Skip to content

fix(payment-manager): warn when auto-payment is enabled by default#1556

Merged
aidandaly24 merged 6 commits into
mainfrom
fix/payments-security
Jun 29, 2026
Merged

fix(payment-manager): warn when auto-payment is enabled by default#1556
aidandaly24 merged 6 commits into
mainfrom
fix/payments-security

Conversation

@aidandaly24

@aidandaly24 aidandaly24 commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Description

Surfaces a prominent warning when a payment manager is configured with auto-payment enabled (the default), so the behavior is never enabled silently.

What auto-payment does: the AgentCore payments plugin registers an after_tool_call hook on the agent. When auto_payment is enabled and a tool returns a 402 Payment Required, the plugin signs and submits an x402 payment and retries the tool call automatically, with no agent/human decision in between. When disabled, the plugin skips this and the 402 propagates back to the agent as a normal tool result. (Settlement still requires a funded instrument + session in the invocation context, so this is the "settle without asking" switch rather than a standalone money-mover.)

What this PR adds (warnings only — no behavior change):

  • Add-time warningagentcore add payment-manager (when auto-payment is on, i.e. the default) prints a stderr warning naming the per-session spend limit and the --auto-payment false opt-out. The warning is returned from add() as a result field and rendered by each caller (CLI prints to stderr, TUI shows it as a confirm-screen warning field) so it never corrupts the Ink render or the --json output.
  • Deploy-time warningagentcore deploy adds a per-manager entry to postDeployWarnings for any manager with auto-payment active.

The default is intentionally left enabled (transparent 402 settlement is the core of the feature); this PR makes the posture visible rather than changing it.

Note / open question for the Payments team: the underlying AppSec finding frames default-on auto-payment as an unattended-spend risk, but auto-payment only results in real settlement when a funded instrument and session are already in the invocation context. The practical severity in the CLI's own invoke path (where the caller passes --payment-instrument-id / --payment-session-id explicitly) is debatable. This PR takes the conservative "make it visible" route pending that discussion; flipping the default is a separate decision.

Scope: this branch was reduced to the auto-payment warning only. The error-body redaction work (a separate finding) and the --credentials-file secret-intake work have been removed from this PR and will be handled separately.

Related Issue

Internal AppSec finding (auto-payment enabled by default). Not a GitHub issue.

Closes #

Documentation PR

N/A — no doc changes in this PR.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Notes:

  • typecheck 0 errors; PaymentManagerPrimitive unit tests pass (including the add-time-warning-emitted and suppressed-on---auto-payment false cases). No src/assets/ changes.
  • The warning is emitted via the AddResult (autoPaymentWarning) and rendered by the caller, so it stays out of --json stdout and does not write to stderr during an Ink TUI render.

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aidandaly24 aidandaly24 requested a review from a team June 17, 2026 19:09
@github-actions github-actions Bot added the size/l PR size: L label Jun 17, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 17, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 17, 2026
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.21.1.tgz

How to install

gh release download pr-1556-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.21.1.tgz

@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 17, 2026

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test

@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.61% 13850 / 36816
🔵 Statements 36.88% 14727 / 39927
🔵 Functions 32.16% 2368 / 7363
🔵 Branches 31.57% 9218 / 29193
Generated in workflow #3882 for commit 67b4779 by the Vitest Coverage Report Action

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test2

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test3

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for hardening the payment flows — the allowlist-based error builder and the credentials-file pattern both look like solid improvements over what was there. Two issues that I think need to be addressed before this can merge:

  1. The new add-time auto-payment warning is written from PaymentManagerPrimitive.add(), which is also called from the Ink TUI flow. Writing ANSI text directly to process.stderr while Ink is mid-render will corrupt the rendered frame.
  2. readCredentialsFile reads stdin via '/dev/stdin', which doesn't exist on Windows, so --credentials-file - will silently break for Windows users of the new secure-stdin path.

Details inline. Also one optional follow-up suggestion on the error builder.

(Please disregard the three earlier test / test2 / test3 review entries on this PR — those were artifacts from validating which inline-line numbers GitHub would accept; I wasn't able to delete the parent review records, only the inline comments under them.)

Comment thread src/cli/primitives/PaymentManagerPrimitive.ts Outdated
Comment thread src/cli/primitives/credential-file.ts Outdated
Comment thread src/cli/aws/agentcore-payments.ts Outdated
@github-actions github-actions Bot added size/l PR size: L and removed agentcore-harness-reviewing AgentCore Harness review in progress size/l PR size: L labels Jun 17, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 17, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 17, 2026
…abled

Auto-payment is enabled by default so an agent can transparently settle
402 Payment Required responses, but that means it can move money with no
human in the loop. The add flow now emits a prominent stderr warning
naming the per-session spend limit and the --auto-payment false opt-out,
so the unattended-spend posture is never enabled silently.
… enabled

Adds a per-manager post-deploy warning naming the per-session spend limit
whenever auto-payment is active, so the unattended-spend posture is
surfaced at deploy time as well as at add time. Set --auto-payment false
on the manager to require manual approval.
…to stderr

add() is shared by the CLI and the Ink TUI flow (useCreatePayment), so
writing the auto-payment warning to process.stderr corrupted the TUI's
rendered frame. Return the warning text on the AddResult instead and let
each caller render it through its own channel: the CLI action prints it to
stderr, and the TUI confirm screen surfaces it as a warning field.
@aidandaly24 aidandaly24 force-pushed the fix/payments-security branch from fc627a4 to 1c3e6b8 Compare June 24, 2026 18:58
@github-actions github-actions Bot removed the size/l PR size: L label Jun 24, 2026
@github-actions github-actions Bot added the size/s PR size: S label Jun 24, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 24, 2026
@aidandaly24 aidandaly24 changed the title fix(payments): harden secret handling and auto-payment defaults fix(payment-manager): warn when auto-payment is enabled by default Jun 24, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 24, 2026
…nd deploy exit code

Two bug-bash findings on the auto-payment warning:
- The warning was serialized into `add payment-manager --json` stdout via the
  autoPaymentWarning result field. Strip it on the --json branch so stdout stays
  a clean machine-readable result; the notice still renders on the human path.
- The deploy-time auto-payment notice was pushed into postDeployWarnings, which
  the deploy command maps to `process.exit(2)` — so every successful payment
  deploy exited non-zero (a CI failure signal). Route it through the `notes`
  channel (exit 0) instead, which is the correct place for informational notices.
@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels Jun 26, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 26, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 26, 2026
nborges-aws
nborges-aws previously approved these changes Jun 26, 2026
Comment thread src/cli/tui/screens/payment/AddPaymentFlow.tsx Outdated
…isplay

The confirm-screen 'Default Spend Limit' field and the auto-payment warning
both interpolate flow.managerConfig.defaultSpendLimit directly. The field is
typed string and defaulted to '10.00', so '$undefined/session' is not
reachable today — but every other touch point of this field (the wizard
setter, the manager-screen editor) already coerces to the default, leaving
these two display sites as the only undefended ones. Fall back to the shared
DEFAULT_SPEND_LIMIT constant at both interpolations so the rendered warning
stays correct if a future refactor ever loosens the type.
Resolves the e2e PR-check cancellation: the change-detector in
e2e-tests.yml diffs against the main tip, and main's drift (incl. changes to
e2e-tests/harness-e2e-helper.ts) was tripping the run-the-entire-suite path,
which overran the 30-min PR-check budget. Up to date with main, the diff
reflects only this branch's changes (which touch no e2e files), so the check
runs just the default e2e set.
@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels Jun 29, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 29, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 29, 2026
@aidandaly24 aidandaly24 dismissed agentcore-cli-automation’s stale review June 29, 2026 14:11

Dismissing: this CHANGES_REQUESTED was submitted against commit 595c0c1 (the original broad version of this PR). The PR has since been reduced to the auto-payment warning only — all three flagged code paths (credential-file.ts stdin, agentcore-payments.ts error redaction, PaymentManagerPrimitive stderr) have either been removed from the diff or addressed (the stderr write was replaced by the returned-warning pattern the review recommended). All review threads are resolved with explanations.

@aidandaly24 aidandaly24 merged commit 60891b7 into main Jun 29, 2026
36 checks passed
@aidandaly24 aidandaly24 deleted the fix/payments-security branch June 29, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/s PR size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants