agent-claw: automated task changes

cdk/lib/agent-claw-stack.ts

@@ -11,6 +11,7 @@ import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
 import { Construct } from 'constructs';
 import * as path from 'path';
+import { execSync } from 'child_process';
 
 export class AgentClawStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -159,6 +160,7 @@ export class AgentClawStack extends cdk.Stack {
     workspaceBucket.grantRead(runtime1Role);
     botTokenSecret.grantRead(runtime1Role);
     braveApiKeySecret.grantRead(runtime1Role);
+    // Google secret grants added after workspace_mcp section below
     runtime1Role.addToPolicy(new iam.PolicyStatement({
       actions: [
         'bedrock-agentcore:CreateEvent',
@@ -175,6 +177,59 @@ export class AgentClawStack extends cdk.Stack {
     // and fed back as context param runtime1Arn.
 
     // ── Outputs ────────────────────────────────────────────────────────────
+
+    // ── Google Workspace MCP ──────────────────────────────────────────────
+    // Secrets pre-populated after OAuth flow
+    const googleCredentialsSecret = secretsmanager.Secret.fromSecretNameV2(
+      this, 'GoogleWorkspaceCredentials', 'agent-claw/google-workspace-credentials'
+    );
+    const googleOAuthClientSecret = secretsmanager.Secret.fromSecretNameV2(
+      this, 'GoogleOAuthClient', 'agent-claw/google-oauth-client'
+    );
+
+    // workspace-mcp Lambda execution role (import existing — created during initial setup)
+    // NOTE (tech debt #3): workspaceMcpRole imported but not attached to workspaceMcpFn because
+    // fromFunctionName() returns an IFunction (no role config). Role was set at Lambda creation.
+    // To fully codify: delete the manual Lambda, let CDK create it with Code.fromBucket + role.
+    const _workspaceMcpRole = iam.Role.fromRoleName(
+      this, 'WorkspaceMcpRole', 'agent-claw-workspace-mcp-role'
+    );
+    googleCredentialsSecret.grantRead(_workspaceMcpRole);
+    googleOAuthClientSecret.grantRead(_workspaceMcpRole);
+
+    // workspace-mcp Lambda — import existing (created with zip + layer, no Docker)
+    const workspaceMcpFn = lambda.Function.fromFunctionName(
+      this, 'WorkspaceMcp', 'agent-claw-workspace-mcp'
+    );
+
+    // Function URL — AWS_IAM auth (already created, reference for policy attachment)
+    const workspaceMcpFunctionUrl = 'https://25hugrzw4uwtueeg77jsmft6lq0wunmd.lambda-url.us-east-1.on.aws';
+    const workspaceMcpMcpUrl = workspaceMcpFunctionUrl + '/mcp';
+
+    // AgentCore execution role — grant InvokeFunctionUrl identity policy
+    runtime1Role.addToPolicy(new iam.PolicyStatement({
+      sid: 'WorkspaceMcpInvoke',
+      actions: ['lambda:InvokeFunctionUrl'],
+      resources: [workspaceMcpFn.functionArn],
+      conditions: { StringEquals: { 'lambda:FunctionUrlAuthType': 'AWS_IAM' } },
+    }));
+
+    // Pass workspace_mcp MCP URL to agent-runner (informational)
+    agentRunnerFn.addEnvironment('WORKSPACE_MCP_URL', workspaceMcpMcpUrl);
+
+    // Grant AgentCore execution role read access to Google secrets
+    googleCredentialsSecret.grantRead(runtime1Role);
+    googleOAuthClientSecret.grantRead(runtime1Role);
+
+    new cdk.CfnOutput(this, 'WorkspaceMcpFunctionUrl', {
+      value: workspaceMcpFunctionUrl,
+      description: 'workspace-mcp Lambda Function URL (MCP endpoint for Gmail/Calendar)',
+    });
+    new cdk.CfnOutput(this, 'GoogleCredentialsSecretArn', {
+      value: googleCredentialsSecret.secretArn,
+      description: 'Google OAuth user credentials secret ARN',
+    });
+
     new cdk.CfnOutput(this, 'WebhookUrl', {
       value: `${httpApi.url}telegram`,
       description: 'Register this URL with Telegram BotFather as webhook endpoint',