feat: add Lambda interceptors for AgentCore gateways by aidandaly24 · Pull Request #1330 · aws/agentcore-cli

aidandaly24 · 2026-05-20T21:44:37Z

Description

Adds end-to-end support for Lambda interceptors at gateway REQUEST and RESPONSE points: a new InterceptorPrimitive, three vended templates (pass-through, jwt-scope-authorizer, tools-list-filter) for both Python and Node.js, deploy-side preflight, and logs interceptor / invoke interceptor verbs.

Primitive surface

`agentcore add interceptor --name --gateway --interception-points --template --runtime [--timeout] [--no-pass-request-headers] [--additional-policies]` for managed mode
External mode via direct `agentcore.json` edit referencing a customer-provided unqualified Lambda ARN
`agentcore remove interceptor --name` reconciles deploy state on next `agentcore deploy`
`agentcore logs interceptor --name [--follow|--since|--until]` tails CloudWatch for managed interceptors; external interceptors short-circuit to a remediation message
`agentcore invoke interceptor --name [--payload]` invokes the underlying Lambda for managed interceptors

Schema

`interceptors` array on `AgentCoreProjectSpec` with cross-field `superRefine` for cardinality (max 1 per point per gateway, max 2 per gateway) and gateway-name reference checks
Lambda ARN regex tightened to reject version/alias qualifiers
`passRequestHeaders`, `entrypoint`, `timeoutSeconds`, `runtime` are optional with consumption-time defaults so user-edited `agentcore.json` stays sparse across CLI round-trips

Deploy

`validateInterceptors()` checks managed-mode codeLocation existence and emits a masked cross-account WARN for external mode (with full `aws lambda add-permission` remediation snippet); also wired into `agentcore validate` so the pre-check works without invoking deploy
`validateGatewayTargetLambdas()` does a best-effort `lambda:GetFunction` per `lambda-function-arn` target and WARNs on any failure (NotFound, AccessDenied, throttle) so a typo'd ARN surfaces before CFN ROLLBACK
Account IDs go through `maskAccountId()` for all user-visible warning output (PII masking)

Templates

`pass-through`, `jwt-scope-authorizer`, `tools-list-filter` for Python (`pyproject.toml` + hatchling) and Node.js (`index.mjs` + `package.json`)

Bug fixes

ANSI cursor-show escape (`\x1b[?25h`) was being written to stdout on every CLI invocation by ink/cli-cursor on App unmount, corrupting machine-parseable output (broke `--json` JSON parsing). Fixed at the CLI entry by stripping cursor show/hide escapes from non-TTY stdout/stderr writes.

Out of scope (P0)

The following were deliberately excluded from this PR. None are bugs — flagged here so reviewers don't ask "where is X":

PII-redaction template — patterns are wildly customer-specific (a bank's PII isn't a hospital's). Better as a future config-driven template, or roll your own using `pass-through` as a skeleton.
Audit-logging template (OpenSearch / S3) — non-trivial destination wiring (IAM, batching, SIEM plug-in points). Ship later when there's a clearer customer ask.
Provisioned concurrency — adds CFN complexity and runs $$$ even when idle. Wait for actual latency-sensitive customer demand.
Multi-gateway shared interceptor pools — schema is currently 1 interceptor → 1 gateway. Sharing across gateways needs schema redesign (`gatewayNames: string[]` or a separate attach relation) and harder cardinality validation.
Console UX parity — separate team's mission. CLI guarantees programmatic parity, not click-for-click visual matching.
Streaming-aware first-invocation guard — shipped as commented-in code in the pass-through Node template (`if (invocationIndex > 0) { ... }`). Activating by default would change non-streaming behavior; customers opt in when needed.

Related Issue

Closes #

Documentation PR

Type of Change

New feature

Testing

I ran `npm run test:unit` and `npm run test:integ`
I ran `npm run typecheck`
I ran `npm run lint`
If I modified `src/assets/`, I ran `npm run test:update-snapshots` and committed the updated snapshots

Additionally:

End-to-end bug bash conducted across 60+ matrix cases against live AWS account, with 20+ parallel subagents covering: managed Python + Node templates × all 3 interception points, external same-account at REQUEST/RESPONSE/dual-point, cross-account preflight WARN, full deploy lifecycle (deploy → redeploy → remove → teardown), real MCP traffic with interceptor invocation proven via CloudWatch logs, JWT scope-authorizer allow/deny, RESPONSE-side `statusCode` mutation, tools-list filtering, additionalPolicies as file path AND managed ARN, IAM Sid hash uniqueness + size under 10240 bytes, schema rejects (qualifier ARN, unknown gateway, duplicate name, over-length name), --json output validity, TUI integration verified via tui-harness MCP

Checklist

I have read the CONTRIBUTING document
I have added any necessary tests that prove my fix is effective or my feature works
I have updated the documentation accordingly
I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
My changes generate no new warnings
Any dependent changes have been merged and published — depends on aws/agentcore-l3-cdk-constructs#225

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

github-actions · 2026-05-20T21:45:34Z

Package Tarball

aws-agentcore-0.17.0.tgz

How to install

gh release download pr-1330-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.17.0.tgz

agentcore-devx-automation · 2026-05-20T21:46:58Z

Claude Security Review: no high-confidence findings. (run)

agentcore-devx-automation · 2026-05-21T02:37:40Z

Claude Security Review: the review run failed before completing. See the run for details.

agentcore-devx-automation · 2026-05-21T13:59:43Z

Claude Security Review: the review run failed before completing. See the run for details.

agentcore-devx-automation · 2026-05-21T14:05:10Z

Claude Security Review: the review run failed before completing. See the run for details.

Mirror the CDK schema change: AgentCoreProjectSpecSchema.interceptors is now `.optional()` (matching the `datasets` convention) instead of `.default([])`, so an agentcore.json that doesn't use interceptors stays sparse across CLI round-trips. Consumer follow-through for the now-optional field: - InterceptorPrimitive: guard every project.interceptors access with `??= []` (mutating paths) or `?? []` (read-only paths). - AddScreen: add 'interceptor' to the AddResourceType union (the BASE_ADD_RESOURCES entry referenced a union member that the rebased upstream type definition didn't include). The schema-level superRefine cross-field checks (unknown gateway, max-2 cardinality, duplicate names) already guard with `?? []`. All 70 interceptor unit tests pass; tsc/lint/format clean.

Three test files unrelated to interceptors were swept into the feature commit by an editor autofix: - import-gateway-targets.test.ts (resolved during rebase by taking main's aws#1437 rewrite) - import-gateway-spec.test.ts (restored: main keeps the eslint-disable guarding the (gw as any) cast; dropping it would fail lint) - resolve-ui-dist-dir.test.ts (restored: main keeps the split node:fs imports) None relate to Lambda interceptors; reverting to match origin/main.

The lockfile was regenerated during rebase to add @aws-sdk/client-lambda alongside main's new @aws-sdk/client-efs / client-s3files deps; npm's output formatting differs from prettier, failing the format CI check. No dependency changes — formatting only.

agentcore-devx-automation · 2026-06-03T17:39:52Z

Claude Security Review: no high-confidence findings. (run)

agentcore-devx-automation · 2026-06-03T17:49:04Z

Claude Security Review: no high-confidence findings. (run)

…tional-policies Completes the interceptor feature surface so it matches every other GA primitive — no more TUI dead-ends. Add wizard (src/cli/tui/screens/interceptor/): - Full interactive add flow: name → gateway → interception points → mode (managed | external) → [managed: template → runtime → advanced] → confirm. - Advanced settings page (multi-select, mirrors agent BYO computeByoSteps): Lambda timeout, additional IAM policies, pass request headers — each injects its sub-step only when selected; unselected use defaults. - computeInterceptorSteps() is a pure, unit-tested step machine; honors the dynamic-step closure gotcha (explicit setStep on mode/advanced change). - Interception points persist in canonical REQUEST,RESPONSE order regardless of toggle order, for diff-stable agentcore.json. - lambda-arn input validates against the schema pattern + 170-char cap. Remove wizard: - RemoveInterceptorScreen + RemoveFlow select-interceptor path mirror the evaluator flow: select → previewRemove (shows dir + JSON diff) → confirm. - Interceptor is now a first-class entry in both the add and remove pickers. status visibility: - agentcore status renders an Interceptors section (deployed / local-only / pending-removal) with mode + interception points, via the generic diffResourceSet over mcp.interceptors. --additional-policies: - Wired the flag end to end in the add command (schema + CDK already supported it); comma-parsed, rejected in external mode, written sparsely (empty/whitespace-only input omits the field). mask.ts: corrected the stale 'Used by' comment to list only real call sites. Verified via tui-harness drive-through (add + remove end to end, on-disk agentcore.json + scaffolding asserted) plus typecheck, lint, and 4622/4623 unit tests (1 pre-existing unrelated LogsScreen timing flake that passes in isolation).

agentcore-devx-automation · 2026-06-03T19:42:24Z

Claude Security Review: no high-confidence findings. (run)

…ng footgun passRequestHeaders controls whether the gateway forwards the caller's request headers (incl. the Authorization token) to the interceptor. It was effectively undocumented and carried a silent footgun: disabling it on a header-reading interceptor (e.g. the jwt-scope-authorizer template) makes the handler receive empty headers and silently no-op, with no runtime error. - preflight: warn at deploy/validate when a managed interceptor has passRequestHeaders disabled AND its handler source reads request headers. The spec doesn't record which template was used, so the check greps the handler file rather than keying off template identity. - docs/interceptors.md: add a config-fields table and a prominent passRequestHeaders section explaining the field, the security consideration, and the header-reading-template coupling. - CLI --no-pass-request-headers help text now states the consequence. Does NOT change the default (still true) — whether the default should flip to match the service contract is a separate question pending service-team input.

agentcore-devx-automation · 2026-06-08T19:57:43Z

Claude Security Review: no high-confidence findings. (run)

aidandaly24 requested a review from a team May 20, 2026 21:44

github-actions Bot added the size/xl PR size: XL label May 20, 2026

aidandaly24 had a problem deploying to e2e-testing May 20, 2026 21:44 — with GitHub Actions Failure

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label May 20, 2026

github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 20, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label May 20, 2026

github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 20, 2026

aidandaly24 force-pushed the feat/interceptor branch from a2daa82 to dc2fe62 Compare May 21, 2026 02:35

github-actions Bot removed the size/xl PR size: XL label May 21, 2026

aidandaly24 had a problem deploying to e2e-testing May 21, 2026 02:35 — with GitHub Actions Failure

github-actions Bot added the size/xl PR size: XL label May 21, 2026

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

github-actions Bot removed the size/xl PR size: XL label May 21, 2026

aidandaly24 had a problem deploying to e2e-testing May 21, 2026 13:56 — with GitHub Actions Failure

github-actions Bot added the size/xl PR size: XL label May 21, 2026

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

github-actions Bot removed the size/xl PR size: XL label May 21, 2026

aidandaly24 had a problem deploying to e2e-testing May 21, 2026 14:02 — with GitHub Actions Failure

github-actions Bot added the size/xl PR size: XL label May 21, 2026

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label May 21, 2026

github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels May 21, 2026

aidandaly24 added 2 commits June 3, 2026 17:32

aidandaly24 force-pushed the feat/interceptor branch from c0b9ce8 to 700bc32 Compare June 3, 2026 17:33

github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels Jun 3, 2026

aidandaly24 had a problem deploying to e2e-testing June 3, 2026 17:34 — with GitHub Actions Failure

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 3, 2026

aidandaly24 temporarily deployed to e2e-testing June 3, 2026 17:37 — with GitHub Actions Inactive

github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels Jun 3, 2026

agentcore-devx-automation Bot added claude-security-reviewing Claude Code /security-review in progress and removed claude-security-reviewing Claude Code /security-review in progress labels Jun 3, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 3, 2026

github-actions Bot removed the size/xl PR size: XL label Jun 3, 2026

aidandaly24 temporarily deployed to e2e-testing June 3, 2026 19:37 — with GitHub Actions Inactive

github-actions Bot added the size/xl PR size: XL label Jun 3, 2026

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 3, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 3, 2026

github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels Jun 8, 2026

aidandaly24 temporarily deployed to e2e-testing June 8, 2026 19:56 — with GitHub Actions Inactive

agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 8, 2026

agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add Lambda interceptors for AgentCore gateways#1330

feat: add Lambda interceptors for AgentCore gateways#1330
aidandaly24 wants to merge 11 commits into
aws:mainfrom
aidandaly24:feat/interceptor

aidandaly24 commented May 20, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 20, 2026 •

edited

Loading

Uh oh!

agentcore-devx-automation Bot commented May 20, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

aidandaly24 commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Primitive surface

Schema

Deploy

Templates

Bug fixes

Out of scope (P0)

Related Issue

Documentation PR

Type of Change

Testing

Checklist

Uh oh!

github-actions Bot commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Package Tarball

How to install

Uh oh!

agentcore-devx-automation Bot commented May 20, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented May 21, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 3, 2026

Uh oh!

agentcore-devx-automation Bot commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

aidandaly24 commented May 20, 2026 •

edited

Loading

github-actions Bot commented May 20, 2026 •

edited

Loading