us-east-1'
+  | 'us-east-2'
+  | 'us-west-2'
+  | 'us-gov-west-1';

agentclaw/agentcore/agentcore.json

@@ -0,0 +1,55 @@
+{
+  "$schema": "https://schema.agentcore.aws.dev/v1/agentcore.json",
+  "name": "agentclaw",
+  "version": 1,
+  "managedBy": "CDK",
+  "tags": {
+    "agentcore:created-by": "agentcore-cli",
+    "agentcore:project-name": "agentclaw"
+  },
+  "runtimes": [
+    {
+      "name": "agent_claw_main",
+      "build": "CodeZip",
+      "entrypoint": "main.py",
+      "codeLocation": "app/agent_claw_main/",
+      "runtimeVersion": "PYTHON_3_14",
+      "networkMode": "PUBLIC",
+      "protocol": "HTTP"
+    }
+  ],
+  "memories": [
+    {
+      "name": "AgentClawMemory",
+      "eventExpiryDuration": 30,
+      "strategies": [
+        {
+          "type": "SEMANTIC",
+          "namespaces": [
+            "/users/{actorId}/facts"
+          ]
+        },
+        {
+          "type": "SUMMARIZATION",
+          "namespaces": [
+            "/summaries/{actorId}/{sessionId}"
+          ]
+        },
+        {
+          "type": "USER_PREFERENCE",
+          "namespaces": [
+            "/users/{actorId}/preferences"
+          ]
+        }
+      ]
+    }
+  ],
+  "credentials": [],
+  "evaluators": [],
+  "onlineEvalConfigs": [],
+  "agentCoreGateways": [],
+  "policyEngines": [],
+  "configBundles": [],
+  "abTests": [],
+  "httpGateways": []
+}

agentclaw/agentcore/aws-targets.json

@@ -0,0 +1,7 @@
+[
+  {
+    "name": "default",
+    "account": "495395224548",
+    "region": "us-east-1"
+  }
+]

agentclaw/agentcore/cdk/.gitignore

@@ -0,0 +1,9 @@
+# Build output
+dist/
+
+# Dependencies
+node_modules/
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

agentclaw/agentcore/cdk/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

agentclaw/agentcore/cdk/.prettierrc

@@ -0,0 +1,8 @@
+{
+  "trailingComma": "es5",
+  "printWidth": 120,
+  "tabWidth": 2,
+  "semi": true,
+  "singleQuote": true,
+  "arrowParens": "avoid"
+}

agentclaw/agentcore/cdk/README.md

@@ -0,0 +1,26 @@
+# AgentCore CDK Project
+
+This CDK project is managed by the AgentCore CLI. It deploys your agent infrastructure into AWS using the `@aws/agentcore-cdk` L3 constructs.
+
+## Structure
+
+- `bin/cdk.ts` — Entry point. Reads project configuration from `agentcore/` and creates a stack per deployment target.
+- `lib/cdk-stack.ts` — Defines `AgentCoreStack`, which wraps the `AgentCoreApplication` L3 construct.
+- `test/cdk.test.ts` — Unit tests for stack synthesis.
+
+## Useful commands
+
+- `npm run build` compile TypeScript to JavaScript
+- `npm run test` run unit tests
+- `npx cdk synth` emit the synthesized CloudFormation template
+- `npx cdk deploy` deploy this stack to your default AWS account/region
+- `npx cdk diff` compare deployed stack with current state
+
+## Usage
+
+You typically don't need to interact with this directory directly. The AgentCore CLI handles synthesis and deployment:
+
+```bash
+agentcore deploy    # synthesizes and deploys via CDK
+agentcore status    # checks deployment status
+```

agentclaw/agentcore/cdk/bin/cdk.ts

@@ -0,0 +1,91 @@
+#!/usr/bin/env node
+import { AgentCoreStack } from '../lib/cdk-stack';
+import { ConfigIO, type AwsDeploymentTarget } from '@aws/agentcore-cdk';
+import { App, type Environment } from 'aws-cdk-lib';
+import * as path from 'path';
+import * as fs from 'fs';
+
+function toEnvironment(target: AwsDeploymentTarget): Environment {
+  return {
+    account: target.account,
+    region: target.region,
+  };
+}
+
+function sanitize(name: string): string {
+  return name.replace(/_/g, '-');
+}
+
+function toStackName(projectName: string, targetName: string): string {
+  return `AgentCore-${sanitize(projectName)}-${sanitize(targetName)}`;
+}
+
+async function main() {
+  // Config root is parent of cdk/ directory. The CLI sets process.cwd() to agentcore/cdk/.
+  const configRoot = path.resolve(process.cwd(), '..');
+  const configIO = new ConfigIO({ baseDir: configRoot });
+
+  const spec = await configIO.readProjectSpec();
+  const targets = await configIO.readAWSDeploymentTargets();
+
+  // Extract MCP configuration from project spec.
+  // Gateway fields are stored in agentcore.json but may not yet be on the
+  // AgentCoreProjectSpec type from @aws/agentcore-cdk, so we read them
+  // dynamically and cast the resulting object.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const specAny = spec as any;
+  const mcpSpec = specAny.agentCoreGateways?.length
+    ? {
+        agentCoreGateways: specAny.agentCoreGateways,
+        mcpRuntimeTools: specAny.mcpRuntimeTools,
+        unassignedTargets: specAny.unassignedTargets,
+      }
+    : undefined;
+
+  // Read deployed state for credential ARNs (populated by pre-deploy identity setup)
+  let deployedState: Record<string, unknown> | undefined;
+  try {
+    deployedState = JSON.parse(fs.readFileSync(path.join(configRoot, '.cli', 'deployed-state.json'), 'utf8'));
+  } catch {
+    // Deployed state may not exist on first deploy
+  }
+
+  if (targets.length === 0) {
+    throw new Error('No deployment targets configured. Please define targets in agentcore/aws-targets.json');
+  }
+
+  const app = new App();
+
+  for (const target of targets) {
+    const env = toEnvironment(target);
+    const stackName = toStackName(spec.name, target.name);
+
+    // Extract credentials from deployed state for this target
+    const targetState = (deployedState as Record<string, unknown>)?.targets as
+      | Record<string, Record<string, unknown>>
+      | undefined;
+    const targetResources = targetState?.[target.name]?.resources as Record<string, unknown> | undefined;
+    const credentials = targetResources?.credentials as
+      | Record<string, { credentialProviderArn: string; clientSecretArn?: string }>
+      | undefined;
+
+    new AgentCoreStack(app, stackName, {
+      spec,
+      mcpSpec,
+      credentials,
+      env,
+      description: `AgentCore stack for ${spec.name} deployed to ${target.name} (${target.region})`,
+      tags: {
+        'agentcore:project-name': spec.name,
+        'agentcore:target-name': target.name,
+      },
+    });
+  }
+
+  app.synth();
+}
+
+main().catch((error: unknown) => {
+  console.error('AgentCore CDK synthesis failed:', error instanceof Error ? error.message : error);
+  process.exitCode = 1;
+});

agentclaw/agentcore/cdk/cdk.json

@@ -0,0 +1,88 @@
+{
+  "app": "node dist/bin/cdk.js",
+  "watch": {
+    "include": ["**"],
+    "exclude": ["README.md", "cdk*.json", "tsconfig.json", "package*.json", "yarn.lock", "node_modules", "dist", "test"]
+  },
+  "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true,
+    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/core:explicitStackTags": true,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true,
+    "@aws-cdk/core:aspectPrioritiesMutating": true,
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true,
+    "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
+    "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": true,
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
+  }
+}

agentclaw/agentcore/cdk/jest.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest',
+  },
+  setupFilesAfterEnv: ['aws-cdk-lib/testhelpers/jest-autoclean'],
+};

agentclaw/agentcore/cdk/lib/cdk-stack.ts

@@ -0,0 +1,62 @@
+import {
+  AgentCoreApplication,
+  AgentCoreMcp,
+  type AgentCoreProjectSpec,
+  type AgentCoreMcpSpec,
+} from '@aws/agentcore-cdk';
+import { CfnOutput, Stack, type StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+export interface AgentCoreStackProps extends StackProps {
+  /**
+   * The AgentCore project specification containing agents, memories, and credentials.
+   */
+  spec: AgentCoreProjectSpec;
+  /**
+   * The MCP specification containing gateways and servers.
+   */
+  mcpSpec?: AgentCoreMcpSpec;
+  /**
+   * Credential provider ARNs from deployed state, keyed by credential name.
+   */
+  credentials?: Record<string, { credentialProviderArn: string; clientSecretArn?: string }>;
+}
+
+/**
+ * CDK Stack that deploys AgentCore infrastructure.
+ *
+ * This is a thin wrapper that instantiates L3 constructs.
+ * All resource logic and outputs are contained within the L3 constructs.
+ */
+export class AgentCoreStack extends Stack {
+  /** The AgentCore application containing all agent environments */
+  public readonly application: AgentCoreApplication;
+
+  constructor(scope: Construct, id: string, props: AgentCoreStackProps) {
+    super(scope, id, props);
+
+    const { spec, mcpSpec, credentials } = props;
+
+    // Create AgentCoreApplication with all agents
+    this.application = new AgentCoreApplication(this, 'Application', {
+      spec,
+    });
+
+    // Create AgentCoreMcp if there are gateways configured
+    if (mcpSpec?.agentCoreGateways && mcpSpec.agentCoreGateways.length > 0) {
+      new AgentCoreMcp(this, 'Mcp', {
+        projectName: spec.name,
+        mcpSpec,
+        agentCoreApplication: this.application,
+        credentials,
+        projectTags: spec.tags,
+      });
+    }
+
+    // Stack-level output
+    new CfnOutput(this, 'StackNameOutput', {
+      description: 'Name of the CloudFormation Stack',
+      value: this.stackName,
+    });
+  }
+}

agentclaw/agentcore/cdk/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "agentcore-cdk-app",
+  "version": "0.1.0",
+  "bin": {
+    "cdk": "dist/bin/cdk.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "watch": "tsc -w",
+    "test": "jest",
+    "cdk": "npm run build && cdk",
+    "clean": "rm -rf dist",
+    "format": "prettier --write .",
+    "format:check": "prettier --check ."
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/node": "^24.10.1",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "aws-cdk": "2.1100.1",
+    "prettier": "^3.4.2",
+    "typescript": "~5.9.3"
+  },
+  "dependencies": {
+    "@aws/agentcore-cdk": "^0.1.0-alpha.19",
+    "aws-cdk-lib": "^2.248.0",
+    "constructs": "^10.0.0"
+  }
+}

agentclaw/agentcore/cdk/test/cdk.test.ts

@@ -0,0 +1,28 @@
+import * as cdk from 'aws-cdk-lib';
+import { Template } from 'aws-cdk-lib/assertions';
+import { AgentCoreStack } from '../lib/cdk-stack';
+
+test('AgentCoreStack synthesizes with empty spec', () => {
+  const app = new cdk.App();
+  const stack = new AgentCoreStack(app, 'TestStack', {
+    spec: {
+      name: 'testproject',
+      version: 1,
+      managedBy: 'CDK' as const,
+      runtimes: [],
+      memories: [],
+      credentials: [],
+      evaluators: [],
+      onlineEvalConfigs: [],
+      configBundles: [],
+      policyEngines: [],
+      agentCoreGateways: [],
+      mcpRuntimeTools: [],
+      unassignedTargets: [],
+    },
+  });
+  const template = Template.fromStack(stack);
+  template.hasOutput('StackNameOutput', {
+    Description: 'Name of the CloudFormation Stack',
+  });
+});

agentclaw/agentcore/cdk/tsconfig.json

@@ -0,0 +1,28 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "CommonJS",
+    "moduleResolution": "Node",
+    "lib": ["es2022"],
+    "declaration": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "noImplicitThis": true,
+    "alwaysStrict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "experimentalDecorators": true,
+    "strictPropertyInitialization": true,
+    "skipLibCheck": true,
+    "typeRoots": ["./node_modules/@types"],
+    "rootDir": ".",
+    "outDir": "dist"
+  },
+  "include": ["bin/**/*", "lib/**/*", "test/**/*"],
+  "exclude": ["node_modules", "cdk.out", "dist"]
+}