Autri Beta — Requirements
Drafted 2026-05-19 via /hl:red-team (validation mode on the 5 epic drafts) + /hl:blue-team (scope cuts). Contract for the 2-week beta sprint. Amendments require explicit notation.
Amendments
Amendments
Track any post-contract changes here so scope changes are visible.
| Date | Amendment | Reason |
|---|---|---|
| 2026-05-21 | EPIC-1 spike findings folded into EPIC-4 scope (new "Day 8.5 — MCP server AgentCore-readiness pass"). Adds 6 sub-tasks: (1) Swap HS256DevAuth → CognitoJwksAuth (~30 min), (2) Add Dockerfile to mcp-servers/doc-search (~30 min), (3) Implement connector-ID-in-JWT pattern (~1-2 hrs), (4) OAuth metadata proxy for Cognito with RFC 8414 (~1-2 days), (5) PKCE enforcement on prod app client (~10 min), (6) Stdout request logging (~30 min). Net scope addition: ~2-3 days inside EPIC-4. | EPIC-1 spike validated Stack B but surfaced 8 operational findings (F1–F8 in projects/autri/epics/epic-1-spike-findings) that require concrete work before AgentCore production deploy. Specifically: AgentCore strips Authorization by default (F1), Cognito doesn't expose RFC 8414 OAuth metadata which blocks MCP-spec clients (F2, biggest item), AgentCore URLs auto-suffix → custom domain needs CloudFront (F3), single URL per runtime breaks our /c/:connectorId/mcp scheme (F4). Folding into EPIC-4 rather than reopening EPIC-3 because: (a) EPIC-3 wedge gate was met locally last session, (b) the new work is production-deploy-shaped, (c) avoids epic-numbering proliferation. |
| 2026-05-24 | OAuth metadata proxy + DCR shim DEFERRED to v1.1 (Day 8.5 sub-task #4 removed from EPIC-4 scope; per D41). Beta MCP UX becomes power-user manual-config in Claude Desktop Advanced settings (paste server URL + client_id + client_secret + token). MCP-spec clients that require RFC 8414 discovery + RFC 7591 DCR — Claude.ai Custom Connector, mcp-remote, Cursor's one-click install, ChatGPT-MCP — stay broken for beta. The remaining MCP infra (AgentCore Runtime, MCP container, Cognito resource server + scopes, Pre-Token-Gen Lambda, CloudFront for mcp.autri.ai) ships in EPIC-4 unchanged. Day 11 validation step updated to use manual-config flow. Day 8.5 code work (sub-tasks 1-3, 6) shipped in commit 198ee6a on 2026-05-24. Day 9 absorbs sub-task #5 (PKCE) + the Pre-Token-Gen Lambda infra from sub-task #3. Net scope reduction: ~1-2 days from EPIC-4. | AgentCore Identity eval (2026-05-24) confirmed it does NOT serve RFC 8414 — it's an outbound credential vault, not an inbound OAuth authorization server. AWS awslabs/amazon-bedrock-agentcore-samples#1056 (Mar 2026) names our exact bug with no fix ETA. The Lambda + API Gateway proxy is still the right path when we get to it, but the work is bespoke (~1-2 days), doesn't compound to other concerns, and requires both RFC 8414 + RFC 9728 PRM endpoints (bigger than the original estimate). Beta audience skews technical-curious (Dan, STEM Racing engineer, mom's writer group, possibly Alex); manual-config is workable for them. Wedge story (D19, MCP-as-infrastructure) stays alive empirically — power-user beta testers can validate the inspector-as-citation-surface UX (D38) end-to-end through Claude Desktop. Accepted risk: won't validate frictionless MCP install with non-power-users until v1.1. |