chore: remove dead code and unused exports (no behavior change)

[jariy17]

Summary

Whole-repo over-engineering audit (ponytail-style). Removes only verified-dead code — no CLI command, flag, argument, help text, stdout/stderr output, serialized schema, or public API change. Every cut was grep-confirmed zero-caller across src/ + unit/e2e/integ/browser tests before removal, then validated by a full build + test run.

• 41 files changed, net ~1,000 LOC removed
• ✅ tsc --noEmit (src + tests) — clean
• ✅ eslint src/ — 0 errors (3 pre-existing warnings in untouched files)
• ✅ npm run build — lib + esbuild bundle + assets all succeed
• ✅ npm test — 5345 passed, 0 failed

What was removed

Whole files (zero importers):

File	What
tui/hooks/useAttach.ts	12 unused data-fetch hooks
tui/hooks/usePanelNavigation.ts (+test)	unused hook
tui/hooks/use-gradient.ts	self-labelled "kept for potential future use"
tui/components/ScrollableText.tsx, TwoColumn.tsx (+tests)	unrendered components (barrel lines also pruned)
lib/packaging/types/archiver.d.ts	ambient typing for archiver, never imported (zipping uses fflate)
schema/schemas/primitives/index.ts	unreachable re-export barrel
cli/cloudformation/types.ts	4 unused exports (barrel line pruned)
cli/commands/index.ts	stale register* barrel nothing imports

Dead exports / members: unused session-id helpers (getSessionId/saveSessionId/clearSessionId/getOrCreateSessionId), stopRuntimeSession (+ its types, SDK import, barrel entry), PolicyEnginePrimitive.getDeployedGatewayArn, a dangling stub doc-comment, HARNESS_DIR, NPM_INSTALL_HINT, isLinux, getShellCommand/getShellArgs/normalizeCommand (+ test), runCommand wrapper, HarnessSkillInput, CdkToolkitWrapper.getProjectDir, harness session-manager.get/listAll, screen.formatNumbered, availability.unavailableReason, CFN_RESOURCE_IDENTIFIERS, AddDatasetResult, deprecated AddIdentityOptions, and dead re-export lines in templates/, external-requirements/, primitives/.

Tightened visibility: dropped the unnecessary export keyword on internal-only helpers (otel transforms, span-collector executeQuery, feedback build-payload, ab-test resolve) — same module-private behavior, smaller public surface.

Stdlib: replaced two hand-rolled sleep() helpers with node:timers/promises setTimeout (dataset/push, insights/run-insights).

Deliberately NOT included (left for a follow-up / human call)

These showed up in the audit but were excluded to keep this PR 100% safe:

• Dependency removals (commander, yaml, @aws-cdk/cdk-assets-lib, @aws-sdk/region-config-resolver) — all have zero direct imports, but each is load-bearing: commander is a peer dep of @commander-js/extra-typings, yaml/cdk-assets-lib are transitive of @aws-cdk/toolkit-lib, and region-config-resolver is a deliberate bundling-crash workaround. Removing any requires npm-shrinkwrap.json regeneration → out of scope for a no-behavior-change PR.
• ?? defaultProvider() credential-fallback removals — statically unreachable, but it's a security-adjacent path and sibling call sites have tests that mock getCredentialProvider → undefined to exercise it. Not worth the risk for ~9 LOC.
• Cross-repo src/lib + src/schema de-duplication vs @aws/agentcore-cdk — ~6k LOC of vendored copies, but the two have diverged; consolidating needs reconciling two schema sources of truth.

Test plan

npm ci && npm run build && npm test → 5345 passing.

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[github-actions]

Package Tarball

aws-agentcore-0.20.0.tgz

How to install

gh release download pr-1574-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.0.tgz