Skip to content

test(e2e): add harness E2E coverage for lite_llm, tools, and CUSTOM_JWT#1609

Open
tejaskash wants to merge 2 commits into
mainfrom
test/harness-e2e-coverage
Open

test(e2e): add harness E2E coverage for lite_llm, tools, and CUSTOM_JWT#1609
tejaskash wants to merge 2 commits into
mainfrom
test/harness-e2e-coverage

Conversation

@tejaskash

@tejaskash tejaskash commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds three real-AWS E2E scenarios for harness that the existing provider matrix (harness-bedrock / harness-openai / harness-gemini) doesn't cover. Companion to #1608 (integration-layer coverage); these prove behaviors that only surface at CloudFormation synth/deploy or runtime.

What's added

  • harness-litellm.test.ts — the lite_llm provider, routed at a Bedrock model so the deploy needs no third-party API key (LiteLLM's bedrock backend uses the runtime execution role's IAM). Deploy-only (skipInvoke) — the bedrock suite already proves invoke; this proves the lite_llm model config is accepted by CloudFormation.
  • harness-with-tool.test.ts — a bedrock harness with an agentcore_code_interpreter tool attached via add tool. Tool wiring only fails at synth/deploy, so this is the layer that catches it; then invokes to confirm the harness still works. Code interpreter chosen because it needs no external ARN.
  • harness-custom-jwt.test.ts — a harness with a CUSTOM_JWT authorizer backed by a Cognito user pool. Asserts AuthorizerConfiguration in the CFN template, SigV4 rejection, and bearer-token invoke. Mirrors the existing byo-custom-jwt.test.ts pattern.

Also extends harness-e2e-helper.ts with modelId / apiBase / additionalParams config (for the lite_llm case).

Notes

  • Naturally gated. All tests self-skip without AWS creds. The per-PR e2e-tests.yml workflow auto-runs any changed harness-*.test.ts, so these run once on this PR; afterward they only run in the sharded full suite (e2e-tests-full.yml).
  • create has no harness authorizer flags, so the JWT test patches harness.json after create — same approach byo-custom-jwt.test.ts uses for agentcore.json.
  • Correction vs. original plan: fetch access does not support harness (FetchResourceType = 'gateway' | 'agent'); the harness JWT-token path lives in invoke auto-fetch. The JWT test therefore exercises bearer-token invoke, not fetch access.
  • VPC deploy intentionally excluded — too slow/flaky for E2E (VPC validation is covered locally in the integ PR).

Testing

  • vitest list --project e2e enumerates all cases correctly (lite_llm's invoke step correctly absent due to skipInvoke).
  • tsc --noEmit, eslint, prettier, secretlint all clean.
  • Not run against AWS from this workstation (no creds; real deploys) — validated for collection/compile only. CI will execute them on this PR.

@tejaskash
test(e2e): add harness E2E coverage for lite_llm, attached tools, and…
4e98ad2 
… CUSTOM_JWT

Extends the harness E2E surface with three real-AWS scenarios that the
provider matrix (bedrock/open_ai/gemini) doesn't cover:

- harness-litellm.test.ts — lite_llm provider routed at a Bedrock model
  (no third-party key); deploy-only (skipInvoke) to prove the model config is
  accepted by CloudFormation. Extends harness-e2e-helper with modelId/apiBase/
  additionalParams support.
- harness-with-tool.test.ts — bedrock harness + agentcore_code_interpreter tool
  via 'add tool'; proves tool wiring survives synth/deploy and the harness still
  invokes.
- harness-custom-jwt.test.ts — harness with a CUSTOM_JWT authorizer backed by a
  Cognito pool; asserts AuthorizerConfiguration in the CFN template, SigV4
  rejection, and bearer-token invoke (mirrors byo-custom-jwt.test.ts).

All self-skip without AWS creds. The per-PR e2e workflow auto-runs changed
harness-*.test.ts files; the full suite shards everything.
@tejaskash tejaskash requested a review from a team June 22, 2026 19:33
@github-actions github-actions Bot added the size/m PR size: M label Jun 22, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 22, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 22, 2026
@agentcore-devx-automation

agentcore-devx-automation Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 22, 2026
@github-actions

github-actions Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.20.2.tgz

How to install

gh release download pr-1609-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz

agentcore-cli-automation
agentcore-cli-automation approved these changes Jun 22, 2026
View reviewed changes

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — closely mirrors the existing byo-custom-jwt.test.ts pattern (which is good) and exercises three meaningful gaps in harness E2E coverage (lite_llm provider, tool wiring at CFN synth, CUSTOM_JWT authorizer). The helper extension for modelId/apiBase/additionalParams is appropriately scoped. Self-gating on AWS creds means no impact on contributor PRs. No blocking issues found.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 22, 2026
@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 36.98% 13516 / 36546
🔵 Statements 36.25% 14369 / 39631
🔵 Functions 31.59% 2317 / 7334
🔵 Branches 30.76% 8905 / 28944
Generated in workflow #3758 for commit 111217e by the Vitest Coverage Report Action

@tejaskash tejaskash marked this pull request as draft June 22, 2026 19:56
@tejaskash
test(e2e): add fetch access --type harness step to custom-jwt e2e
111217e 
Set the CUSTOM_JWT harness up via 'add harness' with the JWT + OAuth-credential
flags (--authorizer-type/--discovery-url/--allowed-audience/--client-id/
--client-secret) instead of patching harness.json directly. This registers the
managed OAuth credential and .env.local secret — the real user flow — which are
the prerequisites for fetch access to mint a token.

Adds a step asserting 'fetch access --type harness' returns a CUSTOM_JWT bearer
token and that the JWT's issuer/client_id claims match the Cognito pool.

Depends on the fetch-access-harness feature (PR #1611); until that merges, this
step exercises a command not yet on main. The e2e suite is manual/full-suite
only, so this does not gate per-PR CI.
@tejaskash tejaskash marked this pull request as ready for review June 22, 2026 23:19
@github-actions github-actions Bot added size/m PR size: M and removed size/m PR size: M labels Jun 22, 2026
@tejaskash

tejaskash commented Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Updated and marked ready for review.

Added a fetch access --type harness step to harness-custom-jwt.test.ts, and reworked that test to set the harness up the real way — via add harness --authorizer-type CUSTOM_JWT --discovery-url ... --allowed-audience ... --client-id ... --client-secret ... — instead of patching harness.json directly. That flag path registers the managed OAuth credential + .env.local secret, which are the prerequisites for fetch access to mint a bearer token. The new step asserts the command returns a CUSTOM_JWT token and that the JWT's iss/client_id claims match the Cognito pool.

Verified against real AWS (us-west-2): the bedrock, litellm, and with-tool harness e2e tests pass end-to-end. The fetch-access flow itself was also verified live (CLI + TUI) on a deployed CUSTOM_JWT harness.

Dependency: the fetch access --type harness step exercises the feature in #1611, which isn't on main yet. The e2e suite runs manually / in the full sharded suite (not per-PR CI), so this doesn't gate anything — but the new step will only pass once #1611 merges. Suggest merging #1611 first.

@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 22, 2026
@agentcore-devx-automation

agentcore-devx-automation Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@agentcore-cli-automation agentcore-cli-automation agentcore-cli-automation approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/m PR size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tejaskash @agentcore-cli-automation