agent-claw: automated task changes

agentclaw/agentcore/cdk/.gitignore

@@ -0,0 +1,9 @@
+# Build output
+dist/
+
+# Dependencies
+node_modules/
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

agentclaw/agentcore/cdk/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

agentclaw/agentcore/cdk/.prettierrc

@@ -0,0 +1,8 @@
+{
+  "trailingComma": "es5",
+  "printWidth": 120,
+  "tabWidth": 2,
+  "semi": true,
+  "singleQuote": true,
+  "arrowParens": "avoid"
+}

agentclaw/agentcore/cdk/README.md

@@ -0,0 +1,26 @@
+# AgentCore CDK Project
+
+This CDK project is managed by the AgentCore CLI. It deploys your agent infrastructure into AWS using the `@aws/agentcore-cdk` L3 constructs.
+
+## Structure
+
+- `bin/cdk.ts` — Entry point. Reads project configuration from `agentcore/` and creates a stack per deployment target.
+- `lib/cdk-stack.ts` — Defines `AgentCoreStack`, which wraps the `AgentCoreApplication` L3 construct.
+- `test/cdk.test.ts` — Unit tests for stack synthesis.
+
+## Useful commands
+
+- `npm run build` compile TypeScript to JavaScript
+- `npm run test` run unit tests
+- `npx cdk synth` emit the synthesized CloudFormation template
+- `npx cdk deploy` deploy this stack to your default AWS account/region
+- `npx cdk diff` compare deployed stack with current state
+
+## Usage
+
+You typically don't need to interact with this directory directly. The AgentCore CLI handles synthesis and deployment:
+
+```bash
+agentcore deploy    # synthesizes and deploys via CDK
+agentcore status    # checks deployment status
+```

agentclaw/agentcore/cdk/bin/cdk.ts

@@ -0,0 +1,91 @@
+#!/usr/bin/env node
+import { AgentCoreStack } from '../lib/cdk-stack';
+import { ConfigIO, type AwsDeploymentTarget } from '@aws/agentcore-cdk';
+import { App, type Environment } from 'aws-cdk-lib';
+import * as path from 'path';
+import * as fs from 'fs';
+
+function toEnvironment(target: AwsDeploymentTarget): Environment {
+  return {
+    account: target.account,
+    region: target.region,
+  };
+}
+
+function sanitize(name: string): string {
+  return name.replace(/_/g, '-');
+}
+
+function toStackName(projectName: string, targetName: string): string {
+  return `AgentCore-${sanitize(projectName)}-${sanitize(targetName)}`;
+}
+
+async function main() {
+  // Config root is parent of cdk/ directory. The CLI sets process.cwd() to agentcore/cdk/.
+  const configRoot = path.resolve(process.cwd(), '..');
+  const configIO = new ConfigIO({ baseDir: configRoot });
+
+  const spec = await configIO.readProjectSpec();
+  const targets = await configIO.readAWSDeploymentTargets();
+
+  // Extract MCP configuration from project spec.
+  // Gateway fields are stored in agentcore.json but may not yet be on the
+  // AgentCoreProjectSpec type from @aws/agentcore-cdk, so we read them
+  // dynamically and cast the resulting object.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const specAny = spec as any;
+  const mcpSpec = specAny.agentCoreGateways?.length
+    ? {
+        agentCoreGateways: specAny.agentCoreGateways,
+        mcpRuntimeTools: specAny.mcpRuntimeTools,
+        unassignedTargets: specAny.unassignedTargets,
+      }
+    : undefined;
+
+  // Read deployed state for credential ARNs (populated by pre-deploy identity setup)
+  let deployedState: Record<string, unknown> | undefined;
+  try {
+    deployedState = JSON.parse(fs.readFileSync(path.join(configRoot, '.cli', 'deployed-state.json'), 'utf8'));
+  } catch {
+    // Deployed state may not exist on first deploy
+  }
+
+  if (targets.length === 0) {
+    throw new Error('No deployment targets configured. Please define targets in agentcore/aws-targets.json');
+  }
+
+  const app = new App();
+
+  for (const target of targets) {
+    const env = toEnvironment(target);
+    const stackName = toStackName(spec.name, target.name);
+
+    // Extract credentials from deployed state for this target
+    const targetState = (deployedState as Record<string, unknown>)?.targets as
+      | Record<string, Record<string, unknown>>
+      | undefined;
+    const targetResources = targetState?.[target.name]?.resources as Record<string, unknown> | undefined;
+    const credentials = targetResources?.credentials as
+      | Record<string, { credentialProviderArn: string; clientSecretArn?: string }>
+      | undefined;
+
+    new AgentCoreStack(app, stackName, {
+      spec,
+      mcpSpec,
+      credentials,
+      env,
+      description: `AgentCore stack for ${spec.name} deployed to ${target.name} (${target.region})`,
+      tags: {
+        'agentcore:project-name': spec.name,
+        'agentcore:target-name': target.name,
+      },
+    });
+  }
+
+  app.synth();
+}
+
+main().catch((error: unknown) => {
+  console.error('AgentCore CDK synthesis failed:', error instanceof Error ? error.message : error);
+  process.exitCode = 1;
+});

agentclaw/agentcore/cdk/cdk.json

@@ -0,0 +1,88 @@
+{
+  "app": "node dist/bin/cdk.js",
+  "watch": {
+    "include": ["**"],
+    "exclude": ["README.md", "cdk*.json", "tsconfig.json", "package*.json", "yarn.lock", "node_modules", "dist", "test"]
+  },
+  "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true,
+    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/core:explicitStackTags": true,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true,
+    "@aws-cdk/core:aspectPrioritiesMutating": true,
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true,
+    "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
+    "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": true,
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
+  }
+}

agentclaw/agentcore/cdk/jest.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest',
+  },
+  setupFilesAfterEnv: ['aws-cdk-lib/testhelpers/jest-autoclean'],
+};

agentclaw/agentcore/cdk/lib/cdk-stack.ts

@@ -0,0 +1,62 @@
+import {
+  AgentCoreApplication,
+  AgentCoreMcp,
+  type AgentCoreProjectSpec,
+  type AgentCoreMcpSpec,
+} from '@aws/agentcore-cdk';
+import { CfnOutput, Stack, type StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+export interface AgentCoreStackProps extends StackProps {
+  /**
+   * The AgentCore project specification containing agents, memories, and credentials.
+   */
+  spec: AgentCoreProjectSpec;
+  /**
+   * The MCP specification containing gateways and servers.
+   */
+  mcpSpec?: AgentCoreMcpSpec;
+  /**
+   * Credential provider ARNs from deployed state, keyed by credential name.
+   */
+  credentials?: Record<string, { credentialProviderArn: string; clientSecretArn?: string }>;
+}
+
+/**
+ * CDK Stack that deploys AgentCore infrastructure.
+ *
+ * This is a thin wrapper that instantiates L3 constructs.
+ * All resource logic and outputs are contained within the L3 constructs.
+ */
+export class AgentCoreStack extends Stack {
+  /** The AgentCore application containing all agent environments */
+  public readonly application: AgentCoreApplication;
+
+  constructor(scope: Construct, id: string, props: AgentCoreStackProps) {
+    super(scope, id, props);
+
+    const { spec, mcpSpec, credentials } = props;
+
+    // Create AgentCoreApplication with all agents
+    this.application = new AgentCoreApplication(this, 'Application', {
+      spec,
+    });
+
+    // Create AgentCoreMcp if there are gateways configured
+    if (mcpSpec?.agentCoreGateways && mcpSpec.agentCoreGateways.length > 0) {
+      new AgentCoreMcp(this, 'Mcp', {
+        projectName: spec.name,
+        mcpSpec,
+        agentCoreApplication: this.application,
+        credentials,
+        projectTags: spec.tags,
+      });
+    }
+
+    // Stack-level output
+    new CfnOutput(this, 'StackNameOutput', {
+      description: 'Name of the CloudFormation Stack',
+      value: this.stackName,
+    });
+  }
+}

agentclaw/agentcore/cdk/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "agentcore-cdk-app",
+  "version": "0.1.0",
+  "bin": {
+    "cdk": "dist/bin/cdk.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "watch": "tsc -w",
+    "test": "jest",
+    "cdk": "npm run build && cdk",
+    "clean": "rm -rf dist",
+    "format": "prettier --write .",
+    "format:check": "prettier --check ."
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/node": "^24.10.1",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "aws-cdk": "2.1100.1",
+    "prettier": "^3.4.2",
+    "typescript": "~5.9.3"
+  },
+  "dependencies": {
+    "@aws/agentcore-cdk": "^0.1.0-alpha.19",
+    "aws-cdk-lib": "^2.248.0",
+    "constructs": "^10.0.0"
+  }
+}

agentclaw/agentcore/cdk/test/cdk.test.ts

@@ -0,0 +1,28 @@
+import * as cdk from 'aws-cdk-lib';
+import { Template } from 'aws-cdk-lib/assertions';
+import { AgentCoreStack } from '../lib/cdk-stack';
+
+test('AgentCoreStack synthesizes with empty spec', () => {
+  const app = new cdk.App();
+  const stack = new AgentCoreStack(app, 'TestStack', {
+    spec: {
+      name: 'testproject',
+      version: 1,
+      managedBy: 'CDK' as const,
+      runtimes: [],
+      memories: [],
+      credentials: [],
+      evaluators: [],
+      onlineEvalConfigs: [],
+      configBundles: [],
+      policyEngines: [],
+      agentCoreGateways: [],
+      mcpRuntimeTools: [],
+      unassignedTargets: [],
+    },
+  });
+  const template = Template.fromStack(stack);
+  template.hasOutput('StackNameOutput', {
+    Description: 'Name of the CloudFormation Stack',
+  });
+});

agentclaw/agentcore/cdk/tsconfig.json

@@ -0,0 +1,28 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "CommonJS",
+    "moduleResolution": "Node",
+    "lib": ["es2022"],
+    "declaration": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "noImplicitThis": true,
+    "alwaysStrict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "experimentalDecorators": true,
+    "strictPropertyInitialization": true,
+    "skipLibCheck": true,
+    "typeRoots": ["./node_modules/@types"],
+    "rootDir": ".",
+    "outDir": "dist"
+  },
+  "include": ["bin/**/*", "lib/**/*", "test/**/*"],
+  "exclude": ["node_modules", "cdk.out", "dist"]
+}