@slates-integrations/aws-lambda 0.2.0-rc.6

package/src/tools/manage-event-source-mapping.ts

@@ -0,0 +1,193 @@
+import { SlateTool } from 'slates';
+import { createClient } from '../lib/helpers';
+import { lambdaServiceError } from '../lib/errors';
+import { spec } from '../spec';
+import { z } from 'zod';
+
+export let manageEventSourceMapping = SlateTool.create(spec, {
+  name: 'Manage Event Source Mapping',
+  key: 'manage_event_source_mapping',
+  description: `Create, update, get, delete, or list event source mappings that connect Lambda to streaming/queue services (SQS, Kinesis, DynamoDB Streams, Kafka, Amazon MQ). Lambda automatically polls the source and invokes the function.`,
+  instructions: [
+    'Use **action** to specify: "create", "update", "get", "delete", or "list".',
+    'For create, provide the eventSourceArn and functionName at minimum.',
+    'For Kinesis/DynamoDB Streams, a startingPosition is required (TRIM_HORIZON, LATEST, or AT_TIMESTAMP).'
+  ]
+})
+  .input(
+    z.object({
+      action: z
+        .enum(['create', 'update', 'get', 'delete', 'list'])
+        .describe('Operation to perform'),
+      mappingUuid: z
+        .string()
+        .optional()
+        .describe('Event source mapping UUID (required for get/update/delete)'),
+      functionName: z.string().optional().describe('Function name or ARN'),
+      eventSourceArn: z
+        .string()
+        .optional()
+        .describe('ARN of the event source (SQS, Kinesis, DynamoDB, Kafka, MQ)'),
+      enabled: z.boolean().optional().describe('Whether the mapping is active'),
+      batchSize: z.number().optional().describe('Maximum records per batch (1-10000)'),
+      startingPosition: z
+        .enum(['TRIM_HORIZON', 'LATEST', 'AT_TIMESTAMP'])
+        .optional()
+        .describe('Starting position for stream sources'),
+      startingPositionTimestamp: z
+        .string()
+        .optional()
+        .describe('Timestamp for AT_TIMESTAMP starting position (ISO 8601)'),
+      maximumBatchingWindowInSeconds: z
+        .number()
+        .optional()
+        .describe('Maximum batching window in seconds'),
+      maximumRetryAttempts: z
+        .number()
+        .optional()
+        .describe('Maximum retry attempts (-1 for infinite)'),
+      parallelizationFactor: z
+        .number()
+        .optional()
+        .describe('Concurrent batches per shard (1-10)'),
+      filterPatterns: z.array(z.string()).optional().describe('Event filter patterns'),
+      onFailureDestinationArn: z
+        .string()
+        .optional()
+        .describe('Destination ARN for failed records'),
+      bisectBatchOnFunctionError: z
+        .boolean()
+        .optional()
+        .describe('Split batch on error for retry'),
+      topics: z.array(z.string()).optional().describe('Kafka topics'),
+      queues: z.array(z.string()).optional().describe('MQ queue names'),
+      maximumConcurrency: z
+        .number()
+        .optional()
+        .describe('Maximum concurrent function invocations (2-1000)')
+    })
+  )
+  .output(
+    z.object({
+      mappingUuid: z.string().optional().describe('Event source mapping UUID'),
+      mappingArn: z.string().optional().describe('Event source mapping ARN'),
+      functionArn: z.string().optional().describe('Function ARN'),
+      eventSourceArn: z.string().optional().describe('Event source ARN'),
+      state: z.string().optional().describe('Mapping state'),
+      batchSize: z.number().optional().describe('Batch size'),
+      lastModified: z.string().optional().describe('Last modified timestamp'),
+      mappings: z
+        .array(
+          z.object({
+            mappingUuid: z.string().optional(),
+            functionArn: z.string().optional(),
+            eventSourceArn: z.string().optional(),
+            state: z.string().optional(),
+            batchSize: z.number().optional()
+          })
+        )
+        .optional()
+        .describe('List of mappings (for list action)'),
+      deleted: z.boolean().optional()
+    })
+  )
+  .handleInvocation(async ctx => {
+    let client = createClient(ctx.config, ctx.auth);
+    let { action } = ctx.input;
+
+    let mapResult = (r: any) => ({
+      mappingUuid: r.UUID,
+      mappingArn: r.EventSourceMappingArn,
+      functionArn: r.FunctionArn,
+      eventSourceArn: r.EventSourceArn,
+      state: r.State,
+      batchSize: r.BatchSize,
+      lastModified: r.LastModified ? String(r.LastModified) : undefined
+    });
+
+    if (action === 'list') {
+      let result = await client.listEventSourceMappings(
+        ctx.input.functionName,
+        ctx.input.eventSourceArn
+      );
+      let mappings = (result.EventSourceMappings || []).map((m: any) => ({
+        mappingUuid: m.UUID,
+        functionArn: m.FunctionArn,
+        eventSourceArn: m.EventSourceArn,
+        state: m.State,
+        batchSize: m.BatchSize
+      }));
+      return {
+        output: { mappings },
+        message: `Found **${mappings.length}** event source mapping(s).`
+      };
+    }
+
+    if (action === 'get') {
+      if (!ctx.input.mappingUuid) throw lambdaServiceError('mappingUuid is required');
+      let result = await client.getEventSourceMapping(ctx.input.mappingUuid);
+      return {
+        output: mapResult(result),
+        message: `Event source mapping **${result.UUID}** is in state **${result.State}**.`
+      };
+    }
+
+    if (action === 'delete') {
+      if (!ctx.input.mappingUuid) throw lambdaServiceError('mappingUuid is required');
+      let result = await client.deleteEventSourceMapping(ctx.input.mappingUuid);
+      return {
+        output: { ...mapResult(result), deleted: true },
+        message: `Deleted event source mapping **${ctx.input.mappingUuid}**.`
+      };
+    }
+
+    let buildParams = (): Record<string, any> => {
+      let params: Record<string, any> = {};
+      if (ctx.input.functionName) params['FunctionName'] = ctx.input.functionName;
+      if (ctx.input.eventSourceArn) params['EventSourceArn'] = ctx.input.eventSourceArn;
+      if (ctx.input.enabled !== undefined) params['Enabled'] = ctx.input.enabled;
+      if (ctx.input.batchSize) params['BatchSize'] = ctx.input.batchSize;
+      if (ctx.input.startingPosition) params['StartingPosition'] = ctx.input.startingPosition;
+      if (ctx.input.startingPositionTimestamp)
+        params['StartingPositionTimestamp'] = ctx.input.startingPositionTimestamp;
+      if (ctx.input.maximumBatchingWindowInSeconds !== undefined)
+        params['MaximumBatchingWindowInSeconds'] = ctx.input.maximumBatchingWindowInSeconds;
+      if (ctx.input.maximumRetryAttempts !== undefined)
+        params['MaximumRetryAttempts'] = ctx.input.maximumRetryAttempts;
+      if (ctx.input.parallelizationFactor)
+        params['ParallelizationFactor'] = ctx.input.parallelizationFactor;
+      if (ctx.input.filterPatterns)
+        params['FilterCriteria'] = {
+          Filters: ctx.input.filterPatterns.map(p => ({ Pattern: p }))
+        };
+      if (ctx.input.onFailureDestinationArn)
+        params['DestinationConfig'] = {
+          OnFailure: { Destination: ctx.input.onFailureDestinationArn }
+        };
+      if (ctx.input.bisectBatchOnFunctionError !== undefined)
+        params['BisectBatchOnFunctionError'] = ctx.input.bisectBatchOnFunctionError;
+      if (ctx.input.topics) params['Topics'] = ctx.input.topics;
+      if (ctx.input.queues) params['Queues'] = ctx.input.queues;
+      if (ctx.input.maximumConcurrency)
+        params['ScalingConfig'] = { MaximumConcurrency: ctx.input.maximumConcurrency };
+      return params;
+    };
+
+    if (action === 'create') {
+      let result = await client.createEventSourceMapping(buildParams());
+      return {
+        output: mapResult(result),
+        message: `Created event source mapping **${result.UUID}** (${result.State}).`
+      };
+    }
+
+    // update
+    if (!ctx.input.mappingUuid)
+      throw lambdaServiceError('mappingUuid is required for update');
+    let result = await client.updateEventSourceMapping(ctx.input.mappingUuid, buildParams());
+    return {
+      output: mapResult(result),
+      message: `Updated event source mapping **${result.UUID}** (${result.State}).`
+    };
+  })
+  .build();

package/src/tools/manage-function-url.ts

@@ -0,0 +1,132 @@
+import { SlateTool } from 'slates';
+import { createClient } from '../lib/helpers';
+import { lambdaServiceError } from '../lib/errors';
+import { spec } from '../spec';
+import { z } from 'zod';
+
+let corsConfigSchema = z
+  .object({
+    allowCredentials: z.boolean().optional().describe('Allow credentials in CORS requests'),
+    allowHeaders: z.array(z.string()).optional().describe('Allowed headers'),
+    allowMethods: z.array(z.string()).optional().describe('Allowed HTTP methods'),
+    allowOrigins: z.array(z.string()).optional().describe('Allowed origins'),
+    exposeHeaders: z.array(z.string()).optional().describe('Headers to expose in responses'),
+    maxAge: z.number().optional().describe('Cache duration for preflight requests in seconds')
+  })
+  .optional();
+
+export let manageFunctionUrl = SlateTool.create(spec, {
+  name: 'Manage Function URL',
+  key: 'manage_function_url',
+  description: `Create, update, get, or delete a dedicated HTTPS endpoint (function URL) for a Lambda function. Function URLs provide public API access without needing API Gateway. Supports IAM authentication or open access, and configurable CORS.`,
+  instructions: [
+    'Use **action** to specify: "create", "update", "get", or "delete".',
+    'Set authType to "NONE" for public access or "AWS_IAM" to require SigV4 signatures.'
+  ]
+})
+  .input(
+    z.object({
+      action: z.enum(['create', 'update', 'get', 'delete']).describe('Operation to perform'),
+      functionName: z.string().describe('Function name or ARN'),
+      qualifier: z.string().optional().describe('Alias name to associate the URL with'),
+      authType: z
+        .enum(['AWS_IAM', 'NONE'])
+        .optional()
+        .describe('Authentication type (required for create)'),
+      cors: corsConfigSchema.describe('CORS configuration'),
+      invokeMode: z.enum(['BUFFERED', 'RESPONSE_STREAM']).optional().describe('Response mode')
+    })
+  )
+  .output(
+    z.object({
+      functionUrl: z.string().optional().describe('The HTTPS endpoint URL'),
+      functionArn: z.string().optional().describe('Function ARN'),
+      authType: z.string().optional().describe('Authentication type'),
+      cors: z.any().optional().describe('CORS configuration'),
+      invokeMode: z.string().optional().describe('Response mode'),
+      creationTime: z.string().optional().describe('Creation timestamp'),
+      deleted: z.boolean().optional()
+    })
+  )
+  .handleInvocation(async ctx => {
+    let client = createClient(ctx.config, ctx.auth);
+    let { action, functionName, qualifier } = ctx.input;
+
+    if (action === 'get') {
+      let result = await client.getFunctionUrlConfig(functionName, qualifier);
+      return {
+        output: {
+          functionUrl: result.FunctionUrl,
+          functionArn: result.FunctionArn,
+          authType: result.AuthType,
+          cors: result.Cors,
+          invokeMode: result.InvokeMode,
+          creationTime: result.CreationTime
+        },
+        message: `Function URL: **${result.FunctionUrl}** (auth: ${result.AuthType}).`
+      };
+    }
+
+    if (action === 'delete') {
+      await client.deleteFunctionUrlConfig(functionName, qualifier);
+      return {
+        output: { deleted: true },
+        message: `Deleted function URL for **${functionName}**.`
+      };
+    }
+
+    let buildParams = (): Record<string, any> => {
+      let params: Record<string, any> = {};
+      if (ctx.input.authType) params['AuthType'] = ctx.input.authType;
+      if (ctx.input.invokeMode) params['InvokeMode'] = ctx.input.invokeMode;
+      if (ctx.input.cors) {
+        let corsObj: Record<string, any> = {};
+        if (ctx.input.cors.allowCredentials !== undefined)
+          corsObj['AllowCredentials'] = ctx.input.cors.allowCredentials;
+        if (ctx.input.cors.allowHeaders) corsObj['AllowHeaders'] = ctx.input.cors.allowHeaders;
+        if (ctx.input.cors.allowMethods) corsObj['AllowMethods'] = ctx.input.cors.allowMethods;
+        if (ctx.input.cors.allowOrigins) corsObj['AllowOrigins'] = ctx.input.cors.allowOrigins;
+        if (ctx.input.cors.exposeHeaders)
+          corsObj['ExposeHeaders'] = ctx.input.cors.exposeHeaders;
+        if (ctx.input.cors.maxAge !== undefined) corsObj['MaxAge'] = ctx.input.cors.maxAge;
+        params['Cors'] = corsObj;
+      }
+      return params;
+    };
+
+    if (action === 'create') {
+      if (!ctx.input.authType)
+        throw lambdaServiceError('authType is required for creating a function URL');
+      let result = await client.createFunctionUrlConfig(
+        functionName,
+        buildParams(),
+        qualifier
+      );
+      return {
+        output: {
+          functionUrl: result.FunctionUrl,
+          functionArn: result.FunctionArn,
+          authType: result.AuthType,
+          cors: result.Cors,
+          invokeMode: result.InvokeMode,
+          creationTime: result.CreationTime
+        },
+        message: `Created function URL: **${result.FunctionUrl}** (auth: ${result.AuthType}).`
+      };
+    }
+
+    // update
+    let result = await client.updateFunctionUrlConfig(functionName, buildParams(), qualifier);
+    return {
+      output: {
+        functionUrl: result.FunctionUrl,
+        functionArn: result.FunctionArn,
+        authType: result.AuthType,
+        cors: result.Cors,
+        invokeMode: result.InvokeMode,
+        creationTime: result.CreationTime
+      },
+      message: `Updated function URL: **${result.FunctionUrl}**.`
+    };
+  })
+  .build();

package/src/tools/manage-layer.ts

@@ -0,0 +1,186 @@
+import { SlateTool } from 'slates';
+import { createClient } from '../lib/helpers';
+import { lambdaServiceError } from '../lib/errors';
+import { spec } from '../spec';
+import { z } from 'zod';
+
+export let manageLayer = SlateTool.create(spec, {
+  name: 'Manage Layer',
+  key: 'manage_layer',
+  description: `Publish, get, delete, or list Lambda layers and their versions. Layers are reusable packages of libraries, dependencies, or custom runtimes that can be attached to functions.`,
+  instructions: [
+    'Use **action** to specify the operation: "publish", "get", "delete", "list_layers", or "list_versions".',
+    'When publishing, provide the layer content via an S3 location or base64-encoded ZIP.'
+  ]
+})
+  .input(
+    z.object({
+      action: z
+        .enum(['publish', 'get', 'delete', 'list_layers', 'list_versions'])
+        .describe('Operation to perform'),
+      layerName: z
+        .string()
+        .optional()
+        .describe('Layer name (required for publish/get/delete/list_versions)'),
+      versionNumber: z
+        .number()
+        .optional()
+        .describe('Layer version number (required for get/delete)'),
+      content: z
+        .object({
+          s3Bucket: z.string().optional().describe('S3 bucket with the layer archive'),
+          s3Key: z.string().optional().describe('S3 object key'),
+          s3ObjectVersion: z.string().optional().describe('S3 object version'),
+          zipFile: z.string().optional().describe('Base64-encoded ZIP file')
+        })
+        .optional()
+        .describe('Layer content (required for publish)'),
+      compatibleRuntimes: z
+        .array(z.string())
+        .optional()
+        .describe('Compatible runtimes (e.g., ["nodejs22.x", "python3.13"])'),
+      compatibleArchitectures: z
+        .array(z.enum(['x86_64', 'arm64']))
+        .optional()
+        .describe('Compatible architectures'),
+      description: z.string().optional().describe('Layer version description'),
+      licenseInfo: z.string().optional().describe('Layer license information'),
+      compatibleRuntimeFilter: z
+        .string()
+        .optional()
+        .describe('Filter layers by compatible runtime (for list_layers)')
+    })
+  )
+  .output(
+    z.object({
+      layerArn: z.string().optional().describe('Layer ARN'),
+      layerVersionArn: z.string().optional().describe('Layer version ARN'),
+      versionNumber: z.number().optional().describe('Layer version number'),
+      description: z.string().optional().describe('Layer description'),
+      codeSize: z.number().optional().describe('Layer code size in bytes'),
+      codeSha256: z.string().optional().describe('SHA256 of the layer code'),
+      compatibleRuntimes: z.array(z.string()).optional().describe('Compatible runtimes'),
+      layers: z
+        .array(
+          z.object({
+            layerName: z.string().optional(),
+            layerArn: z.string().optional(),
+            latestVersion: z.number().optional(),
+            latestDescription: z.string().optional()
+          })
+        )
+        .optional()
+        .describe('List of layers (for list_layers)'),
+      versions: z
+        .array(
+          z.object({
+            layerVersionArn: z.string().optional(),
+            versionNumber: z.number().optional(),
+            description: z.string().optional(),
+            compatibleRuntimes: z.array(z.string()).optional()
+          })
+        )
+        .optional()
+        .describe('List of layer versions (for list_versions)'),
+      deleted: z.boolean().optional()
+    })
+  )
+  .handleInvocation(async ctx => {
+    let client = createClient(ctx.config, ctx.auth);
+    let { action, layerName } = ctx.input;
+
+    if (action === 'list_layers') {
+      let result = await client.listLayers(
+        undefined,
+        undefined,
+        ctx.input.compatibleRuntimeFilter
+      );
+      let layers = (result.Layers || []).map((l: any) => ({
+        layerName: l.LayerName,
+        layerArn: l.LayerArn,
+        latestVersion: l.LatestMatchingVersion?.Version,
+        latestDescription: l.LatestMatchingVersion?.Description
+      }));
+      return {
+        output: { layers },
+        message: `Found **${layers.length}** layer(s).`
+      };
+    }
+
+    if (!layerName) throw lambdaServiceError('layerName is required for this action');
+
+    if (action === 'list_versions') {
+      let result = await client.listLayerVersions(layerName);
+      let versions = (result.LayerVersions || []).map((v: any) => ({
+        layerVersionArn: v.LayerVersionArn,
+        versionNumber: v.Version,
+        description: v.Description,
+        compatibleRuntimes: v.CompatibleRuntimes
+      }));
+      return {
+        output: { versions },
+        message: `Found **${versions.length}** version(s) of layer **${layerName}**.`
+      };
+    }
+
+    if (action === 'delete') {
+      if (!ctx.input.versionNumber)
+        throw lambdaServiceError('versionNumber is required for delete');
+      await client.deleteLayerVersion(layerName, ctx.input.versionNumber);
+      return {
+        output: { deleted: true },
+        message: `Deleted version **${ctx.input.versionNumber}** of layer **${layerName}**.`
+      };
+    }
+
+    if (action === 'get') {
+      if (!ctx.input.versionNumber)
+        throw lambdaServiceError('versionNumber is required for get');
+      let result = await client.getLayerVersion(layerName, ctx.input.versionNumber);
+      return {
+        output: {
+          layerArn: result.LayerArn,
+          layerVersionArn: result.LayerVersionArn,
+          versionNumber: result.Version,
+          description: result.Description,
+          codeSize: result.Content?.CodeSize,
+          codeSha256: result.Content?.CodeSha256,
+          compatibleRuntimes: result.CompatibleRuntimes
+        },
+        message: `Layer **${layerName}** version **${result.Version}** (${result.Content?.CodeSize || 0} bytes).`
+      };
+    }
+
+    // publish
+    if (!ctx.input.content)
+      throw lambdaServiceError('content is required for publishing a layer');
+    let contentObj: Record<string, any> = {};
+    if (ctx.input.content.s3Bucket) contentObj['S3Bucket'] = ctx.input.content.s3Bucket;
+    if (ctx.input.content.s3Key) contentObj['S3Key'] = ctx.input.content.s3Key;
+    if (ctx.input.content.s3ObjectVersion)
+      contentObj['S3ObjectVersion'] = ctx.input.content.s3ObjectVersion;
+    if (ctx.input.content.zipFile) contentObj['ZipFile'] = ctx.input.content.zipFile;
+
+    let params: Record<string, any> = { Content: contentObj };
+    if (ctx.input.compatibleRuntimes)
+      params['CompatibleRuntimes'] = ctx.input.compatibleRuntimes;
+    if (ctx.input.compatibleArchitectures)
+      params['CompatibleArchitectures'] = ctx.input.compatibleArchitectures;
+    if (ctx.input.description) params['Description'] = ctx.input.description;
+    if (ctx.input.licenseInfo) params['LicenseInfo'] = ctx.input.licenseInfo;
+
+    let result = await client.publishLayerVersion(layerName, params);
+    return {
+      output: {
+        layerArn: result.LayerArn,
+        layerVersionArn: result.LayerVersionArn,
+        versionNumber: result.Version,
+        description: result.Description,
+        codeSize: result.Content?.CodeSize,
+        codeSha256: result.Content?.CodeSha256,
+        compatibleRuntimes: result.CompatibleRuntimes
+      },
+      message: `Published layer **${layerName}** version **${result.Version}**.`
+    };
+  })
+  .build();

package/src/tools/manage-permission.ts

@@ -0,0 +1,94 @@
+import { SlateTool } from 'slates';
+import { createClient } from '../lib/helpers';
+import { lambdaServiceError } from '../lib/errors';
+import { spec } from '../spec';
+import { z } from 'zod';
+
+export let managePermission = SlateTool.create(spec, {
+  name: 'Manage Permission',
+  key: 'manage_permission',
+  description: `Add, remove, or view resource-based policy statements on a Lambda function. These policies grant other AWS accounts or services (e.g., S3, API Gateway, EventBridge) permission to invoke the function.`,
+  instructions: [
+    'Use **action** "add" to grant access, "remove" to revoke, or "get" to view the current policy.',
+    'For "add", provide a unique statementId, the allowed action (e.g., lambda:InvokeFunction), and the principal.'
+  ]
+})
+  .input(
+    z.object({
+      action: z.enum(['add', 'remove', 'get']).describe('Operation to perform'),
+      functionName: z.string().describe('Function name or ARN'),
+      qualifier: z.string().optional().describe('Version or alias'),
+      statementId: z
+        .string()
+        .optional()
+        .describe('Unique statement identifier (required for add/remove)'),
+      permissionAction: z
+        .string()
+        .optional()
+        .describe('Lambda action to allow (e.g., "lambda:InvokeFunction")'),
+      principal: z
+        .string()
+        .optional()
+        .describe('AWS service or account (e.g., "s3.amazonaws.com" or account ID)'),
+      sourceArn: z.string().optional().describe('ARN of the source triggering the function'),
+      sourceAccount: z.string().optional().describe('AWS account ID of the source'),
+      principalOrgId: z.string().optional().describe('AWS Organizations ID for the principal')
+    })
+  )
+  .output(
+    z.object({
+      statement: z.string().optional().describe('Policy statement JSON'),
+      policy: z.string().optional().describe('Full policy JSON (for get action)'),
+      revisionId: z.string().optional().describe('Policy revision ID'),
+      removed: z.boolean().optional()
+    })
+  )
+  .handleInvocation(async ctx => {
+    let client = createClient(ctx.config, ctx.auth);
+    let { action, functionName, qualifier } = ctx.input;
+
+    if (action === 'get') {
+      let result = await client.getPolicy(functionName, qualifier);
+      return {
+        output: {
+          policy: result.Policy,
+          revisionId: result.RevisionId
+        },
+        message: `Retrieved resource policy for **${functionName}**.`
+      };
+    }
+
+    if (action === 'remove') {
+      if (!ctx.input.statementId)
+        throw lambdaServiceError('statementId is required for remove');
+      await client.removePermission(functionName, ctx.input.statementId, qualifier);
+      return {
+        output: { removed: true },
+        message: `Removed permission statement **${ctx.input.statementId}** from **${functionName}**.`
+      };
+    }
+
+    // add
+    if (!ctx.input.statementId) throw lambdaServiceError('statementId is required for add');
+    if (!ctx.input.permissionAction)
+      throw lambdaServiceError('permissionAction is required for add');
+    if (!ctx.input.principal) throw lambdaServiceError('principal is required for add');
+
+    let params: Record<string, any> = {
+      StatementId: ctx.input.statementId,
+      Action: ctx.input.permissionAction,
+      Principal: ctx.input.principal
+    };
+    if (ctx.input.sourceArn) params['SourceArn'] = ctx.input.sourceArn;
+    if (ctx.input.sourceAccount) params['SourceAccount'] = ctx.input.sourceAccount;
+    if (ctx.input.principalOrgId) params['PrincipalOrgID'] = ctx.input.principalOrgId;
+
+    let result = await client.addPermission(functionName, params, qualifier);
+    return {
+      output: {
+        statement: result.Statement
+      },
+      message: `Added permission for **${ctx.input.principal}** to invoke **${functionName}**.`
+    };
+  })
+  .build();

package/src/tools/manage-recursion-config.ts

@@ -0,0 +1,63 @@
+import { SlateTool } from 'slates';
+import { createClient } from '../lib/helpers';
+import { lambdaServiceError } from '../lib/errors';
+import { spec } from '../spec';
+import { z } from 'zod';
+
+export let manageRecursionConfig = SlateTool.create(spec, {
+  name: 'Manage Recursion Config',
+  key: 'manage_recursion_config',
+  description: `Get or set recursive loop detection for a Lambda function. Lambda defaults to terminating detected recursive invocation loops; only use Allow for intentional recursive designs with safeguards.`,
+  instructions: [
+    'Use action "get" to read the current recursive loop setting.',
+    'Use action "set" with recursiveLoop set to "Terminate" or "Allow".'
+  ]
+})
+  .input(
+    z.object({
+      action: z.enum(['get', 'set']).describe('Operation to perform'),
+      functionName: z.string().describe('Function name or ARN'),
+      recursiveLoop: z
+        .enum(['Allow', 'Terminate'])
+        .optional()
+        .describe('Recursive loop handling to set')
+    })
+  )
+  .output(
+    z.object({
+      recursiveLoop: z
+        .string()
+        .optional()
+        .describe('Recursive loop handling: Allow or Terminate')
+    })
+  )
+  .handleInvocation(async ctx => {
+    let client = createClient(ctx.config, ctx.auth);
+    let { action, functionName } = ctx.input;
+
+    if (action === 'get') {
+      let result = await client.getFunctionRecursionConfig(functionName);
+      return {
+        output: {
+          recursiveLoop: result.RecursiveLoop
+        },
+        message: `Recursive loop detection for **${functionName}** is **${result.RecursiveLoop}**.`
+      };
+    }
+
+    if (!ctx.input.recursiveLoop) {
+      throw lambdaServiceError('recursiveLoop is required for set.');
+    }
+
+    let result = await client.putFunctionRecursionConfig(
+      functionName,
+      ctx.input.recursiveLoop
+    );
+    return {
+      output: {
+        recursiveLoop: result.RecursiveLoop
+      },
+      message: `Set recursive loop detection for **${functionName}** to **${result.RecursiveLoop}**.`
+    };
+  })
+  .build();