feat: ungate AWS skills, managed memory, and read-only harness Version#1620
Merged
Merged
Conversation
github-actions
Bot
added
the
agentcore-harness-reviewing
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
Contributor
Package TarballHow to installgh release download pr-1620-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz |
Contributor
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
github-actions
Bot
removed
the
agentcore-harness-reviewing
Contributor
Author
|
Updated: harness memory is now opt-in — a harness defaults to |
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
Contributor
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
The NY-Summit AgentCore Harness CFN type is now public in all regions, so the
harness summit-preview features can be ungated. This removes the
ENABLE_GATED_FEATURES gate at the in-scope call sites only — knowledge-base,
gateway passthrough, and config-bundle branch stay gated (they were not part of
this ungating).
Ungated:
- AWS Skills: --aws-skills source on `add skill` and the TUI skill-source picker
(no longer "Coming soon").
- Managed memory: the managed/existing/disabled memory-mode union and the
managed-tuning flags. The legacy "No persistent memory" enabled/disabled TUI
screen is removed; the auto-created `${name}Memory` sibling is gone. "No memory"
(--no-memory / --memory-mode disabled) now writes { mode: 'disabled' }, which
maps to CFN Memory: { Disabled: {} } — a true opt-out instead of silently
getting a service-auto-created memory.
- Harness Version: `status` and the deploy drift note show the config version
unconditionally.
Fixes found while testing (in-scope):
- Reject --no-memory combined with managed-only flags (--memory-strategies /
--memory-event-expiry-days / --memory-encryption-key-arn) instead of silently
dropping them.
- TUI existing-memory retrieval tuning (messages count / topK / relevance) was
silently dropped; the wizard setters now write into the memory union and the
add/create flows share one toMemoryAddOptions() translation helper.
- `deploy --json` no longer emits the managed-memory heads-up notice to stdout
(it corrupted the JSON output); the notice is suppressed under --json and still
recorded in the deploy log.
Tests: ungated and corrected the integ memory-mode coverage (removed the legacy
auto-memory assertions); added unit coverage for memory-mode resolution and the
TUI translation helper; added harness-managed-memory and harness-aws-skills e2e
suites (deploy -> invoke -> memory round-trip / skills-loaded -> teardown),
verified against a real account. 5425 unit tests pass; typecheck + lint clean.
Depends on aws/agentcore-l3-cdk-constructs#289.
Per product direction, a harness gets NO memory unless the user explicitly asks
for it. Previously "say nothing" defaulted to managed memory; now it defaults to
disabled. Managed and existing remain available, but only on explicit request.
- buildMemoryRef: managed is now opt-in (only --memory-mode managed or a
managed-tuning flag); existing on --memory-arn/--memory-name/--memory-mode
existing; everything else (including no flags) → disabled. This maps to CFN
Memory: { Disabled: {} }, so the service never auto-provisions a surprise
managed memory.
- TUI: the memory-mode picker lists Disabled first (the highlighted default,
labelled "No memory (default)"); the wizard seeds disabled so accepting the
default writes disabled. Managed/Existing are explicit picks.
- create: inherits the disabled default through harnessPrimitive.add; telemetry
memory_type for the harness path is 'none' by default.
- managed-memory deploy notice now fires only for explicitly-managed memory
(disabled and omitted both opt out → no provisioning).
Tests updated to the opt-in default across unit (buildMemoryRef, memory-options,
managed-memory-notice) and integ (add-remove-harness) suites; verified end-to-end
via the CLI and the TUI memory-mode picker. 5427 unit tests pass; typecheck + lint
clean.
Pairs with aws/agentcore-l3-cdk-constructs#289 (omitted → Disabled at synth).
aidandaly24
force-pushed
the
feat/ungate-aws-skills-managed-memory-version
branch
from
40d4e11 to
b12b14e
Compare
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
Contributor
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Contributor
Coverage Report
|
avi-alpert
reviewed
Jun 24, 2026
| gatedOption(new Option('--memory-mode <mode>', 'Memory mode: managed (default), existing, or disabled')) | ||
| ) | ||
| // Managed-memory flags. | ||
| .addOption(new Option('--memory-mode <mode>', 'Memory mode: managed (default), existing, or disabled')) |
Contributor
There was a problem hiding this comment.
is the UX that a user created a harness in CLI has managed memory by default even when not specifying the memory option? for example agentcore add harness --name foo
avi-alpert
reviewed
Jun 24, 2026
| if (options.memoryMode === 'existing' && !options.memoryArn && !options.memoryName) { | ||
| return { valid: false, error: '--memory-mode existing requires --memory-arn or --memory-name' }; | ||
| } | ||
| if (managedOnlyFlags && options.memoryMode && options.memoryMode !== 'managed') { |
Contributor
There was a problem hiding this comment.
edge case missed: what if memoryMode option was skipped entirely but a user "mixed" flags, for example agentcore add harness --name foo --memory-arn arn:... --memory-strategies SEMANTIC
i dont think a validation error is thrown in this case
…ory validation Round-5 bug-bash follow-ups for the opt-in memory default. Help/notice text (was still describing the old managed-is-default behavior): - `--memory-mode` help: "disabled (default), managed, or existing" (was "managed (default), ..."). - `--no-memory`/`--memory-name`/`--memory-arn` and `create --no-harness-memory` help: drop the "auto-creating" framing (nothing is auto-created; memory is opt-in). - MANAGED_MEMORY_DEPLOY/ADD_NOTICE: no longer call managed "the default"; phrase as "you requested --memory-mode managed". - Refresh the stale "managed is the default" source comment in HarnessPrimitive.add. Validation (reject instead of silently doing the wrong thing): - `--memory-arn`/`--memory-name` + `--memory-mode managed|disabled` → conflict error (was silently downgraded to existing). - existing-only tuning flags (--memory-actor-id/--memory-messages-count/--memory-top-k/ --memory-relevance-score) given with no existing reference → error (were silently dropped). - `--memory-arn` is now format-validated (was accepted unvalidated). Other robustness (pre-existing, surfaced by the bug bash): - formatError no longer dumps the raw JS stack trace to users by default (set AGENTCORE_DEBUG=1 to see it) — config/validation errors were leaking minified dist frames. - create: route `--memory` (an agent-only option) to the agent path so it conflicts with harness-only flags instead of being silently ignored on the harness path. - TUI useMultiSelectNavigation: on confirm, drop selections for options no longer visible in `items` (switching memory mode after toggling "Memory tuning" left a stale selection that pushed a non-existent step and corrupted wizard navigation). Tests added/updated for all of the above. 5451 unit tests pass; typecheck + lint clean.
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
Contributor
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
avi-alpert
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The NY-Summit
AWS::BedrockAgentCore::HarnessCFN type is now public in all regions, so the harness summit-preview features can be ungated. This removes theENABLE_GATED_FEATURESgate at the in-scope call sites only — knowledge-base, gateway passthrough, and config-bundle branch intentionally stay gated (not part of this ungating; verified still hidden without the flag).Ungated
--aws-skillssource onadd skilland the TUI skill-source picker (no longer "Coming soon").managed/existing/disabledmemory-mode union and the managed-tuning flags. The legacy "No persistent memory" enabled/disabled TUI screen is removed, and the auto-created${name}Memorysibling is gone. "No memory" (--no-memory/--memory-mode disabled) now writes{ mode: 'disabled' }→ CFNMemory: { Disabled: {} }(a true opt-out, instead of silently getting a service-auto-created memory).statusand the deploy drift note show the config version unconditionally.Fixes found while testing (in-scope)
--no-memorycombined with managed-only flags (--memory-strategies/--memory-event-expiry-days/--memory-encryption-key-arn) instead of silently dropping them.toMemoryAddOptions()translation helper.deploy --jsonno longer emits the managed-memory heads-up notice to stdout (it corrupted the JSON output); the notice is suppressed under--jsonand still recorded in the deploy log.Related Issue
Closes #
Documentation PR
Type of Change
Testing
How have you tested the change?
npm run test:unitandnpm run test:integnpm run typechecknpm run lintsrc/assets/, I rannpm run test:update-snapshotsand committed the updated snapshots — N/A (no asset changes)Added/updated: corrected the integ memory-mode coverage (removed legacy auto-memory assertions, ungated the memory-modes describe); added unit coverage for memory-mode resolution (
HarnessPrimitive.add.memory.test.ts) and the TUI translation helper (memory-options.test.ts); addedharness-managed-memoryandharness-aws-skillse2e suites (deploy → invoke → memory round-trip / skills-loaded → teardown), verified against a real account. 5425 unit tests pass; typecheck + lint clean.Checklist
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.