# Open Questions — Final Research Findings

*Updated 2026-05-04 after research pass*

---

## Q1: Direct Code Deployment vs Container — ✅ RESOLVED

**CodeZip is the default and recommended path. No Docker needed.**

The AgentCore CLI scaffolds CodeZip by default:

```bash
agentcore create --name MyAgent --framework Strands --model-provider Bedrock --build CodeZip
agentcore deploy  # AWS CodeBuild packages it; no local Docker required
```

Container mode is opt-in (`--build Container`). Q4 (ARM64 Dockerfile) is moot for initial build.

---

## Q2: Secrets in the Container — ✅ RESOLVED (with known limitation)

AgentCore Runtime env vars are **plaintext only** today. GitHub issue #396 (filed ~April 2026) requests ECS-style `valueFrom` Secrets Manager references — not yet implemented.

**Recommended pattern: IAM role + SDK fetch at startup**

```python
import os

import boto3


def load_secrets():
    sm = boto3.client('secretsmanager')
    secret = sm.get_secret_value(SecretId='openclaw/agent/keys')
    os.environ['BRAVE_API_KEY'] = secret['SecretString']
    # etc.


# Call once at module load → cached for the 6-8hr warm session
load_secrets()
```

The container's IAM execution role grants Secrets Manager access. Runs once per session start — negligible cost. Don't pass secrets through the invocation payload.

---

## Q3: AgentCore Memory Pricing — ✅ RESOLVED (low risk for personal scale)

**Pricing structure confirmed:**

- Long-term retrieval: billed **per retrieve request**
- Built-in strategy model costs (extraction + consolidation): **included in Memory pricing** (confirmed by AWS re:Post)
- Storage: per GB

Exact per-event and per-GB rates not yet clearly published (still preview pricing). At personal assistant scale (~100 turns/day), cost will be pennies. Validate after first test deployment.

---

## Q4: ARM64 Container Build — ✅ RESOLVED (moot, but documented)

Superseded by CodeZip (Q1).
If container mode is ever needed:

```dockerfile
FROM --platform=linux/arm64 ghcr.io/astral-sh/uv:python3.11-bookworm-slim
WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN uv sync --frozen --no-cache
COPY agent.py ./
EXPOSE 8080
CMD ["uv", "run", "uvicorn", "agent:app", "--host", "0.0.0.0", "--port", "8080"]
```

Build: `docker buildx build --platform linux/arm64 -t :latest --push .`

⚠️ Hard requirement: ARM64 only. x86 image → `ValidationException: Architecture incompatible` on CreateAgentRuntime.

---

## Q5: Region + Model — ✅ RESOLVED

**Region: us-east-1** (broadest service availability, aligns with existing AWS work)

**Models (Bedrock cross-region inference, `us.` prefix):**

| Use | Model ID | Notes |
|---|---|---|
| Main agent | `us.anthropic.claude-3-7-sonnet-20250219-v1:0` | Primary workhorse |
| Heartbeats | `us.anthropic.claude-3-5-haiku-20241022-v1:0` | Fast, cheap |
| Experiment | `us.anthropic.claude-sonnet-4-*` | Sonnet 4 now on Bedrock (1M ctx preview) |

Strands defaults to Bedrock + Sonnet when AWS creds are present. No extra config needed for basic setup.

---

## Q6: Self-Managed Memory Strategy — ⚠️ NOT SUPPORTED YET

**Finding:** AgentCore CLI issue #677 (March 26, 2026): *"AgentCore memory does not currently support self-managed strategies."* Docs describe it; CLI doesn't implement it.

**Impact:** The "bring your own Lambda extraction pipeline" pattern is blocked via CLI.

**What still works:**

- ✅ Built-in strategies: SUMMARIZATION, USER_PREFERENCE, SEMANTIC — fully supported, automatic
- ✅ Strands `AgentCoreMemorySessionManager` — auto-stores turns, handles extraction
- ✅ `BatchCreateMemoryRecords` API directly — works for explicit writes, bypasses CLI

**Recommended mitigation:**

- Use built-in strategies for automatic extraction (covers ~90% of MEMORY.md value)
- Add `write_memory_record` as an agent tool that calls `BatchCreateMemoryRecords` directly
- This gives explicit "remember this" control without the self-managed strategy pipeline

```python
from strands import tool

# memory_client and MEMORY_ID are assumed to be defined at module level.


@tool
def write_memory_record(content: str, namespace: str = "/curated/daniel/") -> str:
    """Explicitly write an important fact or lesson to long-term memory."""
    memory_client.batch_create_memory_records(
        memoryId=MEMORY_ID,
        memoryRecords=[{"content": {"text": content}, "namespace": namespace}]
    )
    return f"Written to memory: {content[:50]}..."
```

---

## Summary

| # | Question | Status | Decision |
|---|---|---|---|
| 1 | Direct code deploy vs container | ✅ | Use CodeZip — no Docker |
| 2 | Secrets in container | ✅ | IAM role + SDK fetch at startup |
| 3 | Memory pricing | ✅ | Unknown exact rates, low risk at personal scale |
| 4 | ARM64 Dockerfile | ✅ | Moot (CodeZip), documented for reference |
| 5 | Region + model | ✅ | us-east-1, Claude Sonnet (cross-region) |
| 6 | Self-managed memory trigger | ✅ | Use built-in + BatchCreateMemoryRecords as tool |

**All open questions resolved. Ready for Phase 0 spike.**
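
For the Q2 startup fetch, an added example (not part of the original notes or the AgentCore project) of the same pattern when `openclaw/agent/keys` holds several keys as one JSON object: only allow-listed names reach the environment, missing keys fail closed, and errors never carry secret values. Assumptions: the JSON layout, the `OTHER_API_KEY` name, and the `FakeSecretsManager` stand-in are hypothetical; in the runtime, `client` would be `boto3.client("secretsmanager")`.

```python
import json
import os

# Only these names may be exported; OTHER_API_KEY is a hypothetical second key.
ALLOWED_KEYS = frozenset({"BRAVE_API_KEY", "OTHER_API_KEY"})

class SecretLoadError(RuntimeError):
    """Raised when the secret is missing, malformed, or incomplete."""

def load_secrets(client, secret_id, required=ALLOWED_KEYS, environ=os.environ):
    """Fetch one JSON secret and export only allow-listed string values.

    `client` is anything exposing get_secret_value(SecretId=...).
    Returns the sorted key names that were set, never the values.
    """
    try:
        raw = client.get_secret_value(SecretId=secret_id)["SecretString"]
        data = json.loads(raw)
    except (KeyError, TypeError, ValueError) as exc:
        # JSONDecodeError keeps the raw document in .doc, so drop it from the chain.
        raise SecretLoadError(f"{secret_id}: unreadable ({type(exc).__name__})") from None
    if not isinstance(data, dict):
        raise SecretLoadError(f"{secret_id}: expected a JSON object")
    missing = sorted(k for k in required if not isinstance(data.get(k), str) or not data[k])
    if missing:
        raise SecretLoadError(f"{secret_id}: missing keys {missing}")
    # Names outside the allow-list (PATH, AWS_* ...) are ignored, so whoever can
    # write the secret cannot override arbitrary process environment.
    loaded = sorted(k for k in data if k in ALLOWED_KEYS and isinstance(data[k], str))
    for key in loaded:
        environ[key] = data[key]
    return loaded

class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secret_string):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId):
        return {"SecretString": self._secret_string}

if __name__ == "__main__":
    # Constructed sample secret; the PATH entry must not be exported.
    sample = {"BRAVE_API_KEY": "constructed-1", "OTHER_API_KEY": "constructed-2", "PATH": "/tmp/x"}
    env = {}
    print(load_secrets(FakeSecretsManager(json.dumps(sample)), "openclaw/agent/keys", environ=env))
    print(sorted(env))
```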