Merged
14 changes: 14 additions & 0 deletions aws-proxy/AGENTS.md
Expand Up @@ -15,6 +15,7 @@ You are an AI agent tasked with adding additional functionality or test coverage
* You can call different `make` targets (e.g., `make test`) in this repo (no need to prompt for confirmation)
* For each new file created or existing file modified, add a header comment to the file, something like `# Note/disclosure: This file has been (partially or fully) generated by an AI agent.`
* The proxy tests are executed against real AWS and may incur some costs, so rather than executing the entire test suite or entire modules, focus the testing on individual test functions within a module only.
* Before claiming success, always double-check against real AWS (via `aws` CLI commands) that everything has been cleaned up and there are no leftover resources from the proxy tests.
* Never add any `print(..)` statements to the code - use a logger to report any status to the user, if required.
* To format/lint the codebase you can run `make format` and `make lint`.

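Review bot: The cleanup bullet ("Before claiming success, always double-check against real AWS ...") does not say what the agent should do when it finds leftover resources, or how it should tell proxy-test resources apart from anything else in the account. Since the check runs `aws` CLI commands against a real account, suggest stating that verification uses list/describe calls only, that deletion is limited to resources the test itself created (for example via a test-specific name prefix), and that anything else is reported rather than removed.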
Expand All @@ -31,6 +32,19 @@ To run a single test via `pytest` (say, `test_my_logic` in `test_s3.py`), use th
TEST_PATH=tests/test_s3.py::test_my_logic make test
```

### Read-Only Mode Support

Some services have operations that are functionally read-only (don't modify state) but don't follow the standard naming conventions (`Describe*`, `Get*`, `List*`, `Query*`). When adding tests or support for a new service with `read_only: true` configuration, check the [AWS Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/) for the service and identify any operations that:
- Are classified as "Read" access level but don't match the standard prefixes
- Evaluate or simulate something without modifying state (e.g., `Evaluate*`, `Simulate*`, `Test*`, `Check*`, `Validate*`)

If you find such operations, add them to the service-specific rules in `aws_proxy/server/aws_request_forwarder.py` in the `_is_read_request` method. This ensures that read-only proxy configurations correctly forward these operations rather than blocking them.

Example services with non-standard read-only operations:
- **AppSync**: `EvaluateCode`, `EvaluateMappingTemplate`
- **IAM**: `SimulateCustomPolicy`, `SimulatePrincipalPolicy`
- **Cognito**: `InitiateAuth`

When adding new integration tests, consider the following:
* Include a mix of positive and negative assertions (i.e., presence and absence of resources).
* Include a mix of different configuration options, e.g., the `read_only: true` flag can be specified in the proxy service configuration YAML, enabling read-only mode (which should be covered by tests as well).
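Review bot: In the "Read-Only Mode Support" section the two bullets read as alternatives, so an operation that merely matches `Test*`, `Check*` or `Validate*` could be added to `_is_read_request` without being classified as "Read" in the Service Authorization Reference. Anything added there is forwarded in `read_only: true` mode, so suggest making the "Read" access level the required condition and treating the name patterns only as a hint for where to look. The Cognito example `InitiateAuth` matches none of the listed patterns; a short reason for treating it as read-only would help.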
5 changes: 5 additions & 0 deletions aws-proxy/aws_proxy/server/aws_request_forwarder.py
Expand Up @@ -223,6 +223,11 @@ def _is_read_request(self, context: RequestContext) -> bool:
"PartiQLSelect",
}:
return True
if context.service.service_name == "appsync" and operation_name in {
"EvaluateCode",
"EvaluateMappingTemplate",
}:
return True
# TODO: add more rules
return False

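Review bot: The new branch in `_is_read_request` covers only `appsync`, while AGENTS.md in this same change also lists IAM (`SimulateCustomPolicy`, `SimulatePrincipalPolicy`) and Cognito (`InitiateAuth`) as services with non-standard read-only operations, and this hunk shows no rule for those. Either add them here or say in AGENTS.md that they are examples still covered by the `# TODO: add more rules`. As the per-service `if` blocks grow, a single mapping from service name to allowed operation names would keep the allowlist reviewable in one place; matching exact operation names rather than prefixes, as done here, is worth keeping.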