Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-docker/test-invoke.py-51-69 (1)

51-69: ⚠️ Potential issue | 🟡 Minor

Inconsistent content-type checking may miss JSON responses with parameters.

Line 51 uses substring matching (in) which correctly handles content types with parameters (e.g., text/event-stream; charset=utf-8), but Line 61 uses exact equality (==) which would fail for application/json; charset=utf-8, causing such responses to fall through to the raw print branch.

Proposed fix for consistent content-type matching

-        elif response.get("contentType") == "application/json":
+        elif "application/json" in response.get("contentType", ""):

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-docker/test-invoke.py`
around lines 51 - 69, The content-type check is inconsistent: the SSE branch
uses substring matching but the JSON branch uses exact equality on
response.get("contentType"), which misses parameterized types like
"application/json; charset=utf-8"; update the JSON branch to mirror the SSE
check (e.g., check if "application/json" in response.get("contentType", ""))
where response.get("contentType") is referenced so JSON responses with
parameters are handled correctly and not dropped to the raw branch.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/index.js-76-86 (1)

76-86: ⚠️ Potential issue | 🟡 Minor

Add error handling for invalid timezone.

If an invalid timezone string is provided, toLocaleString will throw a RangeError. Consider catching this and returning a user-friendly error message.

Proposed fix

     async ({ timezone }) => {
-      const now = new Date()
-      const options = {
-        timeZone: timezone || 'UTC',
-        dateStyle: 'full',
-        timeStyle: 'long',
+      try {
+        const now = new Date()
+        const options = {
+          timeZone: timezone || 'UTC',
+          dateStyle: 'full',
+          timeStyle: 'long',
+        }
+        return {
+          content: [{ type: 'text', text: now.toLocaleString('en-US', options) }],
+        }
+      } catch (error) {
+        return {
+          content: [{ type: 'text', text: `Invalid timezone: ${timezone}` }],
+          isError: true,
+        }
       }
-      return {
-        content: [{ type: 'text', text: now.toLocaleString('en-US', options) }],
-      }
     },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/index.js`
around lines 76 - 86, The current anonymous async handler that builds `options`
and calls `now.toLocaleString('en-US', options)` can throw a RangeError for
invalid `timezone`; wrap the `toLocaleString` call in a try/catch around the
block that builds and returns `{ content: [...] }`, catch RangeError (and
fallback for any error), and return a user-friendly error response (e.g., `{
content:[{ type:'text', text: 'Invalid timezone provided' }] }`) or a fallback
timezone; reference the anonymous async function and the `options`
object/`timezone` variable so you update that function to handle and return a
safe error message instead of throwing.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter-custom/test-invoke.js-47-52 (1)

47-52: ⚠️ Potential issue | 🟡 Minor

Use a streaming TextDecoder to avoid UTF‑8 boundary corruption.

Decoding each chunk with a fresh decoder can corrupt multi-byte characters split across chunk boundaries. Reuse one decoder with { stream: true } and flush at the end.

🛠️ Suggested fix

-    for await (const chunk of body) {
-      chunks.push(
-        typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk),
-      )
-    }
+    const decoder = new TextDecoder()
+    for await (const chunk of body) {
+      chunks.push(
+        typeof chunk === 'string'
+          ? chunk
+          : decoder.decode(chunk, { stream: true }),
+      )
+    }
+    chunks.push(decoder.decode())

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-code-interpreter-custom/test-invoke.js`
around lines 47 - 52, The current loop decodes each chunk with a new
TextDecoder, which can corrupt multi-byte UTF-8 characters split across chunks;
replace per-chunk decoding with a single persistent TextDecoder constructed with
streaming enabled, use decoder.decode(chunk, { stream: true }) inside the
for-await loop over body (for await (const chunk of body)) to append decoded
piece to chunks, and after the loop call decoder.decode() with no input to flush
remaining bytes before pushing the final string.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/package.json-16-24 (1)

16-24: ⚠️ Potential issue | 🟡 Minor

Dependency versions diverge significantly between this example and others.

This example uses @langchain/core: ^0.3.0 and zod: ^3.23.0, while nearly all other examples (11 out of 13) use @langchain/core: ^1.1.19 and zod: ^4.3.6. The langgraph-basic-dockerfile example also uses the older versions. Consider aligning to the newer versions used by most examples unless there is a specific reason to maintain legacy dependencies.

The node: "24.x" requirement is consistent with most examples in this PR (11 out of 13 use it), though the dockerfile variant permits >=20.0.0. If a broader Node version range would work here, consider using it to improve compatibility.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/package.json`
around lines 16 - 24, Update this example's package.json to align dependency
versions with the majority of examples: bump "@langchain/core" from "^0.3.0" to
"^1.1.19" and "zod" from "^3.23.0" to "^4.3.6" (adjust other `@langchain/`*
packages if needed for compatibility with these versions), and relax the "node"
engines constraint if you want broader compatibility (e.g., change "node":
"24.x" to a wider range such as ">=20.0.0" or match the common examples); verify
the project builds/tests after making these changes and update any code that
breaks due to the dependency upgrades.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/README.md-14-22 (1)

14-22: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks.

Line 14 and Line 41 open fences without a language, which triggers MD040. Adding language hints (e.g., text, yaml) fixes linting and improves readability.

🧩 Suggested fix

-```
+```text
 langgraph-code-interpreter/
 ├── serverless.yml     # Serverless Framework configuration
 ├── agent.py           # LangGraph agent with code interpreter
 ├── Dockerfile         # Container definition
 ├── pyproject.toml     # Python dependencies
 ├── test-invoke.py     # Validation script
 └── README.md          # This file
 ```
@@
-```
+```yaml
 ai:
   agents:
     codeAgent: https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes/arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/.../invocations
 ```

Also applies to: 41-45

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/README.md`
around lines 14 - 22, Update the two fenced code blocks in README.md to include
language identifiers: change the file-tree block that starts with
"langgraph-code-interpreter/" to open with ```text, and change the YAML-looking
block that starts with "ai:\n  agents:\n    codeAgent:" to open with ```yaml;
keep the closing ``` fences as-is so the Markdown linter (MD040) and syntax
highlighting are satisfied.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/index.js-27-28 (1)

27-28: ⚠️ Potential issue | 🟡 Minor

Avoid unconditionally overriding tool-consent bypass.

Line 27–28 forces BYPASS_TOOL_CONSENT to true even when users explicitly set it. Consider only defaulting when it’s unset so explicit configs are respected.

🛠️ Suggested fix

-// Bypass tool consent for automated deployments
-process.env.BYPASS_TOOL_CONSENT = 'true'
+// Bypass tool consent for automated deployments (only if not explicitly set)
+if (process.env.BYPASS_TOOL_CONSENT == null) {
+  process.env.BYPASS_TOOL_CONSENT = 'true'
+}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/index.js`
around lines 27 - 28, The code unconditionally sets
process.env.BYPASS_TOOL_CONSENT = 'true', which overrides any user-provided
value; modify the initialization so it only defaults when unset (e.g., check if
process.env.BYPASS_TOOL_CONSENT is undefined or empty before assigning) so
explicit user configuration is preserved; update the assignment site
(process.env.BYPASS_TOOL_CONSENT) in index.js to perform a
conditional/default-only set.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/README.md-95-104 (1)

95-104: ⚠️ Potential issue | 🟡 Minor

Add a language to the project structure code fence.
Helps markdown tooling and readability.

🛠️ Suggested fix

-```
+```text
 langgraph-streaming/
 ├── serverless.yml    # Serverless Framework configuration
 ├── index.js          # LangGraph JS agent with streaming
 ├── package.json      # npm dependencies
 ├── test-invoke.js    # Test script for streaming invocation
 └── README.md         # This file

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/README.md
around lines 95 - 104, Update the code fence in the README.md project structure
to include a language identifier for better markdown tooling (e.g., change the
opening totext); locate the block that lists the langgraph-streaming
directory and surrounding triple backticks in the README.md and add the language
token immediately after the first backticks so the fence becomes ```text while
keeping the same inner content (the tree listing and comments).

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js-139-145 (1)</summary><blockquote>

`139-145`: _⚠️ Potential issue_ | _🟡 Minor_

**Handle empty agent responses defensively.**  
If `result.messages` is empty, this access will throw. A small guard avoids a hard failure.



<details>
<summary>🛠️ Suggested fix</summary>

```diff
-      const finalMessage = result.messages[result.messages.length - 1]
-      const response = finalMessage.content
+      const finalMessage = result.messages?.[result.messages.length - 1]
+      const response =
+        finalMessage?.content ?? 'Error: Agent returned no response'
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js`
around lines 139 - 145, The code assumes result.messages has at least one
element and directly accesses finalMessage =
result.messages[result.messages.length - 1]; update the handling in the function
that builds and returns response so it defensively checks result.messages (e.g.,
if (!result.messages || result.messages.length === 0) return a sensible default
like an empty string or a fallback message) before computing finalMessage and
response; ensure any downstream use of finalMessage or response (the return path
and console.log) is guarded by that check to avoid runtime exceptions.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js-28-37 (1)</summary><blockquote>

`28-37`: _⚠️ Potential issue_ | _🟡 Minor_

**Guard invalid timezones to avoid runtime errors.**  
`toLocaleString` throws a `RangeError` for invalid timezones. Since the timezone is user-supplied, return a friendly error instead of crashing the handler.



<details>
<summary>🛠️ Suggested fix</summary>

```diff
 const getCurrentTime = tool(
   async ({ timezone }) => {
     const now = new Date()
     const options = {
       timeZone: timezone || 'UTC',
       dateStyle: 'full',
       timeStyle: 'long',
     }
-    return `Current time: ${now.toLocaleString('en-US', options)}`
+    try {
+      return `Current time: ${now.toLocaleString('en-US', options)}`
+    } catch {
+      return `Error: Invalid timezone "${timezone}"`
+    }
   },
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js`
around lines 28 - 37, The getCurrentTime tool currently calls toLocaleString
with a user-supplied timezone which can throw a RangeError for invalid
timezones; wrap the timezone handling in validation and error handling inside
the getCurrentTime function (or the tool wrapper) by attempting to construct an
Intl.DateTimeFormat or otherwise validating the timezone before calling
toLocaleString, and if it fails catch the RangeError and return a friendly error
message (e.g., "Invalid timezone: <value>") instead of letting the handler
crash; ensure you reference getCurrentTime and the tool wrapper when making this
change.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js-28-53 (1)</summary><blockquote>

`28-53`: _⚠️ Potential issue_ | _🟡 Minor_

**Default tags parameter to prevent Object.keys crash.**  
The `tags` parameter lacks a default value. If a caller omits it (or passes undefined), `Object.keys(tags)` will throw a TypeError. Defaulting to an empty object is safe and defensive.

<details>
<summary>Suggested fix</summary>

```diff
 export function compileRuntimeEndpoint(
   agentName,
   endpointName,
   config,
   runtimeLogicalId,
   context,
-  tags,
+  tags = {},
 ) {
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js`
around lines 28 - 53, The function compileRuntimeEndpoint currently calls
Object.keys(tags) but tags can be undefined; update the function signature to
default tags to an empty object (e.g., tags = {}) so Object.keys(tags) is safe,
and ensure any callers still work with the default. Locate
compileRuntimeEndpoint and modify its parameter list to set tags = {} (and
adjust any internal use of tags if needed) so the spread
"(Object.keys(tags).length > 0 && { Tags: tags })" no longer risks a TypeError.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/README.md-57-65 (1)</summary><blockquote>

`57-65`: _⚠️ Potential issue_ | _🟡 Minor_

**Update CLI command examples to match actual command syntax.**

The commands shown in the examples are incorrect:
- `sls invoke agent --agent assistant` should be `sls invoke --agent assistant` (no "agent" subcommand)
- `sls agentcore info` does not exist as a CLI command; use `sls info` for stack information instead

Update lines 57-65 in the README to use the correct command syntax.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/README.md`
around lines 57 - 65, Update the README examples to use the correct Serverless
CLI commands: replace the incorrect "sls invoke agent --agent assistant"
invocation with "sls invoke --agent assistant" (remove the extra "agent"
subcommand) and replace the reference to the non-existent "sls agentcore info"
with "sls info" when instructing users to get their runtime/stack URL; ensure
both updated command examples (the sls invoke invocation and the curl example
that references the runtime URL from `sls info`) are used in the README section
that currently shows the two examples.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/test-invoke.js-57-97 (1)</summary><blockquote>

`57-97`: _⚠️ Potential issue_ | _🟡 Minor_

**Buffer SSE lines across chunks to avoid partial event parsing.**

SSE data can be split mid-line; splitting per chunk can drop or corrupt events. Buffering preserves full lines before parsing.  


<details>
<summary>🔧 Suggested fix</summary>

```diff
-    const chunks = []
-    for await (const chunk of body) {
-      const text =
-        typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk)
+    const decoder = new TextDecoder()
+    let buffer = ''
+    const chunks = []
+    for await (const chunk of body) {
+      const text =
+        typeof chunk === 'string'
+          ? chunk
+          : decoder.decode(chunk, { stream: true })
 
-      /**
-       * Parse SSE lines and extract data payloads
-       */
-      const lines = text.split('\n')
+      /**
+       * Parse SSE lines and extract data payloads
+       */
+      buffer += text
+      const lines = buffer.split('\n')
+      buffer = lines.pop() || ''
       for (const line of lines) {
         if (line.startsWith('data: ')) {
           const data = line.slice(6)
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/test-invoke.js`
around lines 57 - 97, The SSE handler that iterates "for await (const chunk of
body)" must buffer partial lines instead of splitting each chunk independently;
add a string "buffer" before the loop, append each decoded chunk to buffer, then
extract only complete SSE lines (or complete "data: ..." entries) from buffer
for parsing and leave any trailing partial line in buffer for the next
iteration; update the parsing block that currently uses "const lines =
text.split('\n')" to consume from buffer and only process complete lines
(checking for "data: " and "[DONE]") while preserving remainder, and at the end
of the stream process any remaining buffered data into chunks.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/agent.py-163-165 (1)</summary><blockquote>

`163-165`: _⚠️ Potential issue_ | _🟡 Minor_

**Potential `IndexError` if agent returns empty messages.**

If `result["messages"]` is empty, accessing `[-1]` will raise an `IndexError`. Consider adding a guard.


<details>
<summary>🛡️ Proposed fix</summary>

```diff
         # Extract the final response
-        final_message = result["messages"][-1].content
-        logger.info(f"Response: {final_message[:200]}...")
+        messages = result.get("messages", [])
+        if not messages:
+            return {"error": "No response from agent"}
+        final_message = messages[-1].content
+        logger.info(f"Response: {final_message[:200] if final_message else ''}...")
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/agent.py`
around lines 163 - 165, The code blindly indexes result["messages"][-1] which
raises IndexError when messages is empty; update the logic in agent.py (the
block that assigns final_message and calls logger.info) to first get messages =
result.get("messages", []) and check if messages is non-empty before accessing
the last element, otherwise set a safe fallback (e.g., empty string or a "no
messages" note) and log that fallback via logger.info so the code won't crash
when the agent returns no messages.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/serverless.yml-37-49 (1)</summary><blockquote>

`37-49`: _⚠️ Potential issue_ | _🟡 Minor_

**Duplicate IAM action.**

`bedrock-agentcore:InvokeCodeInterpreter` is listed twice (lines 39 and 42). While IAM will deduplicate this, it adds unnecessary noise to the configuration.



<details>
<summary>Proposed fix</summary>

```diff
           - Effect: Allow
             Action:
               - bedrock-agentcore:InvokeCodeInterpreter
               - bedrock-agentcore:CreateCodeInterpreter
               - bedrock-agentcore:StartCodeInterpreterSession
-              - bedrock-agentcore:InvokeCodeInterpreter
               - bedrock-agentcore:StopCodeInterpreterSession
               - bedrock-agentcore:DeleteCodeInterpreter
               - bedrock-agentcore:ListCodeInterpreters
               - bedrock-agentcore:GetCodeInterpreter
               - bedrock-agentcore:GetCodeInterpreterSession
               - bedrock-agentcore:ListCodeInterpreterSessions
             Resource: !GetAtt PublicInterpreterCodeInterpreter.CodeInterpreterArn
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/serverless.yml`
around lines 37 - 49, Remove the duplicate IAM action from the policy Actions
list: locate the IAM policy block where the Action array includes multiple
bedrock-agentcore permissions (including bedrock-agentcore:InvokeCodeInterpreter
twice) and delete the redundant bedrock-agentcore:InvokeCodeInterpreter entry so
each action appears only once; ensure the Action list still contains the other
required permissions (CreateCodeInterpreter, StartCodeInterpreterSession,
StopCodeInterpreterSession, DeleteCodeInterpreter, ListCodeInterpreters,
GetCodeInterpreter, GetCodeInterpreterSession, ListCodeInterpreterSessions) and
leave the Resource reference PublicInterpreterCodeInterpreter.CodeInterpreterArn
unchanged.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md-62-68 (1)</summary><blockquote>

`62-68`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifier to fenced code block.**

The file structure diagram should have a language specified for the fenced code block, as flagged by markdownlint.


<details>
<summary>📝 Proposed fix</summary>

```diff
-```
+```text
 my-agent/
 ├── handler.py          # Entry point (artifact.entryPoint)
 ├── requirements.txt    # Dependencies
 ├── serverless.yml      # Configuration
 └── venv/              # Virtual environment (strongly recommended)
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md around
lines 62 - 68, Add a language identifier to the fenced code block that contains
the directory tree diagram so markdownlint stops flagging it; specifically
change the opening fence for the block that starts with "my-agent/" to include a
language (e.g., use "```text") so the tree diagram is annotated as plain text.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md-72-84 (1)</summary><blockquote>

`72-84`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifier to fenced code block.**

The architecture diagram should have a language specified for the fenced code block.


<details>
<summary>📝 Proposed fix</summary>

```diff
-```
+```text
 dev/index.js (main)
 ├── Detects mode (Docker vs Code)
 ├── Manages AWS credentials
 ├── Handles file watching
 ├── Provides chat interface
 └── Delegates to:
     ├── Docker mode (inline in index.js)
     │   ├── DockerBuilder (builds image)
     │   └── DockerClient (runs container)
     └── Code mode (code-mode.js)
         └── Spawns Python process directly
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md around
lines 72 - 84, The README's architecture diagram fenced code block is missing a
language identifier; update the triple-backtick fence that contains the
"dev/index.js (main) ... Delegates to: ... code-mode.js" diagram by adding a
language tag (e.g., text) after the opening so the block becomestext;
this targets the fenced block showing dev/index.js, DockerBuilder, DockerClient
and code-mode.js in the README.

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/runtime.md-1-1 (1)</summary><blockquote>

`1-1`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove leading whitespace from the opening comment.**

The file starts with leading whitespace before the HTML comment, which may cause issues with some markdown parsers or the docs site processing.


<details>
<summary>📝 Proposed fix</summary>

```diff
-  <!--
+<!--
 title: Serverless Framework - AgentCore Runtime Configuration
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/runtime.md` at line 1, The file begins
with leading whitespace before the HTML opening comment "<!--"; remove any
leading spaces or blank lines so the file starts directly with "<!--" (edit
docs/sf/providers/aws/guide/agents/runtime.md and delete the leading
whitespace/newline characters before the "<!--" token).
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/index.js-103-107 (1)</summary><blockquote>

`103-107`: _⚠️ Potential issue_ | _🟡 Minor_

**Minor typo in schema description.**

There's a trailing space before the closing parenthesis in the divisor description.


<details>
<summary>📝 Proposed fix</summary>

```diff
       b: z.number().describe('Divisor (number to divide by )'),
+      b: z.number().describe('Divisor (number to divide by)'),
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/index.js`
around lines 103 - 107, The schema object's field descriptions have a minor
formatting typo: remove the trailing space before the closing parenthesis in the
description for property b inside the schema (the z.object with properties a and
b) so "Divisor (number to divide by )" becomes "Divisor (number to divide by)";
update the description string for b accordingly.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/code-interpreter.md-219-229 (1)</summary><blockquote>

`219-229`: _⚠️ Potential issue_ | _🟡 Minor_

**Update Zod version to v4 to align with current ecosystem.**

The example specifies `"zod": "^3.23.0"`, but Zod 4 is now the current stable version (released July 2025, currently at v4.3.6). Since `npm i zod` now installs v4.x by default, update the example to `"zod": "^4.0.0"` to prevent version conflicts for users. The code shown uses only basic Zod features compatible with both versions, so no other changes are needed.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/code-interpreter.md` around lines 219 -
229, Update the dependencies JSON to use Zod v4 by changing the "zod" dependency
value from "^3.23.0" to "^4.0.0" in the shown dependencies block (the "zod" key
in the JSON snippet) so the example reflects the current ecosystem and avoids
npm installing v4 by default.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/dev.md-51-64 (1)</summary><blockquote>

`51-64`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifiers to fenced code blocks (MD040).**

markdownlint flagged the untyped fences; adding a language keeps lint clean and improves rendering.


<details>
<summary>📚 Proposed fix</summary>

```diff
-```
+```text
 Dev mode running on http://localhost:8080
@@
-```
+```

-```
+```text
 serverless dev
@@
-```
+```

-```
+```http
 POST http://localhost:<port>/invocations
@@
-```
+```

-```
+```text
 my-agent/
@@
-```
+```
```
</details>


Also applies to: 82-100, 296-304, 363-369

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/dev.md around lines 51 - 64, Add explicit
language identifiers to the untyped fenced code blocks in the referenced
markdown examples: mark the blocks that start with "Dev mode running on
http://localhost:8080" and "serverless dev" and "my-agent/" as text and mark the HTTP request block that begins with "POST http://localhost:<port>/invocations" as http; update all similar untyped
fences (also present around the other ranges mentioned) so markdownlint MD040 is
satisfied and rendering is improved.

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/dev.md-286-286 (1)</summary><blockquote>

`286-286`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove trailing space inside inline code span (MD038).**


<details>
<summary>✂️ Proposed fix</summary>

```diff
-- **Prompt**: Type messages at the `You: ` prompt
+- **Prompt**: Type messages at the `You:` prompt
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/dev.md` at line 286, The inline code span
contains a trailing space ("`You: `") which violates MD038; edit the markdown so
the inline code has no trailing space by changing the inline code token from
`You: ` to `You:` in the sentence "**Prompt**: Type messages at the `You: `
prompt" to remove the trailing whitespace inside the code span.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/commands/info.js-39-76 (1)</summary><blockquote>

`39-76`: _⚠️ Potential issue_ | _🟡 Minor_

**Show gateway info when gateways exist without shared tools.**

`collectAllTools` exposes `hasGateways`, but `showInfo` only checks `hasTools`. This hides gateway info when users define `ai.gateways` with no shared tools.


<details>
<summary>🛠️ Proposed fix</summary>

```diff
-  const { hasTools } = collectAllTools(aiConfig)
-  if (hasTools) {
+  const { hasTools, hasGateways } = collectAllTools(aiConfig)
+  if (hasTools || hasGateways) {
     log.notice('Gateway:')
-    log.notice('  Auto-created gateway for tools')
+    log.notice(
+      hasTools
+        ? '  Auto-created gateway for tools'
+        : '  Gateway configuration detected',
+    )
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/commands/info.js`
around lines 39 - 76, The showInfo function currently only reads hasTools from
collectAllTools and thus skips printing gateway info when ai.gateways exist
without shared tools; update the destructuring from collectAllTools(aiConfig) to
also get hasGateways and change the condition that prints the gateway block to
check (hasTools || hasGateways) or specifically hasGateways where appropriate so
the gateway URL lookup (provider.request + getGatewayLogicalId()) runs when
gateways are defined even if hasTools is false.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/index.js-85-90 (1)</summary><blockquote>

`85-90`: _⚠️ Potential issue_ | _🟡 Minor_

**Prevent `stopSession` failures from masking the root error.**

If `startSession`/navigation fails, an exception in `stopSession` will hide the original error.


<details>
<summary>🛠️ Proposed fix</summary>

```diff
     } finally {
-      // Stop the session - triggers recording upload to S3
-      await browserClient.stopSession()
-      console.log(
-        'Browser session stopped - recording should be uploaded to S3',
-      )
+      try {
+        // Stop the session - triggers recording upload to S3
+        await browserClient.stopSession()
+        console.log(
+          'Browser session stopped - recording should be uploaded to S3',
+        )
+      } catch (stopErr) {
+        console.warn('Failed to stop browser session cleanly:', stopErr)
+      }
     }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/index.js`
around lines 85 - 90, The finally block currently awaits
browserClient.stopSession() which can throw and mask the original error from
startSession/navigation; wrap the stopSession call in its own try/catch inside
the finally (or capture the original error before finally and rethrow it after
catching stopSession errors) so any exception from browserClient.stopSession()
is logged or handled separately (e.g., processLogger.error or console.error with
context) and does not overwrite or suppress the original exception from
startSession/navigation; locate browserClient.stopSession() in the finally block
and implement the isolated try/catch and rethrow logic around it.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/test-invoke.js-69-94 (1)</summary><blockquote>

`69-94`: _⚠️ Potential issue_ | _🟡 Minor_

**Validate ARN presence for the requested agent type.**

If `AGENT_TYPE` is `public` or `private` but the matching ARN is unset, the script can print “All tests completed” without running any test.


<details>
<summary>🛠️ Proposed fix</summary>

```diff
 async function main() {
   console.log('LangGraph Multi-Gateway Agent Test Suite')
   console.log('='.repeat(50) + '\n')

+  if (AGENT_TYPE === 'public' && !PUBLIC_ARN) {
+    console.error('Error: PUBLIC_RUNTIME_ARN must be set when AGENT_TYPE=public.')
+    process.exit(1)
+  }
+  if (AGENT_TYPE === 'private' && !PRIVATE_ARN) {
+    console.error('Error: PRIVATE_RUNTIME_ARN must be set when AGENT_TYPE=private.')
+    process.exit(1)
+  }
+
   // Test public agent
   if ((AGENT_TYPE === 'both' || AGENT_TYPE === 'public') && PUBLIC_ARN) {
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/test-invoke.js`
around lines 69 - 94, The main function currently may skip running tests if
AGENT_TYPE requests a specific type but the matching ARN is missing; add
explicit validation at the start of main (or before invoking tests) that checks
AGENT_TYPE and the corresponding PUBLIC_ARN/PRIVATE_ARN values and fails fast
with a clear error and process.exit(1) if a required ARN is unset; reference
AGENT_TYPE, PUBLIC_ARN, PRIVATE_ARN, main and invokeAgent to locate where to add
the check and update the existing final conditional so it distinguishes between
"no ARNs at all" and "requested agent type missing its ARN".
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py-41-41 (1)</summary><blockquote>

`41-41`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove unnecessary f-string prefix (Ruff F541).**

Line 41 uses an f-string without any variable interpolations (`{}`). The `f` prefix is unnecessary and should be removed:

```diff
-    print(f"🌐 Invoking LangGraph Browser Agent")
+    print("🌐 Invoking LangGraph Browser Agent")
```

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py`
at line 41, The print statement using an f-string in test-invoke.py (print(f"🌐
Invoking LangGraph Browser Agent")) has no interpolations; remove the
unnecessary f prefix so the statement becomes a regular string literal
(print("🌐 Invoking LangGraph Browser Agent")) to satisfy Ruff F541.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/codeInterpreter.js-55-70 (1)</summary><blockquote>

`55-70`: _⚠️ Potential issue_ | _🟡 Minor_

**Add default parameter `tags = {}` for safer defensive programming.**

The `Object.keys(tags)` call on line 69 should handle the edge case where `tags` is undefined. While the current codebase always provides `tags` via `mergeTags()`, adding a default parameter makes the function more robust to future changes and protects against accidental calls without the parameter.

<details>
<summary>Suggested fix</summary>

```diff
-export function compileCodeInterpreter(name, config, context, tags) {
+export function compileCodeInterpreter(name, config, context, tags = {}) {
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/codeInterpreter.js`
around lines 55 - 70, The function compileCodeInterpreter currently assumes tags
is defined and calls Object.keys(tags); update the function signature in
compileCodeInterpreter to accept a default parameter (tags = {}) so tags is
always an object, and leave the existing usage of Tags and Object.keys(tags)
intact; this change ensures resolveRole(config.role, roleLogicalId) and the
spread of ...(Object.keys(tags).length > 0 && { Tags: tags }) remain safe when
callers omit the tags argument.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/handlers/internal-lookup.js-46-68 (1)</summary><blockquote>

`46-68`: _⚠️ Potential issue_ | _🟡 Minor_

**Guard JSON parsing and normalize `userId` before `.toUpperCase()`.**

Lines 47 and 54: `JSON.parse` can throw on malformed JSON. Line 67: `userId.toUpperCase()` crashes if `userId` is a non-string truthy value (e.g., number). Add try-catch blocks around JSON.parse calls and coerce `userId` to a string before calling `.toUpperCase()`.

<details>
<summary>🛠️ Suggested guardrails</summary>

```diff
   if (typeof event === 'string') {
-    event = JSON.parse(event)
+    try {
+      event = JSON.parse(event)
+    } catch {
+      return {
+        statusCode: 400,
+        body: JSON.stringify({ error: 'Invalid JSON payload' }),
+      }
+    }
   }
 
   let userId = ''
 
   if (event.body) {
     const body =
-      typeof event.body === 'string' ? JSON.parse(event.body) : event.body
-    userId = body.userId || ''
+      typeof event.body === 'string' ? (() => {
+        try {
+          return JSON.parse(event.body)
+        } catch {
+          return {}
+        }
+      })() : event.body
+    userId = String(body.userId || '').trim() || ''
   } else {
     userId = event.userId || ''
   }
 
   if (!userId) {
     return {
       statusCode: 400,
       body: JSON.stringify({ error: 'Missing userId parameter' }),
     }
   }
 
-  const user = USERS[userId.toUpperCase()]
+  const user = USERS[String(userId).toUpperCase()]
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/handlers/internal-lookup.js`
around lines 46 - 68, Wrap both JSON.parse calls (parsing event and parsing
event.body) in try-catch blocks and return a 400 error if parsing fails to avoid
crashing on malformed JSON; ensure you validate event after parse. Normalize and
coerce userId to a string before calling .toUpperCase() (e.g., userId =
String(userId || '') ) and then check emptiness; finally use the coerced value
when looking up in USERS (USERS[userId.toUpperCase()]).
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/browser.md-73-79 (1)</summary><blockquote>

`73-79`: _⚠️ Potential issue_ | _🟡 Minor_

**Add languages to the two fenced code blocks.**

Markdownlint flags both fences; specify a language (e.g., `text`) to fix MD040.

<details>
<summary>✏️ Suggested fixes</summary>

```diff
-```
+```text
 bedrock-agentcore>=0.1.0
 strands-agents>=1.0.0
 strands-agents-tools>=0.1.0
-```
+```
```

```diff
-```
+```text
 Agent → Browser Tool → AWS Browser Service → Website → Response
-```
+```
```
</details>



Also applies to: 92-94

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/browser.md around lines 73 - 79, Add a
language identifier (e.g., "text") to the two fenced code blocks shown in the
diff so Markdownlint MD040 is satisfied: update the dependencies block
containing "bedrock-agentcore>=0.1.0 / strands-agents>=1.0.0 /
strands-agents-tools>=0.1.0" and the flow block containing "Agent → Browser Tool
→ AWS Browser Service → Website → Response" to use triple backticks with a
language (e.g., ```text) instead of plain fences; ensure the same change is
applied to the later identical block at lines 92-94.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py-47-49 (1)</summary><blockquote>

`47-49`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove the unnecessary f-string prefix on line 48.**

Line 48 contains an f-string without any placeholders, which violates Ruff rule F541. The string "Invoking Custom Code Interpreter Agent" has no variable substitutions, so the `f` prefix is unnecessary.

<details>
<summary>✏️ Suggested fix</summary>

```diff
-    print(f"Invoking Custom Code Interpreter Agent")
+    print("Invoking Custom Code Interpreter Agent")
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py`
around lines 47 - 49, The second print statement uses an unnecessary f-string
(print(f"Invoking Custom Code Interpreter Agent")) which triggers Ruff F541;
change that print call to a plain string literal (print("Invoking Custom Code
Interpreter Agent")) so no f-prefix is used while leaving the surrounding prints
(e.g., print(f"\n{'='*60}") and print(f"Runtime ARN: {RUNTIME_ARN}")) unchanged.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-docker/agent.py-33-36 (1)</summary><blockquote>

`33-36`: _⚠️ Potential issue_ | _🟡 Minor_

**Timezone argument isn’t applied**

`get_current_time` returns local time and only appends the timezone string, which can mislead tool users. Either convert using `zoneinfo` or drop the parameter.  


<details>
<summary>🕒 Suggested fix (use zoneinfo)</summary>

```diff
-from datetime import datetime
+from datetime import datetime
+from zoneinfo import ZoneInfo
@@
 `@tool`
 def get_current_time(timezone: str = "UTC") -> str:
-    """Get the current date and time."""
-    return f"Current time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')} {timezone}"
+    """Get the current date and time."""
+    try:
+        tz = ZoneInfo(timezone)
+    except Exception:
+        tz = ZoneInfo("UTC")
+        timezone = "UTC"
+    return f"Current time: {datetime.now(tz).strftime('%Y-%m-%d %H:%M:%S')} {timezone}"
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-docker/agent.py`
around lines 33 - 36, The get_current_time tool currently ignores the timezone
argument and just appends the string; update get_current_time to actually apply
the timezone using zoneinfo: import zoneinfo.ZoneInfo and call
datetime.now(tz=ZoneInfo(timezone)) (or handle invalid timezone by falling back
to UTC or raising a ValueError) so the returned timestamp reflects the requested
timezone; alternatively, if you prefer not to support timezones, remove the
timezone parameter from get_current_time and its docstring to avoid misleading
callers.
```

</details>

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/serverless.yml-37-49 (1)

37-49: ⚠️ Potential issue | 🟡 Minor

Duplicate IAM action: InvokeCodeInterpreter appears twice.

The action bedrock-agentcore:InvokeCodeInterpreter is listed on both line 39 and line 42. Remove the duplicate entry.

🧹 Proposed fix

         statements:
           - Effect: Allow
             Action:
               - bedrock-agentcore:InvokeCodeInterpreter
               - bedrock-agentcore:CreateCodeInterpreter
               - bedrock-agentcore:StartCodeInterpreterSession
-              - bedrock-agentcore:InvokeCodeInterpreter
               - bedrock-agentcore:StopCodeInterpreterSession
               - bedrock-agentcore:DeleteCodeInterpreter
               - bedrock-agentcore:ListCodeInterpreters
               - bedrock-agentcore:GetCodeInterpreter
               - bedrock-agentcore:GetCodeInterpreterSession
               - bedrock-agentcore:ListCodeInterpreterSessions
             Resource: !GetAtt PublicInterpreterCodeInterpreter.CodeInterpreterArn

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/serverless.yml`
around lines 37 - 49, In the IAM policy actions list for the resource referenced
by PublicInterpreterCodeInterpreter.CodeInterpreterArn, remove the duplicate
"bedrock-agentcore:InvokeCodeInterpreter" entry so each action appears only once
(ensure the Actions array contains a single instance of InvokeCodeInterpreter
alongside the other bedrock-agentcore actions like CreateCodeInterpreter,
StartCodeInterpreterSession, StopCodeInterpreterSession, DeleteCodeInterpreter,
ListCodeInterpreters, GetCodeInterpreter, GetCodeInterpreterSession, and
ListCodeInterpreterSessions).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/pyproject.toml-8-8 (1)

8-8: ⚠️ Potential issue | 🟡 Minor

Lower requires-python to >=3.10.

The dependencies (bedrock-agentcore>=0.1.0, langchain>=0.3.0, langchain-aws>=0.2.0, langgraph>=0.2.0) require a minimum of Python 3.10, not 3.12. The current requirement unnecessarily excludes Python 3.10 and 3.11 users.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/pyproject.toml`
at line 8, The pyproject.toml currently sets requires-python = ">=3.12" which
unnecessarily excludes Python 3.10/3.11 users; change the requires-python
declaration to ">=3.10" so the project supports the minimum Python version
required by the dependencies (refer to the requires-python entry in the
pyproject.toml).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/test-invoke.js-76-94 (1)

76-94: ⚠️ Potential issue | 🟡 Minor

Update MCP protocol version to the latest specification.

The protocol version '2025-06-18' is outdated. Update to '2025-11-25', which is the current MCP specification and includes important updates such as OIDC Discovery support, JSON Schema 2020-12 as the default dialect, and experimental tasks support.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/test-invoke.js`
around lines 76 - 94, The testInitialize function sends an outdated MCP
protocolVersion; update the string passed in the invoke call (inside
testInitialize) from '2025-06-18' to the current '2025-11-25' so the
invoke('initialize', { protocolVersion: ... }, 1) uses the latest MCP spec
(retain clientInfo and capabilities as-is).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/README.md-24-32 (1)

24-32: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks.

Markdownlint (MD040) will flag the unlabeled fences (e.g., Line 24, Line 65, Line 87). Prefer text for outputs/trees.

📝 Suggested fix

-```
+```text
 langgraph-browser-custom/
 ├── serverless.yml      # Defines custom browser + S3 bucket + runtime
 ├── agent.py            # LangGraph agent using custom browser
 ├── test-invoke.py      # Validation test (checks S3 recordings)
 ├── Dockerfile          # Container with Playwright
 ├── pyproject.toml      # Python dependencies
 └── README.md           # This file

- +text
ai:
agents:
browserAgent: https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes/arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/xxx/invocations

browsers:
customBrowser: custom-browser-id-xxx

-```
+```text
LangGraph Custom Browser Agent - Validation Test
Recordings Bucket: langgraph-browser-custom-recordings-dev
Region: us-east-1

============================================================
CUSTOM BROWSER VALIDATION TEST
============================================================

[Step 1] Counting existing recordings in S3...
Initial recording count: 0

[Step 2] Invoking agent to browse example.com...
Agent response:
----------------------------------------
Page Title: Example Domain
Content: Example Domain
This domain is for use in illustrative examples...
----------------------------------------

Browser ID used: custom-browser-id-xxx

[Step 3] Waiting for recording to be uploaded to S3...
  Checking... (5s) - Recording count: 0
  Checking... (10s) - Recording count: 1

[Step 4] Validation Results
========================================
SUCCESS: New recording detected in S3!
  Initial count: 0
  Final count: 1
  New recordings: 1

Latest recordings:
  - browser-sessions/session-xxx/batch_1.ndjson.gz
    Size: 12345 bytes
    Modified: 2025-01-30 12:00:00

============================================================
VALIDATION PASSED
The custom browser with session recording is working correctly!
============================================================

</details>


Also applies to: 65-129

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/README.md
around lines 24 - 32, The README.md contains unlabeled fenced code blocks that
trigger Markdownlint MD040; update each unlabeled triple-backtick block (the
directory tree block, the ai/browsers YAML snippet, and the validation test
output block) to include a language identifier, e.g., change totext (or

unlabeled fences are annotated so Markdownlint no longer flags them.

docs/sf/providers/aws/guide/agents/gateway.md-78-80 (1)

78-80: ⚠️ Potential issue | 🟡 Minor

Add a language to the diagram code fence.

Markdownlint (MD040) flags the unlabeled fence at Line 78.

📝 Suggested fix

-```
+```text
 Agent → Gateway (MCP) → Target (Lambda / API / MCP Server) → Response

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/gateway.md around lines 78 - 80, The
fenced code block containing "Agent → Gateway (MCP) → Target (Lambda / API / MCP
Server) → Response" is missing a language label which triggers markdownlint
MD040; update the fence in docs/sf/providers/aws/guide/agents/gateway.md to use
a labeled code fence (e.g., add "text" after the opening backticks) so the block
becomes text ... to satisfy the linter while preserving the diagram
content.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js-138-140 (1)</summary><blockquote>

`138-140`: _⚠️ Potential issue_ | _🟡 Minor_

**Add defensive check for empty messages array.**

If `agent.invoke()` returns an empty `messages` array, accessing `result.messages[result.messages.length - 1]` will return `undefined`, and then `.content` will throw a TypeError.



<details>
<summary>🛡️ Proposed fix</summary>

```diff
       // Extract the final message from the graph result
       const finalMessage = result.messages[result.messages.length - 1]
-      const response = finalMessage.content
+      const response = finalMessage?.content || 'No response generated'
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/agent.js`
around lines 138 - 140, The code assumes result.messages always has at least one
entry; add a defensive check after agent.invoke() to handle an empty messages
array by verifying result.messages && result.messages.length > 0 before
accessing result.messages[result.messages.length - 1]; if empty, return or throw
a clear error (or set response to a safe default) instead of dereferencing
undefined; update the logic around finalMessage and response to use this guard
so agent.invoke() failures or empty results don't cause a TypeError.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/dev.md-51-65 (1)</summary><blockquote>

`51-65`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifiers to fenced code blocks.**

markdownlint flags these blocks without a language spec. Adding one improves consistency and rendering.  


<details>
<summary>✍️ Suggested updates</summary>

```diff
-```
+```text
 Dev mode running on http://localhost:8080
@@
-```
+```text
 serverless dev
@@
-```
+```http
 POST http://localhost:<port>/invocations
@@
-```
+```text
 my-agent/
 ├── agent.py              # Entry point (handler)
```
</details>


Also applies to: 82-100, 296-303, 363-369

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/dev.md` around lines 51 - 65, Update the
Markdown fenced code blocks in docs/sf/providers/aws/guide/agents/dev.md to
include language identifiers so markdownlint passes and rendering is consistent:
add "text" to runtime/plain output blocks (e.g., the "Dev mode running on
http://localhost:8080" and "serverless dev" snippets and the directory tree that
includes "agent.py"), add "http" to the HTTP request block (the "POST
http://localhost:<port>/invocations" snippet), and similarly annotate the other
untagged fenced blocks mentioned (lines around 82-100, 296-303, 363-369) with
the appropriate language identifiers.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/dev.md-286-289 (1)</summary><blockquote>

`286-289`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove trailing space inside the inline code span.**

The code span `You: ` contains a trailing space, which markdownlint flags.  


<details>
<summary>✍️ Suggested tweak</summary>

```diff
-- **Prompt**: Type messages at the `You: ` prompt
+- **Prompt**: Type messages at the `You:` prompt
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/dev.md` around lines 286 - 289, The inline
code span `You: ` in the "Prompt" bullet contains a trailing space; edit the
markdown so the code span reads `You:` (remove the trailing space) to satisfy
markdownlint — locate the bullet with "- **Prompt**: Type messages at the `You:
` prompt" and update the backticked content to `You:`.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md-62-84 (1)</summary><blockquote>

`62-84`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifiers to fenced code blocks.**

markdownlint flags the file-structure and architecture blocks as missing a language.  


<details>
<summary>✍️ Suggested update</summary>

```diff
-```
+```text
 my-agent/
 ├── handler.py          # Entry point (artifact.entryPoint)
@@
-```
+```text
 dev/index.js (main)
 ├── Detects mode (Docker vs Code)
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/README.md around
lines 62 - 84, Update the README's fenced code blocks to include a language
identifier (e.g., use text) for the file-structure block and the Architecture diagram block so markdownlint stops flagging them; locate the two triple-backtick blocks around the "my-agent/" tree and the "dev/index.js (main)" architecture list and change the opening fences to include the language specifier (e.g., text) while leaving the block contents unchanged.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/handlers/calculator.js-53-77 (1)</summary><blockquote>

`53-77`: _⚠️ Potential issue_ | _🟡 Minor_

**Tighten numeric parsing to avoid malformed inputs.**

Line 54 currently accepts strings like `1..2` or `.`; `parseFloat` will coerce/truncate, which can yield surprising results. Consider a stricter numeric pattern and a finite check.  


<details>
<summary>✅ Suggested fix (stricter numeric validation)</summary>

```diff
 function safeCalculate(expression) {
-  const match = expression.match(/^\s*([\d.]+)\s*([+\-*/])\s*([\d.]+)\s*$/)
+  const match = expression.match(
+    /^\s*(-?(?:\d+|\d*\.\d+))\s*([+\-*/])\s*(-?(?:\d+|\d*\.\d+))\s*$/,
+  )
   if (!match) {
     throw new Error(
       'Use format: "number operator number" (e.g., "2 + 3", "10 / 5")',
     )
   }

   const [, a, op, b] = match
   const left = parseFloat(a)
   const right = parseFloat(b)
+  if (!Number.isFinite(left) || !Number.isFinite(right)) {
+    throw new Error('Invalid number input')
+  }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-multi-gateway/handlers/calculator.js`
around lines 53 - 77, The safeCalculate function currently allows malformed
numeric strings (e.g., "1..2", ".") because parseFloat coerces/truncates; update
the regex used in safeCalculate to a stricter numeric pattern (e.g.,
([+-]?(?:\d+\.?\d*|\.\d+))) for both operands so only well-formed
integers/floats match, then parse with Number (or parseFloat) and validate with
Number.isFinite on left and right (reject by throwing the existing format error
or a new descriptive error) before performing operations; keep the existing
operator switch and division-by-zero check in place.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/README.md-97-104 (1)</summary><blockquote>

`97-104`: _⚠️ Potential issue_ | _🟡 Minor_

**Add a language tag to the fenced block.**

Markdownlint flags the project-structure fence without a language specifier. Consider `text` for clarity.  


<details>
<summary>✏️ Suggested fix</summary>

```diff
-```
+```text
 langgraph-streaming/
 ├── serverless.yml    # Serverless Framework configuration
 ├── index.js          # LangGraph JS agent with streaming
 ├── package.json      # npm dependencies
 ├── test-invoke.js    # Test script for streaming invocation
 └── README.md         # This file
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/README.md
around lines 97 - 104, Update the fenced code block in README.md that shows the
project structure (the block starting with and the tree listing under "langgraph-streaming/") to include a language tag (e.g., text) after the opening backticks so markdownlint stops flagging it; find the project-structure fence in the README.md and change the opening fence from to ```text to explicitly
mark the block as plain text.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py-47-49 (1)</summary><blockquote>

`47-49`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove the unused f-string prefix.**

Line 48 uses an f-string without placeholders.  


<details>
<summary>✏️ Suggested fix</summary>

```diff
-    print(f"Invoking Custom Code Interpreter Agent")
+    print("Invoking Custom Code Interpreter Agent")
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py`
around lines 47 - 49, The print statement using an unnecessary f-string should
be changed to a regular string: in the example script replace the print call
printing "Invoking Custom Code Interpreter Agent" (currently written as
print(f"Invoking Custom Code Interpreter Agent")) with print("Invoking Custom
Code Interpreter Agent") to remove the unused f-string prefix while leaving the
other prints (e.g., the one referencing RUNTIME_ARN) unchanged.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/test-invoke.py-45-47 (1)</summary><blockquote>

`45-47`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove the unused f-string prefix.**

Line 46 is an f-string without placeholders.  


<details>
<summary>✏️ Suggested fix</summary>

```diff
-    print(f"Invoking Code Interpreter Agent")
+    print("Invoking Code Interpreter Agent")
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/test-invoke.py`
around lines 45 - 47, Remove the unnecessary f-string prefix from the plain
string print statement that logs "Invoking Code Interpreter Agent" (the print
call shown between the separators and the Runtime ARN print); change
print(f"Invoking Code Interpreter Agent") to print("Invoking Code Interpreter
Agent") so it no longer uses an f-string with no placeholders.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-code/README.md-17-27 (1)</summary><blockquote>

`17-27`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifiers to fenced code blocks.**  
Keeps markdown lint clean and improves rendering consistency.  

<details>
<summary>✏️ Suggested edit</summary>

```diff
-```
+```text
 User Request → AgentCore Runtime → agent_invocation()
                                       ↓
                                    LangGraph
                                       ↓
                                Claude Sonnet 4.5
                                       ↓
                           (uses built-in tools)
                                       ↓
                                    Response
-```
+```

...

-```
+```text
 START → chatbot → [decide: use tool or respond]
            ↑            ↓
            └─── tools ←┘
-```
+```
```
</details>


Also applies to: 108-112

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-basic-code/README.md
around lines 17 - 27, Add language identifiers to the fenced code blocks
containing the ASCII diagrams so markdown lint passes and rendering is
consistent: locate the fenced block that begins with "User Request → AgentCore
Runtime → agent_invocation()" and the block that begins with "START → chatbot →
[decide: use tool or respond]" in the README and change their opening fences
from totext (and ensure any other similar ASCII diagram blocks, e.g.,
the one referenced around lines 108-112, are updated the same way).

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/runtime.md-301-305 (1)</summary><blockquote>

`301-305`: _⚠️ Potential issue_ | _🟡 Minor_

**Hyphenate the compound adjective.**  
"General-purpose" reads better here.  

<details>
<summary>✏️ Suggested edit</summary>

```diff
-| `HTTP`   | Standard HTTP requests (default) | General purpose agents, REST-like interactions |
+| `HTTP`   | Standard HTTP requests (default) | General-purpose agents, REST-like interactions |
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/runtime.md` around lines 301 - 305, Update
the table row for the `HTTP` protocol in the runtime.md content: change the
Description cell text from "General purpose agents, REST-like interactions" to
"General-purpose agents, REST-like interactions" so the compound adjective is
hyphenated; locate the `HTTP` table row in the markdown containing the
Protocol/Description/Use Case columns and edit the phrase accordingly.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js-913-924 (1)</summary><blockquote>

`913-924`: _⚠️ Potential issue_ | _🟡 Minor_

**Signal handlers registered without removal on stop.**

The `SIGINT` and `SIGTERM` handlers are registered at Lines 923-924 but never removed when `stop()` is called. If `start()` is called again (e.g., in tests or programmatic usage), duplicate handlers will accumulate.


<details>
<summary>🛠️ Proposed fix</summary>

Store the handler reference and remove it in `stop()`:

```javascript
// In constructor or as class field
`#signalHandler` = null

// In `#startChat`()
this.#signalHandler = () => { /* ... */ }
process.on('SIGINT', this.#signalHandler)
process.on('SIGTERM', this.#signalHandler)

// In stop()
if (this.#signalHandler) {
  process.off('SIGINT', this.#signalHandler)
  process.off('SIGTERM', this.#signalHandler)
  this.#signalHandler = null
}
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js` around
lines 913 - 924, The SIGINT/SIGTERM handlers added in the start logic are never
removed, causing duplicate handlers on repeated start() calls; capture the
handler function reference (e.g., store it as this.#signalHandler when creating
the signalHandler in the start code where this.#isShuttingDown and
this.#readline are used) and then remove it inside stop() by calling
process.off('SIGINT', this.#signalHandler) and process.off('SIGTERM',
this.#signalHandler), finally nulling this.#signalHandler to avoid re-use.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/commands/info.js-66-68 (1)</summary><blockquote>

`66-68`: _⚠️ Potential issue_ | _🟡 Minor_

**Gateway lookup may not find the correct output key.**

Line 67 calls `getGatewayLogicalId()` without arguments, which returns `'AgentCoreGateway'` (per the naming.js snippet). However, if the gateway was created with a specific name, the output key would be different (e.g., `AgentCoreGatewayMyGatewayUrl`).

Consider iterating through stack outputs to find any gateway URL outputs, or pass the gateway name if available.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/commands/info.js`
around lines 66 - 68, The lookup for the gateway URL using getGatewayLogicalId()
may miss outputs when a named gateway exists; update the code that sets
urlOutput (which currently calls getGatewayLogicalId() with no args) to either
pass the gateway name into getGatewayLogicalId() when available (so the expected
OutputKey like `${getGatewayLogicalId(gatewayName)}Url` is matched) or, if no
name is provided, scan stack?.Outputs for any OutputKey that matches a gateway
URL pattern (e.g., endsWith('GatewayUrl') or matches /AgentCoreGateway.*Url/)
and pick the first matching output; adjust the logic around urlOutput to use
this fallback search so named gateways are handled.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js-574-584 (1)</summary><blockquote>

`574-584`: _⚠️ Potential issue_ | _🟡 Minor_

**Process log listeners attached without cleanup tracking.**

`#streamProcessLogs()` attaches `data` event listeners to `process.stdout` and `process.stderr`, but these listeners are not removed during `stop()` or when the process restarts during a rebuild (Line 808). This could lead to duplicate listeners if `#streamProcessLogs()` is called multiple times.


<details>
<summary>🛠️ Proposed approach</summary>

Consider storing listener references and removing them before reattaching, or use `once` if appropriate for the use case.
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js` around
lines 574 - 584, `#streamProcessLogs` currently attaches persistent 'data'
listeners to the process returned by `#codeMode.getProcess`() that are never
removed, causing duplicate logs on restart; update this by capturing the
listener functions when attaching (e.g., const stdoutListener = (d) =>
this.#displayLog(d.toString()) and stderrListener similarly) and store them on
the instance, then remove them with process.stdout.off('data', stdoutListener)
and process.stderr.off('data', stderrListener) either at the start of
`#streamProcessLogs` (before reattaching) or in stop(); alternatively if
appropriate use once instead of on; ensure references match the stored listener
properties so `#displayLog` invocations stop when the process is stopped or
rebuilt.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js-248-266 (1)</summary><blockquote>

`248-266`: _⚠️ Potential issue_ | _🟡 Minor_

**Python version check could fail silently on version format mismatch.**

The version check at Line 256 uses `includes()` which may produce false positives. For example, if expected is "3.1" and installed is "Python 3.13.1", it would incorrectly pass. Consider using a more precise version comparison.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js`
around lines 248 - 266, The current `#checkPythonVersion` uses includes() which
can falsely match (e.g., "3.1" matching "3.13.1"); update the logic in async
`#checkPythonVersion` to parse numeric versions from stdout and expectedRuntime
and perform a proper numeric comparison: extract the installed version from
stdout (e.g., via regex on installedVersion to capture major.minor[.patch]),
derive expectedVersion similarly from expectedRuntime (remove "PYTHON_" and
convert underscores to dots), split both into numeric segments (major, minor,
optional patch), compare major and minor as integers (and patch if present)
instead of using includes(), and keep the existing logging behavior (use
logger.warning on mismatch and logger.debug on error). Ensure you reference
pythonCmd, execP, installedVersion, expectedVersion, and logger when making the
change.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js-650-653 (1)</summary><blockquote>

`650-653`: _⚠️ Potential issue_ | _🟡 Minor_

**Terminal operations may fail in non-TTY environments.**

Lines 651-652 call `process.stdout.clearLine(0)` and `process.stdout.cursorTo(0)` without checking if stdout is a TTY. These methods may not exist or may throw in non-TTY environments (e.g., CI pipelines, piped output).


<details>
<summary>🛠️ Proposed fix</summary>

```diff
     if (this.#readline) {
+      if (process.stdout.isTTY) {
         process.stdout.clearLine(0)
         process.stdout.cursorTo(0)
+      }
     }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/index.js` around
lines 650 - 653, The terminal-clearing calls inside the block guarded by
this.#readline can throw in non-TTY environments; update the block that contains
process.stdout.clearLine and process.stdout.cursorTo (the section referencing
this.#readline) to first verify stdout is a TTY and that the methods exist
(e.g., check process.stdout && process.stdout.isTTY and typeof
process.stdout.clearLine === 'function' and typeof process.stdout.cursorTo ===
'function') before invoking them, otherwise skip those calls so the code safely
runs in CI/piped/non-TTY environments.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js-72-72 (1)</summary><blockquote>

`72-72`: _⚠️ Potential issue_ | _🟡 Minor_

**Potential error if `tags` is undefined.**

Line 72 calls `Object.keys(tags)` but if `tags` is `undefined` or `null`, this will throw a TypeError. Consider adding a defensive check.


<details>
<summary>🛠️ Proposed fix</summary>

```diff
-      ...(Object.keys(tags).length > 0 && { Tags: tags }),
+      ...(tags && Object.keys(tags).length > 0 && { Tags: tags }),
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js` at
line 72, The spread expression uses Object.keys(tags) which will throw if tags
is null/undefined; update the condition to defensively handle missing tags
(e.g., use tags && Object.keys(tags).length > 0 or Object.keys(tags ||
{}).length > 0) so the spread only adds { Tags: tags } when tags is a defined
non-empty object; modify the expression in memory.js (the object construction
that currently uses ...(Object.keys(tags).length > 0 && { Tags: tags })) to use
the safe check (tags && Object.keys(tags).length > 0 ? { Tags: tags } : {}).
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js-207-216 (1)</summary><blockquote>

`207-216`: _⚠️ Potential issue_ | _🟡 Minor_

**Error handling condition may not correctly identify ServerlessError.**

The condition at Line 211-214 checks `error.code !== 'ENOENT'` but `ServerlessError` uses a custom `code` property (e.g., `'MISSING_LOCKFILE'`), not the Node.js `ENOENT` code. This means the ServerlessError will be re-thrown correctly, but the logic is not immediately clear.

Additionally, checking `error.message.includes('Missing lockfile')` is fragile if the error message changes.


<details>
<summary>🛠️ Proposed fix for clearer error handling</summary>

```diff
       } catch (error) {
         // Ignore if package.json missing (not a Node.js project)
         // Re-throw if it's our validation error
-        if (
-          error.code !== 'ENOENT' ||
-          error.message.includes('Missing lockfile')
-        ) {
+        if (error instanceof ServerlessError || error.code !== 'ENOENT') {
           throw error
         }
       }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js`
around lines 207 - 216, The catch block in builder.js is using error.code !==
'ENOENT' and message.includes('Missing lockfile'), which is fragile and doesn't
clearly detect the ServerlessError for a missing lockfile; update the handler in
the catch to explicitly detect the ServerlessError by checking the
ServerlessError type or its canonical code (e.g., compare error.name or
error.code to the known ServerlessError identifier like 'MISSING_LOCKFILE' or
use instanceof ServerlessError if available) and only re-throw for that case,
while treating genuine ENOENT file-not-found errors as ignored; reference the
existing catch block around the package.json/lockfile read logic and use the
same ServerlessError symbol (or its code) instead of message.includes to make
the intent explicit.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/coordinator.js-99-125 (1)</summary><blockquote>

`99-125`: _⚠️ Potential issue_ | _🟡 Minor_

**String `imageConfig` handling may skip builds unexpectedly.**

At Lines 101-105, if `imageConfig` is a string reference to `provider.ecr.images` but that image wasn't built (not in `builtImages`), the code continues to Line 108-109. However, `{ name: imageConfig }` creates an object without `path`, `repository`, or `file`, so the condition at Line 111 fails and the build is silently skipped.

This could leave users confused when their string-referenced images aren't built.


<details>
<summary>🛠️ Proposed fix to handle missing string references</summary>

```diff
     // Handle string reference to provider.ecr.images
     if (typeof imageConfig === 'string') {
       if (builtImages[imageConfig]) {
         continue // Already built above
       }
+      // String reference not found in builtImages - this is an error
+      log.warning(
+        `Image reference '${imageConfig}' not found in provider.ecr.images or builtImages`,
+      )
+      continue
     }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/coordinator.js`
around lines 99 - 125, The loop over runtimesToBuild currently treats a string
imageConfig as a reference but then silently skips builds because { name:
imageConfig } lacks path/repository/file; update the handling of imageConfig in
the for-loop so that when imageConfig is a string and not already in builtImages
you resolve that string into the real image config (e.g., look up
provider.ecr.images[imageConfig] or similar) and assign that to dockerConfig
before checking dockerConfig.path/repository/file; if the lookup fails, make the
code surface an explicit error/log and throw or skip with a clear message;
adjust references to runtimesToBuild, imageConfig, builtImages, dockerConfig,
builder.buildForRuntime, and buildMetadata accordingly.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js-230-242 (1)</summary><blockquote>

`230-242`: _⚠️ Potential issue_ | _🟡 Minor_

**Global `process.env.PATH` mutation persists beyond this instance.**

`#setupVirtualEnv()` mutates the global `process.env.PATH`, which affects the entire Node.js process and persists even after `stop()` is called. This could cause unintended side effects if multiple `AgentCoreCodeMode` instances are created or if other parts of the application rely on the original PATH.

Consider storing the modified PATH locally and passing it only to the spawned process environment instead of modifying the global state.


<details>
<summary>🛠️ Proposed fix</summary>

```diff
   `#setupVirtualEnv`() {
     if (!process.env.VIRTUAL_ENV) {
       return
     }

     const runtimeDir = os.platform() === 'win32' ? 'Scripts' : 'bin'
     const venvBinPath = path.join(process.env.VIRTUAL_ENV, runtimeDir)

-    // Prepend venv bin to PATH
-    process.env.PATH = [venvBinPath, path.delimiter, process.env.PATH].join('')
+    // Return modified PATH for use in spawned process
+    return [venvBinPath, process.env.PATH].join(path.delimiter)
+  }
+
+  `#getModifiedPath`() {
+    if (!process.env.VIRTUAL_ENV) {
+      return process.env.PATH
+    }
+
+    const runtimeDir = os.platform() === 'win32' ? 'Scripts' : 'bin'
+    const venvBinPath = path.join(process.env.VIRTUAL_ENV, runtimeDir)
+    return [venvBinPath, process.env.PATH].join(path.delimiter)
-
-    logger.debug(`Using virtual environment: ${process.env.VIRTUAL_ENV}`)
   }
```

Then use `this.#getModifiedPath()` when building `pythonEnv.PATH` in `start()`.
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js`
around lines 230 - 242, Currently `#setupVirtualEnv` mutates global
process.env.PATH; instead stop changing process.env and keep the modified PATH
on the instance (e.g., store it as this._venvPath or implement a private getter
`#getModifiedPath`() that computes the venv bin path without mutating globals).
Update start() to use the instance-modified value when constructing
pythonEnv.PATH (use this.#getModifiedPath() or this._venvPath) and remove any
assignment to process.env.PATH in `#setupVirtualEnv` so no global state is
changed; reference the AgentCoreCodeMode class, `#setupVirtualEnv`, start(), and
pythonEnv.PATH when making these changes.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/README.md-14-22 (1)</summary><blockquote>

`14-22`: _⚠️ Potential issue_ | _🟡 Minor_

**Specify languages for the fenced blocks.**

Both code fences are missing language identifiers (markdownlint MD040).
<details>
<summary>✅ Suggested fix</summary>

```diff
-```
+```text
 langgraph-code-interpreter/
 ├── serverless.yml     # Serverless Framework configuration
 ├── agent.py           # LangGraph agent with code interpreter
 ├── Dockerfile         # Container definition
 ├── pyproject.toml     # Python dependencies
 ├── test-invoke.py     # Validation script
 └── README.md          # This file
 ```
@@
-```
+```yaml
 ai:
   agents:
     codeAgent: https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes/arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/.../invocations
 ```
```
</details>



Also applies to: 41-45

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter/README.md
around lines 14 - 22, The README.md has two fenced code blocks missing language
identifiers (markdownlint MD040) — update the first tree listing block in
langgraph-code-interpreter/ to use a text fence (e.g., change totext)
and update the YAML example block (around the ai: agents: codeAgent snippet and
the block at lines ~41-45) to use a yaml fence (change toyaml); edit the
README.md file to add these language tags so the tree and YAML blocks are
explicitly marked as text and yaml respectively.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/README.md-31-35 (1)</summary><blockquote>

`31-35`: _⚠️ Potential issue_ | _🟡 Minor_

**Align the Node.js prerequisite with the package.json engine constraint.**

README says “Node.js 20+” but `package.json` pins `node: 24.x`. Please align one side to avoid confusion.
<details>
<summary>🛠️ Example (update README to match engines)</summary>

```diff
-- Node.js 20+
+- Node.js 24+
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/README.md`
around lines 31 - 35, The README's prerequisite "Node.js 20+" conflicts with
package.json's engines constraint ("node": "24.x"); update the README in
langgraph-basic/README.md to state the same Node.js requirement as package.json
(Node.js 24.x) so both documents match, or alternatively relax package.json
engines to allow 20+—ensure you reference the README entry and the package.json
engines/node field (node: 24.x) and keep both consistent.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/README.md-63-69 (1)</summary><blockquote>

`63-69`: _⚠️ Potential issue_ | _🟡 Minor_

**Add a language identifier to the project-structure code fence.**

This block is missing a fenced-code language (markdownlint MD040).
<details>
<summary>✅ Suggested fix</summary>

```diff
-```
+```text
 langgraph-basic/
 ├── serverless.yml    # Serverless Framework configuration
 ├── index.js          # LangGraph JS agent with tools
 ├── package.json      # npm dependencies
 └── README.md         # This file
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In
@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/README.md
around lines 63 - 69, The README.md code fence for the project structure is
missing a language identifier; update the triple-backtick fence that surrounds
the "langgraph-basic/ ├── serverless.yml ..." block to include a language
identifier such as "text" (e.g., change totext) so markdownlint MD040 is
satisfied and rendering is explicit; locate the fenced block in README.md that
lists the project structure and add the identifier directly after the opening
backticks.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-comprehensive/handlers/calculator.js-13-24 (1)</summary><blockquote>

`13-24`: _⚠️ Potential issue_ | _🟡 Minor_

**Guard against NaN from malformed numeric tokens in regex matches.**

The regex pattern `[\d.]+` matches tokens like `.` or `...` which parse to `NaN` and silently propagate through calculations. Add validation after parsing:

<details>
<summary>🧮 Suggested guard against NaN</summary>

```diff
   const [, a, op, b] = match
-  const left = parseFloat(a)
-  const right = parseFloat(b)
+  const left = Number(a)
+  const right = Number(b)
+  if (!Number.isFinite(left) || !Number.isFinite(right)) {
+    throw new Error('Invalid number')
+  }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-comprehensive/handlers/calculator.js`
around lines 13 - 24, In safeCalculate, after parsing the regex captures into
left and right (variables a, b -> left, right), validate that both left and
right are real numbers (use Number.isFinite or !Number.isNaN) and throw the same
user-facing error if either is invalid; keep the original format message ('Use
format: "number operator number" ...') and do not rely solely on the regex (this
prevents tokens like "." or "..." from producing NaN and leaking into
calculations).
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/index.js-28-37 (1)</summary><blockquote>

`28-37`: _⚠️ Potential issue_ | _🟡 Minor_

**Add error handling for invalid timezone inputs in getCurrentTime tool.**

Line 36 calls `toLocaleString` with a user-supplied `timeZone` option. Invalid timezone values (any non-IANA string that doesn't match a valid identifier like `"America/New_York"` or an offset format) throw `RangeError` and fail the invocation. Wrap the call in a try-catch to return a friendly error message instead.

<details>
<summary>Suggested timezone guard</summary>

```diff
   async ({ timezone }) => {
     const now = new Date()
     const options = {
       timeZone: timezone || 'UTC',
       dateStyle: 'full',
       timeStyle: 'long',
     }
-    return `Current time: ${now.toLocaleString('en-US', options)}`
+    try {
+      return `Current time: ${now.toLocaleString('en-US', options)}`
+    } catch {
+      return `Error: Invalid timezone "${timezone}"`
+    }
   },
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic/index.js`
around lines 28 - 37, The getCurrentTime tool currently calls
now.toLocaleString('en-US', options) with a user-specified timezone which can
throw a RangeError for invalid timeZone values; wrap the toLocaleString
invocation in a try-catch inside the async function for getCurrentTime, validate
or attempt to use the provided options.timeZone and on RangeError return a
friendly message like "Invalid timezone: <value>" (or fall back to 'UTC'), and
ensure the function still returns the formatted time string on success; modify
the tool function (getCurrentTime) to catch errors from toLocaleString and
handle them gracefully.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/serverless.yml.md-1599-1710 (1)</summary><blockquote>

`1599-1710`: _⚠️ Potential issue_ | _🟡 Minor_

**Avoid duplicate keys inside the same YAML example.**

The AI Agents example shows alternative forms for `role`, `memory`, `artifact.image`, and `authorizer` in the same map. Copy‑pasting this block produces invalid YAML (later keys override earlier ones). Consider splitting alternatives into separate snippets or commenting out one variant in each block.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/serverless.yml.md` around lines 1599 - 1710, The
example YAML contains duplicate map keys (role, memory, artifact.image,
authorizer) which make the snippet invalid; update the examples by separating
each alternative into distinct snippets or by commenting out alternative forms
so only one key appears per map (e.g., create separate blocks titled "role as
string" vs "role as object", "memory shared reference" vs "memory inline",
"artifact.image as URI" vs "artifact.image build object", and "authorizer: none"
vs "authorizer: custom_jwt") and ensure the symbols role, memory,
artifact.image, and authorizer are not repeated within the same YAML map.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js-28-53 (1)</summary><blockquote>

`28-53`: _⚠️ Potential issue_ | _🟡 Minor_

**Guard against undefined `tags` to avoid a TypeError.**

`Object.keys(tags)` will throw if `tags` is omitted. Defaulting to `{}` keeps compilation resilient when callers skip tags.

<details>
<summary>🛠️ Suggested fix</summary>

```diff
 export function compileRuntimeEndpoint(
   agentName,
   endpointName,
   config,
   runtimeLogicalId,
   context,
-  tags,
+  tags = {},
 ) {
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js`
around lines 28 - 53, The code in compileRuntimeEndpoint uses Object.keys(tags)
which will throw if tags is undefined; to fix, ensure tags defaults to an empty
object before use by either setting a default in the function signature (e.g.,
tags = {}) or normalizing at the top of compileRuntimeEndpoint (e.g., const
safeTags = tags || {}) and then use safeTags when computing Properties; update
the Tags spread to reference the normalized variable so Properties uses a safe
object and avoids TypeError.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/code-interpreter.md-106-108 (1)</summary><blockquote>

`106-108`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language specifier for diagram block.**

Consider adding a language specifier (e.g., `text` or `plaintext`) to the diagram code block.


<details>
<summary>Proposed fix</summary>

```diff
-```
+```text
 Agent → Code Tool → AWS Sandbox → Results
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/code-interpreter.md around lines 106 -
108, The diagram code block currently uses a plain triple-backtick fence without
a language specifier; update the block that contains the text "Agent → Code Tool
→ AWS Sandbox → Results" to use a language specifier such as "text" or
"plaintext" (i.e., change the opening fence to ```text and keep the closing

docs/sf/providers/aws/guide/agents/code-interpreter.md-86-93 (1)

86-93: ⚠️ Potential issue | 🟡 Minor

Add language specifier to fenced code block.

The requirements.txt code block should have a language specifier for consistent rendering.

Proposed fix

 **Dependencies (`requirements.txt`):**
 
-```
+```txt
 bedrock-agentcore>=0.1.0
 langchain>=0.3.0
 langchain-aws>=0.2.0
 langgraph>=0.2.0

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/code-interpreter.md around lines 86 - 93,
In the "Dependencies (requirements.txt)" fenced code block, add a language
specifier (e.g., txt) to the opening fence so the block becomes txt
followed by the four dependency lines (bedrock-agentcore, langchain,
langchain-aws, langgraph) to ensure consistent rendering.

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/code-interpreter.md-314-320 (1)</summary><blockquote>

`314-320`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language specifier to fenced code block.**

Similar to line 88, add a language specifier for the requirements.txt block.


<details>
<summary>Proposed fix</summary>

```diff
 **Dependencies (`requirements.txt`):**
 
-```
+```txt
 bedrock-agentcore>=0.1.0
 strands-agents>=1.0.0
 strands-agents-tools>=0.1.0
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/sf/providers/aws/guide/agents/code-interpreter.md around lines 314 -
320, The fenced code block under "Dependencies (requirements.txt):" is
missing a language specifier; update the triple-backtick fence that wraps the
list of packages (the requirements.txt block) to use a language tag like "txt"
(e.g., ```txt) so syntax/highlight tools treat it as a plain text requirements
file, matching the style used earlier in the doc.

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/index.js-69-70 (1)</summary><blockquote>

`69-70`: _⚠️ Potential issue_ | _🟡 Minor_

**Add defensive checks for browser context and page.**

`browser.contexts()[0]` and `context.pages()[0]` may be undefined if the browser has no contexts or pages. Consider adding existence checks to avoid runtime errors.


<details>
<summary>🛡️ Proposed fix to add null checks</summary>

```diff
       const context = browser.contexts()[0]
+      if (!context) {
+        throw new Error('No browser context available')
+      }
       const page = context.pages()[0]
+      if (!page) {
+        throw new Error('No page available in browser context')
+      }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/index.js`
around lines 69 - 70, The code assumes browser.contexts()[0] and
context.pages()[0] always exist; add defensive checks around those calls: verify
browser.contexts().length > 0 before assigning context and verify
context.pages().length > 0 before assigning page, and if missing either create a
new context/page (using browser.newContext() / context.newPage()) or handle the
error with a clear log/throw; update the variables context and page assignment
logic (the places using browser.contexts(), context.pages(), and the
context/pages variables) to use these checks so you never dereference undefined.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/agent.py-94-95 (1)</summary><blockquote>

`94-95`: _⚠️ Potential issue_ | _🟡 Minor_

**Add defensive checks for browser context and page.**

Similar to the JavaScript version, `browser.contexts[0]` and `context.pages[0]` may raise an IndexError if empty. Consider adding checks.


<details>
<summary>🛡️ Proposed fix</summary>

```diff
             # Get the page
             context = browser.contexts[0]
+            if not context:
+                raise RuntimeError("No browser context available")
             page = context.pages[0]
+            if not page:
+                raise RuntimeError("No page available in browser context")
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/agent.py`
around lines 94 - 95, The code accesses browser.contexts[0] and context.pages[0]
without checking for emptiness which can raise IndexError; update the logic
around the variables browser, context, and page so you first verify
browser.contexts is non-empty (if empty, create a new context via
browser.new_context() or raise a clear error) and then verify context.pages is
non-empty (if empty, create a new page via context.new_page() or raise a clear
error); ensure any created objects are assigned back to context and page so
downstream code uses the valid objects.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/test-invoke.py-90-91 (1)</summary><blockquote>

`90-91`: _⚠️ Potential issue_ | _🟡 Minor_

**Remove extraneous f-string prefix.**

Line 91 uses an f-string without any placeholders. Remove the `f` prefix.


<details>
<summary>Proposed fix</summary>

```diff
-    print(f"\n{'='*60}")
+    print("\n" + "="*60)
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/test-invoke.py`
around lines 90 - 91, The second print call that reads print(f"Invoking Custom
Browser Agent") uses an unnecessary f-string; change it to a plain string
literal (print("Invoking Custom Browser Agent")) so only the first print
(print(f"\n{'='*60}")) remains an f-string for its expression.
```

</details>

</blockquote></details>
<details>
<summary>docs/sf/providers/aws/guide/agents/code-interpreter.md-217-229 (1)</summary><blockquote>

`217-229`: _⚠️ Potential issue_ | _🟡 Minor_

**Update zod version in package.json example for consistency.**

The documentation shows `"zod": "^3.23.0"`, but the majority of examples across the codebase use `"zod": "^4.3.6"`. Update the documented version to match the most commonly used version in examples for consistency.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/code-interpreter.md` around lines 217 -
229, Update the package.json dependency example so the "zod" version matches the
rest of the codebase; in the Dependencies JSON block change the "zod" entry from
"^3.23.0" to "^4.3.6" (i.e., update the "zod" dependency string in the shown
package.json example).
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/browser.js-44-49 (1)</summary><blockquote>

`44-49`: _⚠️ Potential issue_ | _🟡 Minor_

**Update schema comment and reconsider SecurityGroups default logic.**

The schema comment on line 9 is inaccurate—CloudFormation does not require `SecurityGroups` to be provided; it's optional and accepts empty arrays. However, the functional concern remains: defaulting to an empty array means VPC mode won't provide actual network connectivity. If `mode: VPC` is used, explicitly require `securityGroups` to be provided, or document why an empty default is acceptable for the use case.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/browser.js`
around lines 44 - 49, Update the inaccurate schema comment to state that
CloudFormation's SecurityGroups is optional and accepts empty arrays, and change
the VPC handling logic in browser.js so that when networkMode === 'VPC' you do
not silently default SecurityGroups to an empty array; instead validate that
network.securityGroups is provided (referencing networkMode, network, and
config.VpcConfig) and either throw/emit a clear error requiring securityGroups
for VPC mode or explicitly document why an empty list is acceptable for this
code path.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js-172-185 (1)</summary><blockquote>

`172-185`: _⚠️ Potential issue_ | _🟡 Minor_

**Avoid emitting empty LifecycleConfiguration objects.**

If `lifecycle` is `{}`, the function returns an empty object, which will be truthy and included. That can yield an invalid CFN fragment. Return `null` when no properties are set.


<details>
<summary>🛠️ Suggested fix</summary>

```diff
 function buildLifecycleConfiguration(lifecycle) {
   if (!lifecycle) {
     return null
   }
 
-  return {
-    ...(lifecycle.idleRuntimeSessionTimeout !== undefined && {
-      IdleRuntimeSessionTimeout: lifecycle.idleRuntimeSessionTimeout,
-    }),
-    ...(lifecycle.maxLifetime !== undefined && {
-      MaxLifetime: lifecycle.maxLifetime,
-    }),
-  }
+  const config = {
+    ...(lifecycle.idleRuntimeSessionTimeout !== undefined && {
+      IdleRuntimeSessionTimeout: lifecycle.idleRuntimeSessionTimeout,
+    }),
+    ...(lifecycle.maxLifetime !== undefined && {
+      MaxLifetime: lifecycle.maxLifetime,
+    }),
+  }
+
+  return Object.keys(config).length > 0 ? config : null
 }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js`
around lines 172 - 185, The buildLifecycleConfiguration function can return an
empty object when lifecycle is {} which becomes a problematic truthy CFN
fragment; modify buildLifecycleConfiguration to construct the
LifecycleConfiguration object from lifecycle.idleRuntimeSessionTimeout and
lifecycle.maxLifetime into a local object (using the same property keys
IdleRuntimeSessionTimeout and MaxLifetime) and then return null if that object
has no own properties (e.g., Object.keys(...).length === 0), otherwise return
the constructed object.
```

</details>

</blockquote></details>
<details>
<summary>packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js-43-105 (1)</summary><blockquote>

`43-105`: _⚠️ Potential issue_ | _🟡 Minor_

**Guard against missing artifact objects to avoid a TypeError.**

`buildArtifact` dereferences `artifact.image`/`artifact.s3` before any validation; if `config.artifact` is undefined, this throws before the intended error path.


<details>
<summary>🛠️ Suggested fix</summary>

```diff
-function buildArtifact(artifact, options = {}) {
+function buildArtifact(artifact = {}, options = {}) {
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js`
around lines 43 - 105, The function buildArtifact currently dereferences
artifact.image and artifact.s3 without validating artifact exists; add an early
guard at the top of buildArtifact (e.g., in the function body of buildArtifact)
that checks if artifact is present and is an object (if not, throw a clear Error
like "Missing or invalid artifact: ensure config.artifact is set and packaged"),
so subsequent references to artifact.image / artifact.s3 / artifact.entryPoint
are safe and the intended error is thrown instead of a TypeError.
```

</details>

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/test-invoke.js (1)

62-97: Unused chunks array in SSE handling.

The chunks array (Line 62) is populated but never used after the loop completes. If you intended to aggregate the streamed content for later use, consider returning or logging it. Otherwise, the accumulation can be removed to simplify the code.

♻️ Suggested simplification

   if (contentType.includes('text/event-stream')) {
-    const chunks = []
     for await (const chunk of body) {
       const text =
         typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk)

       const lines = text.split('\n')
       for (const line of lines) {
         if (line.startsWith('data: ')) {
           const data = line.slice(6)
           if (data && data !== '[DONE]') {
             try {
               const parsed = JSON.parse(data)
               if (typeof parsed === 'string') {
                 process.stdout.write(parsed)
-                chunks.push(parsed)
               } else if (parsed.text) {
                 process.stdout.write(parsed.text)
-                chunks.push(parsed.text)
               } else if (parsed.data?.text) {
                 process.stdout.write(parsed.data.text)
-                chunks.push(parsed.data.text)
               }
             } catch {
               process.stdout.write(data)
-              chunks.push(data)
             }
           }
         }
       }
     }
     console.log('\n')
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/test-invoke.js`
around lines 62 - 97, The chunks array is populated inside the SSE parsing
for-await loop but never used afterwards; either remove the chunks accumulation
(delete the chunks declaration and all chunks.push(...) calls) to simplify the
stream handler, or make use of it by returning or otherwise consuming the
aggregated result after the loop (e.g., join into a single string and return or
log it) from the surrounding function that contains the for-await block so the
collected stream is actually used; update references around the for-await (SSE
parsing) block and the chunks variable accordingly.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/index.js (1)

160-166: Replace message._getType() with the public getType() method.

LangChain provides a public getType() method on BaseMessage that returns the same type string. Use it instead of the underscore-prefixed variant:

message.getType() === 'ai'

Alternatively, for greater robustness, import and use the isAIMessage() type guard from @langchain/core/messages:

import { isAIMessage } from '@langchain/core/messages'

if (isAIMessage(message) && typeof message.content === 'string') {
  yield message.content
}

This eliminates reliance on underscore-prefixed methods and aligns with LangChain's recommended patterns.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/index.js`
around lines 160 - 166, Replace the private call message._getType() with the
public API: use message.getType() in the conditional (i.e., change
message._getType() === 'ai' to message.getType() === 'ai') or, even better,
import and use the provided type guard isAIMessage from `@langchain/core/messages`
and check isAIMessage(message) && typeof message.content === 'string' before
yielding content; update the conditional in the generator where
message._getType() is used to reference message.getType() or isAIMessage
instead.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile (2)

26-42: Consider dropping the custom non-root user to keep the example minimal.

AgentCore examples in this repo intentionally keep Dockerfiles simple; the extra user setup adds noise without much practical benefit for these samples.

♻️ Simplify the example Dockerfile

-# Create non-root user for security
-RUN groupadd --gid 1001 nodejs && \
-    useradd --uid 1001 --gid nodejs --shell /bin/bash --create-home agent
-
 # Copy dependencies from deps stage
 COPY --from=deps /app/node_modules ./node_modules
@@
-# Switch to non-root user
-USER agent

Based on learnings: "In the serverless/serverless repository, Dockerfiles for AWS Bedrock AgentCore examples are intentionally simple. AgentCore Runtime manages container execution in sandboxed microVMs, which provide isolation. Therefore, non-root user directives are not necessary in these example Dockerfiles and would only complicate the examples without practical security benefit."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile`
around lines 26 - 42, The Dockerfile includes a custom non-root user setup
(groupadd --gid 1001 nodejs, useradd --uid 1001 --gid nodejs ... agent) and a
USER agent switch which add unnecessary noise for these AgentCore examples;
remove the groupadd/useradd block and the final USER agent line so the example
remains minimal and uses the default image user, keeping other parts (COPY
steps, ENV NODE_ENV/PORT, and dependency COPY) unchanged.

---

13-17: Remove non-root user directives to keep the example intentionally simple.

AgentCore Runtime manages container execution in sandboxed microVMs, which provide isolation. The non-root user setup (lines 26–28 and 42) is unnecessary complexity for this example. Simplify by removing the groupadd, useradd, and USER directives:

Suggested simplification

-# Create non-root user for security
-RUN groupadd --gid 1001 nodejs && \
-    useradd --uid 1001 --gid nodejs --shell /bin/bash --create-home agent
-
 # Copy dependencies from deps stage
 COPY --from=deps /app/node_modules ./node_modules
 
@@ -39,8 +36,6 @@ COPY package.json ./
 ENV NODE_ENV=production
 ENV PORT=8080
 
-# Switch to non-root user
-USER agent
-
 # Expose the AgentCore runtime port
 EXPOSE 8080

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile`
around lines 13 - 17, Remove the non-root user setup from the Dockerfile by
deleting the groupadd, useradd, and USER directives (the calls that create
"node" group/user and the subsequent USER instruction) so the image runs as root
for this simplified example; ensure any chown/chmod lines referencing that user
are removed or adjusted and keep the COPY/RUN npm ci steps as-is so files remain
owned by root and the build succeeds under the simplified container user model.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py (1)

14-14: Remove unused codecs import.

The codecs module is imported but never used in this file. The response handling uses decode("utf-8") directly on the bytes object.

🧹 Proposed fix

 import boto3
-import codecs
 import json
 import os

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py`
at line 14, Remove the unused import of the codecs module: delete the line
importing "codecs" at the top of the test-invoke.py file since the file decodes
bytes with .decode("utf-8") directly and no codecs functions are used; ensure no
other references to codecs remain and run tests/lint to confirm.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/agent.py (1)

163-165: Consider using logging.exception for better stack traces.

When catching exceptions, logging.exception automatically includes the traceback, which aids debugging in production.

🧹 Suggested improvement

     except Exception as e:
-        logger.error(f"Error during agent execution: {e}")
+        logger.exception("Error during agent execution")
         return {"error": str(e)}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/agent.py`
around lines 163 - 165, The except block in the agent execution currently logs
errors with logger.error which omits the traceback; update the except in the
agent execution code (the except Exception as e handler in agent.py) to call
logger.exception("Error during agent execution") so the stack trace is included,
and retain the existing return {"error": str(e)}; ensure you don't duplicate the
exception string in the message so logger.exception captures the traceback
cleanly.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js (1)

187-209: Duplicate JSDoc comment block.

Lines 187-189 contain a duplicate/empty JSDoc comment before the actual documentation block at lines 190-195.

🧹 Remove duplicate comment

-/**
- * Build protocol configuration for the runtime
- */
 /**
  * Build protocol configuration for the runtime
  * For Runtime, ProtocolConfiguration is just a string enum: HTTP, MCP, or A2A

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js`
around lines 187 - 209, Remove the redundant/empty JSDoc block that appears
immediately before the real documentation for buildProtocolConfiguration so only
the single proper JSDoc remains; update the file by deleting the duplicate
comment lines (the stray /** ... */ just above the real JSDoc) and ensure the
documented function buildProtocolConfiguration retains the correct JSDoc block
describing parameters and return value.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py (1)

117-123: Heuristic-based validation may produce false positives.

The success indicators check for generic terms like "limit", "github", "api" which could match unrelated content. Consider tightening the validation or accepting that this is a smoke test rather than precise validation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/test-invoke.py`
around lines 117 - 123, The current heuristic in success_indicators (checking
response_text for generic tokens like "limit", "github", "api") is prone to
false positives; update the validation in the test_invoke.py to either narrow
the checks to more specific phrases or regex patterns (e.g., "rate limit
exceeded", "GitHub API", specific numeric patterns like "60 requests/minute" or
HTTP status codes like "429") or explicitly mark this as a smoke test by
replacing the heuristic with a single existence check and a comment stating it’s
non-deterministic; locate and adjust the success_indicators list and any
assertion that consumes it so the test either uses stricter substring/regex
matches against response_text or documents/relaxes the expectation as a
lightweight smoke check.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile (1)

6-22: Consider adding --no-install-recommends to reduce image size.

The explicit dependency list is correct per project conventions for deterministic builds. Adding --no-install-recommends would prevent pulling unnecessary recommended packages, reducing the final image size.

♻️ Proposed fix

-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile`
around lines 6 - 22, The RUN apt-get update && apt-get install -y ... line in
the Dockerfile should include the --no-install-recommends flag to avoid
installing unnecessary recommended packages and reduce image size; update the
RUN instruction that installs libnss3, libnspr4, libatk1.0-0, etc. so apt-get
install uses --no-install-recommends (and keep the existing rm -rf
/var/lib/apt/lists/* cleanup).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile (1)

6-22: Consider adding --no-install-recommends to reduce image size.

Same as the langgraph-browser Dockerfile — adding the flag would reduce image size without affecting functionality.

♻️ Proposed fix

-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile`
around lines 6 - 22, Update the Dockerfile RUN that currently uses "apt-get
update && apt-get install -y \ ..." to include the --no-install-recommends flag
in the apt-get install invocation (i.e., change to apt-get install -y
--no-install-recommends ...) while preserving the existing package list and the
trailing "&& rm -rf /var/lib/apt/lists/*" cleanup; this will reduce image size
without changing functionality.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/index.js (1)

172-187: Prefer async/await in chatbot.
Replace the Promise chain to align with project style.

♻️ Suggested refactor

-  function chatbot(state) {
+  async function chatbot(state) {
     const rawMessages = state.messages || []
@@
-    return llmWithTools.invoke(messages).then((response) => ({
-      messages: [...rawMessages, response],
-    }))
+    const response = await llmWithTools.invoke(messages)
+    return { messages: [...rawMessages, response] }
   }

Per coding guidelines: "Use async/await for asynchronous code"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/index.js`
around lines 172 - 187, The chatbot function currently returns a Promise via
.then; convert it to an async function (async function chatbot(state)) and use
await for llmWithTools.invoke(messages) instead of .then so the code matches
project style. Preserve the existing logic around rawMessages, SystemMessage and
systemMessage (keep nonSystemMessages and messages array), then await const
response = await llmWithTools.invoke(messages) and return { messages:
[...rawMessages, response] } directly from the async function. Ensure any
callers that expect a Promise continue to work since async returns a Promise.

packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js (2)

32-39: Unused agentName parameter in constructor.

The agentName parameter is destructured but never stored or used in the class. Either remove it from the constructor signature or store it if it's needed for future functionality.

♻️ Suggested fix

-  constructor({ projectPath, agentName, agentConfig, region, port }) {
+  constructor({ projectPath, agentConfig, region, port }) {
     this.#projectPath = projectPath

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js`
around lines 32 - 39, The constructor currently accepts an unused agentName;
either remove agentName from the parameter list or persist it—preferred: store
it as a private field by assigning this.#agentName = agentName in the
constructor and add the corresponding private field declaration (e.g.,
`#agentName`) to the class so other methods can reference the agent name
consistently; if you intentionally don't need it, remove agentName from the
destructured parameters in the constructor signature instead.

---

233-245: Global process.env.PATH mutation persists beyond instance lifecycle.

#setupVirtualEnv() modifies process.env.PATH globally (line 242), which persists for the entire Node.js process lifetime. If dev mode stops and restarts, or if multiple agents run sequentially, the PATH will accumulate duplicate venv entries.

Consider building the PATH locally and passing it only to the spawned process environment instead of mutating the global process.env.

♻️ Suggested refactor

-  `#setupVirtualEnv`() {
-    if (!process.env.VIRTUAL_ENV) {
-      return
-    }
-
-    const runtimeDir = os.platform() === 'win32' ? 'Scripts' : 'bin'
-    const venvBinPath = path.join(process.env.VIRTUAL_ENV, runtimeDir)
-
-    // Prepend venv bin to PATH
-    process.env.PATH = [venvBinPath, path.delimiter, process.env.PATH].join('')
-
-    logger.debug(`Using virtual environment: ${process.env.VIRTUAL_ENV}`)
-  }
+  `#getVenvPath`() {
+    if (!process.env.VIRTUAL_ENV) {
+      return process.env.PATH
+    }
+
+    const runtimeDir = os.platform() === 'win32' ? 'Scripts' : 'bin'
+    const venvBinPath = path.join(process.env.VIRTUAL_ENV, runtimeDir)
+
+    logger.debug(`Using virtual environment: ${process.env.VIRTUAL_ENV}`)
+    return `${venvBinPath}${path.delimiter}${process.env.PATH}`
+  }

Then in start(), use it when building pythonEnv:

-    // Setup virtual environment in PATH if available
-    this.#setupVirtualEnv()
     // ...
-    pythonEnv.PATH = process.env.PATH
+    pythonEnv.PATH = this.#getVenvPath()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js`
around lines 233 - 245, `#setupVirtualEnv` currently mutates the global
process.env.PATH causing persistent and duplicate venv entries; change it to
compute and return a local PATH string (or the venvBinPath) instead of writing
to process.env, and update start() to use that returned value when building the
pythonEnv passed to the spawned process (e.g., merge returned venv path with
existing env.PATH only for the child), also guard against adding duplicate
entries (check if venvBinPath is already present) so repeated starts don't
accumulate entries.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile (1)

26-42: Simplify the example Dockerfile by dropping custom user creation.
These examples are intentionally minimal; the extra user/group setup adds noise without practical benefit here. Consider removing the non-root user directives for consistency.

🧹 Proposed simplification

-# Create non-root user for security
-RUN groupadd --gid 1001 nodejs && \
-    useradd --uid 1001 --gid nodejs --shell /bin/bash --create-home agent
-
@@
-# Switch to non-root user
-USER agent

Based on learnings: "In the serverless/serverless repository, Dockerfiles for AWS Bedrock AgentCore examples are intentionally simple. AgentCore Runtime manages container execution in sandboxed microVMs, which provide isolation. Therefore, non-root user directives are not necessary in these example Dockerfiles and would only complicate the examples without practical security benefit."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile`
around lines 26 - 42, Remove the custom non-root user/group creation and
switching from this example Dockerfile to keep it minimal: delete the RUN
groupadd/useradd lines that create gid/uid 1001 and the final USER agent
directive (and any related comments about non-root user), leaving the dependency
copy, app copy, and ENV/PORT setup intact; ensure no other instructions
reference "agent" so the container runs as the default image user.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile (1)

6-22: Consider adding --no-install-recommends for smaller image size.

The static analysis tool flagged the missing --no-install-recommends flag. Adding it would reduce the image size by avoiding unnecessary recommended packages.

💡 Proposed fix

 # Install system dependencies for Playwright
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \
     libnspr4 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile`
around lines 6 - 22, The Dockerfile's RUN apt-get install command installs
packages with recommended extras; update the RUN line in the Dockerfile (the
apt-get update && apt-get install -y ... && rm -rf /var/lib/apt/lists/* block)
to include --no-install-recommends after apt-get install to avoid pulling
recommended packages and reduce image size, e.g., change "apt-get install -y" to
"apt-get install -y --no-install-recommends" while keeping the same package list
and the rm -rf cleanup.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js (1)

52-52: Consider defensive check for tags parameter.

The Object.keys(tags).length > 0 check assumes tags is always an object. If the caller passes undefined or null, this would throw. While validation is centralized upstream per project patterns, a default parameter or defensive check could add resilience.

💡 Option: Use default parameter

 export function compileRuntimeEndpoint(
   agentName,
   endpointName,
   config,
   runtimeLogicalId,
   context,
-  tags,
+  tags = {},
 ) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtimeEndpoint.js`
at line 52, The spread expression that builds the Tags property uses
Object.keys(tags).length which will throw if tags is null/undefined; update the
code to defensively handle tags—either add a default parameter (e.g., tags = {})
where the function that builds the runtime endpoint is declared, or change the
spread condition to check tags exists first (e.g., tags &&
Object.keys(tags).length > 0) before spreading { Tags: tags } so undefined/null
tags are safe; ensure you update the same expression that currently reads like
...(Object.keys(tags).length > 0 && { Tags: tags }).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package.json (1)

18-20: Consider using Node.js LTS version.

Same as noted in the multi-gateway example: Node 24.x is a non-LTS release. Consider 22.x or >=20 for broader compatibility unless a specific Node 24 feature is required.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package.json`
around lines 18 - 20, Update the package.json "engines" entry to target a Node
LTS range instead of "24.x"; modify the "engines" -> "node" value (currently
"24.x") to a broader LTS-compatible spec such as "22.x" or ">=20" to improve
compatibility across environments while retaining the engines field in the same
location.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser/index.js (1)

229-237: Consider guarding against empty messages array.

If agent.invoke returns an empty messages array, accessing result.messages[result.messages.length - 1] would yield undefined, causing subsequent .content access to throw. While unlikely in normal LangGraph operation, adding a guard improves robustness.

🛡️ Optional defensive check

         const result = await agent.invoke({
           messages: [{ role: 'user', content: request.prompt }],
         })

-        const finalMessage = result.messages[result.messages.length - 1]
-        const response = finalMessage.content
+        const finalMessage = result.messages?.[result.messages.length - 1]
+        const response = finalMessage?.content || 'No response generated'
         console.log(`Response: ${String(response).substring(0, 200)}...`)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser/index.js`
around lines 229 - 237, The code assumes result.messages has at least one
element; update the agent.invoke handling to guard against an empty messages
array by checking result.messages && result.messages.length > 0 before computing
finalMessage = result.messages[result.messages.length - 1]; if empty, return or
throw a clear error (or log and return a safe default) instead of dereferencing
undefined, and ensure downstream uses of finalMessage.content (variable
response) only occur after this check.

docs/sf/providers/aws/guide/agents/README.md (1)

159-168: Consider using a specific Node.js LTS version in Dockerfile example.

The Dockerfile example uses node:20-slim which is good (Node 20 is LTS). This is consistent with the recommendation but note it differs from the 24.x engine constraint in the example package.json files. Consider aligning these for consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sf/providers/aws/guide/agents/README.md` around lines 159 - 168, The
Dockerfile example uses FROM node:20-slim while the example package.json
specifies an engine constraint of 24.x; update one to match the other for
consistency — either change the Dockerfile base image to FROM node:24-slim to
match package.json's "engines": { "node": ">=24.x" } or relax/change the
package.json engine field to ">=20.x" to match the Dockerfile; pick the
preferred LTS and make the same version string in both the Dockerfile and the
package.json engine entries so they stay consistent.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/index.js (1)

173-187: Convert chatbot function to async/await.

The function uses .then() chaining, which violates the repo guideline requiring async/await for asynchronous code in JavaScript files.

♻️ Suggested refactor

-  function chatbot(state) {
+  async function chatbot(state) {
     const rawMessages = state.messages || []
 
     // Remove existing system messages to avoid duplicates
     const nonSystemMessages = rawMessages.filter(
       (msg) => !(msg instanceof SystemMessage),
     )
 
     // Ensure SystemMessage is first
     const messages = [new SystemMessage(systemMessage), ...nonSystemMessages]
 
     // Get response from model with tools bound
-    return llmWithTools.invoke(messages).then((response) => ({
-      messages: [...rawMessages, response],
-    }))
+    const response = await llmWithTools.invoke(messages)
+    return { messages: [...rawMessages, response] }
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-memory/index.js`
around lines 173 - 187, Convert the chatbot function to use async/await: mark
the chatbot function async, keep the SystemMessage filtering and prep (variables
rawMessages, nonSystemMessages, messages) unchanged, then await
llmWithTools.invoke(messages) instead of using .then() and return the same
object shape ({ messages: [...rawMessages, response] }) after awaiting; ensure
any thrown errors propagate normally (no .then usage remains in chatbot).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py (1)

14-14: Remove unused import.

The codecs module is imported but never used in this file.

📝 Proposed fix

 import boto3
-import codecs
 import json
 import os
 import uuid

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/test-invoke.py`
at line 14, Remove the unused import of the codecs module from the top of the
test-invoke.py file; specifically delete the line "import codecs" so the file no
longer contains an unused import and linter warnings disappear.

packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js (2)

180-182: Redundant fs/promises import.

fs/promises is already imported at line 165 within the same function scope. Remove the duplicate import.

♻️ Suggested fix

       // VALIDATION: Buildpacks for Node.js require a lockfile
       // If package.json exists but no lockfile, dependencies won't be installed
       try {
-        const fs = await import('fs/promises')
         const packageJsonPath = path.resolve(contextPath, 'package.json')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js`
around lines 180 - 182, In the try block of builder.js remove the redundant
dynamic import of 'fs/promises' (the const fs = await import('fs/promises')
line) since fs/promises is already imported earlier in the same function scope;
keep the existing fs/promises binding and just use it when resolving
packageJsonPath and subsequent operations (look for uses around packageJsonPath
and in the surrounding try block to ensure no duplicate import remains).

---

210-218: ServerlessError thrown at line 204 won't be re-thrown due to incorrect condition.

The condition at line 214-215 checks error.code !== 'ENOENT' OR error.message.includes('Missing lockfile'). However, ServerlessError thrown at line 204 has code === 'MISSING_LOCKFILE' (not 'ENOENT'), so the first condition error.code !== 'ENOENT' will be true, and the error will be re-thrown correctly. But the logic is confusing and the second condition is redundant.

The intent seems to be: re-throw if it's NOT a missing package.json case (ENOENT) OR if it's our validation error. The current logic works but is unnecessarily complex.

♻️ Suggested simplification

       } catch (error) {
-        // Ignore if package.json missing (not a Node.js project)
-        // Re-throw if it's our validation error
-        if (
-          error.code !== 'ENOENT' ||
-          error.message.includes('Missing lockfile')
-        ) {
+        // Re-throw all errors except missing package.json (not a Node.js project)
+        if (error.code !== 'ENOENT') {
           throw error
         }
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js`
around lines 210 - 218, The catch condition is confusing and relies on checking
error.message; replace it with an explicit check that ignores only the missing
package.json case (error.code === 'ENOENT') and re-throws all other errors
(including the ServerlessError with code 'MISSING_LOCKFILE'), e.g., change the
current if (error.code !== 'ENOENT' || error.message.includes('Missing
lockfile')) { throw error } logic to a straightforward branch that
returns/ignores when error.code === 'ENOENT' and otherwise throws the error,
using the existing error.code values rather than matching on error.message.

packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/credentials.js (1)

27-30: getRoleNameFromArn may return unexpected results for path-based role ARNs.

Role ARNs can include paths like arn:aws:iam::123456789012:role/path/to/my-role. The current implementation returns my-role (correct), but the function name suggests it extracts the role name, not the full path. This behavior is correct for the use case (getting role name for API calls), but consider documenting this behavior.

📝 Documentation improvement

 /**
  * Extract role name from a role ARN
+ * Note: For path-based role ARNs (e.g., arn:aws:iam::123:role/path/to/my-role),
+ * this returns just the role name (my-role), not the full path.
  *
  * `@param` {string} roleArn - Full IAM role ARN
  * `@returns` {string} Role name

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/credentials.js`
around lines 27 - 30, The function getRoleNameFromArn currently returns only the
final path segment (basename) for ARNs like
arn:aws:iam::123:role/path/to/my-role; add a brief JSDoc comment above
getRoleNameFromArn clarifying that it extracts and returns the role name (final
segment) not the full path, mention that this is intentional for API calls
expecting the role name, and optionally note expected input format and examples
so callers aren't surprised by path-based ARNs.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/gateway.js (2)

1-1: Remove 'use strict' directive in ES module.

ES modules are strict by default, making this directive redundant.

Suggested fix

-'use strict'
-
 /**

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/gateway.js`
at line 1, Remove the redundant "'use strict'" directive at the top of the ES
module (gateway.js); ES modules are strict by default so simply delete the "'use
strict'" string literal from the file (no other changes required).

---

184-186: Redundant optional chaining.

The conditional config.exceptionLevel && already ensures the value is truthy before accessing it, so ?. is unnecessary.

Suggested fix

       ...(config.exceptionLevel && {
-        ExceptionLevel: config.exceptionLevel?.toUpperCase(),
+        ExceptionLevel: config.exceptionLevel.toUpperCase(),
       }),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/gateway.js`
around lines 184 - 186, The conditional spread uses redundant optional chaining
on config.exceptionLevel; update the spread so it still guards with the existing
truthy check but calls toUpperCase() directly (e.g., keep the guard
"...(config.exceptionLevel && { ExceptionLevel:
config.exceptionLevel.toUpperCase(), })") to remove the unnecessary "?.",
referring to the same config.exceptionLevel and ExceptionLevel symbols in the
gateway.js diff.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile (1)

6-22: Consider adding --no-install-recommends to reduce image size.

Adding this flag prevents installation of recommended but non-essential packages, resulting in a smaller image.

Suggested fix

 # Install system dependencies for Playwright
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \
     libnspr4 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile`
around lines 6 - 22, The RUN apt-get command in the Dockerfile installs packages
without using --no-install-recommends, inflating the image; modify the RUN line
that invokes apt-get update && apt-get install -y to include
--no-install-recommends (i.e., apt-get install -y --no-install-recommends) while
keeping the existing package list and the trailing && rm -rf
/var/lib/apt/lists/* to ensure reduced image size and cleaned apt caches; no
other changes to package names are required.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js (2)

1-1: 'use strict' is unnecessary with ES modules.

ES modules are always in strict mode by default. This directive can be removed.

♻️ Suggested fix

-'use strict'
-
 /**
  * AWS::BedrockAgentCore::Memory CloudFormation Schema

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js` at
line 1, Remove the redundant "'use strict'" directive at the top of the module
(packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js)
because ES modules are strict by default; simply delete that line so the module
remains valid ES module code without the unnecessary directive.

---

51-51: Unused parameter parentRuntimeName.

The parentRuntimeName parameter is declared but not used in the function body. If this is reserved for future use or API consistency with other compilers, consider adding a comment. Otherwise, it can be removed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js` at
line 51, The function export compileMemory(name, config, context, tags,
parentRuntimeName) declares parentRuntimeName but never uses it; either remove
the parameter from the signature to eliminate the unused variable, or keep it
and add a concise explanatory comment above the function (e.g.,
"parentRuntimeName reserved for API consistency/future use") and mark it
intentionally unused (or prefix with _parentRuntimeName) to satisfy linters;
update any callers if you remove the parameter and ensure compileMemory's
exported signature remains consistent with other compiler functions if that
consistency is required.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/index.js (1)

129-141: Set Content-Type header for JSON response consistency.

The GET handler returns a JSON body but doesn't set the Content-Type header, unlike the POST error handler which uses res.json().

♻️ Suggested fix

 // GET /mcp — method not allowed per MCP spec
 app.get('/mcp', (_req, res) => {
-  res.writeHead(405).end(
-    JSON.stringify({
-      jsonrpc: '2.0',
-      error: {
-        code: -32000,
-        message: 'Method not allowed.',
-      },
-      id: null,
-    }),
-  )
+  res.status(405).json({
+    jsonrpc: '2.0',
+    error: {
+      code: -32000,
+      message: 'Method not allowed.',
+    },
+    id: null,
+  })
 })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/mcp-server/index.js`
around lines 129 - 141, The GET handler for '/mcp' sends a JSON body but doesn't
set Content-Type; update the app.get('/mcp', ...) response to include the JSON
content-type header (e.g., use res.writeHead(405, { 'Content-Type':
'application/json' }) before .end(...) or replace with
res.status(405).json(...)) so the response matches the POST handler's JSON
response behavior.

packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/coordinator.js (1)

99-105: Unreachable code: imageConfig is always an object here.

The check typeof imageConfig === 'string' at line 101 can never be true. Looking at how runtimesToBuild is populated (lines 52-56 and 65-69), imageConfig is always assigned as an object (artifactImage which is already confirmed to be an object at line 50, or { path: '.' } at line 68).

This dead code can be safely removed to improve clarity.

♻️ Suggested cleanup

   // Build images for runtimes with docker config (LOCAL BUILD ONLY)
   for (const { name, imageConfig } of runtimesToBuild) {
-    // Handle string reference to provider.ecr.images
-    if (typeof imageConfig === 'string') {
-      if (builtImages[imageConfig]) {
-        continue // Already built above
-      }
-    }
-
     // Build the image - imageConfig should have path, repository, or file
     const dockerConfig =
       typeof imageConfig === 'string' ? { name: imageConfig } : imageConfig

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/coordinator.js`
around lines 99 - 105, Remove the dead branch that checks typeof imageConfig ===
'string' inside the loop over runtimesToBuild; imageConfig is always an object
when populated, so delete the whole conditional and simply use
builtImages[imageConfig] logic based on object identity or a proper key (refer
to runtimesToBuild, imageConfig, and builtImages) — if you intended to detect
previously built images, replace the string check with a lookup using the actual
identifier used when populating runtimesToBuild (e.g., the image reference key)
or adjust builtImages to use object-derived keys before the continue.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile (1)

6-22: Add --no-install-recommends to keep the image lean.

This keeps the image smaller and aligns with the static analysis rule without changing behavior.

♻️ Proposed change

-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \
     libnspr4 \
     libatk1.0-0 \
     libatk-bridge2.0-0 \
     libcups2 \
     libdrm2 \
     libxkbcommon0 \
     libxcomposite1 \
     libxdamage1 \
     libxfixes3 \
     libxrandr2 \
     libgbm1 \
     libasound2 \
     libpango-1.0-0 \
     libcairo2 \
     && rm -rf /var/lib/apt/lists/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser/Dockerfile`
around lines 6 - 22, Update the apt package install command in the Dockerfile
RUN step to avoid installing recommended packages: change the apt-get install
invocation in the RUN that includes libnss3, libnspr4, etc. to use apt-get
install -y --no-install-recommends (keeping the apt-get update and the final rm
-rf /var/lib/apt/lists/* as-is) so the image stays lean without changing the
listed packages.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package.json (1)

1-7: Mark this example package as private to prevent accidental publish.

For example packages, adding "private": true avoids accidental npm publication without affecting usage.

♻️ Suggested change

 {
   "name": "langgraph-browser-custom",
   "version": "1.0.0",
+  "private": true,
   "description": "LangGraph JS agent with custom AgentCore Browser and session recording",
   "type": "module",
   "main": "index.js",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-browser-custom/package.json`
around lines 1 - 7, Add the "private": true property to the example package.json
for the "langgraph-browser-custom" package to prevent accidental npm
publication; open the package.json (the object containing "name":
"langgraph-browser-custom", "version", "description", etc.) and insert the
top-level "private": true field alongside "type" and "main".

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/test-invoke.js (1)

48-56: Unused chunks array in streaming branch.

The chunks array collects streamed data but is never used. If it's not needed for this example, consider removing it to simplify the code.

♻️ Suggested simplification

   if (contentType.includes('text/event-stream')) {
-    const chunks = []
     for await (const chunk of body) {
       const text =
         typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk)
       process.stdout.write(text)
-      chunks.push(text)
     }
     console.log('\n')
   } else if (body && typeof body[Symbol.asyncIterator] === 'function') {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/test-invoke.js`
around lines 48 - 56, The streaming branch collects chunks into an unused array
named "chunks" when contentType.includes('text/event-stream'); remove the
"chunks" array and any pushes to it inside the for-await loop (the loop over
"body" that decodes with new TextDecoder() and calls process.stdout.write(text))
to simplify the example, leaving only the streaming decoding and output logic.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile (1)

6-22: Consider --no-install-recommends to slim the image.

This keeps the example small while preserving explicit dependency control.

Proposed tweak

-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \
     libnspr4 \
     libatk1.0-0 \
     libatk-bridge2.0-0 \
     libcups2 \
     libdrm2 \
     libxkbcommon0 \
     libxcomposite1 \
     libxdamage1 \
     libxfixes3 \
     libxrandr2 \
     libgbm1 \
     libasound2 \
     libpango-1.0-0 \
     libcairo2 \
     && rm -rf /var/lib/apt/lists/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile`
around lines 6 - 22, Update the Dockerfile RUN that installs system packages to
add the apt flag --no-install-recommends so only explicit packages are
installed: modify the existing RUN line that starts with "apt-get update &&
apt-get install -y \ libnss3 ..." to use "apt-get install -y
--no-install-recommends \", keep the same package list and the trailing "&& rm
-rf /var/lib/apt/lists/*" cleanup. This ensures the install step uses the
explicit package set without pulling recommended extras.

packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js (1)

32-39: Unused constructor parameter agentName.

The agentName parameter is accepted in the constructor but never stored or used. Either remove it from the signature or store it if needed for future use (e.g., logging).

-  constructor({ projectPath, agentName, agentConfig, region, port }) {
+  constructor({ projectPath, agentConfig, region, port }) {
     this.#projectPath = projectPath
     this.#agentConfig = agentConfig

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/dev/code-mode.js`
around lines 32 - 39, The constructor currently accepts an unused agentName
parameter; either remove agentName from the constructor signature or persist it
for later use by assigning it to a private field (e.g., this.#agentName) and
update any related uses (logging or telemetry) to reference that field; locate
the constructor definition and choose one of these two fixes (remove agentName
from the parameter list in the constructor or add this.#agentName = agentName
alongside this.#projectPath / this.#agentConfig assignments) and update any
callers or docs accordingly.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js (1)

187-195: Remove duplicate JSDoc comment block.

Lines 187-189 contain an empty JSDoc, followed by the actual documentation at 190-195.

-/**
- * Build protocol configuration for the runtime
- */
 /**
  * Build protocol configuration for the runtime
  * For Runtime, ProtocolConfiguration is just a string enum: HTTP, MCP, or A2A

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/runtime.js`
around lines 187 - 195, Remove the redundant empty JSDoc block that precedes the
actual documentation for the "Build protocol configuration for the runtime"
comment; keep the full JSDoc that documents the protocol parameter and return
value (the block that explains the string enum HTTP/MCP/A2A and the
param/returns) and delete the earlier empty /** ... */ so there's only a single
JSDoc for this runtime protocol configuration logic.

packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js (1)

180-182: Minor: Redundant dynamic import of fs/promises.

fs/promises was already imported at line 165. Consider reusing the imported module instead of re-importing.

-      try {
-        const fs = await import('fs/promises')
+      try {
         const packageJsonPath = path.resolve(contextPath, 'package.json')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js`
around lines 180 - 182, The dynamic import of 'fs/promises' inside the try block
is redundant; reuse the module already imported earlier (the existing
fs/promises import symbol) instead of re-importing it. Remove the await
import('fs/promises') from the try block and reference the previously-imported
variable when resolving packageJsonPath and reading package.json (look for the
earlier fs/promises import and the variables packageJsonPath and contextPath in
this file to replace the dynamic import use). Ensure no new variable name
conflict is introduced when swapping to the existing fs/promises symbol.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/package.json (1)

1-18: Mark this example package as private to avoid accidental publish.

Since this lives under examples, consider adding "private": true so it can’t be published to npm by mistake.

Suggested change

 {
   "name": "strands-browser",
+  "private": true,
   "version": "1.0.0",
   "description": "Strands Agents SDK with AgentCore Browser for web automation",
   "type": "module",
   "main": "index.js",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/package.json`
around lines 1 - 18, Add the npm "private": true field to the example
package.json for the "strands-browser" package to prevent accidental publishes;
locate the package.json JSON object containing "name": "strands-browser" and add
the "private": true property at the top-level of that JSON object (alongside
"name", "version", "description", etc.).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/test-invoke.js (1)

48-55: Unused chunks array in event-stream branch.

The chunks array is populated on line 54 but never used after the loop—the streaming content is already written to stdout on line 53. This dead variable could confuse readers of this example.

Suggested fix

   if (contentType.includes('text/event-stream')) {
-    const chunks = []
     for await (const chunk of body) {
       const text =
         typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk)
       process.stdout.write(text)
-      chunks.push(text)
     }
     console.log('\n')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/strands-browser/test-invoke.js`
around lines 48 - 55, The example creates a dead variable `chunks` in the SSE
branch — remove the unused `chunks` array and the `chunks.push(text)` call
inside the `for await (const chunk of body)` loop (the branch where
`contentType.includes('text/event-stream')` and `process.stdout.write(text)`
already handles streaming) so the loop only decodes and writes text; ensure no
other code references `chunks`.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile (2)

26-42: Consider removing the non-root user setup to keep the example minimal.
Given the examples aim for clarity and simplicity, the user/group creation and USER switch add complexity without practical benefit in this context.

♻️ Simplify the Dockerfile (example-friendly)

-# Create non-root user for security
-RUN groupadd --gid 1001 nodejs && \
-    useradd --uid 1001 --gid nodejs --shell /bin/bash --create-home agent
-
 ...
-# Switch to non-root user
-USER agent

Based on learnings: “In the serverless/serverless repository, Dockerfiles for AWS Bedrock AgentCore examples are intentionally simple. AgentCore Runtime manages container execution in sandboxed microVMs, which provide isolation. Therefore, non-root user directives are not necessary in these example Dockerfiles and would only complicate the examples without practical security benefit.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile`
around lines 26 - 42, Remove the explicit non-root user setup to simplify the
example Dockerfile: delete the groupadd and useradd commands that create
"nodejs" and "agent" and remove the "USER agent" directive so the image runs as
the default user; keep the dependency COPYs, application COPYs (agent.js and
package.json), and ENV lines (NODE_ENV and PORT) unchanged to preserve
functionality while making the example minimal.

---

13-17: Simplify Dockerfile by removing non-root user setup.
The example Dockerfile includes non-root user directives (lines 26–28, 42), but per the intended pattern for AgentCore Runtime examples, these are unnecessary. AgentCore manages container execution in sandboxed microVMs with built-in isolation, so omitting the user setup keeps the example simpler and more focused.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/Dockerfile`
around lines 13 - 17, Remove the non-root user setup from the example Dockerfile
by deleting the commands that create/modify a user/group and switch to it (e.g.,
any RUN groupadd/useradd/chown lines and the USER directive); keep the existing
COPY package*.json ./ and RUN npm ci --omit=dev steps and any subsequent
build/runtime commands, so the image runs as the default root user as intended
for AgentCore Runtime examples.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/test-invoke.js (1)

78-81: Use for await...of loop to fully consume the stream instead of single read() call.

A single await body.read() call returns only currently buffered data or null; it doesn't guarantee the complete payload is read. This branch (lines 78-85) should follow the same pattern already used in lines 65-77 for proper stream consumption.

♻️ Suggested fix

  } else if (body && typeof body.read === 'function') {
-   const data = await body.read()
-   const text = new TextDecoder().decode(data)
+   const chunks = []
+   for await (const chunk of body) {
+     chunks.push(
+       typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk),
+     )
+   }
+   const text = chunks.join('')
    try {
      console.log(JSON.stringify(JSON.parse(text), null, 2))
    } catch {
      console.log(text)
    }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-basic-dockerfile/test-invoke.js`
around lines 78 - 81, The branch that handles readable streams currently calls
await body.read() once (using body.read and TextDecoder) which can return
partial data; replace this with a for await...of loop over body to fully consume
the stream (same pattern as the earlier branch), accumulate chunks, decode them
with TextDecoder, and then parse/assign to text as before so the complete
payload is read.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/index.js (1)

154-167: Consider removing unused metadata variable.

The metadata variable from the stream destructuring is declared but never used. While this doesn't affect functionality, removing it would slightly clean up the code.

♻️ Optional refactor

-      for await (const [message, metadata] of stream) {
+      for await (const [message] of stream) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/javascript/langgraph-streaming/index.js`
around lines 154 - 167, The for-await loop destructures each item as [message,
metadata] but never uses metadata; update the loop to only destructure the used
value by changing the iteration to extract just message (e.g., for await (const
[message] of stream) or restructure to for await (const message of stream)
depending on stream item shape) in the block that contains message._getType()
and yield message.content so the unused metadata variable is removed; edit the
loop around the stream iteration in this file (references: stream, message,
metadata, message._getType).

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile (1)

6-22: Consider adding --no-install-recommends to reduce image size.

Adding this flag prevents installation of suggested packages, resulting in a smaller final image.

Suggested fix

 # Install system dependencies for Playwright
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     libnss3 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-browser-custom/Dockerfile`
around lines 6 - 22, The Dockerfile RUN command installs many packages without
suppressing recommended packages; update the RUN in the Dockerfile (the apt-get
update && apt-get install -y ... line) to include --no-install-recommends after
install -y so apt-get install uses minimal dependencies, keeping the final rm
-rf /var/lib/apt/lists/* cleanup unchanged to reduce image size.

packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js (1)

142-236: Avoid mutating caller-provided buildOptions when appending cache-from.
Repeated builds with the same config can accumulate duplicate --cache-from entries.

♻️ Suggested tweak

-    const buildOptions = dockerConfig.buildOptions || []
+    const buildOptions = [...(dockerConfig.buildOptions || [])]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/docker/builder.js`
around lines 142 - 236, The buildImage function mutates the caller-provided
dockerConfig.buildOptions when appending cache-from entries, causing duplicate
flags across repeated builds; fix by making a local copy (e.g., const
buildOptions = [...(dockerConfig.buildOptions || [])] or similar) instead of
reusing dockerConfig.buildOptions, then append the --cache-from entries to that
local array and pass the local array to this.dockerClient.buildImage; update
references to buildOptions in buildImage so the original
dockerConfig.buildOptions is never modified.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js (2)

51-51: Unused parameter parentRuntimeName.

The parentRuntimeName parameter is declared but never used in the function body. If this is reserved for future use, consider documenting that intent; otherwise, it could be removed to avoid confusion.

♻️ Suggested fix if parameter is not needed

-export function compileMemory(name, config, context, tags, parentRuntimeName) {
+export function compileMemory(name, config, context, tags) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js` at
line 51, The function compileMemory declares an unused parameter
parentRuntimeName; remove parentRuntimeName from the function signature (export
function compileMemory(name, config, context, tags)) and update any callers to
stop passing that argument, or if it must be reserved for future use, add a
short comment above compileMemory documenting that parentRuntimeName is
intentionally unused (e.g., "reserved for future use") and prefix it with an
underscore (parentRuntimeName -> _parentRuntimeName) to indicate intentional
unused status; ensure references to the symbol in this file are updated
accordingly.

---

1-1: Redundant 'use strict' in ES module.

ES modules are automatically in strict mode, so this directive is unnecessary. This is a minor nit and can be addressed if desired.

♻️ Suggested removal

-'use strict'
-
 /**
  * AWS::BedrockAgentCore::Memory CloudFormation Schema

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilers/memory.js` at
line 1, Remove the redundant "use strict" directive at the top of the ES module
(the top-level 'use strict' string literal) since ES modules are strict by
default; simply delete that literal from the module (memory.js) to clean up the
file without changing any runtime behavior.

packages/serverless/lib/plugins/aws/bedrock-agentcore/compilation/orchestrator.js (1)

669-678: Potential duplicate entries in DependsOn array.

If runtimeResource.DependsOn already exists and contains memoryLogicalId, the push will create a duplicate. While CloudFormation handles this gracefully, it's cleaner to avoid it.

🧹 Optional cleanup

   if (memoryLogicalId) {
     runtimeResource.DependsOn = runtimeResource.DependsOn || []
-    runtimeResource.DependsOn.push(memoryLogicalId)
+    if (!runtimeResource.DependsOn.includes(memoryLogicalId)) {
+      runtimeResource.DependsOn.push(memoryLogicalId)
+    }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/compilation/orchestrator.js`
around lines 669 - 678, runtimeResource.DependsOn may receive duplicate
memoryLogicalId entries; update the block that initializes
runtimeResource.DependsOn and pushes memoryLogicalId (referencing
memoryLogicalId and runtimeResource.DependsOn) to ensure you only add
memoryLogicalId if it isn't already present — e.g., initialize DependsOn to an
array if falsy and conditionally push only when runtimeResource.DependsOn does
not already include memoryLogicalId; leave the template.Outputs creation
unchanged.

packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/agent.py (1)

163-165: Use logging.exception to preserve traceback.

Replace logger.error() with logger.exception() to automatically include the stack trace, which aids debugging.

🔧 Proposed fix

     except Exception as e:
-        logger.error(f"Error during agent execution: {e}")
+        logger.exception("Error during agent execution")
         return {"error": str(e)}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/bedrock-agentcore/examples/python/langgraph-code-interpreter-custom/agent.py`
around lines 163 - 165, The except block in the agent execution path currently
calls logger.error with the exception message, losing the traceback; in the
except Exception as e handler inside the function where agent execution occurs
(the block shown in agent.py), replace logger.error(f"Error during agent
execution: {e}") with logger.exception(...) so the stack trace is preserved in
logs while keeping the existing return {"error": str(e)} behavior.