From 9b0e9033f648b2372476576ad863df75f9c068db Mon Sep 17 00:00:00 2001
From: Aidan Daly
Date: Tue, 23 Jun 2026 21:44:23 +0000
Subject: [PATCH] fix(harness): --no-memory disables managed memory instead of omitting it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the gated-off path, add harness --no-memory wrote a spec that omitted the memory config entirely. The AgentCore service treats omitted memory as 'auto-provision a managed memory', so a 'no memory' harness got a managed memory harness__ its execution role wasn't scoped for — invoke then failed with AccessDenied on bedrock-agentcore:ListEvents. CDK #287 granted permissions for the omitted case as a workaround, because the CFN Harness resource could not express a memory opt-out then. That is no longer true: Memory: { Disabled: {} } shipped in the CDK (#273) and the vended project resolves ^0.1.0-alpha.19 to the latest published alpha, which has it. buildLegacyMemoryRef now returns { mode: 'disabled' } for --no-memory instead of undefined, a true opt-out that maps to CFN Memory: { Disabled: {} } — no memory is created, no grant is needed. Strengthen the --no-memory integ test to assert the spec carries memory.mode 'disabled'. Closes #1628
---
 integ-tests/add-remove-harness.test.ts | 6 ++++++
 src/cli/primitives/HarnessPrimitive.ts | 11 +++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/integ-tests/add-remove-harness.test.ts b/integ-tests/add-remove-harness.test.ts
index 7893c5e8a..97940ff52 100644
--- a/integ-tests/add-remove-harness.test.ts
+++ b/integ-tests/add-remove-harness.test.ts
@@ -139,6 +139,12 @@ describe('integration: harness configuration options', () => {
 const configAfter = await readProjectConfig(project.projectPath);
 const memoriesAfter = (configAfter.memories ?? []).length;
 expect(memoriesAfter).toBe(memoriesBefore);
+
+ // --no-memory must write an explicit `disabled` ref, not omit memory: an omitted memory
+ // config makes the service auto-provision a managed memory the execution role can't read
+ // (AccessDenied on ListEvents at invoke). `disabled` maps to CFN Memory: { Disabled: {} }.
+ const spec = await readHarnessSpec(project.projectPath, name);
+ expect(spec.memory?.mode).toBe('disabled');
 });
 
 it('adds harness with non-bedrock model provider', async () => {
diff --git a/src/cli/primitives/HarnessPrimitive.ts b/src/cli/primitives/HarnessPrimitive.ts
index 8bbc2dceb..500b91432 100644
--- a/src/cli/primitives/HarnessPrimitive.ts
+++ b/src/cli/primitives/HarnessPrimitive.ts
@@ -1233,14 +1233,21 @@ export class HarnessPrimitive extends BasePrimitive
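Review bot: The added assertion `expect(spec.memory?.mode).toBe('disabled')` pins only the `mode` field, so a memory ref that says `disabled` but still carries other fields (a leftover name or ARN, for instance) would pass. The commit message states that buildLegacyMemoryRef returns exactly `{ mode: 'disabled' }`, so `expect(spec.memory).toEqual({ mode: 'disabled' });` would check the whole ref and fail with a clearer message when `memory` is missing. The check also covers only the spec written to disk: the mapping to CFN `Memory: { Disabled: {} }` named in the comment is not exercised here, so the claim that no memory is created and no grant is needed presumably relies on a synth-level test elsewhere. The enclosing `it(...)` block starts outside the hunk.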