Skip to content

E2E policy test evidence (2026-03-22)#10

Open
jesseturner21 wants to merge 15 commits intomainfrom
e2e-test-evidence-20260322
Open

E2E policy test evidence (2026-03-22)#10
jesseturner21 wants to merge 15 commits intomainfrom
e2e-test-evidence-20260322

Conversation

@jesseturner21
Copy link
Owner

@jesseturner21 jesseturner21 commented Mar 22, 2026
edited
Loading

Policy E2E Test Evidence (2026-03-22)

Full end-to-end test of the policy engine lifecycle through the CLI TUI. All 13 steps completed successfully.

1. Main Menu & Add Resource

Main Menu
Add Resource Menu

2. Gateway Creation (OAuth)

Gateway Name Step
Authorizer Type Selection
Advanced Config
Confirm Review

Gateway creation success output 
✓ Added gateway: TestGateway
Gateway defined in agentcore/mcp.json. Next: Use 'add gateway-target' to route targets through this gateway.

3. Gateway Target Creation (ExaSearch MCP)

Gateway Target Selected
Target Type Selection
Name Entered
Endpoint URL
Outbound Auth None
Confirm Gateway Target

4. Agent Creation (SearchAgent - Strands/Python/Bedrock)

Agent Name
Agent Type
Framework Selection
Agent Confirm

5. First Deploy — Verified: 4 tools available, web search works

Deploy Started
Building Progress
Deploying to AWS
Deploying 6/8

Deploy completed output 
✓ Deploy to AWS Complete [████████████████████] 8/8
Deployed 1 stack(s): AgentCore-policytest-default
Gateway Targets: ExaSearch: ✓ synced

6. First Invoke — Web search works

Chat Interface
Tools Response
Web Search Top
Web Search Bottom

7. Policy Engine Creation (TestEngine → TestGateway)

Policy Selected
Name TestEngine
Attach Gateways
TestGateway Checked
Mode Selection

8. Deploy with Policy Engine (ENFORCE mode) — Tools blocked by default deny

Deploy with enforce output 
✓ Deploy to AWS Complete
Deployed 1 stack(s): AgentCore-policytest-default

9. Invoke — Default Deny Verified (only add_numbers available)

Agent response: "I don't have access to a web search tool to look up the latest AWS news. The only tool available to me is an add_numbers function."

10. Policy Generation via Natural Language

Prompt: "permit all web search calls unless the input contains Jesse Turner"

Add Policy Engine Select
Policy Name
Generate Option
Gateway Select
Natural Language Prompt
Generating Spinner
Generated Policy Review
Validation Mode
Confirm Review

Generated Cedar Policy 
permit(
  principal,
  action in [AgentCore::Action::"ExaSearch___web_search_exa",AgentCore::Action::"x_amz_bedrock_agentcore_search"],
  resource == AgentCore::Gateway::"arn:aws:bedrock-agentcore:us-west-2:325335451438:gateway/policytest-testgateway-8ckurs50xo"
) when {
  !(((context has input) && ((context.input) has query)) && (((context.input).query) like "*Jesse Turner*"))
};

11. Final Deploy with Policy

OAuth Prompt
Deploy Progress
Policy Creating

12. ✅ Invoke PERMITTED — "cloud computing" search returns results

Permitted Response

13. ✅ Invoke BLOCKED — "Jesse Turner" search restricted by policy

Blocked Response

Issues Found

Issue Severity Description
Progress bar overflow Minor UI Counter goes beyond total (6/5, 7/5...) causing String.repeat error with negative value
LOG_ONLY default UX Policy engine mode defaults to LOG_ONLY; must manually change to ENFORCE
TTY requirement Expected agentcore deploy requires interactive terminal for Ink TUI

Progress Flow

See progress.txt for the full step-by-step test log.

🤖 Generated with Claude Code

jesseturner21 and others added 15 commits March 19, 2026 18:34
@jesseturner21 @claude
feat: add policy engine and policy support with full deploy pipeline
013c73d 
Add Cedar authorization policy support to AgentCore CLI:

- Schema: PolicyEngine and Policy schemas with Zod validation
- TUI: Full add/remove wizards for policy engines and policies
  - Source methods: Cedar file, inline statement, or AI generation
  - Gateway selection for generation flow
  - Expandable text input for generation prompts
- CLI: Non-interactive add/remove commands with all flags
  - agentcore add policy-engine --name <name>
  - agentcore add policy --name <name> --engine <engine> --source/--statement/--generate
  - agentcore remove policy-engine/policy --name <name>
- Deploy: CDK construct integration, CloudFormation output parsing,
  deployed state tracking with composite engine/policy keys
- Status: Policy engines and policies shown in status command and
  ResourceGraph TUI with correct deployment state diffing
- Generation: StartPolicyGeneration + waiter integration with
  deployed engine ID and gateway ARN resolution
- Validation: Schema validation for names, statements, validation modes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
feat: use composite key for policy removal to handle cross-engine nam…
099c408 
…e collisions

Policies are nested under engines, so the same policy name can exist in
multiple engines. Switch getRemovable/remove/previewRemove to use an
"engineName/policyName" composite key so the generic TUI remove flow can
uniquely identify policies with a single string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: sync package-lock.json for npm@10 compatibility
27457a2 
Regenerate lock file with npm@10 to resolve missing yaml@2.8.2
dependency entry that caused `npm ci` failures on Node 20.x and 22.x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: resolve lint and formatting issues for CI
18d43d4 
- Merge duplicate imports in policy-generation.ts
- Use dot notation instead of bracket notation in outputs test
- Replace Array<T> with T[] in outputs.ts and useDeployFlow.ts
- Add void operator for floating promises in AddPolicyFlow
- Wrap async handlers with void for no-misused-promises
- Escape quotes in JSX text in AddPolicyScreen
- Fix prettier formatting across all changed files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: make --statement, --source, --generate mutually exclusive in add…
8b84484 
… policy

Previously, passing multiple source flags (e.g. --statement + --source) was
silently accepted with an implicit precedence order. Now the command returns
a clear error if more than one is provided.

Also fix pre-existing type errors in dev config tests by adding the required
policyEngines field to test fixtures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
feat: add policy engine and policy support to TUI remove flow
4c56ed6 
Add interactive TUI support for removing policy engines and policies,
including menu entries, selection screens, confirmation, and success states.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
fix: write both CLIENT_ID and CLIENT_SECRET env vars for managed OAut…
ca8cde0 
…h credentials

The createManagedOAuthCredential method was only writing the client secret
with an incorrect env var name. Now correctly writes both _CLIENT_ID and
_CLIENT_SECRET suffixed env vars, matching the pattern used by CredentialPrimitive.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Hweinstock @jesseturner21
feat: add PolicyEngineConfiguration support for gateways
ad88e2c
@Hweinstock @jesseturner21
feat: add policy engine selection to gateway TUI wizard
f4040ee
@Hweinstock
Merge branch 'aws:main' into main
9858591
@Hweinstock
chore: sync package-lock.json
c756de6
@jesseturner21 @claude
fix: shorten disabled policy generate description to prevent truncation
9accdc7 
The "Generate a Cedar policy" option's disabled description was too long
("Requires deployed engine — run `deploy` first") and got cut off in
narrow terminals. Shortened to "Deploy engine first".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21
Merge pull request #7 from jesseturner21/fix/policy-generate-descript…
b2869e9 
…ion-truncation

fix: shorten disabled policy generate description to prevent truncation
@jesseturner21 @claude
Add e2e CLI TUI test evidence for full agent lifecycle
4fd437f 
Screenshots of the complete TUI flow: create project, add agent, deploy, invoke, remove agent, deploy removal.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jesseturner21 @claude
Add policy e2e test evidence and progress flow (2026-03-22)
2969790 
Full end-to-end test of policy engine lifecycle:
- Gateway creation with OAuth (screenshots 01-10)
- Gateway target creation - ExaSearch MCP (screenshot 11)
- Agent creation - SearchAgent Strands/Python (screenshot 12)
- Deploy and invoke - 4 tools available, web search works (screenshots 13-14)
- Policy engine creation and ENFORCE mode deploy (screenshots 15-16)
- Default deny verification - tools blocked (screenshot 17)
- Natural language policy generation for Cedar (screenshot 18)
- Final deploy with policy and invoke verification (screenshots 19-21)
- Permitted: "cloud computing" search returns results
- Blocked: "Jesse Turner" search restricted by policy

Issues found: progress bar counter overflow, LOG_ONLY default mode, TTY requirement.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added the size/xl PR size: XL label Mar 22, 2026
@github-actions
Copy link

github-actions bot commented Mar 22, 2026

Package Tarball

aws-agentcore-0.3.0-preview.6.1.tgz

How to install

npm install https://github.com/jesseturner21/agentcore-cli/releases/download/pr-10-tarball/aws-agentcore-0.3.0-preview.6.1.tgz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size/xl PR size: XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jesseturner21 @Hweinstock