fix(pause-online-insights): reject mismatched --name and --arn#1601
fix(pause-online-insights): reject mismatched --name and --arn#1601notgitika wants to merge 1 commit into
Conversation
When both a config name and --arn were passed to `agentcore pause/resume online-insights`, the ARN silently won and the name was ignored. If they referred to different configs, the wrong config was paused with no warning. Now we cross-check: if both are provided, look up the named config and verify its configId matches the ARN's. Mismatches return a clear error explaining which config each side resolves to. Passing only one (or matching values) continues to work. Bug bash item aws#15 (P1).
github-actions
Bot
added
the
agentcore-harness-reviewing
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Package TarballHow to installgh release download pr-1601-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz |
agentcore-cli-automation
left a comment
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Nice targeted fix for a real footgun — silently picking the ARN when both were passed was the worst-of-both-worlds behavior. Two concerns worth addressing before merge around how the new cross-validation interacts with the --arn-without-project flow and how thoroughly it cross-checks the two inputs (details inline).
One side note (not introduced by this PR but now affects the new code path): in handlePauseResume, every resolution error is wrapped as ResourceNotFoundError at line 111. The mismatch error this PR adds is a validation/argument error, not a missing-resource error — there's a ValidationError class in src/lib/errors/types.ts that's a better fit and would give telemetry / error-classification downstream the right signal. Feel free to defer if you'd rather keep this PR scoped, but worth a follow-up.
| const arnResolution = parseOnlineEvalConfigArn(options.arn, options.region); | ||
| if (!arnResolution.success) return arnResolution; | ||
|
|
||
| const nameResolution = await resolveOnlineEvalConfig(options.name); |
There was a problem hiding this comment.
When both --arn and a config name are passed, this branch now calls resolveOnlineEvalConfig(options.name) → loadDeployedProjectConfig() unconditionally. But the command layer in src/cli/commands/pause/command.tsx deliberately skips requireProject() whenever --arn is present (lines 38–40 / 129–131):
if (!cliOptions.arn) {
requireProject();
}So a user running this outside a project directory with agentcore pause online-insights some-name --arn arn:... will now hit a ConfigNotFoundError from readProjectSpec() instead of either succeeding (pre-PR behavior) or getting a clear validation message. The throw falls through to the outer try/catch in command.tsx and surfaces as a generic Error: agentcore.json not found ..., which is confusing UX.
A few ways to fix:
- In
command.tsx, always callrequireProject()when anameargument is provided, even alongside--arn. That makes the contract explicit: "if you pass a name, you must be in a project." - In
resolveConfighere, catch theConfigNotFoundError(or check for project presence first) and return a clearer error like"Cannot cross-check config name "X" against --arn: not inside a project. Pass only --arn, or run from a project directory." - Make the cross-check best-effort — if the project can't be loaded, silently fall through to the ARN-only path. (Partly defeats the purpose of the fix, so probably not preferred.)
Option (1) seems cleanest and matches user intent.
| `Pass only one, or pass matching values.`, | ||
| }; | ||
| } | ||
| return arnResolution; |
There was a problem hiding this comment.
Once the configIds match, this returns arnResolution, whose region comes from the ARN (or --region override). But nameResolution.region comes from the project's awsTargets entry for the deployed target. If those disagree, that's the same class of silent name-vs-ARN inconsistency this PR is closing on the configId axis — just on the region axis instead.
Consider also comparing nameResolution.region against arnResolution.region and rejecting (or warning) on mismatch. Otherwise the surface area of "silent disagreement between name and ARN" isn't fully closed.
github-actions
Bot
removed
the
agentcore-harness-reviewing
2 participants
Summary
When both a config name argument and
--arnwere passed toagentcore pause online-insights/agentcore resume online-insights, the ARN silently won and the name was ignored. If the two referred to different configs, the wrong config was paused with no error.Now
resolveConfigcross-checks: if both are provided, the named config is looked up and itsconfigIdmust match the ARN's. Mismatches return a clear error showing which config each side resolves to. Passing only one (or matching values) is unchanged.Bug: "--arn and config name accept mismatched values without checking."