TUI/CLI accepts INSULT as a contentFilter value, fails CFN deploy with ValidationException #1571

@notgitika

What happens

agentcore add policy ... --form-category contentFilter --form-filters INSULT succeeds locally, but agentcore deploy then fails at the CFN service:

Resource handler returned message: "Invalid category 'INSULT' for guardrail 'BedrockGuardrails::ContentFilter'.
Valid categories: VIOLENCE, HATE, SEXUAL, MISCONDUCT, INSULTS.
(Service: Bedrock AgentCore Control; Operation: CreatePolicy; Status Code: 400; Error Code: ValidationException)"

The TUI form offers INSULT as a selectable filter and the non-interactive CLI accepts it without complaint.

Repro

agentcore add policy --name MyPolicyEngine1 \
  --engine MyPolicyEngine1 \
  --form-category contentFilter \
  --form-filters INSULT \
  --form-effect forbid \
  --validation-mode IGNORE_ALL_FINDINGS \
  --enforcement-mode ACTIVE
# → Added policy 'MyPolicyEngine1' to engine 'MyPolicyEngine1'
agentcore deploy
# → CFN: Invalid category 'INSULT'... Valid categories: VIOLENCE, HATE, SEXUAL, MISCONDUCT, INSULTS.

--form-filters INSULTS (plural) deploys cleanly — confirms it's just a typo, not a missing feature.

Root cause

src/cli/tui/screens/policy/types.ts:15:

export const CONTENT_FILTER_FILTERS = ['VIOLENCE', 'HATE', 'SEXUAL', 'MISCONDUCT', 'INSULT'] as const;

Should be 'INSULTS' (plural) to match the service's accepted enum. src/cli/tui/screens/policy/__tests__/synthesize-cedar.test.ts uses the same singular form so it doesn't catch the mismatch.

Fix

  • CONTENT_FILTER_FILTERS in types.ts → change 'INSULT' to 'INSULTS'.
  • Update the synthesize-cedar tests that reference INSULT (none currently do directly — the existing tests only use VIOLENCE/HATE, but worth adding one with INSULTS to lock the canonical name in).

Note (out of scope, separate issue worth filing)

There's no client-side validation on --form-filters at all — it accepts any string. agentcore add policy --form-filters NOTAREALCATEGORY succeeds and only fails at deploy time. Worth tightening once we have the right enum.
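
The client-side check suggested in the note above could look like the following. This is an added example, not code from the agentcore CLI: the function names, the comma-separated input format and the case normalization are assumptions, and the category list is copied from the service error quoted in the issue.

```typescript
// Added example. Canonical names are copied from the "Valid categories" list
// in the service error quoted in the issue.
const VALID_CONTENT_FILTERS = ['VIOLENCE', 'HATE', 'SEXUAL', 'MISCONDUCT', 'INSULTS'] as const;
type ContentFilter = (typeof VALID_CONTENT_FILTERS)[number];

interface FilterCheck {
  filters: ContentFilter[]; // accepted, de-duplicated, canonical spelling
  errors: string[]; // one message per rejected value
}

function isContentFilter(value: string): value is ContentFilter {
  return (VALID_CONTENT_FILTERS as readonly string[]).indexOf(value) !== -1;
}

// Offer a hint when the input is a prefix of a valid name or the reverse
// (covers singular/plural slips such as INSULT vs INSULTS).
function suggest(value: string): string | undefined {
  if (value.length < 3) return undefined;
  for (const valid of VALID_CONTENT_FILTERS) {
    if (valid.indexOf(value) === 0 || value.indexOf(valid) === 0) return valid;
  }
  return undefined;
}

// Assumption: multiple filters arrive as one comma-separated string and are
// normalized to upper case before comparison.
function checkFormFilters(raw: string): FilterCheck {
  const result: FilterCheck = { filters: [], errors: [] };
  const validList = VALID_CONTENT_FILTERS.join(', ');
  const parts = raw.split(',').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) {
    result.errors.push('No filter given. Valid categories: ' + validList);
    return result;
  }
  for (const part of parts) {
    const name = part.toUpperCase();
    if (isContentFilter(name)) {
      if (result.filters.indexOf(name) === -1) result.filters.push(name);
      continue;
    }
    const hint = suggest(name);
    const didYouMean = hint ? " (did you mean '" + hint + "'?)" : '';
    result.errors.push("Invalid category '" + part + "'" + didYouMean + '. Valid categories: ' + validList);
  }
  return result;
}
```

Rejecting the value when `add policy` runs, rather than at deploy, surfaces the error before a stack update is attempted.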
