Skip to content

feat(payments): add AgentCore Payments as first-class CLI resource #1261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aidandaly24 wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat(payments): add AgentCore Payments as first-class CLI resource #1261

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
fbee47b
feat(payments): add AgentCore Payments as first-class CLI resource
aidandaly24 Jun 2, 2026
5e9dd0d
fix(payments): route vended CDK spec access through specAny
aidandaly24 Jun 2, 2026
ab9408e
Merge remote-tracking branch 'origin/main' into feat/payments
aidandaly24 Jun 2, 2026
27065eb
ci(e2e): wire CoinbaseCDP creds into payment deploy test
aidandaly24 Jun 3, 2026
2111928
Merge remote-tracking branch 'origin/main' into feat/payments
aidandaly24 Jun 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion .github/workflows/e2e-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ jobs:
if [ -n "$HELPERS_CHANGED" ]; then
GA_EXTRA=$(find e2e-tests -name '*.test.ts' \
| grep -v '^e2e-tests/strands-bedrock\.test\.ts$' \
| grep -v '^e2e-tests/payment-strands-bedrock\.test\.ts$' \
| grep -v '^e2e-tests/harness-' \
| tr '\n' ' ')
HARNESS_EXTRA=$(find e2e-tests -name 'harness-*.test.ts' \
Expand All @@ -131,6 +132,7 @@ jobs:
else
GA_EXTRA=$(git diff --name-only "$BASE_SHA"..HEAD -- 'e2e-tests/*.test.ts' \
| grep -v '^e2e-tests/strands-bedrock\.test\.ts$' \
| grep -v '^e2e-tests/payment-strands-bedrock\.test\.ts$' \
| grep -v '^e2e-tests/harness-' \
| tr '\n' ' ')
HARNESS_EXTRA=$(git diff --name-only "$BASE_SHA"..HEAD -- 'e2e-tests/harness-*.test.ts' \
Expand All @@ -149,7 +151,16 @@ jobs:
ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }}
OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }}
GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }}
run: npx vitest run --project e2e e2e-tests/strands-bedrock.test.ts ${{ steps.changed.outputs.ga_extra }}
# CoinbaseCDP testnet creds for payment-strands-bedrock.test.ts. Sourced from
# the same E2E secret (keys CDP_API_KEY_ID / CDP_API_KEY_SECRET / CDP_WALLET_SECRET),
# which parse-json-secrets surfaces as E2E_CDP_*; remapped here to the unprefixed
# names the test reads. Absent on forks -> test self-skips via its hasCdpCreds gate.
CDP_API_KEY_ID: ${{ env.E2E_CDP_API_KEY_ID }}
CDP_API_KEY_SECRET: ${{ env.E2E_CDP_API_KEY_SECRET }}
CDP_WALLET_SECRET: ${{ env.E2E_CDP_WALLET_SECRET }}
run:
npx vitest run --project e2e e2e-tests/strands-bedrock.test.ts e2e-tests/payment-strands-bedrock.test.ts ${{
steps.changed.outputs.ga_extra }}

- name: Install preview CLI globally
run: npm install -g "$PREVIEW_TARBALL"
Expand Down
6 changes: 4 additions & 2 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,9 @@ These options are available on all commands:

- `create` - Create new AgentCore project
- `add` - Add resources (agent, memory, credential, evaluator, online-eval, gateway, gateway-target, policy-engine,
policy)
policy, payment-manager, payment-connector)
- `remove` - Remove resources (agent, memory, credential, evaluator, online-eval, gateway, gateway-target,
policy-engine, policy, all)
policy-engine, policy, payment-manager, payment-connector, all)
- `deploy` - Deploy infrastructure to AWS
- `status` - Check deployment status
- `dev` - Local development server (CodeZip: uvicorn with hot-reload; Container: Docker build + run with volume mount)
Expand Down Expand Up @@ -88,6 +88,8 @@ Current primitives:
- `GatewayTargetPrimitive` — gateway target creation/removal with code generation
- `PolicyEnginePrimitive` — Cedar policy engine creation/removal
- `PolicyPrimitive` — Cedar policy creation/removal within policy engines
- `PaymentManagerPrimitive` — payment manager creation/removal with agent code wiring
- `PaymentConnectorPrimitive` — payment connector creation/removal with credential management

Singletons are created in `registry.ts` and wired into CLI commands via `cli.ts`. See `src/cli/AGENTS.md` for details on
adding new primitives.
Expand Down
149 changes: 117 additions & 32 deletions docs/commands.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,14 +140,14 @@ agentcore status --runtime-id abc123
agentcore status --json
```

| Flag | Description |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `--runtime-id <id>` | Look up a specific runtime by ID |
| `--target <name>` | Select deployment target |
| `--type <type>` | Filter by resource type: `agent`, `memory`, `credential`, `gateway`, `evaluator`, `online-eval`, `policy-engine`, `policy` |
| `--state <state>` | Filter by deployment state: `deployed`, `local-only`, `pending-removal` |
| `--runtime <name>` | Filter to a specific runtime |
| `--json` | JSON output |
| Flag | Description |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| `--runtime-id <id>` | Look up a specific runtime by ID |
| `--target <name>` | Select deployment target |
| `--type <type>` | Filter by resource type: `agent`, `memory`, `credential`, `gateway`, `evaluator`, `online-eval`, `payment`, `policy-engine`, `policy` |
| `--state <state>` | Filter by deployment state: `deployed`, `local-only`, `pending-removal` |
| `--runtime <name>` | Filter to a specific runtime |
| `--json` | JSON output |

### validate

Expand Down Expand Up @@ -473,6 +473,85 @@ agentcore add gateway-target \
> `open-api-schema` requires `--outbound-auth` (`oauth` or `api-key`). `api-gateway` supports `api-key` or `none`.
> `mcp-server` supports `oauth` or `none`.

### add payment-manager

Add a payment manager to the project. See [Payments](payments.md) for full usage guide.

```bash
# Minimal (defaults: AWS_IAM, interceptor, auto-payment enabled)
agentcore add payment-manager --name MyManager

# With CUSTOM_JWT authorization
agentcore add payment-manager \
--name MyManager \
--authorizer-type CUSTOM_JWT \
--discovery-url https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXX/.well-known/openid-configuration \
--allowed-clients "client-id-1,client-id-2"

# With advanced options
agentcore add payment-manager \
--name MyManager \
--auto-payment true \
--default-spend-limit 25.00 \
--tool-allowlist "web_search,fetch_url" \
--network-preferences "eip155:84532"
```

| Flag | Description |
| ---------------------------------- | ----------------------------------------------------- |
| `--name <name>` | Manager name (required in non-interactive mode) |
| `--authorizer-type <type>` | `AWS_IAM` (default) or `CUSTOM_JWT` |
| `--discovery-url <url>` | OIDC discovery URL (required for CUSTOM_JWT) |
| `--allowed-clients <clients>` | Comma-separated client IDs (CUSTOM_JWT only) |
| `--allowed-audience <audience>` | Comma-separated allowed audiences (CUSTOM_JWT only) |
| `--allowed-scopes <scopes>` | Comma-separated allowed scopes (CUSTOM_JWT only) |
| `--pattern <pattern>` | `interceptor` (default) or `tool-based` |
| `--auto-payment [value]` | Enable automatic payment: `true` (default) or `false` |
| `--default-spend-limit <amount>` | Default session spend limit in USD (default: `10.00`) |
| `--tool-allowlist <tools>` | Comma-separated tool names eligible for payment |
| `--network-preferences <networks>` | Comma-separated network IDs (e.g., `eip155:84532`) |
| `--description <desc>` | Human-readable description |
| `--json` | JSON output |

### add payment-connector

Add a payment connector to an existing payment manager. See [Payments](payments.md) for credential details.

```bash
# CoinbaseCDP provider
agentcore add payment-connector \
--manager MyManager \
--name MyCDPConnector \
--provider CoinbaseCDP \
--api-key-id your-api-key-id \
--api-key-secret your-api-key-secret \
--wallet-secret your-wallet-secret

# StripePrivy provider
agentcore add payment-connector \
--manager MyManager \
--name MyStripeConnector \
--provider StripePrivy \
--app-id your-app-id \
--app-secret your-app-secret \
--authorization-private-key your-private-key \
--authorization-id your-auth-id
```

| Flag | Description |
| ----------------------------------- | ------------------------------------------ |
| `--manager <name>` | Parent payment manager (required) |
| `--name <name>` | Connector name (required) |
| `--provider <provider>` | `CoinbaseCDP` (default) or `StripePrivy` |
| `--api-key-id <id>` | Coinbase CDP API Key ID |
| `--api-key-secret <secret>` | Coinbase CDP API Key Secret |
| `--wallet-secret <secret>` | Coinbase CDP Wallet Secret |
| `--app-id <id>` | Privy App ID (StripePrivy) |
| `--app-secret <secret>` | Privy App Secret (StripePrivy) |
| `--authorization-private-key <key>` | ECDSA P-256 private key (StripePrivy) |
| `--authorization-id <id>` | Authorization key identifier (StripePrivy) |
| `--json` | JSON output |

### add credential

Add a credential to the project. Supports API key and OAuth credential types.
Expand Down Expand Up @@ -739,19 +818,22 @@ agentcore remove runtime-endpoint --name prod
agentcore remove dataset --name MyDataset
agentcore remove config-bundle --name MyBundle
agentcore remove ab-test --name PromptComparison
agentcore remove payment-manager --name MyManager -y
agentcore remove payment-connector --name MyCDPConnector --manager MyManager -y

# Reset everything
agentcore remove all -y
agentcore remove all --dry-run # Preview
```

| Flag | Description |
| ------------------- | ------------------------------------------------- |
| `--name <name>` | Resource name |
| `--engine <engine>` | Policy engine name (required for `remove policy`) |
| `-y, --yes` | Skip confirmation |
| `--dry-run` | Preview (`remove all` only) |
| `--json` | JSON output |
| Flag | Description |
| ------------------- | --------------------------------------------------------- |
| `--name <name>` | Resource name |
| `--engine <engine>` | Policy engine name (required for `remove policy`) |
| `--manager <name>` | Parent payment manager (required for `payment-connector`) |
| `-y, --yes` | Skip confirmation |
| `--dry-run` | Preview (`remove all` only) |
| `--json` | JSON output |

---

Expand Down Expand Up @@ -815,23 +897,26 @@ agentcore invoke --exec "cat /etc/os-release" --json
The prompt can come from four sources, resolved in this precedence order: `--prompt` > positional > `--prompt-file` >
piped stdin. `--prompt-file` combined with piped stdin content returns a collision error — pick one.

| Flag | Description |
| ---------------------- | ---------------------------------------------------------------- |
| `[prompt]` | Prompt text (positional argument) |
| `--prompt <text>` | Prompt text (flag, takes precedence over positional) |
| `--prompt-file <path>` | Read the prompt from a file (useful for long / structured input) |
| `--runtime <name>` | Specific runtime |
| `--target <name>` | Deployment target |
| `--session-id <id>` | Continue a specific session |
| `--user-id <id>` | User ID for runtime invocation (default: `default-user`) |
| `--stream` | Stream response in real-time |
| `--tool <name>` | MCP tool name (use with `call-tool` prompt) |
| `--input <json>` | MCP tool arguments as JSON (use with `--tool`) |
| `-H, --header <h>` | Custom header (`"Name: Value"`, repeatable) |
| `--bearer-token <t>` | Bearer token for CUSTOM_JWT auth |
| `--exec` | Execute a shell command in the runtime container |
| `--timeout <seconds>` | Timeout in seconds for `--exec` commands |
| `--json` | JSON output |
| Flag | Description |
| ------------------------------ | ---------------------------------------------------------------- |
| `[prompt]` | Prompt text (positional argument) |
| `--prompt <text>` | Prompt text (flag, takes precedence over positional) |
| `--prompt-file <path>` | Read the prompt from a file (useful for long / structured input) |
| `--runtime <name>` | Specific runtime |
| `--target <name>` | Deployment target |
| `--session-id <id>` | Continue a specific session |
| `--user-id <id>` | User ID for runtime invocation (default: `default-user`) |
| `--stream` | Stream response in real-time |
| `--tool <name>` | MCP tool name (use with `call-tool` prompt) |
| `--input <json>` | MCP tool arguments as JSON (use with `--tool`) |
| `-H, --header <h>` | Custom header (`"Name: Value"`, repeatable) |
| `--bearer-token <t>` | Bearer token for CUSTOM_JWT auth |
| `--payment-instrument-id <id>` | Payment instrument ID for x402 payments |
| `--payment-session-id <id>` | Payment session ID for budget tracking |
| `--auto-session` | Auto-create/reuse a payment session for testing |
| `--exec` | Execute a shell command in the runtime container |
| `--timeout <seconds>` | Timeout in seconds for `--exec` commands |
| `--json` | JSON output |

Piped stdin is auto-detected: when no prompt is supplied and stdin is not a TTY, the prompt is read from stdin.

Expand Down
Loading
Loading