fix(invoke): adjust redaction regex to allow words following bearer

[Hweinstock]

Description

See #1479. The fix is to leverage the shape of JWT instead of a bearer prefix for redaction.

This relies on AgentCore inbound auth only accepting JWT, and not arbitrary bearer tokens.

Tests create an actual JWT (pull in jose as dev dependency) to verify the pattern matching is working as expected.

Related Issue

Closes #

Documentation PR

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Other (please describe):

Testing

How have you tested the change?

• I ran npm run test:unit and npm run test:integ
• I ran npm run typecheck
• I ran npm run lint
• If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[github-actions]

Package Tarball

aws-agentcore-0.18.0.tgz

How to install

gh release download pr-1480-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.18.0.tgz

[agentcore-cli-automation]

Looks good to merge. The fix correctly switches from a prefix-based match (which over-redacted bare words like token after bearer) to a JWT-shape match, which directly addresses #1479. The tests are well-constructed: they generate real JWTs via jose rather than mocking, and they include explicit regression cases for the prose patterns that triggered the bug (bearer token is available, Invalid Bearer Token).

A couple of small things I considered but don't think need to block:

• The regex assumes AgentCore inbound auth is always JWT-shaped. The PR description calls this out explicitly, so 👍. If opaque bearer tokens are ever supported, the JWT-shape pattern won't catch them and we'll want to revisit.
• The trailing [A-Za-z0-9_-]+ is greedy and unanchored, so a JWT immediately concatenated with adjacent base64url-ish text (no quote/whitespace/punctuation between them) would over-match. In practice JWTs in logs/JSON/headers are always bounded, so this is a theoretical concern only.

No telemetry needed since this is a pure fix to a redaction utility.

[Hweinstock]

harness failure is a transient connection failure, here is the comment it tried to post:

Summary of my analysis:

**Findings:**
1. The fix is correct and well-scoped: matches by JWT shape, no longer captures bare words after `bearer`.
2. Tests properly use real JWTs via `jose` (no excessive mocking).
3. The PR comment correctly explains the rationale.
4. The trailing `[A-Za-z0-9_-]+` is greedy and could potentially over-match if a JWT is concatenated directly with adjacent base64url-like alphanumeric text. In practice this is unlikely (JWTs are bounded by quotes/whitespace/punctuation), but worth noting. Not a blocker.
5. A theoretical concern: if AgentCore ever supports non-JWT bearer tokens (opaque tokens), this regex won't catch them. The PR description explicitly acknowledges this assumption.
6. No telemetry needed (pure refactor of redaction utility).

I don't see any serious issues that need code changes. Let me approve with a minor note.

[Hweinstock]

the eslint flag is existing code, and its a false-positive. The rule is prone to false positives, and they call it out here: https://www.npmjs.com/package/safe-regex

[notgitika]

TIL about jose pretty neat!

[notgitika]

nice that our integ/e2e tests caught this!