fix(unit-only): Add bearer-token support to the A2A invoke path, mirrorin... (#815)#34

Draft: aidandaly24 wants to merge 3 commits into main from fix/815


@aidandaly24

Owner

Refs aws#815

Issues

  • A2A invoke does not support CUSTOM_JWT authentication aws/agentcore-cli#815 — An A2A-protocol agent configured with CUSTOM_JWT authorization cannot be invoked. The CLI auto-fetches a bearer token but silently drops it on the A2A path, falling back to SigV4, so every invoke fails with a confusing "Authorization method mismatch" service error. There is no workaround other than a code change, and no add-time warning. Affects CLI invoke, the TUI, and the dev web-UI.

Root cause

A2A invoke path has no bearerToken support: A2AInvokeOptions (agentcore.ts:926-934) lacks the field and invokeA2ARuntime (942-986) always uses SigV4 (createAgentCoreClient line 943), with no bearer dispatch like the HTTP path (356-357). The token is auto-fetched in resolve.ts:116-145 and stored at action.ts:306 but dropped by the A2A option literals at action.ts:592-601, useInvokeFlow.ts:782-792, and invocations.ts:456-463/552-560 (MCP/AGUI/HTTP siblings all pass it). No add-time guard (validate.ts:319-335).

The fix

Add bearer-token support to the A2A invoke path, mirroring HTTP.

(1) Add bearerToken?: string; to A2AInvokeOptions (agentcore.ts:926-934).

(2) In invokeA2ARuntime (agentcore.ts:942), when options.bearerToken is set, send a raw HTTP POST of the JSON-RPC body with Authorization: Bearer via buildInvokeUrl/buildBearerInvokeHeaders (agentcore.ts:201-233) instead of the SigV4 createAgentCoreClient + InvokeAgentRuntimeCommand, then parse the response through the existing parseA2AResponse. A2A uses the same InvokeAgentRuntime data plane and /runtimes/{arn}/invocations endpoint as HTTP, which already supports bearer auth, so this is sound.

(3) Pass the token at the three call sites: bearerToken: options.bearerToken at action.ts:592-601, bearerToken: bearerToken || undefined at useInvokeFlow.ts:782-792, and thread bearerToken through DeployedInvokeParams to the A2A dispatch and handler at invocations.ts:456-463 / 552-560.

Minimal-effort fallback only if the service truly rejects CUSTOM_JWT for A2A: add a fail-loud guard at the top of invokeA2ARuntime like AGUI's (agentcore.ts:1080-1082), or reject A2A+CUSTOM_JWT in validate.ts:319-335 — but the full fix is preferred.

Files touched: src/cli/aws/agentcore.ts (A2AInvokeOptions interface lines 926-934; invokeA2ARuntime lines 942-986), src/cli/commands/invoke/action.ts:592-601, src/cli/tui/screens/invoke/useInvokeFlow.ts:782-792, src/cli/operations/dev/web-ui/handlers/invocations.ts (DeployedInvokeParams 498-506, dispatch 456-463, handleDeployedA2AInvocation 552-560)

Validation evidence

The fix was verified by reproducing the original symptom and re-running after the change:

BEFORE (original symptom reproduced): committed HEAD's invokeA2ARuntime (agentcore.ts:944) unconditionally called createAgentCoreClient + InvokeAgentRuntimeCommand (SigV4) and had no bearerToken field on A2AInvokeOptions, so a supplied Cognito bearer token was dropped and a CUSTOM_JWT runtime rejected the call with "Authorization method mismatch". I empirically reproduced this by temporarily removing the fix's bearer branch and running the new test: the "uses fetch with Bearer Authorization header and never the SigV4 client" case FAILED — execution fell through to client.send(command) and threw "Cannot read properties of undefined (reading 'response')" at agentcore.ts:973, proving the bearer token was ignored and the SigV4 path was taken.

AFTER (fix restored, rebuilt exit 0): the new unit test (src/cli/aws/tests/agentcore-a2a-bearer.test.ts) passes both cases — with bearerToken set, invokeA2ARuntime calls global fetch exactly once with header Authorization=Bearer test-jwt-token, the fetch body carries the JSON-RPC method=message/send with parts[0].text='hi', mockSdkSend (SigV4 client) is never called, and the JSON-RPC result is routed through parseA2AResponse to yield 'Hello from A2A'; with no bearerToken, mockSdkSend is called once and fetch is never called (SigV4 path preserved). All three call sites thread the token: action.ts:596, useInvokeFlow.ts:786, invocations.ts (DeployedInvokeParams.bearerToken:505, handler:559, dispatch:463). Fix reuses existing buildInvokeUrl

Test suite: green.


Staged on the fork as a draft for human review. Promote to aws/agentcore-cli after vetting.

…M_JWT runtimes

A2A-protocol agents configured with CUSTOM_JWT authorization could not be
invoked: the CLI auto-fetched a bearer token but invokeA2ARuntime always used
the SigV4 client, dropping the token and triggering an "Authorization method
mismatch" service error.

Add bearerToken support to A2AInvokeOptions and, when set, send a raw HTTP POST
of the JSON-RPC body with an Authorization: Bearer header via buildInvokeUrl /
buildBearerInvokeHeaders, parsing the response through parseA2AResponse. Thread
the token through all three call sites (invoke action, TUI invoke flow, dev
web-UI invocations handler).

Fixes aws#815
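
The auth dispatch described above, as an added sketch that is not code from this pull request or from agentcore-cli. It goes one step beyond the PR by combining the bearer branch with the fail-loud guard the description lists as a fallback, so an empty token can never turn into a silent SigV4 call. All type and function names, the placeholder host, the `authorizerType` field and the JSON-RPC `params` shape are assumptions.

```typescript
// Added illustration; every name here is hypothetical, not agentcore-cli source.
type AuthorizerType = 'AWS_IAM' | 'CUSTOM_JWT';

interface A2AInvokeSketch {
  runtimeArn: string;
  authorizerType: AuthorizerType; // assumed to be known from the agent's config
  text: string;
  bearerToken?: string; // the field the PR adds to A2AInvokeOptions
}

type InvokePlan =
  | { transport: 'bearer-http'; url: string; headers: Record<string, string>; body: string }
  | { transport: 'sigv4-sdk'; payload: string };

// Placeholder host (assumption); only the /runtimes/{arn}/invocations path is from the page.
const DATA_PLANE = 'https://dataplane.example.invalid';

// JSON-RPC body; the params shape is an assumption consistent with parts[0].text.
function buildA2ABody(text: string): string {
  return JSON.stringify({
    jsonrpc: '2.0',
    id: 1,
    method: 'message/send',
    params: { message: { role: 'user', parts: [{ kind: 'text', text }] } },
  });
}

function planA2AInvoke(opts: A2AInvokeSketch): InvokePlan {
  const token = opts.bearerToken?.trim();
  const body = buildA2ABody(opts.text);
  if (token) {
    // CR/LF inside a token would corrupt the Authorization header; reject it.
    if (/[\r\n]/.test(token)) throw new Error('bearer token contains CR/LF');
    return {
      transport: 'bearer-http',
      url: `${DATA_PLANE}/runtimes/${encodeURIComponent(opts.runtimeArn)}/invocations`,
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body,
    };
  }
  // Fail loud: an empty or missing token must not silently become a SigV4 call
  // against a runtime that only accepts JWTs.
  if (opts.authorizerType === 'CUSTOM_JWT') {
    throw new Error('CUSTOM_JWT runtime requires a bearer token; refusing SigV4 fallback');
  }
  return { transport: 'sigv4-sdk', payload: body };
}
```

Returning a plan instead of performing the request keeps the auth decision testable without network access or AWS credentials.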
@github-actions github-actions Bot added size/m PR size: M agentcore-harness-reviewing AgentCore Harness review in progress and removed agentcore-harness-reviewing AgentCore Harness review in progress labels Jun 25, 2026
@github-actions

github-actions Bot commented Jun 25, 2026


Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.2% 13613 / 36587
🔵 Statements 36.47% 14472 / 39678
🔵 Functions 31.82% 2335 / 7337
🔵 Branches 31.12% 9008 / 28942
Generated in workflow #135 for commit 75d5f7c by the Vitest Coverage Report Action

@github-actions github-actions Bot added size/m PR size: M and removed size/m PR size: M labels Jun 26, 2026
