
feat(payments): Add AgentCore Payments as first-class CLI resource #1261

Open. aidandaly24 wants to merge 22 commits into main from feat/payments

Conversation

@aidandaly24 (Contributor)

Description

Adds AgentCore Payments as a first-class resource type in the CLI. Includes:

  • agentcore add payment-manager / payment-connector commands (CLI + TUI wizard)
  • agentcore remove payment-manager / payment-connector with cascading delete
  • CDK-backed deployment via AgentCorePaymentManager + AgentCorePaymentConnector L3 constructs
  • Payment credential provider setup (imperative, same /identities/ endpoint as API key/OAuth)
  • CFN output parsing for deployed-state persistence
  • Invoke flags: --payment-instrument-id, --payment-session-id, --auto-session
  • Python agent template with x402 payment interception via SDK plugin
  • Validate command checks for payment credential completeness
  • Dev mode env var injection (AUTH_MODE for CUSTOM_JWT support)

Related Issue

Closes #

Documentation PR

Type of Change

  • New feature

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

120 new payment-specific unit tests added covering:

  • parsePaymentOutputs, PaymentManagerPrimitive, PaymentConnectorPrimitive
  • validate command payment paths, payment-env dev mode, pre-deploy credential setup
  • wirePaymentCapability template patching

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@aidandaly24 aidandaly24 requested a review from a team May 14, 2026 21:32
@github-actions github-actions Bot added the size/xl PR size: XL label May 14, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 14, 2026
@github-actions (Contributor)

Package Tarball

aws-agentcore-0.13.1.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-1261-tarball/aws-agentcore-0.13.1.tgz

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 14, 2026
@github-actions github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels May 14, 2026
- Payment manager + connector primitives (add, remove, validate, status)
- TUI wizard with advanced config (auto-payment, budget, tool allowlist, network prefs)
- CoinbaseCDP and StripePrivy provider support
- Imperative deploy via signed API calls (pre-CDK)
- Invoke flags: --payment-instrument-id, --payment-session-id, --auto-session
- Comprehensive validation (schema, .env.local, credential cross-refs, provider match)
- Data plane credential sanitization
- Dev/deploy env var parity (AUTO_PAYMENT, TOOL_ALLOWLIST, NETWORK_PREFERENCES)
- CDK connector env var fix (nested connectors record)
- Documentation (payments.md, commands.md, configuration.md, AGENTS.md)
- 84 tests (61 unit + 23 integration)

Move PaymentManager, PaymentConnector, and IAM roles from imperative
pre-deploy creation to CFN-backed L3 CDK constructs. CredentialProvider
stays imperative (holds secrets).

- cdk-stack.ts: instantiate AgentCorePaymentManager + AgentCorePaymentConnector
  from spec.payments[], wire env vars via CFN tokens, emit CfnOutputs
- bin/cdk.ts: read spec.payments[] + credential ARNs from deployed-state
- pre-deploy-payments.ts: slim to CredentialProvider only, add migration
  detection (delete-before-create for AlreadyExists constraint)
- actions.ts: new deploy flow with migration step + post-deploy output parsing
- outputs.ts: add parsePaymentOutputs() for deployed-state population
- Payment credentials stored in same credentials key as identity providers

…safety

- C1: Use arnPrefix(region) instead of hardcoded arn:aws: (multi-partition)
- H1: Replace bedrock-agentcore:* with explicit read actions on ResourceRetrieval role
- H2: Truncate project name to fit IAM 64-char role name limit
- H3: Remove unused managerArn from AddPaymentDenyOptions
- Also: Use regex-based extractRoleName() for pathed role ARNs
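Added example, not code from the PR or the CLI: helpers in the shape of the C1 and H2 fixes and the regex-based extractRoleName() above. The names partitionFor, arnPrefix, extractRoleName and roleNameFor are assumed, and the block shows why a hardcoded arn:aws: prefix and a naive split on ':' both go wrong, and how the 64-character IAM role-name limit is enforced.

```typescript
// Assumed helper names (not the CLI's own): partitionFor, arnPrefix, extractRoleName, roleNameFor.

// Map a region to its ARN partition. A hardcoded "arn:aws:" prefix breaks in the
// China and GovCloud partitions, whose ARNs start with arn:aws-cn: / arn:aws-us-gov:.
function partitionFor(region: string): string {
  if (region.startsWith("cn-")) return "aws-cn";
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  return "aws";
}

function arnPrefix(region: string): string {
  return `arn:${partitionFor(region)}:`;
}

// IAM role ARNs may carry a path: arn:aws:iam::123456789012:role/some/path/RoleName.
// A naive split(":")[5].slice("role/".length) returns "some/path/RoleName", which
// IAM rejects as a role name, so anchor on the last path segment instead.
const ROLE_ARN_RE = /^arn:[^:]+:iam::\d{12}:role\/(?:[^\/]+\/)*([\w+=,.@-]+)$/;

function extractRoleName(arn: string): string | undefined {
  const m = ROLE_ARN_RE.exec(arn);
  return m ? m[1] : undefined;
}

// IAM role names are limited to 64 characters. Truncate the project-derived part
// so that project + suffix always fits and the role suffix is never cut off.
const IAM_ROLE_NAME_MAX = 64;

function roleNameFor(project: string, suffix: string): string {
  const budget = IAM_ROLE_NAME_MAX - suffix.length;
  if (budget <= 0) throw new Error(`suffix ${suffix} leaves no room for a project name`);
  return `${project.slice(0, budget)}${suffix}`;
}
```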

…mption

- C2: Read config vars (AUTO_PAYMENT, TOOL_ALLOWLIST, NETWORK_PREFERENCES) using
  discovered manager name prefix, matching what CDK actually sets
- H4: Assume ProcessPaymentRole via STS before payment execution, enforcing
  IAM role separation (agent execution role cannot call ProcessPayment)
- Fix warning message referencing nonexistent AGENTCORE_PAYMENT_NAME env var

…tion

- C3: Include resourceRetrievalRoleArn in required-fields guard (skip payment
  if absent instead of writing empty string that violates min(1) schema)
- M2: Resolve credentialProviderArn from deployedCredentials instead of empty string
- C4/H7: Use error message strings (not Error objects) in JSON.stringify output
- H5: Reject payment flags for non-HTTP protocol agents with clear error
- H6: Fix previewRemove stillReferenced logic (exclude target connector from check)
- H8: Reset isSubmittingRef on successful creation (unblocks re-submission)
- H9: Only reveal last 4 chars of secrets when length > 8 (prevent short secret exposure)
- M1: TUI deploy flow now calls parsePaymentOutputs (prevents silent state loss)
- M4: Safer type narrowing for credential provider comparison in validate
- M5: Show loading state during connector-only creation + add .catch()
- M6: Use DEFAULT_RUNTIME_USER_ID constant instead of hardcoded 'default-user'
- M7: Write env vars before spec to prevent dangling credentials on failure
- M8: Use toError() to preserve error cause chain in catch blocks
- M13: Add .catch() on connector creation promise (prevents unhandled rejection)
- M15: Import PaymentDeployedState from schema instead of local duplicate

…ain.py template

The hasMemory/hasPayment/hasConfigBundle nesting was missing a closing
{{/if}} for the outer hasMemory block, causing Handlebars parse errors
during agentcore create.

…ullish coalescing

- Use serviceEndpoint() instead of hardcoded .amazonaws.com
- Type JSON.parse results as Record<string, unknown> to avoid unsafe any
- Use ?? instead of || for userId fallback

From 15-agent parallel bugbash:
- H1: Use serializeResult() in PaymentManagerPrimitive add handler (JSON {} fix)
- H2: Service principal uses dnsSuffix(region) for multi-partition
- H3: wirePaymentCapability handles BYO agent pattern (Agent() fallback)
- H4: Protocol check moved above auto-session block, autoSession in predicate
- H5: Vended CDK test fixture updated (remove configBundles, add payments)
- M1: remove-all preserves $schema and tags fields
- M2: Template derives connector/role from scoped prefix (not independent scan)
- L1: removeEnvVars writes empty string (not bare newline) when no keys remain
- L2: payment-env.ts guards processPaymentRoleArn before injection

…schema

The CDK's AgentCoreProjectSpecSchema now includes $schema, configBundles,
abTests, and httpGateways fields (matching what actually exists in
agentcore.json). This eliminates all `as any` casts in the vended CDK
template and CLI remove-all handler.

Also updates L3 CDK constructs package with these schema additions.

… to migrate

- Delete payment-iam.ts entirely (addPaymentDenyToExecutionRole was unnecessary
  defense-in-depth that surprises customers with unexpected IAM mutations)
- Delete migratePaymentResources, shouldMigratePayments, cleanupImperativePayment
  (migration path for users that don't exist — feature hasn't shipped)
- Delete ensureProcessPaymentRole, ensureResourceRetrievalRole, deletePaymentRoles
  (CDK constructs handle all IAM role creation)
- Simplify cleanupPaymentCredentialProviders to only handle credential providers
- Remove migration detection block from deploy actions

…d params

- Delete PaymentConnectorResult, PaymentManagerResult, PaymentDeployResult (zero consumers)
- Remove roleCreatedByCli from PaymentDeployedState (CDK manages roles, field is meaningless)
- Remove unused accountId param from SetupPaymentResourcesOptions
- Remove dead migration comment from actions.ts
- Move cleanupPaymentCredentialProviders to static import (AGENTS.md: no inline imports)

… stale code

CRITICAL:
- TUI teardown now cleans up payment credential providers before stack destroy

HIGH:
- Remove dead imperative API exports from barrel (createPaymentManager, etc.)
- Fix "backward compatibility" comment (unreleased feature has no backward compat)

MEDIUM:
- Remove console.error in getOrCreatePaymentSession (silent fallthrough to create)
- Fix stale variable name processor → manager in useCreatePayment
- Fix autoPayment schema to just .optional() (no confusing default+optional combo)
- Fix connector description to mention both providers
- Fix unused catch variables (prefix with _)

…OM_JWT

Fix 1 — Delete dead code:
- Remove createPaymentManager, listPaymentManagers, deletePaymentManager,
  createPaymentConnector, deletePaymentConnector, listPaymentConnectors,
  generateClientToken and ~14 associated type interfaces from agentcore-payments.ts
- These had zero call sites (CDK constructs handle all resource creation)
- Removed ~270 lines of dead code

Fix 2 — Inject AGENTCORE_PAYMENT_{NAME}_AUTH_MODE:
- cdk-stack.ts: inject AUTH_MODE='bearer' when authorizerType is CUSTOM_JWT
- deployed-state.ts: add authorizerType to PaymentDeployedStateSchema
- outputs.ts: pass authorizerType through from spec in parsePaymentOutputs
- actions.ts + useDeployFlow.ts: include authorizerType in paymentSpecs
- payment-env.ts: read authorizerType from project spec for dev mode
- payments.py: read from prefixed env var (${_prefix}AUTH_MODE)

Without this fix, CUSTOM_JWT users always get SigV4 auth mode at runtime.
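Added example, not code from the PR or the CLI: a dev-mode env var builder and a .env remover in the shape of the fixes above (the L2 guard on processPaymentRoleArn, the AGENTCORE_PAYMENT_{NAME}_AUTH_MODE injection for CUSTOM_JWT, and the L1 rule that removeEnvVars writes an empty string rather than a bare newline). The PaymentSpec and PaymentDeployedState shapes, the exact prefix derivation and the variable names other than AUTH_MODE are assumed.

```typescript
// Assumed shapes and names (not the CLI's own): PaymentSpec, PaymentDeployedState,
// envPrefix, paymentDevEnvVars, removeEnvVars.
interface PaymentSpec {
  name: string;
  authorizerType?: string; // "CUSTOM_JWT" selects bearer auth; anything else is SigV4 at runtime
  autoPayment?: boolean;
}

interface PaymentDeployedState {
  processPaymentRoleArn?: string;
}

// Env var prefix derived from the manager name: upper-cased, non-alphanumerics to "_".
function envPrefix(name: string): string {
  return `AGENTCORE_PAYMENT_${name.toUpperCase().replace(/[^A-Z0-9]/g, "_")}_`;
}

// Builds the env vars the local agent receives in dev mode. Returns {} when the
// ProcessPayment role ARN is absent, so a half-configured manager injects nothing.
function paymentDevEnvVars(spec: PaymentSpec, state: PaymentDeployedState): Record<string, string> {
  if (!state.processPaymentRoleArn) return {};
  const p = envPrefix(spec.name);
  const vars: Record<string, string> = {
    [`${p}PROCESS_PAYMENT_ROLE_ARN`]: state.processPaymentRoleArn,
    [`${p}AUTO_PAYMENT`]: String(spec.autoPayment ?? false),
  };
  // Only CUSTOM_JWT managers get AUTH_MODE=bearer; without it the runtime falls back to SigV4.
  if (spec.authorizerType === "CUSTOM_JWT") vars[`${p}AUTH_MODE`] = "bearer";
  return vars;
}

// Removes the given keys from .env.local content. Returns "" (not "\n") when no
// assignments remain, so a fully cleaned file is genuinely empty.
function removeEnvVars(content: string, keys: string[]): string {
  const drop = new Set(keys);
  const kept = content.split("\n").filter((line) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    return !(m && drop.has(m[1]));
  });
  const out = kept.join("\n").replace(/\s+$/, "");
  return out === "" ? "" : out + "\n";
}
```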

120 new tests across 7 files (6 new + 1 extended):
- parsePaymentOutputs (23): output key mapping, missing fields, multi-manager
- PaymentManagerPrimitive (20): add/remove/cascade/getRemovable/previewRemove
- PaymentConnectorPrimitive (18): add/remove/composite-key/previewRemove
- validate action.ts (9): all payment error paths in handleValidate
- payment-env (7): dev-mode env var injection + AUTH_MODE
- pre-deploy-payments (15): credential provider create/update/cleanup
- wirePaymentCapability (17): template/BYO patching, idempotency

Total suite: 4036 tests passing.

…alignment

- Fix TUI deploy bug: runPaymentPreDeploy now calls setAllCredentials so
  useDeployFlow.persistDeployedState has correct connector ARNs
- Remove export from 9 dead type interfaces in agentcore-payments.ts
- Rename PaymentCredentialProviderResult → PaymentCredentialProviderApiResult
  to resolve name collision with payment-types.ts
- Fix defaultSpendLimit schema mismatch: CDK now uses z.string().optional()
  matching CLI (was z.object({amount,currency}) — incompatible)
- Remove dead PaymentCredentialProviderResult re-export from barrel

Payment credential providers use the same /identities/ endpoint as API key
and OAuth providers. Move setupPaymentCredentialProviders, hasPaymentCredentialProviders,
and cleanupPaymentCredentialProviders into pre-deploy-identity.ts alongside
the other credential provider operations.

- Delete pre-deploy-payments.ts (merged into pre-deploy-identity.ts)
- Delete payment-types.ts (types inlined in pre-deploy-identity.ts)
- Rename: setupPaymentResources → setupPaymentCredentialProviders
- Rename: hasPaymentManagers → hasPaymentCredentialProviders
- Update all import paths and barrel exports
- Update test imports

@github-actions github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels May 15, 2026

- H2: remove abTests/httpGateways from vended cdk.test.ts (not in CDK schema)
- H3: fix double-blank-lines in wirePaymentCapability (regex captured newlines)
- H4: import PAYMENT_SYSTEM_PROMPT and use it in wired Agent constructor
- M1: respect --dry-run flag in `remove all` CLI path (was destructive)
- M2: sanitize underscores from CDK logical IDs (toCdkId helper)
- M4: reject invalid --auto-payment values instead of coercing to true
- M5: require --provider explicitly (no silent CoinbaseCDP default)
- H5: add --json flag to validate command
- L9/L10: validate payment flags early (mutual exclusion, empty strings)
@github-actions github-actions Bot removed the size/xl PR size: XL label May 15, 2026
@github-actions github-actions Bot added the size/xl PR size: XL label May 15, 2026
if (result.success) {
  console.log(JSON.stringify({ success: true }));
} else {
  console.log(JSON.stringify({ success: false, error: result.error.message }));
}
@aidandaly24 (Contributor, Author):

Gotta fix this

Labels: size/xl PR size: XL