Skip to content

feat: add EFS and S3 filesystem mount support (BYO agents and harness)#1436

Open
padmak30 wants to merge 1 commit into
mainfrom
feat/byo-filesystem-new
Open

feat: add EFS and S3 filesystem mount support (BYO agents and harness)#1436
padmak30 wants to merge 1 commit into
mainfrom
feat/byo-filesystem-new

Conversation

@padmak30
Copy link
Copy Markdown
Contributor

@padmak30 padmak30 commented Jun 2, 2026

Adds session storage, EFS access point, and S3 Files access point filesystem mounts across the full stack: CLI flags, TUI wizard steps, schema validation, CDK IAM permissions, and generated agent templates.

CLI (agentcore create / add agent / add harness):

  • --session-storage-mount-path, --efs-access-point-arn/--efs-mount-path, --s3-access-point-arn/--s3-mount-path flags on create and add agent
  • Harness create path wires filesystem flags through to harness.json
  • Sync validation: ARN format, paired flags, max mounts, VPC requirement in both validateCreateOptions and validateCreateHarnessOptions
  • Async validation: L1 access point exists, L2 VPC/AZ topology, L3 SG in agent create, add agent, and harness create paths
  • Level 3 SG check uses EFS/S3 ARN region (not agent region) for mount target SG queries; validation reads deployment region from aws-targets.json

TUI wizard:

  • EFS/S3 two-step ARN→path entry with add/edit/remove review screens
  • Shared useFilesystemMountState hook (generate wizard + BYO + harness)
  • Shared buildMountListItems helper
  • Session-storage advanced setting in harness wizard includes EFS/S3 steps
  • VPC warning and validation on harness EFS/S3 ARN steps
  • Harness TUI add flow forwards efsAccessPoints/s3AccessPoints to primitive

Schema:

  • FilesystemConfigurationSchema union (sessionStorage | efsAccessPoint | s3FilesAccessPoint) with z.strictObject, duplicate path detection, max-count enforcement, VPC requirement
  • EFS_ACCESS_POINT_ARN_PATTERN / S3_FILES_ACCESS_POINT_ARN_PATTERN constants shared between CLI validators and Zod schema
  • HarnessSpec gains efsAccessPoints/s3AccessPoints with VPC enforcement and duplicate mount path validation

CDK / deploy:

  • AgentCoreRuntime: typed filesystemConfigurations props (aws-cdk-lib 2.257)
  • AgentCoreHarnessRole: EFS ClientMount/ClientWrite and S3 Files ClientMount/ClientWrite IAM policies when mounts are configured
  • harness-mapper writes all three filesystem types; hasFilesystem uses correct boolean coercion; mount paths normalized (trailing slash stripped)
  • Vended cdk-stack.ts and bin/cdk.ts include new HarnessConfig fields

Templates:

  • HTTP, A2A, AGUI, MCP Python templates render file_read/file_write/ list_files filesystem tools via {{#if needsOs}} blocks
  • needsOs uses || not ?? so S3-only agents correctly generate tools
  • EFS ARN regex constants shared (single source of truth)
  • regionFromEfsArn/regionFromS3FilesArn merged into single regionFromArn

Tests:

  • filesystem-utils.test.ts: ARN format, path validation, pairing, mounts
  • filesystem-roundtrip.test.ts, filesystem-error-quality.test.ts: schema
  • harness-mapper.test.ts: EFS, S3, combined filesystem mapping
  • validate.test.ts: 16 new EFS/S3 validation cases for create path
  • harness-validate.test.ts: 12 new cases for harness create path
  • buildMountListItems.test.ts: 6 cases for mount list item builder
  • schema-mapper.test.ts: 12 filesystem configuration mapping cases
  • useFilesystemMountState.test.tsx: 15 hook handler tests
  • computeByoSteps.test.ts: filesystem step inclusion
  • useGenerateWizard.test.tsx: EFS/S3 flow, edit/remove, deselect

@padmak30 padmak30 requested a review from a team June 2, 2026 06:07
@github-actions github-actions Bot added the size/xl PR size: XL label Jun 2, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 2, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 2, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 2, 2026

Package Tarball

aws-agentcore-0.16.0.tgz

How to install

gh release download pr-1436-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.16.0.tgz

github-code-quality[bot]
github-code-quality Bot found potential problems Jun 2, 2026
View reviewed changes
Comment thread src/assets/python/http/autogen/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Copy link
Copy Markdown
Contributor Author

@padmak30 padmak30 Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are false positives. The .py files under src/assets/python/ are Handlebars templates, not executable Python. The {{#if ...}}, {{#each ...}}, and {{/if}} directives are intentional — they are rendered at
project creation time by the Handlebars engine into valid Python. This pattern is pre-existing across all templates in the codebase (e.g., src/assets/python/http/strands/base/main.py).

Comment thread src/assets/python/http/googleadk/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Comment thread src/assets/python/a2a/googleadk/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Comment thread src/assets/python/http/langchain_langgraph/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Comment thread src/assets/python/http/openaiagents/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Comment thread src/assets/python/a2a/langchain_langgraph/base/main.py
@@ -1,4 +1,6 @@
{{#if needsOs}}
Comment thread src/assets/python/mcp/standalone/base/main.py
@@ -1,7 +1,65 @@
{{#if needsOs}}
@agentcore-devx-automation
Copy link
Copy Markdown
Contributor

agentcore-devx-automation Bot commented Jun 2, 2026

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 2, 2026
@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 2, 2026
@padmak30
feat: add EFS and S3 filesystem mount support (BYO agents and harness)
578752e 
Adds session storage, EFS access point, and S3 Files access point
filesystem mounts across the full stack: CLI flags, TUI wizard steps,
schema validation, CDK IAM permissions, and generated agent templates.

CLI (agentcore create / add agent / add harness):
- --session-storage-mount-path, --efs-access-point-arn/--efs-mount-path,
  --s3-access-point-arn/--s3-mount-path flags on create and add agent
- Harness create path wires filesystem flags through to harness.json
- Sync validation: ARN format, paired flags, max mounts, VPC requirement
  in both validateCreateOptions and validateCreateHarnessOptions
- Async validation: L1 access point exists, L2 VPC/AZ topology, L3 SG
  in agent create, add agent, and harness create paths
- Level 3 SG check uses EFS/S3 ARN region (not agent region) for mount
  target SG queries; validation reads deployment region from aws-targets.json

TUI wizard:
- EFS/S3 two-step ARN→path entry with add/edit/remove review screens
- Shared useFilesystemMountState hook (generate wizard + BYO + harness)
- Shared buildMountListItems helper
- Session-storage advanced setting in harness wizard includes EFS/S3 steps
- VPC warning and validation on harness EFS/S3 ARN steps
- Harness TUI add flow forwards efsAccessPoints/s3AccessPoints to primitive

Schema:
- FilesystemConfigurationSchema union (sessionStorage | efsAccessPoint |
  s3FilesAccessPoint) with z.strictObject, duplicate path detection,
  max-count enforcement, VPC requirement
- EFS_ACCESS_POINT_ARN_PATTERN / S3_FILES_ACCESS_POINT_ARN_PATTERN
  constants shared between CLI validators and Zod schema
- HarnessSpec gains efsAccessPoints/s3AccessPoints with VPC enforcement
  and duplicate mount path validation

CDK / deploy:
- AgentCoreRuntime: typed filesystemConfigurations props (aws-cdk-lib 2.257)
- AgentCoreHarnessRole: EFS ClientMount/ClientWrite and S3 Files
  ClientMount/ClientWrite IAM policies when mounts are configured
- harness-mapper writes all three filesystem types; hasFilesystem uses
  correct boolean coercion; mount paths normalized (trailing slash stripped)
- Vended cdk-stack.ts and bin/cdk.ts include new HarnessConfig fields

Templates:
- HTTP, A2A, AGUI, MCP Python templates render file_read/file_write/
  list_files filesystem tools via {{#if needsOs}} blocks
- needsOs uses || not ?? so S3-only agents correctly generate tools
- EFS ARN regex constants shared (single source of truth)
- regionFromEfsArn/regionFromS3FilesArn merged into single regionFromArn

Tests:
- filesystem-utils.test.ts: ARN format, path validation, pairing, mounts
- filesystem-roundtrip.test.ts, filesystem-error-quality.test.ts: schema
- harness-mapper.test.ts: EFS, S3, combined filesystem mapping
- validate.test.ts: 16 new EFS/S3 validation cases for create path
- harness-validate.test.ts: 12 new cases for harness create path
- buildMountListItems.test.ts: 6 cases for mount list item builder
- schema-mapper.test.ts: 12 filesystem configuration mapping cases
- useFilesystemMountState.test.tsx: 15 hook handler tests
- computeByoSteps.test.ts: filesystem step inclusion
- useGenerateWizard.test.tsx: EFS/S3 flow, edit/remove, deselect
@padmak30 padmak30 force-pushed the feat/byo-filesystem-new branch from 5e271d7 to 578752e Compare June 2, 2026 07:00
@padmak30 padmak30 deployed to e2e-testing June 2, 2026 07:00 — with GitHub Actions Active
@github-actions github-actions Bot added size/xl PR size: XL and removed size/xl PR size: XL labels Jun 2, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 2, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 2, 2026

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 35.39% 11129 / 31445
🔵 Statements 34.72% 11831 / 34071
🔵 Functions 30.13% 1869 / 6202
🔵 Branches 29.12% 7094 / 24360
Generated in workflow #3424 for commit 578752e by the Vitest Coverage Report Action

@agentcore-devx-automation
Copy link
Copy Markdown
Contributor

agentcore-devx-automation Bot commented Jun 2, 2026

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/xl PR size: XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@padmak30