
feat(payments): Add AgentCore Payments as first-class CLI resource#1261

Open
aidandaly24 wants to merge 22 commits into
mainfrom
feat/payments

Conversation

@aidandaly24
Contributor

Description

Adds AgentCore Payments as a first-class resource type in the CLI. Includes:

  • agentcore add payment-manager / payment-connector commands (CLI + TUI wizard)
  • agentcore remove payment-manager / payment-connector with cascading delete
  • CDK-backed deployment via AgentCorePaymentManager + AgentCorePaymentConnector L3 constructs
  • Payment credential provider setup (imperative, same /identities/ endpoint as API key/OAuth)
  • CFN output parsing for deployed-state persistence
  • Invoke flags: --payment-instrument-id, --payment-session-id, --auto-session
  • Python agent template with x402 payment interception via SDK plugin
  • Validate command checks for payment credential completeness
  • Dev mode env var injection (AUTH_MODE for CUSTOM_JWT support)

Related Issue

Closes #

Documentation PR

Type of Change

  • New feature

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

120 new payment-specific unit tests added covering:

  • parsePaymentOutputs, PaymentManagerPrimitive, PaymentConnectorPrimitive
  • validate command payment paths, payment-env dev mode, pre-deploy credential setup
  • wirePaymentCapability template patching

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@aidandaly24 aidandaly24 requested a review from a team May 14, 2026 21:32
@github-actions github-actions Bot added the size/xl PR size: XL label May 14, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 14, 2026
@github-actions
Contributor

Package Tarball

aws-agentcore-0.13.1.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-1261-tarball/aws-agentcore-0.13.1.tgz

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 14, 2026
@github-actions github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels May 14, 2026
- Payment manager + connector primitives (add, remove, validate, status)
- TUI wizard with advanced config (auto-payment, budget, tool allowlist, network prefs)
- CoinbaseCDP and StripePrivy provider support
- Imperative deploy via signed API calls (pre-CDK)
- Invoke flags: --payment-instrument-id, --payment-session-id, --auto-session
- Comprehensive validation (schema, .env.local, credential cross-refs, provider match)
- Data plane credential sanitization
- Dev/deploy env var parity (AUTO_PAYMENT, TOOL_ALLOWLIST, NETWORK_PREFERENCES)
- CDK connector env var fix (nested connectors record)
- Documentation (payments.md, commands.md, configuration.md, AGENTS.md)
- 84 tests (61 unit + 23 integration)
Move PaymentManager, PaymentConnector, and IAM roles from imperative
pre-deploy creation to CFN-backed L3 CDK constructs. CredentialProvider
stays imperative (holds secrets).

- cdk-stack.ts: instantiate AgentCorePaymentManager + AgentCorePaymentConnector
  from spec.payments[], wire env vars via CFN tokens, emit CfnOutputs
- bin/cdk.ts: read spec.payments[] + credential ARNs from deployed-state
- pre-deploy-payments.ts: slim to CredentialProvider only, add migration
  detection (delete-before-create for AlreadyExists constraint)
- actions.ts: new deploy flow with migration step + post-deploy output parsing
- outputs.ts: add parsePaymentOutputs() for deployed-state population
- Payment credentials stored in same credentials key as identity providers
…safety

- C1: Use arnPrefix(region) instead of hardcoded arn:aws: (multi-partition)
- H1: Replace bedrock-agentcore:* with explicit read actions on ResourceRetrieval role
- H2: Truncate project name to fit IAM 64-char role name limit
- H3: Remove unused managerArn from AddPaymentDenyOptions
- Also: Use regex-based extractRoleName() for pathed role ARNs
…mption

- C2: Read config vars (AUTO_PAYMENT, TOOL_ALLOWLIST, NETWORK_PREFERENCES) using
  discovered manager name prefix, matching what CDK actually sets
- H4: Assume ProcessPaymentRole via STS before payment execution, enforcing
  IAM role separation (agent execution role cannot call ProcessPayment)
- Fix warning message referencing nonexistent AGENTCORE_PAYMENT_NAME env var
…tion

- C3: Include resourceRetrievalRoleArn in required-fields guard (skip payment
  if absent instead of writing empty string that violates min(1) schema)
- M2: Resolve credentialProviderArn from deployedCredentials instead of empty string
- C4/H7: Use error message strings (not Error objects) in JSON.stringify output
- H5: Reject payment flags for non-HTTP protocol agents with clear error
- H6: Fix previewRemove stillReferenced logic (exclude target connector from check)
- H8: Reset isSubmittingRef on successful creation (unblocks re-submission)
- H9: Only reveal last 4 chars of secrets when length > 8 (prevent short secret exposure)
- M1: TUI deploy flow now calls parsePaymentOutputs (prevents silent state loss)
- M4: Safer type narrowing for credential provider comparison in validate
- M5: Show loading state during connector-only creation + add .catch()
- M6: Use DEFAULT_RUNTIME_USER_ID constant instead of hardcoded 'default-user'
- M7: Write env vars before spec to prevent dangling credentials on failure
- M8: Use toError() to preserve error cause chain in catch blocks
- M13: Add .catch() on connector creation promise (prevents unhandled rejection)
- M15: Import PaymentDeployedState from schema instead of local duplicate
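The H9 item above and the "data plane credential sanitization" item in the earlier commit describe the masking rule the CLI applies before echoing secrets. The following is an added example (not the project's code) of that rule as a helper plus a record sanitiser for log output; the threshold (8) and the 4-character suffix come from the commit text, while the key pattern and the mask glyph are assumptions made here.

```typescript
// Added illustration of the H9 rule, not the project's implementation.
const REVEAL_MIN_LENGTH = 8; // reveal a suffix only when the secret is longer than this
const REVEAL_SUFFIX = 4;     // number of trailing characters shown
const MASK = "********";     // fixed width so the mask does not leak the secret's length

// Return a display-safe form of a secret.
function maskSecret(secret: string): string {
  if (secret.length > REVEAL_MIN_LENGTH) {
    return MASK + secret.slice(-REVEAL_SUFFIX);
  }
  // Short secrets: showing 4 of <= 8 characters would expose half the value,
  // so nothing is revealed at all.
  return MASK;
}

// Assumed key pattern for values that must never reach logs or the TUI in clear.
const SENSITIVE_KEY = /(secret|token|key|password|credential)/i;

// Mask every value whose key looks sensitive; other values pass through unchanged.
function sanitizeCredentials(record: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(record)) {
    out[k] = SENSITIVE_KEY.test(k) ? maskSecret(v) : v;
  }
  return out;
}
```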
…ain.py template

The hasMemory/hasPayment/hasConfigBundle nesting was missing a closing
{{/if}} for the outer hasMemory block, causing Handlebars parse errors
during agentcore create.
…ullish coalescing

- Use serviceEndpoint() instead of hardcoded .amazonaws.com
- Type JSON.parse results as Record<string, unknown> to avoid unsafe any
- Use ?? instead of || for userId fallback
From 15-agent parallel bugbash:
- H1: Use serializeResult() in PaymentManagerPrimitive add handler (JSON {} fix)
- H2: Service principal uses dnsSuffix(region) for multi-partition
- H3: wirePaymentCapability handles BYO agent pattern (Agent() fallback)
- H4: Protocol check moved above auto-session block, autoSession in predicate
- H5: Vended CDK test fixture updated (remove configBundles, add payments)
- M1: remove-all preserves $schema and tags fields
- M2: Template derives connector/role from scoped prefix (not independent scan)
- L1: removeEnvVars writes empty string (not bare newline) when no keys remain
- L2: payment-env.ts guards processPaymentRoleArn before injection
…schema

The CDK's AgentCoreProjectSpecSchema now includes $schema, configBundles,
abTests, and httpGateways fields (matching what actually exists in
agentcore.json). This eliminates all `as any` casts in the vended CDK
template and CLI remove-all handler.

Also updates L3 CDK constructs package with these schema additions.
… to migrate

- Delete payment-iam.ts entirely (addPaymentDenyToExecutionRole was unnecessary
  defense-in-depth that surprises customers with unexpected IAM mutations)
- Delete migratePaymentResources, shouldMigratePayments, cleanupImperativePayment
  (migration path for users that don't exist — feature hasn't shipped)
- Delete ensureProcessPaymentRole, ensureResourceRetrievalRole, deletePaymentRoles
  (CDK constructs handle all IAM role creation)
- Simplify cleanupPaymentCredentialProviders to only handle credential providers
- Remove migration detection block from deploy actions
…d params

- Delete PaymentConnectorResult, PaymentManagerResult, PaymentDeployResult (zero consumers)
- Remove roleCreatedByCli from PaymentDeployedState (CDK manages roles, field is meaningless)
- Remove unused accountId param from SetupPaymentResourcesOptions
- Remove dead migration comment from actions.ts
- Move cleanupPaymentCredentialProviders to static import (AGENTS.md: no inline imports)
… stale code

CRITICAL:
- TUI teardown now cleans up payment credential providers before stack destroy

HIGH:
- Remove dead imperative API exports from barrel (createPaymentManager, etc.)
- Fix "backward compatibility" comment (unreleased feature has no backward compat)

MEDIUM:
- Remove console.error in getOrCreatePaymentSession (silent fallthrough to create)
- Fix stale variable name processor → manager in useCreatePayment
- Fix autoPayment schema to just .optional() (no confusing default+optional combo)
- Fix connector description to mention both providers
- Fix unused catch variables (prefix with _)
…OM_JWT

Fix 1 — Delete dead code:
- Remove createPaymentManager, listPaymentManagers, deletePaymentManager,
  createPaymentConnector, deletePaymentConnector, listPaymentConnectors,
  generateClientToken and ~14 associated type interfaces from agentcore-payments.ts
- These had zero call sites (CDK constructs handle all resource creation)
- Removed ~270 lines of dead code

Fix 2 — Inject AGENTCORE_PAYMENT_{NAME}_AUTH_MODE:
- cdk-stack.ts: inject AUTH_MODE='bearer' when authorizerType is CUSTOM_JWT
- deployed-state.ts: add authorizerType to PaymentDeployedStateSchema
- outputs.ts: pass authorizerType through from spec in parsePaymentOutputs
- actions.ts + useDeployFlow.ts: include authorizerType in paymentSpecs
- payment-env.ts: read authorizerType from project spec for dev mode
- payments.py: read from prefixed env var (${_prefix}AUTH_MODE)

Without this fix, CUSTOM_JWT users always get SigV4 auth mode at runtime.
120 new tests across 7 files (6 new + 1 extended):
- parsePaymentOutputs (23): output key mapping, missing fields, multi-manager
- PaymentManagerPrimitive (20): add/remove/cascade/getRemovable/previewRemove
- PaymentConnectorPrimitive (18): add/remove/composite-key/previewRemove
- validate action.ts (9): all payment error paths in handleValidate
- payment-env (7): dev-mode env var injection + AUTH_MODE
- pre-deploy-payments (15): credential provider create/update/cleanup
- wirePaymentCapability (17): template/BYO patching, idempotency

Total suite: 4036 tests passing.
…alignment

- Fix TUI deploy bug: runPaymentPreDeploy now calls setAllCredentials so
  useDeployFlow.persistDeployedState has correct connector ARNs
- Remove export from 9 dead type interfaces in agentcore-payments.ts
- Rename PaymentCredentialProviderResult → PaymentCredentialProviderApiResult
  to resolve name collision with payment-types.ts
- Fix defaultSpendLimit schema mismatch: CDK now uses z.string().optional()
  matching CLI (was z.object({amount,currency}) — incompatible)
- Remove dead PaymentCredentialProviderResult re-export from barrel
Payment credential providers use the same /identities/ endpoint as API key
and OAuth providers. Move setupPaymentCredentialProviders, hasPaymentCredentialProviders,
and cleanupPaymentCredentialProviders into pre-deploy-identity.ts alongside
the other credential provider operations.

- Delete pre-deploy-payments.ts (merged into pre-deploy-identity.ts)
- Delete payment-types.ts (types inlined in pre-deploy-identity.ts)
- Rename: setupPaymentResources → setupPaymentCredentialProviders
- Rename: hasPaymentManagers → hasPaymentCredentialProviders
- Update all import paths and barrel exports
- Update test imports
@github-actions github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels May 15, 2026
- H2: remove abTests/httpGateways from vended cdk.test.ts (not in CDK schema)
- H3: fix double-blank-lines in wirePaymentCapability (regex captured newlines)
- H4: import PAYMENT_SYSTEM_PROMPT and use it in wired Agent constructor
- M1: respect --dry-run flag in `remove all` CLI path (was destructive)
- M2: sanitize underscores from CDK logical IDs (toCdkId helper)
- M4: reject invalid --auto-payment values instead of coercing to true
- M5: require --provider explicitly (no silent CoinbaseCDP default)
- H5: add --json flag to validate command
- L9/L10: validate payment flags early (mutual exclusion, empty strings)
@github-actions github-actions Bot removed the size/xl PR size: XL label May 15, 2026
@github-actions github-actions Bot added the size/xl PR size: XL label May 15, 2026
if (result.success) {
  console.log(JSON.stringify({ success: true }));
} else {
  console.log(JSON.stringify({ success: false, error: result.error.message }));
}