Add role-based HR data agent with scope-based field redaction via AgentCore Gateway#1262

Open
zubeens wants to merge 2 commits into awslabs:main from zubeens:feature/role-based-hr-data-agent

Conversation

@zubeens

@zubeens zubeens commented Apr 7, 2026

Summary

  • Adds a new use-case sample demonstrating role-based HR data access with automatic scope-based field redaction using Amazon Bedrock AgentCore
  • Same query, same agent, different OAuth scopes — sensitive fields redacted transparently by the Response Interceptor without changing application code
  • Three personas (HR Manager, HR Specialist, Employee) with different Cognito OAuth scopes controlling both tool visibility and field-level redaction

Key capabilities demonstrated

  • AgentCore Gateway as a policy enforcement point with request/response interceptors
  • Cedar Policy Engine for scope-based tool authorization (tools/call)
  • Response Interceptor for tool discovery filtering (tools/list) and scope-based field redaction
  • Multi-tenant isolation via OAuth client_id → tenant mapping in SSM (no custom JWT claims required)
  • Cognito OAuth 2.0 client_credentials flow with custom scopes per persona

Test plan

  • bash scripts/prereq.sh --region us-east-1 --env dev — deploys Lambda, IAM, Cognito
  • python scripts/agentcore_gateway.py create — creates Gateway with interceptors and Lambda target
  • python scripts/create_cedar_policies.py — attaches Cedar engine and creates 3 HR authorization policies
  • bash scripts/package_runtime.sh && python scripts/agentcore_agent_runtime.py create — deploys Runtime
  • python test/test_dlp_redaction.py — verifies all 4 personas pass field redaction assertions
  • python test/test_agent.py --persona hr-manager --prompt "Show me John Smith's compensation" — full agent test
  • streamlit run app.py — UI smoke test across all personas

Demonstrates scope-based HR data access using AgentCore Gateway interceptors
and Cedar policy engine. An HR Manager sees full employee records; an HR
Specialist sees profiles but not compensation; an Employee sees names only.
DLP redaction is applied transparently by the Response Interceptor — no
application code changes needed when switching personas.
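As an added illustration of the behaviour this PR describes (not code from the PR or from the AgentCore sample), a minimal Python model of the Response Interceptor's two jobs: scope-based field redaction on tools/call results and tool filtering on tools/list. Scope names, tool names, field names, the persona-to-scope mapping and the sample record are assumptions.

```python
from typing import Any, Dict, Iterable, List
# Assumed OAuth scope -> fields it may expose. Scope and field names are
# illustrative and not taken from the sample.
SCOPE_FIELDS: Dict[str, frozenset] = {
    "hr/employee.read": frozenset({"employee_id", "name"}),
    "hr/profile.read": frozenset({"title", "department", "email"}),
    "hr/compensation.read": frozenset({"salary", "bonus"}),
}
# Assumed gateway tool -> scope that Cedar would require for tools/call.
TOOL_SCOPES: Dict[str, str] = {
    "search_employees": "hr/employee.read",
    "get_employee_profile": "hr/profile.read",
    "get_compensation": "hr/compensation.read",
}
# Assumed persona -> granted scopes, mirroring the three personas in the PR.
PERSONA_SCOPES: Dict[str, List[str]] = {
    "hr-manager": ["hr/employee.read", "hr/profile.read", "hr/compensation.read"],
    "hr-specialist": ["hr/employee.read", "hr/profile.read"],
    "employee": ["hr/employee.read"],
}
REDACTED = "[REDACTED]"

def allowed_fields(scopes: Iterable[str]) -> frozenset:
    """Union of fields granted by the caller's scopes; an unknown scope grants
    nothing, so a mistyped or unexpected scope fails closed."""
    allowed: frozenset = frozenset()
    for scope in scopes:
        allowed |= SCOPE_FIELDS.get(scope, frozenset())
    return allowed

def redact_record(record: Dict[str, Any], scopes: Iterable[str]) -> Dict[str, Any]:
    """tools/call path: replace every field outside the caller's scopes.
    Keys are kept so the response schema stays stable across personas."""
    allowed = allowed_fields(scopes)
    return {k: (v if k in allowed else REDACTED) for k, v in record.items()}

def visible_tools(scopes: Iterable[str]) -> List[str]:
    """tools/list path: hide tools the caller could never be authorized to call."""
    granted = set(scopes)
    return sorted(t for t, s in TOOL_SCOPES.items() if s in granted)

# Constructed sample record, not real employee data.
SAMPLE_RECORD = {
    "employee_id": "E-1001", "name": "Sample Employee", "title": "Analyst",
    "department": "Finance", "email": "sample@example.com",
    "salary": 90000, "bonus": 5000,
}
if __name__ == "__main__":
    for persona, scopes in PERSONA_SCOPES.items():
        print(persona, visible_tools(scopes), redact_record(SAMPLE_RECORD, scopes))
```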
@github-actions github-actions bot added the 02-use-cases 02-use-cases label Apr 7, 2026
@zubeens zubeens changed the title Add role-based HR data agent with field-level DLP via AgentCore Gateway Add role-based HR data agent with scope-based field redaction via AgentCore Gateway Apr 7, 2026