Skip to content

fix(harness): --no-memory disables managed memory instead of omitting it#1629

Closed
aidandaly24 wants to merge 1 commit into
mainfrom
fix/harness-no-memory-disables-managed-memory
Closed

fix(harness): --no-memory disables managed memory instead of omitting it#1629
aidandaly24 wants to merge 1 commit into
mainfrom
fix/harness-no-memory-disables-managed-memory

Conversation

@aidandaly24

@aidandaly24 aidandaly24 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Description

agentcore add harness --no-memory (gated-off path) wrote a harness spec that omitted the memory config entirely. The AgentCore service treats an omitted memory config as "auto-provision a managed memory", so a "no memory" harness ended up with a managed memory harness_<physicalName>_<hash> it never asked for — and the execution role wasn't scoped for it, so invoke failed:

AccessDeniedException: not authorized to perform bedrock-agentcore:ListEvents
on resource memory/harness_<name>_<hash>

This is a contributing cause of the harness-custom-jwt E2E failure (that test uses --no-memory).

Background. CDK #287 made the harness role grant memory permissions for the omitted case (managedMemory = spec.memory?.mode !== 'disabled') — specifically because the CFN Harness resource couldn't express a memory opt-out at the time, so "no memory" still got a service-auto-created memory that needed the grant. That CFN limitation is gone: Memory: { Disabled: {} } shipped in the CDK (#273, alpha.20+) and the vended project resolves ^0.1.0-alpha.19 → the latest published 0.1.0-alpha.39, which has it.

Fix. buildLegacyMemoryRef now returns { mode: 'disabled' } for --no-memory instead of undefined. That maps to CFN Memory: { Disabled: {} } — no memory is provisioned, no ListEvents grant is needed, no AccessDenied. CLI-only change; the CFN disabled mapping and the schema's disabled arm are already live and ungated.

Related Issue

Closes #1628

Documentation PR

N/A

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck (clean)
  • I ran npm run lint (0 errors; 31 pre-existing warnings)
  • npm run test:integadd-remove-harness.test.ts 35/35 pass (strengthened the --no-memory test to assert spec.memory.mode === 'disabled')
  • Harness primitive unit tests — 283/283 pass

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aidandaly24
fix(harness): --no-memory disables managed memory instead of omitting it
9b0e903 
In the gated-off path, add harness --no-memory wrote a spec that omitted the
memory config entirely. The AgentCore service treats omitted memory as
'auto-provision a managed memory', so a 'no memory' harness got a managed
memory harness_<physicalName>_<hash> its execution role wasn't scoped for —
invoke then failed with AccessDenied on bedrock-agentcore:ListEvents.

CDK #287 granted permissions for the omitted case as a workaround, because the
CFN Harness resource could not express a memory opt-out then. That is no longer
true: Memory: { Disabled: {} } shipped in the CDK (#273) and the vended project
resolves ^0.1.0-alpha.19 to the latest published alpha, which has it.

buildLegacyMemoryRef now returns { mode: 'disabled' } for --no-memory instead of
undefined, a true opt-out that maps to CFN Memory: { Disabled: {} } — no memory
is created, no grant is needed. Strengthen the --no-memory integ test to assert
the spec carries memory.mode 'disabled'.

Closes #1628
@aidandaly24 aidandaly24 requested a review from a team June 23, 2026 21:44
@github-actions github-actions Bot added the size/xs PR size: XS label Jun 23, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 23, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 23, 2026
@agentcore-devx-automation

agentcore-devx-automation Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 23, 2026
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.20.2.tgz

How to install

gh release download pr-1629-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz

@aidandaly24 aidandaly24 deleted the fix/harness-no-memory-disables-managed-memory branch June 23, 2026 21:45
agentcore-cli-automation
agentcore-cli-automation approved these changes Jun 23, 2026
View reviewed changes

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to merge.

Verified the fix:

  • The legacy (gated-OFF) buildLegacyMemoryRef now correctly emits { mode: 'disabled' } for --no-memory instead of returning undefined, which prevents the AgentCore service from auto-provisioning an unwanted managed memory the harness role can't read.
  • The gated-ON path (buildMemoryRef at lines 1216–1218) already handled skipMemory correctly, so the change is correctly scoped to just the legacy path.
  • The narrowed condition (skipMemory is the only way to reach the !options.memoryArn && !name branch in legacy mode, since autoCreateMemoryName is otherwise ${name}Memory) means the : undefined fallback is effectively defensive — fine.
  • Pulled @aws/agentcore-cdk@0.1.0-alpha.39 (which the vended ^0.1.0-alpha.19 resolves to under npm prerelease semver) and confirmed it both maps mode === 'disabled'Memory: { Disabled: {} } in harness-cfn-mapping.js and gates the memory role grant via managedMemory = spec.memory?.mode !== 'disabled' in AgentCoreHarnessEnvironment.js. So the CLI-only change is sufficient end-to-end.
  • The integ-test addition asserts spec.memory?.mode === 'disabled' against a real on-disk harness.json written by the CLI — no mocking concerns.
  • No new telemetry instrumentation needed; the existing return value memoryMode: memoryRef?.mode (line 442) will now naturally report 'disabled' for this path instead of undefined, which is actually an improvement for observability.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 23, 2026
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.03% 13554 / 36602
🔵 Statements 36.3% 14411 / 39696
🔵 Functions 31.69% 2327 / 7343
🔵 Branches 30.78% 8926 / 28994
Generated in workflow #3788 for commit 9b0e903 by the Vitest Coverage Report Action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@agentcore-cli-automation agentcore-cli-automation agentcore-cli-automation approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug(harness): --no-memory omits memory instead of disabling it, so the service auto-creates managed memory

2 participants

@aidandaly24 @agentcore-cli-automation