Copied to Clipboard
and a code review:
✦ Based on my review of the codebase, project configuration, and infrastructure code, here is a project review with best practices and recommended
improvements for your Model Context Protocol (MCP) ecosystem on Amazon Bedrock AgentCore.
1. Architecture & Design Patterns
* Gateway-Target Decoupling: You have correctly implemented the "Gateway" pattern using AgentCore. This decouples your Strands-based agent from
the Python-based tool provider, allowing them to scale and be updated independently.
* Stateless Tool Runtimes: Your use of FastMCP(..., stateless_http=True) and transport="streamable-http" in server.py is perfectly aligned with
the requirements for managed runtimes in Amazon Bedrock AgentCore.
* Dynamic Tool Discovery: The implementation in app/testagent/mcp_client/client.py using injected environment variables for gateway URLs is the
idiomatic way to handle discovery within the AgentCore ecosystem.
2. Code Quality & Implementation
* Structured Logging: Using python-json-logger is excellent. It ensures that logs from your managed runtimes are easily searchable in
CloudWatch.
* Improvement: In server.py, transition from configuring the root logger to using a named logger: logger = logging.getLogger( __name__ ). This
avoids conflicts with library loggers.
* Robust Streaming in Agents: In app/testagent/agent.py, the invoke entrypoint currently only yields event["data"] if it is a string.
* Best Practice: Update this to handle other event types (like tool calls or usage metadata) or use a more robust streaming utility from the
strands SDK to ensure the agent's full reasoning process is captured or correctly filtered.
3. Infrastructure & Security (CDK)
* IAM Least Privilege: Your CDK code in agentcore/cdk/lib/cdk-stack.ts uses a wildcard for invocation permissions: resources:
[arn:aws:bedrock-agentcore:${this.region}:${this.account}:runtime/*].
* Best Practice: For production, narrow this scope to only the specific runtime ARNs that the Gateway needs to access.
* Auth Patches: The patch in your CDK to enable GATEWAY_IAM_ROLE for SigV4 authentication is a sophisticated and correct way to secure the
"internal" communication between the Gateway and your MCP Server.
4. Dependency Management & DX
* Unified Tooling: You have a uv.lock and pyproject.toml files, which are modern and efficient. However, your Makefile still uses pip install -r
requirements.txt.
* Recommendation: Transition the Makefile and installation workflows fully to uv (e.g., uv sync or uv pip install .). This ensures
deterministic builds and faster setup.
* Testing Strategy:
* Mocking: Your current agent tests are limited because they require a live model. Use pytest-mock to mock the BedrockModel and MCPClient
responses. This allows your CI/CD pipeline to verify agent logic without AWS credentials.
* Protocol Testing: In app/hello_world_server/tests/test_server.py, add a test that sends a raw JSON-RPC payload to the / endpoint to verify
the MCP protocol layer, ensuring your server handles the protocol correctly, not just the tool logic.
5. Observability
* OTEL Integration: You have enableOtel: true in agentcore.json. This is a top-tier best practice. Ensure you are viewing these traces in AWS
X-Ray or Amazon CloudWatch ServiceLens to identify latency bottlenecks in your tool calls.
Summary
The strategy for using Python for MCP development with Gemini CLI on Amazon Bedrock AgentCore was validated with a incremental step by step approach.
A minimal HTTP transport MCP Server was started from Python source code and validated with Gemini CLI running as a MCP client in the same local environment.
This MCP server was then deployed to Amazon Bedrock AgentCore. The local copy of Gemini CLI was used as a MCP client to validate the connection.
This approach can be extended to more complex deployments using other MCP transports and Cloud based options.