Replace AgentCore toolkit with CDK, fix vulnerabilities, cleanup improvements

Author: ggChris2

README.md

@@ -74,7 +74,7 @@ The numbers in the following flow correspond to an autonomous agent executing st
 
 6. **Payment Authorization:** The agent calls `make_payment`. The tool verifies sufficient balance exists and sets `auth:true` in session storage. This marks the user's intent to proceed with payment but does not transfer funds
 
-7. **Initial x402 Request:** The agent calls `generate_image` again. The tool finds auth: true and creates an x402 HTTP client using the CDP AgentKit wallet's dynamically exported private key. The client sends a POST request to Amazon API Gateway without an `PAYMENT-SIGNATURE` header.
+7. **Initial x402 Request:** The agent calls `generate_image` again. The tool finds `auth:true` and creates an x402 HTTP client using the CDP AgentKit wallet's dynamically exported private key. The client sends a POST request to Amazon API Gateway without an `PAYMENT-SIGNATURE` header.
 
 8. **402 Payment Required:** AWS Lambda receives the request and returns `HTTP 402` with payment requirements. The response includes the USDC amount in wei, seller wallet address, USDC contract address, and `EIP-712` domain parameters (name: 'USDC', version: '2', chainId: 84532).
 
@@ -150,9 +150,8 @@ Agentic maintains warm WebSocket connections, eliminating connection establishme
 4. AWS CLI configured with credentials
 5. USDC on Base Sepolia for testing (obtain from [Circle Faucet](https://faucet.circle.com/))
 6. WalletConnect Project ID from [Reown Cloud](https://cloud.reown.com)
-7. Python 3.11 or later (required for AgentCore CLI, installed in Step 5.3)
-8. CDP API credentials from [Coinbase Developer Platform](https://portal.cdp.coinbase.com)
-9. Bash shell (Windows users: use WSL or Git Bash)
+7. CDP API credentials from [Coinbase Developer Platform](https://portal.cdp.coinbase.com)
+8. Bash shell (Windows users: use WSL or Git Bash)
 
 #### Clone Repository
 
@@ -462,36 +461,30 @@ APP_ID=$(aws amplify list-apps --query "apps[?name=='ai-content-monetization'].a
 aws amplify delete-app --app-id $APP_ID
 ```
 
-**2. Delete AgentCore Runtime and Memory (if deployed):**
+**2. Delete Agentic CDK stack:**
 
 ```bash
-cd agentic
-source venv/bin/activate
-agentcore destroy
+cd agentic/cdk && cdk destroy --force && cd ../..
 ```
 
-**3. Delete ECR repository (if created):**
+**3. Delete Serverless CDK stack:**
 
 ```bash
-aws ecr delete-repository --repository-name bedrock-agentcore-agent --force
-```
-
-**4. Delete Agentic CDK stack:**
-
-```bash
-cd cdk && cdk destroy --force && cd ../..
+cd serverless && cdk destroy --force && cd ..
 ```
 
-**5. Delete Serverless CDK stack:**
+**4. Delete CloudWatch log groups:**
 
 ```bash
-cd serverless && cdk destroy --force && cd ..
+for prefix in "/aws/lambda/AiContent" "/aws/lambda/X402" "/aws/codebuild/X402" "/aws/bedrock-agentcore/runtimes/x402_payment_agent"; do
+  aws logs describe-log-groups --log-group-name-prefix "$prefix" --query 'logGroups[*].logGroupName' --output text | xargs -n1 aws logs delete-log-group --log-group-name 2>/dev/null
+done
 ```
 
-**6. Clean up local files:**
+**5. Clean up local files:**
 
 ```bash
-rm -rf node_modules/ dist/ serverless/node_modules/ serverless/cdk.out/ serverless/outputs.json serverless/lib/*.js serverless/lib/*.d.ts serverless/bin/*.js serverless/bin/*.d.ts agentic/cdk/node_modules/ agentic/cdk/cdk.out/ agentic/venv/ agentic/.bedrock_agentcore/ agentic/.bedrock_agentcore.yaml
+rm -rf node_modules/ dist/ serverless/node_modules/ serverless/cdk.out/ serverless/outputs.json serverless/lib/*.js serverless/lib/*.d.ts serverless/bin/*.js serverless/bin/*.d.ts agentic/cdk/node_modules/ agentic/cdk/cdk.out/ agentic/lambda/node_modules/
 ```
 
 ## Troubleshooting

agentic/.env-sample

@@ -13,11 +13,16 @@ USDC_CONTRACT=0x036CbD53842c5426634e7929541eC2318f3dCF7e
 # Seller Wallet (receives payments)
 SELLER_WALLET=your_seller_wallet_address
 
-# Gateway URL (set after CDK deployment without trailing slash)
-GATEWAY_URL=https://your-api-gateway-url.execute-api.us-east-1.amazonaws.com
-
 # AWS Region
 AWS_REGION=us-east-1
 
-# AgentCore Memory (BEDROCK_AGENTCORE_MEMORY_ID automatically set after AgentCore Runtime deployment)
+# ============================================================================
+# AUTO-GENERATED BY CDK (do not set manually)
+# These values are automatically set after running 'cdk deploy' via agentic-export.sh
+# ============================================================================
+
+# Gateway URL (set after CDK deployment without trailing slash)
+GATEWAY_URL=
 
+# AgentCore Memory ID (automatically created by CDK)
+BEDROCK_AGENTCORE_MEMORY_ID=

agentic/README.md

@@ -34,7 +34,7 @@ The numbers in the following flow correspond to an autonomous agent executing st
 
 6. **Payment Authorization:** The agent calls `make_payment`. The tool verifies sufficient balance exists and sets `auth:true` in session storage. This marks the user's intent to proceed with payment but does not transfer funds
 
-7. **Initial x402 Request:** The agent calls `generate_image` again. The tool finds auth: true and creates an x402 HTTP client using the CDP AgentKit wallet's dynamically exported private key. The client sends a POST request to Amazon API Gateway without an `PAYMENT-SIGNATURE` header.
+7. **Initial x402 Request:** The agent calls `generate_image` again. The tool finds `auth:true` and creates an x402 HTTP client using the CDP AgentKit wallet's dynamically exported private key. The client sends a POST request to Amazon API Gateway without an `PAYMENT-SIGNATURE` header.
 
 8. **402 Payment Required:** AWS Lambda receives the request and returns `HTTP 402` with payment requirements. The response includes the USDC amount in wei, seller wallet address, USDC contract address, and `EIP-712` domain parameters (name: 'USDC', version: '2', chainId: 84532).
 

agentic/agentic-export.sh

@@ -1,40 +1,75 @@
 #!/bin/bash
 
-# Export CDK stack outputs to agentic .env file
+# Export CDK stack outputs to agentic .env file and root .env file
 STACK_NAME="X402GatewayStack"
 ENV_FILE=".env"
+ROOT_ENV_FILE="../.env"
 
 echo "Fetching CDK outputs from $STACK_NAME..."
 
 # Get stack outputs
 GATEWAY_URL=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
   --query "Stacks[0].Outputs[?OutputKey=='ApiUrl'].OutputValue" --output text)
 
+MEMORY_ID=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
+  --query "Stacks[0].Outputs[?OutputKey=='MemoryId'].OutputValue" --output text)
+
+AGENT_RUNTIME_ARN=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
+  --query "Stacks[0].Outputs[?OutputKey=='AgentRuntimeArn'].OutputValue" --output text)
+
 if [ -z "$GATEWAY_URL" ] || [ "$GATEWAY_URL" == "None" ]; then
-  echo "Error: Could not retrieve stack outputs. Ensure the stack is deployed."
+  echo "Error: Could not retrieve GATEWAY_URL. Ensure the stack is deployed."
   exit 1
 fi
 
-# Remove trailing slash
+# Remove trailing slash from GATEWAY_URL
 GATEWAY_URL="${GATEWAY_URL%/}"
 
 echo "Retrieved outputs:"
 echo "  GATEWAY_URL: $GATEWAY_URL"
+echo "  BEDROCK_AGENTCORE_MEMORY_ID: $MEMORY_ID"
+echo "  AGENT_RUNTIME_ARN: $AGENT_RUNTIME_ARN"
 
 # Check if .env exists
 if [ ! -f "$ENV_FILE" ]; then
-  echo "Error: $ENV_FILE not found. Run 'cp .env.sample .env' first."
+  echo "Error: $ENV_FILE not found. Run 'cp .env-sample .env' first."
   exit 1
 fi
 
-# Update .env file
-if grep -q "^GATEWAY_URL=" "$ENV_FILE"; then
-  sed -i.bak "s|^GATEWAY_URL=.*|GATEWAY_URL=${GATEWAY_URL}|" "$ENV_FILE"
-else
-  echo "GATEWAY_URL=${GATEWAY_URL}" >> "$ENV_FILE"
+# Update agentic/.env file
+update_env_var() {
+  local file=$1
+  local key=$2
+  local value=$3
+  
+  if grep -q "^${key}=" "$file" 2>/dev/null; then
+    sed -i.bak "s|^${key}=.*|${key}=${value}|" "$file"
+  else
+    echo "${key}=${value}" >> "$file"
+  fi
+}
+
+# Update GATEWAY_URL in agentic/.env
+update_env_var "$ENV_FILE" "GATEWAY_URL" "$GATEWAY_URL"
+
+# Update BEDROCK_AGENTCORE_MEMORY_ID in agentic/.env
+if [ -n "$MEMORY_ID" ] && [ "$MEMORY_ID" != "None" ]; then
+  update_env_var "$ENV_FILE" "BEDROCK_AGENTCORE_MEMORY_ID" "$MEMORY_ID"
+fi
+
+# Update AGENT_RUNTIME_ARN in root .env (for serverless stack)
+if [ -n "$AGENT_RUNTIME_ARN" ] && [ "$AGENT_RUNTIME_ARN" != "None" ]; then
+  if [ -f "$ROOT_ENV_FILE" ]; then
+    update_env_var "$ROOT_ENV_FILE" "AGENT_RUNTIME_ARN" "$AGENT_RUNTIME_ARN"
+    echo ""
+    echo "AGENT_RUNTIME_ARN exported to $ROOT_ENV_FILE"
+  else
+    echo "Warning: $ROOT_ENV_FILE not found. AGENT_RUNTIME_ARN not exported to root."
+  fi
 fi
 
-rm -f "${ENV_FILE}.bak"
+# Clean up backup files
+rm -f "${ENV_FILE}.bak" "${ROOT_ENV_FILE}.bak" 2>/dev/null
 
 echo ""
-echo "GATEWAY_URL exported to $ENV_FILE"
+echo "GATEWAY_URL and BEDROCK_AGENTCORE_MEMORY_ID exported to $ENV_FILE"

agentic/cdk/cdk.json

@@ -1,3 +1,25 @@
 {
-  "app": "node stack.js"
+  "app": "node stack.js",
+  "watch": {
+    "include": ["**"],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "node_modules",
+      "**/*.d.ts",
+      "**/*.js.map"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
+  }
 }

agentic/cdk/package-lock.json

@@ -3,16 +3,16 @@
   "version": "1.0.0",
   "scripts": {
     "deploy": "cdk deploy --require-approval never",
-    "destroy": "cdk destroy"
+    "destroy": "cdk destroy",
+    "synth": "cdk synth"
   },
   "devDependencies": {
     "esbuild": "^0.25.0"
   },
   "dependencies": {
-    "aws-cdk-lib": "^2.100.0",
+    "aws-cdk-lib": "^2.220.0",
     "constructs": "^10.0.0",
     "cdk-nag": "^2.28.0",
-    "dotenv": "^16.4.5",
-    "hono": "^4.0.0"
+    "dotenv": "^16.4.5"
   }
 }