feat(fetch): support harness in fetch access (CLI + TUI)#1611
feat(fetch): support harness in fetch access (CLI + TUI)#1611tejaskash wants to merge 3 commits into
Conversation
Adds 'harness' as a resource type for fetch access, fetching a CUSTOM_JWT bearer token for a deployed harness via the existing fetchHarnessToken operation. CLI: - types: FetchResourceType += 'harness' - action: handleFetchHarnessAccess dispatch; agent + harness share one fetchTokenAccess helper - command: help text covers harness TUI: - new listHarnesses operation (project registry ∩ deployed-state, reads each harness.json for authorizerType) - useFetchAccessFlow loads harnesses alongside gateways/agents and routes the harness fetch through fetchHarnessToken - FetchAccessScreen labels the harness resource type Verified end-to-end against real AWS (us-west-2): deployed a CUSTOM_JWT harness backed by Cognito with the OAuth credential stored in AgentCore Identity, then fetched a valid bearer token via both 'fetch access --type harness' and the TUI picker. Unit tests: 48 passing across fetch-access (incl. 6 new harness cases).
github-actions
Bot
added
the
agentcore-harness-reviewing
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Package TarballHow to installgh release download pr-1611-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz |
agentcore-cli-automation
left a comment
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Nice cleanup factoring fetchTokenAccess out of the agent and harness paths. A couple of real issues to address before merge — see inline comments. The main one: --identity-name is silently ignored for harnesses because fetchHarnessToken doesn't accept that option, even though the CLI advertises the flag for all token-bearing resources.
One additional note (not file in this PR, so flagging here):
Telemetry — ResourceType in src/cli/telemetry/schemas/common-shapes.ts:93 is z.enum(['gateway', 'agent']) and backs the fetch.access resource_type attribute (see command-run.ts:173). Adding harness means that enum needs 'harness' for any future emission to be valid.
Separately, I couldn't find any actual cli.command_run emission for fetch.access — the schema entry exists but commands/fetch/command.tsx doesn't wrap the handler with withCommandRunTelemetry. That's a pre-existing gap, but per src/cli/telemetry/README.md adding telemetry to new features is expected. Worth wiring up while you're here so the new harness path doesn't go unobserved.
github-actions
Bot
removed
the
agentcore-harness-reviewing
Coverage Report
|
- fetchHarnessToken: accept identityName and forward as credentialName, so
'fetch access --type harness --identity-name X' is honored instead of
silently using the default <name>-oauth (mirrors fetchRuntimeToken).
- listHarnesses: drop the silent AWS_IAM fallback on readHarnessSpec failure;
let the error propagate so a corrupt/missing harness.json for a deployed
harness surfaces instead of masking a CUSTOM_JWT harness as AWS_IAM.
- HarnessInfo.authType: type as RuntimeAuthorizerType (was string) to match
AgentInfo and get the TUI auth-type branches type-checked.
- tests: replace the objectContaining({}) matcher with exact-options
assertions and add a case proving --identity-name/--target are forwarded.
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Set the CUSTOM_JWT harness up via 'add harness' with the JWT + OAuth-credential flags (--authorizer-type/--discovery-url/--allowed-audience/--client-id/ --client-secret) instead of patching harness.json directly. This registers the managed OAuth credential and .env.local secret — the real user flow — which are the prerequisites for fetch access to mint a token. Adds a step asserting 'fetch access --type harness' returns a CUSTOM_JWT bearer token and that the JWT's issuer/client_id claims match the Cognito pool. Depends on the fetch-access-harness feature (PR #1611); until that merges, this step exercises a command not yet on main. The e2e suite is manual/full-suite only, so this does not gate per-PR CI.
github-actions
Bot
added
the
agentcore-harness-reviewing
|
Looks good to merge from my pass. The three inline issues from the previous review ( The only outstanding item is the telemetry note from the previous review summary — it wasn't addressed and isn't a code-change blocker in this PR, but worth tracking:
Both are pre-existing gaps that this PR widens rather than introduces. Happy to see them addressed in a follow-up if you'd rather keep this PR scoped. |
github-actions
Bot
removed
the
agentcore-harness-reviewing
…ess command_run Addresses the re-review's telemetry notes: - ResourceType enum += 'harness', so a fetch.access emission with resource_type=harness validates (the enum backs that attribute). - Wire withCommandRunTelemetry into 'fetch access' (was unwrapped — no cli.command_run was emitted at all), recording resource_type. handleFetchAccess runs once inside the wrapper; its string-error shape is adapted to the Result the telemetry layer expects while the original result drives output. Tests: 131 passing across telemetry + fetch + tui-fetch suites; ResourceType accepts 'harness' and rejects unknown values.
|
Addressed the telemetry note from the review body in 2ad7236:
The three inline issues ( |
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
2 participants
Summary
Adds harness as a resource type for
fetch access, so users can retrieve a CUSTOM_JWT bearer token for a deployed harness — both from the CLI (fetch access --type harness --name <name>) and the interactive TUI picker. Builds on the existingfetchHarnessTokenoperation (already used byinvokeauto-fetch); this exposes it through thefetchcommand surface.What changed
CLI
commands/fetch/types.ts—FetchResourceType+='harness'commands/fetch/action.ts—handleFetchHarnessAccessdispatch; the agent and harness handlers now share onefetchTokenAccesshelper (they were near-identical)commands/fetch/command.tsx—--type/--name/ description help text cover harnessTUI
operations/fetch-access/list-harnesses.ts— newlistHarnesses(project registry ∩ deployed-state, reads eachharness.jsonforauthorizerType); mirrorslistAgentsoperations/fetch-access/{types,index}.ts—HarnessInfotype + exportstui/screens/fetch-access/useFetchAccessFlow.ts— loads harnesses alongside gateways/agents; routes harness fetch throughfetchHarnessTokentui/screens/fetch-access/FetchAccessScreen.tsx— labels the harness resource typeTesting
Unit: 48 passing across fetch-access, including 6 new harness cases (3 CLI action, 3 TUI flow).
End-to-end against real AWS (account 346532552948 / us-west-2):
create-oauth2-credential-provider).fetch access --type harness --name <name>→success: true, returned a valid Cognito-issued JWT (verified claims: correct issuer, client_id,scope=agentcore/invoke,token_use=access).fetchflow → harness appears in the picker asHarness [JWT], selecting it fetches and displays the same valid token.Notes
AWS_IAMharness has no token to fetch — it surfaces the existing "use SigV4" guidance (same UX as the agent path). Token fetch applies only to CUSTOM_JWT harnesses with a managed OAuth credential.listHarnessesreads eachharness.jsonforauthorizerType(the project registry entry only carries name/path).