konokenj.cdk-api-mcp-server 0.70.0__py3-none-any.whl → 0.72.0__py3-none-any.whl

cdk_api_mcp_server/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Kenji Kono <konoken@amazon.co.jp>
 #
 # SPDX-License-Identifier: MIT
-__version__ = "0.70.0"
+__version__ = "0.72.0"

cdk_api_mcp_server/resources/aws-cdk/constructs/@aws-cdk/aws-bedrock-agentcore-alpha/README.md

@@ -155,7 +155,7 @@ to production by simply updating the endpoint to point to the newer version.
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `runtimeName` | `string` | Yes | The name of the agent runtime. Valid characters are a-z, A-Z, 0-9, _ (underscore). Must start with a letter and can be up to 48 characters long |
+| `runtimeName` | `string` | No | The name of the agent runtime. Valid characters are a-z, A-Z, 0-9, _ (underscore). Must start with a letter and can be up to 48 characters long. If not provided, a unique name will be auto-generated |
 | `agentRuntimeArtifact` | `AgentRuntimeArtifact` | Yes | The artifact configuration for the agent runtime containing the container configuration with ECR URI |
 | `executionRole` | `iam.IRole` | No | The IAM role that provides permissions for the agent runtime. If not provided, a role will be created automatically |
 | `networkConfiguration` | `NetworkConfiguration` | No | Network configuration for the agent runtime. Defaults to `RuntimeNetworkConfiguration.usingPublicNetwork()` |
@@ -171,7 +171,7 @@ to production by simply updating the endpoint to point to the newer version.
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `endpointName` | `string` | Yes | The name of the runtime endpoint. Valid characters are a-z, A-Z, 0-9, _ (underscore). Must start with a letter and can be up to 48 characters long |
+| `endpointName` | `string` | No | The name of the runtime endpoint. Valid characters are a-z, A-Z, 0-9, _ (underscore). Must start with a letter and can be up to 48 characters long. If not provided, a unique name will be auto-generated |
 | `agentRuntimeId` | `string` | Yes | The Agent Runtime ID for this endpoint |
 | `agentRuntimeVersion` | `string` | Yes | The Agent Runtime version for this endpoint. Must be between 1 and 5 characters long.|
 | `description` | `string` | No | Optional description for the runtime endpoint |
@@ -469,16 +469,34 @@ const repository = new ecr.Repository(this, "TestRepository", {
 });
 const agentRuntimeArtifact = agentcore.AgentRuntimeArtifact.fromEcrRepository(repository, "v1.0.0");
 
+// Optional: Create custom claims for additional validation
+const customClaims = [
+  agentcore.RuntimeCustomClaim.withStringValue('department', 'engineering'),
+  agentcore.RuntimeCustomClaim.withStringArrayValue('roles', ['admin'], agentcore.CustomClaimOperator.CONTAINS),
+  agentcore.RuntimeCustomClaim.withStringArrayValue('permissions', ['read', 'write'], agentcore.CustomClaimOperator.CONTAINS_ANY),
+];
+
 const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
   runtimeName: "myAgent",
   agentRuntimeArtifact: agentRuntimeArtifact,
   authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingCognito(
     userPool, // User Pool (required)
     [userPoolClient, anotherUserPoolClient], // User Pool Clients
+    ["audience1"], // Allowed Audiences (optional)
+    ["read", "write"], // Allowed Scopes (optional)
+    customClaims, // Custom claims (optional) - see Custom Claims Validation section
   ),
 });
 ```
 
+You can configure:
+
+- User Pool: The Cognito User Pool that issues JWT tokens
+- User Pool Clients: One or more Cognito User Pool App Clients that are allowed to access the runtime
+- Allowed audiences: Used to validate that the audiences specified in the Cognito token match or are a subset of the audiences specified in the AgentCore Runtime
+- Allowed scopes: Allow access only if the token contains at least one of the required scopes configured here
+- Custom claims: A set of rules to match specific claims in the incoming token against predefined values for validating JWT tokens
+
 #### JWT Authentication
 
 To configure custom JWT authentication with your own OpenID Connect (OIDC) provider:
@@ -495,13 +513,77 @@ const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
   authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingJWT(
     "https://example.com/.well-known/openid-configuration",  // Discovery URL (required)
     ["client1", "client2"],  // Allowed Client IDs (optional)
-    ["audience1"]           // Allowed Audiences (optional)
+    ["audience1"],           // Allowed Audiences (optional)
+    ["read", "write"],       // Allowed Scopes (optional)
+    // Custom claims (optional) - see Custom Claims Validation section below
   ),
 });
 ```
 
+You can configure:
+
+- Discovery URL: Enter the Discovery URL from your identity provider (e.g. Okta, Cognito, etc.), typically found in that provider's documentation. This allows your Agent or Tool to fetch login, downstream resource token, and verification settings.
+- Allowed audiences: This is used to validate that the audiences specified for the OAuth token matches or are a subset of the audiences specified in the AgentCore Runtime.
+- Allowed clients: This is used to validate that the public identifier of the client, as specified in the authorization token, is allowed to access the AgentCore Runtime.
+- Allowed scopes: Allow access only if the token contains at least one of the required scopes configured here.
+- Custom claims: A set of rules to match specific claims in the incoming token against predefined values for validating JWT tokens.
+
 **Note**: The discovery URL must end with `/.well-known/openid-configuration`.
 
+##### Custom Claims Validation
+
+Custom claims allow you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. You can create custom claims using the `RuntimeCustomClaim` class:
+
+```typescript fixture=default
+const repository = new ecr.Repository(this, "TestRepository", {
+  repositoryName: "test-agent-runtime",
+});
+const agentRuntimeArtifact = agentcore.AgentRuntimeArtifact.fromEcrRepository(repository, "v1.0.0");
+
+// String claim - validates that the claim exactly equals the specified value
+// Uses EQUALS operator automatically
+const departmentClaim = agentcore.RuntimeCustomClaim.withStringValue('department', 'engineering');
+
+// String array claim with CONTAINS operator (default)
+// Validates that the claim array contains a specific string value
+// IMPORTANT: CONTAINS requires exactly one value in the array parameter
+const rolesClaim = agentcore.RuntimeCustomClaim.withStringArrayValue('roles', ['admin']);
+
+// String array claim with CONTAINS_ANY operator
+// Validates that the claim array contains at least one of the specified values
+// Use this when you want to check for multiple possible values
+const permissionsClaim = agentcore.RuntimeCustomClaim.withStringArrayValue(
+  'permissions',
+  ['read', 'write'],
+  agentcore.CustomClaimOperator.CONTAINS_ANY
+);
+
+// Use custom claims in authorizer configuration
+const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
+  runtimeName: "myAgent",
+  agentRuntimeArtifact: agentRuntimeArtifact,
+  authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingJWT(
+    "https://example.com/.well-known/openid-configuration",
+    ["client1", "client2"],
+    ["audience1"],
+    ["read", "write"],
+    [departmentClaim, rolesClaim, permissionsClaim] // Custom claims
+  ),
+});
+```
+
+**Custom Claim Rules**:
+
+- **String claims**: Must use the `EQUALS` operator (automatically set). The claim value must exactly match the specified string.
+- **String array claims**: Can use `CONTAINS` (default) or `CONTAINS_ANY` operators:
+  - **`CONTAINS`**: Checks if the claim array contains a specific string value. **Requires exactly one value** in the array parameter. For example, `['admin']` will check if the token's claim array contains the string `'admin'`.
+  - **`CONTAINS_ANY`**: Checks if the claim array contains at least one of the provided string values. Use this when you want to validate against multiple possible values. For example, `['read', 'write']` will check if the token's claim array contains either `'read'` or `'write'`.
+
+**Example Use Cases**:
+
+- Use `CONTAINS` when you need to verify a user has a specific role: `RuntimeCustomClaim.withStringArrayValue('roles', ['admin'])`
+- Use `CONTAINS_ANY` when you need to verify a user has any of several permissions: `RuntimeCustomClaim.withStringArrayValue('permissions', ['read', 'write'], CustomClaimOperator.CONTAINS_ANY)`
+
 #### OAuth Authentication
 
 To configure OAuth 2.0 authentication:
@@ -516,8 +598,11 @@ const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
   runtimeName: "myAgent",
   agentRuntimeArtifact: agentRuntimeArtifact,
   authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingOAuth(
-    "https://github.com/.well-known/openid-configuration",  
-    "oauth_client_123",  
+    "https://github.com/.well-known/openid-configuration",  // Discovery URL (required)
+    "oauth_client_123",  // OAuth Client ID (required)
+    ["audience1"],       // Allowed Audiences (optional)
+    ["openid", "profile"], // Allowed Scopes (optional)
+    // Custom claims (optional) - see Custom Claims Validation section
   ),
 });
 ```
@@ -748,7 +833,7 @@ For more information on VPC connectivity for Amazon Bedrock AgentCore Browser, p
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `browserCustomName` | `string` | Yes | The name of the browser. Must start with a letter and can be up to 48 characters long. Pattern: `[a-zA-Z][a-zA-Z0-9_]{0,47}` |
+| `browserCustomName` | `string` | No | The name of the browser. Must start with a letter and can be up to 48 characters long. Pattern: `[a-zA-Z][a-zA-Z0-9_]{0,47}`. If not provided, a unique name will be auto-generated |
 | `description` | `string` | No | Optional description for the browser. Can have up to 200 characters |
 | `networkConfiguration` | `BrowserNetworkConfiguration` | No | Network configuration for browser. Defaults to PUBLIC network mode |
 | `recordingConfig` | `RecordingConfig` | No | Recording configuration for browser. Defaults to no recording |
@@ -959,7 +1044,7 @@ For more information on VPC connectivity for Amazon Bedrock AgentCore Browser, p
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `codeInterpreterCustomName` | `string` | Yes | The name of the code interpreter. Must start with a letter and can be up to 48 characters long. Pattern: `[a-zA-Z][a-zA-Z0-9_]{0,47}` |
+| `codeInterpreterCustomName` | `string` | No | The name of the code interpreter. Must start with a letter and can be up to 48 characters long. Pattern: `[a-zA-Z][a-zA-Z0-9_]{0,47}`. If not provided, a unique name will be auto-generated |
 | `description` | `string` | No | Optional description for the code interpreter. Can have up to 200 characters |
 | `executionRole` | `iam.IRole` | No | The IAM role that provides permissions for the code interpreter to access AWS services. A new role will be created if not provided |
 | `networkConfiguration` | `CodeInterpreterNetworkConfiguration` | No | Network configuration for code interpreter. Defaults to PUBLIC network mode |
@@ -1084,7 +1169,7 @@ The Gateway construct provides a way to create Amazon Bedrock Agent Core Gateway
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `gatewayName` | `string` | Yes | The name of the gateway. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen). Maximum 100 characters |
+| `gatewayName` | `string` | No | The name of the gateway. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen). Maximum 100 characters. If not provided, a unique name will be auto-generated |
 | `description` | `string` | No | Optional description for the gateway. Maximum 200 characters |
 | `protocolConfiguration` | `IGatewayProtocolConfig` | No | The protocol configuration for the gateway. Defaults to MCP protocol |
 | `authorizerConfiguration` | `IGatewayAuthorizerConfig` | No | The authorizer configuration for the gateway. Defaults to Cognito |
@@ -1132,21 +1217,33 @@ your AgentCore gateway. By default, if not provided, the construct will create a
 **JSON Web Token (JWT)** – A secure and compact token used for authorization. After creating the JWT, you specify it as the authorization
 configuration when you create the gateway. You can create a JWT with any of the identity providers at Provider setup and configuration.
 
-You can configure a custom authorization provider using the `inboundAuthorizer` property with `GatewayAuthorizer.usingCustomJwt()`.
+You can configure a custom authorization provider using the `authorizerConfiguration` property with `GatewayAuthorizer.usingCustomJwt()`.
 You need to specify an OAuth discovery server and client IDs/audiences when you create the gateway. You can specify the following:
 
 - Discovery Url — String that must match the pattern ^.+/\.well-known/openid-configuration$ for OpenID Connect discovery URLs
 - At least one of the below options depending on the chosen identity provider.
 - Allowed audiences — List of allowed audiences for JWT tokens
 - Allowed clients — List of allowed client identifiers
+- Allowed scopes — List of allowed scopes for JWT tokens
+- Custom claims — Optional custom claim validations (see Custom Claims Validation section below)
 
 ```typescript fixture=default
+
+// Optional: Create custom claims (CustomClaimOperator and GatewayCustomClaim from agentcore)
+const customClaims = [
+  agentcore.GatewayCustomClaim.withStringValue('department', 'engineering'),
+  agentcore.GatewayCustomClaim.withStringArrayValue('roles', ['admin'], agentcore.CustomClaimOperator.CONTAINS),
+  agentcore.GatewayCustomClaim.withStringArrayValue('permissions', ['read', 'write'], agentcore.CustomClaimOperator.CONTAINS_ANY),
+];
+
 const gateway = new agentcore.Gateway(this, "MyGateway", {
   gatewayName: "my-gateway",
   authorizerConfiguration: agentcore.GatewayAuthorizer.usingCustomJwt({
     discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
     allowedAudience: ["my-app"],
     allowedClients: ["my-client-id"],
+    allowedScopes: ["read", "write"],
+    customClaims: customClaims, // Optional custom claims
   }),
 });
 ```
@@ -1188,6 +1285,31 @@ const oauthScopes = gateway.oauthScopes;
 // oauthScopes are in the format: ['{resourceServerId}/read', '{resourceServerId}/write']
 ```
 
+**Using Cognito User Pool Explicitly with Custom Claims** – You can also use an existing Cognito User Pool with custom claims:
+
+```typescript fixture=default
+declare const userPool: cognito.UserPool;
+declare const userPoolClient: cognito.UserPoolClient;
+
+// Optional: Create custom claims (CustomClaimOperator and GatewayCustomClaim from agentcore)
+const customClaims = [
+  agentcore.GatewayCustomClaim.withStringValue('department', 'engineering'),
+  agentcore.GatewayCustomClaim.withStringArrayValue('roles', ['admin'], agentcore.CustomClaimOperator.CONTAINS),
+  agentcore.GatewayCustomClaim.withStringArrayValue('permissions', ['read', 'write'], agentcore.CustomClaimOperator.CONTAINS_ANY),
+];
+
+const gateway = new agentcore.Gateway(this, "MyGateway", {
+  gatewayName: "my-gateway",
+  authorizerConfiguration: agentcore.GatewayAuthorizer.usingCognito({
+    userPool: userPool,
+    allowedClients: [userPoolClient],
+    allowedAudiences: ["audience1"],
+    allowedScopes: ["read", "write"],
+    customClaims: customClaims, // Optional custom claims
+  }),
+});
+```
+
 To authenticate with the gateway, request an access token using the client credentials flow and use it to call Gateway endpoints. For more information about the token endpoint, see [The token issuer endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html).
 
 The following is an example of a token request using curl:
@@ -1225,6 +1347,7 @@ const gateway = new agentcore.Gateway(this, "MyGateway", {
     discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
     allowedAudience: ["my-app"],
     allowedClients: ["my-client-id"],
+    allowedScopes: ["read", "write"],
   }),
   kmsKey: encryptionKey,
   exceptionLevel: agentcore.GatewayExceptionLevel.DEBUG,
@@ -1255,6 +1378,7 @@ const gateway = new agentcore.Gateway(this, "MyGateway", {
     discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
     allowedAudience: ["my-app"],
     allowedClients: ["my-client-id"],
+    allowedScopes: ["read", "write"],
   }),
   role: executionRole,
 });
@@ -1278,6 +1402,7 @@ const gateway = new agentcore.Gateway(this, "MyGateway", {
     discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
     allowedAudience: ["my-app"],
     allowedClients: ["my-client-id"],
+    allowedScopes: ["read", "write"],
   }),
 });
 
@@ -1307,7 +1432,7 @@ credential provider attached enabling you to securely access targets whether the
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `gatewayTargetName` | `string` | Yes | The name of the gateway target. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) |
+| `gatewayTargetName` | `string` | No | The name of the gateway target. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen). If not provided, a unique name will be auto-generated |
 | `description` | `string` | No | Optional description for the gateway target. Maximum 200 characters |
 | `gateway` | `IGateway` | Yes | The gateway this target belongs to |
 | `targetConfiguration` | `ITargetConfiguration` | Yes | The target configuration (Lambda, OpenAPI, or Smithy). **Note:** Users typically don't create this directly. When using convenience methods like `GatewayTarget.forLambda()`, `GatewayTarget.forOpenApi()`, `GatewayTarget.forSmithy()` or the gateway's `addLambdaTarget()`, `addOpenApiTarget()`, `addSmithyTarget()` methods, this configuration is created internally for you. Only needed when using the GatewayTarget constructor directly for [advanced scenarios](#advanced-usage-direct-configuration-for-gateway-target). |
@@ -1842,6 +1967,124 @@ const target = new agentcore.GatewayTarget(this, "AdvancedTarget", {
 
 This approach gives you full control over the configuration but is typically not necessary for most use cases. The convenience methods (`GatewayTarget.forLambda()`, `GatewayTarget.forOpenApi()`, `GatewayTarget.forSmithy()`) handle all of this internally.
 
+### Gateway Interceptors
+
+Gateway interceptors allow you to run custom code during each gateway invocation to implement fine-grained access control, transform requests and responses, or implement custom authorization logic. A gateway can have at most one REQUEST interceptor and one RESPONSE interceptor.
+
+**Interceptor Types:**
+
+- **REQUEST interceptors**: Execute before the gateway calls the target. Useful for request validation, transformation, or custom authorization
+- **RESPONSE interceptors**: Execute after the target responds but before the gateway sends the response back. Useful for response transformation, filtering, or adding custom headers
+
+**Security Best Practices:**
+
+1. Keep `passRequestHeaders` disabled unless absolutely necessary (default: false)
+2. Implement idempotent Lambda functions (gateway may retry on failures)
+3. Restrict gateway execution role to specific Lambda functions
+4. Avoid logging sensitive information in your interceptor
+
+For more information, see the [Gateway Interceptors documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-interceptors.html).
+
+#### Adding Interceptors via Constructor
+
+```typescript fixture=default
+// Create Lambda functions for interceptors
+const requestInterceptorFn = new lambda.Function(this, "RequestInterceptor", {
+  runtime: lambda.Runtime.PYTHON_3_12,
+  handler: "index.handler",
+  code: lambda.Code.fromInline(`
+def handler(event, context):
+    # Validate and transform request
+    return {
+        "interceptorOutputVersion": "1.0",
+        "mcp": {
+            "transformedGatewayRequest": event["mcp"]["gatewayRequest"]
+        }
+    }
+  `),
+});
+
+const responseInterceptorFn = new lambda.Function(this, "ResponseInterceptor", {
+  runtime: lambda.Runtime.PYTHON_3_12,
+  handler: "index.handler",
+  code: lambda.Code.fromInline(`
+def handler(event, context):
+    # Filter or transform response
+    return {
+        "interceptorOutputVersion": "1.0",
+        "mcp": {
+            "transformedGatewayResponse": event["mcp"]["gatewayResponse"]
+        }
+    }
+  `),
+});
+
+// Create gateway with interceptors
+const gateway = new agentcore.Gateway(this, "MyGateway", {
+  gatewayName: "my-gateway",
+  interceptorConfigurations: [
+    agentcore.LambdaInterceptor.forRequest(requestInterceptorFn, {
+      passRequestHeaders: true  // Only if you need to inspect headers
+    }),
+    agentcore.LambdaInterceptor.forResponse(responseInterceptorFn)
+  ]
+});
+```
+
+**Automatic Permission Granting:**
+
+When you add a Lambda interceptor to a gateway (either via constructor or `addInterceptor()`), the gateway's IAM role automatically receives `lambda:InvokeFunction` permission on the Lambda function. This permission grant happens internally during the bind process - you do not need to manually configure these IAM permissions.
+
+#### Adding Interceptors Dynamically
+
+```typescript fixture=default
+// Create a gateway first
+const gateway = new agentcore.Gateway(this, "MyGateway", {
+  gatewayName: "my-gateway",
+});
+
+// Create Lambda functions for interceptors
+const requestInterceptorFn = new lambda.Function(this, "RequestInterceptor", {
+  runtime: lambda.Runtime.PYTHON_3_12,
+  handler: "index.handler",
+  code: lambda.Code.fromInline(`
+def handler(event, context):
+    # Custom request validation logic
+    return {
+        "interceptorOutputVersion": "1.0",
+        "mcp": {
+            "transformedGatewayRequest": event["mcp"]["gatewayRequest"]
+        }
+    }
+  `),
+});
+
+const responseInterceptorFn = new lambda.Function(this, "ResponseInterceptor", {
+  runtime: lambda.Runtime.PYTHON_3_12,
+  handler: "index.handler",
+  code: lambda.Code.fromInline(`
+def handler(event, context):
+    # Filter sensitive data from response
+    return {
+        "interceptorOutputVersion": "1.0",
+        "mcp": {
+            "transformedGatewayResponse": event["mcp"]["gatewayResponse"]
+        }
+    }
+  `),
+});
+
+gateway.addInterceptor(
+  agentcore.LambdaInterceptor.forRequest(requestInterceptorFn, {
+    passRequestHeaders: false  // Default, headers not passed for security
+  })
+);
+
+gateway.addInterceptor(
+  agentcore.LambdaInterceptor.forResponse(responseInterceptorFn)
+);
+```
+
 ### Gateway Target IAM Permissions
 
 The Gateway Target construct provides convenient methods for granting IAM permissions:
@@ -1901,7 +2144,7 @@ To write to long-term memory, you need to configure extraction strategies which
 
 | Name | Type | Required | Description |
 |------|------|----------|-------------|
-| `memoryName` | `string` | Yes | The name of the memory |
+| `memoryName` | `string` | No | The name of the memory. If not provided, a unique name will be auto-generated |
 | `expirationDuration` | `Duration` | No | Short-term memory expiration in days (between 7 and 365). Default: 90 days |
 | `description` | `string` | No | Optional description for the memory. Default: no description. |
 | `kmsKey` | `IKey` | No | Custom KMS key to use for encryption. Default: Your data is encrypted with a key that AWS owns and manages for you |
@@ -1958,7 +2201,7 @@ You can use built-in extraction strategies for quick setup, or create custom ext
 
 ### Memory with Built-in Strategies
 
-The library provides three built-in LTM strategies. These are default strategies for organizing and extracting memory data,
+The library provides four built-in LTM strategies. These are default strategies for organizing and extracting memory data,
 each optimized for specific use cases.
 
 For example: An agent helps multiple users with cloud storage setup. From these conversations,
@@ -1985,6 +2228,14 @@ Extracted memory example: User needs clear guidance on cloud storage account con
    - Extracts user behavior patterns from raw conversations
    - Namespace: `/strategies/{memoryStrategyId}/actors/{actorId}`
 
+4. **Episodic Memory Strategy** (`MemoryStrategy.usingBuiltInEpisodic()`)
+Captures meaningful slices of user and system interactions, preserve them into compact records after summarizing.
+Extracted memory example: User first asked about pricing on Monday, then requested feature comparison on Tuesday, finally made purchase decision on Wednesday.
+
+   - Captures event sequences and temporal relationships
+   - Namespace: `/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}`
+   - Reflections: `/strategy/{memoryStrategyId}/actor/{actorId}` 
+
 ```typescript fixture=default
 // Create memory with built-in strategies
 const memory = new agentcore.Memory(this, "MyMemory", {
@@ -1995,6 +2246,7 @@ const memory = new agentcore.Memory(this, "MyMemory", {
     agentcore.MemoryStrategy.usingBuiltInSummarization(),
     agentcore.MemoryStrategy.usingBuiltInSemantic(),
     agentcore.MemoryStrategy.usingBuiltInUserPreference(),
+    agentcore.MemoryStrategy.usingBuiltInEpisodic(),
   ],
 });
 ```
@@ -2004,6 +2256,7 @@ The name generated for each built in memory strategy is as follows:
 - For Summarization: `summary_builtin_cdk001`
 - For Semantic:`semantic_builtin_cdk001>`
 - For User Preferences: `preference_builtin_cdk001`
+- For Episodic : `episodic_builtin_cdkGen0001`
 
 ### Memory with custom Strategies
 
@@ -2045,12 +2298,13 @@ You can customise the namespace, i.e. where the memories are stored by using the
 1. **Summarization Strategy** (`MemoryStrategy.usingSummarization(props)`)
 1. **Semantic Memory Strategy** (`MemoryStrategy.usingSemantic(props)`)
 1. **User Preference Strategy** (`MemoryStrategy.usingUserPreference(props)`)
+1. **Episodic Memory Strategy** (`MemoryStrategy.usingEpisodic(props)`)
 
 ```typescript fixture=default
-// Create memory with built-in strategies
+// Create memory with custom strategies
 const memory = new agentcore.Memory(this, "MyMemory", {
   memoryName: "my_memory",
-  description: "Memory with built-in strategies",
+  description: "Memory with custom strategies",
   expirationDuration: cdk.Duration.days(90),
   memoryStrategies: [
     agentcore.MemoryStrategy.usingUserPreference({
@@ -2061,6 +2315,13 @@ const memory = new agentcore.Memory(this, "MyMemory", {
         name: "CustomerSupportSemantic",
         namespaces: ["support/customer/{actorId}/semantic"]
     }),
+     agentcore.MemoryStrategy.usingEpisodic({
+        name: "customerJourneyEpisodic",
+        namespaces: ["/journey/customer/{actorId}/episodes"],
+        reflectionConfiguration: {
+            namespaces: ["/journey/customer/{actorId}/reflections"]
+        }
+    }),
   ],
 });
 ```