feat(fetch): support harness in fetch access (CLI + TUI)

src/cli/commands/fetch/__tests__/fetch-access.test.ts

@@ -3,12 +3,16 @@ import { Command } from '@commander-js/extra-typings';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 const mockFetchGatewayToken = vi.fn();
+const mockFetchRuntimeToken = vi.fn();
+const mockFetchHarnessToken = vi.fn();
 const mockListGateways = vi.fn();
 const mockRequireProject = vi.fn();
 const mockRender = vi.fn();
 
 vi.mock('../../../operations/fetch-access', () => ({
   fetchGatewayToken: (...args: unknown[]) => mockFetchGatewayToken(...args),
+  fetchRuntimeToken: (...args: unknown[]) => mockFetchRuntimeToken(...args),
+  fetchHarnessToken: (...args: unknown[]) => mockFetchHarnessToken(...args),
   listGateways: (...args: unknown[]) => mockListGateways(...args),
 }));
 
@@ -193,4 +197,79 @@ describe('registerFetch', () => {
     const output = JSON.parse(mockLog.mock.calls[0][0]);
     expect(output.success).toBe(true);
   });
+
+  describe('--type harness', () => {
+    const harnessTokenResult = { token: 'harness-token', expiresIn: 3600 };
+
+    it('outputs a CUSTOM_JWT token for a harness when --json flag is used', async () => {
+      mockFetchHarnessToken.mockResolvedValue(harnessTokenResult);
+
+      await program.parseAsync(['fetch', 'access', '--type', 'harness', '--name', 'MyHarness', '--json'], {
+        from: 'user',
+      });
+
+      expect(mockFetchHarnessToken).toHaveBeenCalledWith('MyHarness', {
+        deployTarget: undefined,
+        identityName: undefined,
+      });
+      expect(mockFetchGatewayToken).not.toHaveBeenCalled();
+      expect(mockLog).toHaveBeenCalledTimes(1);
+      const output = JSON.parse(mockLog.mock.calls[0][0]);
+      expect(output.success).toBe(true);
+      expect(output.authType).toBe('CUSTOM_JWT');
+      expect(output.token).toBe('harness-token');
+      expect(output.expiresIn).toBe(3600);
+    });
+
+    it('forwards --identity-name and --target to fetchHarnessToken', async () => {
+      mockFetchHarnessToken.mockResolvedValue(harnessTokenResult);
+
+      await program.parseAsync(
+        [
+          'fetch',
+          'access',
+          '--type',
+          'harness',
+          '--name',
+          'MyHarness',
+          '--identity-name',
+          'my-custom-cred',
+          '--target',
+          'prod',
+          '--json',
+        ],
+        { from: 'user' }
+      );
+
+      expect(mockFetchHarnessToken).toHaveBeenCalledWith('MyHarness', {
+        deployTarget: 'prod',
+        identityName: 'my-custom-cred',
+      });
+    });
+
+    it('errors with a harness-specific message when --name is missing and --json flag is used', async () => {
+      await expect(
+        program.parseAsync(['fetch', 'access', '--type', 'harness', '--json'], { from: 'user' })
+      ).rejects.toThrow('process.exit');
+
+      expect(mockFetchHarnessToken).not.toHaveBeenCalled();
+      expect(mockLog).toHaveBeenCalledTimes(1);
+      const output = JSON.parse(mockLog.mock.calls[0][0]);
+      expect(output.success).toBe(false);
+      expect(output.error).toBe('Missing required option: --name <harness>');
+    });
+
+    it('outputs JSON error when fetchHarnessToken throws (e.g. non-CUSTOM_JWT harness)', async () => {
+      mockFetchHarnessToken.mockRejectedValue(new Error("Harness 'MyHarness' uses AWS_IAM auth, not CUSTOM_JWT."));
+
+      await expect(
+        program.parseAsync(['fetch', 'access', '--type', 'harness', '--name', 'MyHarness', '--json'], { from: 'user' })
+      ).rejects.toThrow('process.exit');
+
+      expect(mockLog).toHaveBeenCalledTimes(1);
+      const output = JSON.parse(mockLog.mock.calls[0][0]);
+      expect(output.success).toBe(false);
+      expect(output.error).toBe("Harness 'MyHarness' uses AWS_IAM auth, not CUSTOM_JWT.");
+    });
+  });
 });

src/cli/commands/fetch/action.ts

@@ -1,4 +1,4 @@
-import { fetchGatewayToken, fetchRuntimeToken, listGateways } from '../../operations/fetch-access';
+import { fetchGatewayToken, fetchHarnessToken, fetchRuntimeToken, listGateways } from '../../operations/fetch-access';
 import type { OAuthTokenResult, TokenFetchResult } from '../../operations/fetch-access';
 import type { FetchAccessOptions } from './types';
 
@@ -16,6 +16,10 @@ export async function handleFetchAccess(options: FetchAccessOptions): Promise<Fe
     return handleFetchAgentAccess(options);
   }
 
+  if (resourceType === 'harness') {
+    return handleFetchHarnessAccess(options);
+  }
+
   return handleFetchGatewayAccess(options);
 }
 
@@ -40,13 +44,29 @@ async function handleFetchGatewayAccess(options: FetchAccessOptions): Promise<Fe
 }
 
 async function handleFetchAgentAccess(options: FetchAccessOptions): Promise<FetchAccessResult> {
+  return fetchTokenAccess(options, 'agent', fetchRuntimeToken);
+}
+
+async function handleFetchHarnessAccess(options: FetchAccessOptions): Promise<FetchAccessResult> {
+  return fetchTokenAccess(options, 'harness', fetchHarnessToken);
+}
+
+/**
+ * Shared flow for the CUSTOM_JWT token-bearing resources (agent runtime, harness): both
+ * resolve an OAuth token by name and surface it in the same result shape (no invoke URL).
+ */
+async function fetchTokenAccess(
+  options: FetchAccessOptions,
+  label: 'agent' | 'harness',
+  fetchToken: (name: string, opts: { deployTarget?: string; identityName?: string }) => Promise<OAuthTokenResult>
+): Promise<FetchAccessResult> {
   if (!options.name) {
-    return { success: false, error: 'Missing required option: --name <agent>' };
+    return { success: false, error: `Missing required option: --name <${label}>` };
   }
 
   let tokenResult: OAuthTokenResult;
   try {
-    tokenResult = await fetchRuntimeToken(options.name, {
+    tokenResult = await fetchToken(options.name, {
       deployTarget: options.target,
       identityName: options.identityName,
     });

src/cli/commands/fetch/command.tsx

@@ -1,5 +1,7 @@
 import { COMMAND_DESCRIPTIONS } from '../../constants';
 import { getErrorMessage } from '../../errors';
+import { withCommandRunTelemetry } from '../../telemetry/cli-command-run.js';
+import { ResourceType, standardize } from '../../telemetry/schemas/common-shapes.js';
 import { requireProject } from '../../tui/guards';
 import { handleFetchAccess } from './action';
 import type { FetchAccessResult } from './action';
@@ -12,9 +14,9 @@ export const registerFetch = (program: Command) => {
 
   fetchCmd
     .command('access')
-    .description('Fetch access info (URL, token, auth guidance) for a deployed gateway or agent.')
-    .option('--name <resource>', 'Gateway or agent name [non-interactive]')
-    .option('--type <type>', 'Resource type: gateway (default) or agent [non-interactive]', 'gateway')
+    .description('Fetch access info (URL, token, auth guidance) for a deployed gateway, agent, or harness.')
+    .option('--name <resource>', 'Gateway, agent, or harness name [non-interactive]')
+    .option('--type <type>', 'Resource type: gateway (default), agent, or harness [non-interactive]', 'gateway')
     .option('--target <target>', 'Deployment target [non-interactive]')
     .option('--identity-name <name>', 'Identity credential name for token fetch [non-interactive]')
     .option('--json', 'Output as JSON [non-interactive]')
@@ -24,7 +26,22 @@ export const registerFetch = (program: Command) => {
 
       let result: FetchAccessResult;
       try {
-        result = await handleFetchAccess(options);
+        // Record cli.command_run for fetch.access. handleFetchAccess runs exactly once inside
+        // the telemetry wrapper; its string-error shape is adapted to the Result {success,
+        // error: Error} the telemetry layer expects (used only for exit_reason/error_name),
+        // while the original result is captured via closure to drive output below.
+        let captured: FetchAccessResult;
+        await withCommandRunTelemetry(
+          'fetch.access',
+          { resource_type: standardize(ResourceType, options.type ?? 'gateway') },
+          async () => {
+            captured = await handleFetchAccess(options);
+            return captured.success
+              ? { success: true as const }
+              : { success: false as const, error: new Error(captured.error) };
+          }
+        );
+        result = captured!;
       } catch (error) {
         if (options.json) {
           console.log(JSON.stringify({ success: false, error: getErrorMessage(error) }));

src/cli/commands/fetch/types.ts

@@ -1,4 +1,4 @@
-export type FetchResourceType = 'gateway' | 'agent';
+export type FetchResourceType = 'gateway' | 'agent' | 'harness';
 
 export interface FetchAccessOptions {
   name?: string;

src/cli/operations/fetch-access/fetch-harness-token.ts

@@ -47,7 +47,7 @@ export async function canFetchHarnessToken(
  */
 export async function fetchHarnessToken(
   harnessName: string,
-  options: { configIO?: ConfigIO; deployTarget?: string } = {}
+  options: { configIO?: ConfigIO; deployTarget?: string; identityName?: string } = {}
 ): Promise<OAuthTokenResult> {
   const configIO = options.configIO ?? new ConfigIO();
 
@@ -79,5 +79,6 @@ export async function fetchHarnessToken(
     deployedState,
     targetName,
     credentials: projectSpec.credentials,
+    credentialName: options.identityName,
   });
 }

src/cli/operations/fetch-access/index.ts

@@ -5,4 +5,5 @@ export { fetchOAuthToken } from './oauth-token';
 export type { OAuthTokenResult } from './oauth-token';
 export { listAgents } from './list-agents';
 export { listGateways } from './list-gateways';
-export type { TokenFetchResult, GatewayInfo, AgentInfo, ResourceInfo } from './types';
+export { listHarnesses } from './list-harnesses';
+export type { TokenFetchResult, GatewayInfo, AgentInfo, HarnessInfo, ResourceInfo } from './types';

src/cli/operations/fetch-access/list-harnesses.ts

@@ -0,0 +1,41 @@
+import { ConfigIO } from '../../../lib';
+import type { HarnessInfo } from './types';
+
+/**
+ * List deployed harnesses with their inbound authorizer type. A harness is included only when
+ * it is registered in the project AND present in deployed-state (mirrors listAgents/listGateways).
+ * The authorizerType lives in each harness.json, so the per-harness spec is read to surface it.
+ */
+export async function listHarnesses(
+  options: { configIO?: ConfigIO; deployTarget?: string } = {}
+): Promise<HarnessInfo[]> {
+  const configIO = options.configIO ?? new ConfigIO();
+
+  const deployedState = await configIO.readDeployedState();
+  const projectSpec = await configIO.readProjectSpec();
+
+  const targetNames = Object.keys(deployedState.targets);
+  if (targetNames.length === 0) return [];
+
+  const targetName = options.deployTarget ?? targetNames[0]!;
+  const target = deployedState.targets[targetName];
+  if (!target) return [];
+
+  const deployedHarnesses = target.resources?.harnesses ?? {};
+
+  const harnesses: HarnessInfo[] = [];
+
+  for (const harness of projectSpec.harnesses) {
+    const deployed = deployedHarnesses[harness.name];
+    if (!deployed?.harnessArn) continue;
+
+    // Read the spec for its authorizerType. A read failure (corrupt/missing harness.json,
+    // post-upgrade schema mismatch) for a deployed harness is a real config problem — let it
+    // propagate so the caller surfaces it, rather than masking it as AWS_IAM and silently
+    // steering a CUSTOM_JWT harness to the "use SigV4" path with no token.
+    const spec = await configIO.readHarnessSpec(harness.name);
+    harnesses.push({ name: harness.name, authType: spec.authorizerType ?? 'AWS_IAM' });
+  }
+
+  return harnesses;
+}

src/cli/operations/fetch-access/types.ts

@@ -1,6 +1,6 @@
 import type { GatewayAuthorizerType, RuntimeAuthorizerType } from '../../../schema';
 
-export type FetchResourceType = 'gateway' | 'agent';
+export type FetchResourceType = 'gateway' | 'agent' | 'harness';
 
 export interface TokenFetchResult {
   url: string;
@@ -20,6 +20,11 @@ export interface AgentInfo {
   authType: RuntimeAuthorizerType;
 }
 
+export interface HarnessInfo {
+  name: string;
+  authType: RuntimeAuthorizerType;
+}
+
 export interface ResourceInfo {
   name: string;
   resourceType: FetchResourceType;

src/cli/telemetry/schemas/common-shapes.ts

@@ -90,7 +90,7 @@ export const OutboundAuthType = z.enum(['oauth', 'api-key', 'none']);
 export const PolicyEngineMode = z.enum(['log_only', 'enforce']);
 export const AgentProtocol = z.enum(['http', 'mcp', 'a2a', 'agui']);
 export const RefType = z.enum(['arn', 'name']);
-export const ResourceType = z.enum(['gateway', 'agent']);
+export const ResourceType = z.enum(['gateway', 'agent', 'harness']);
 export const JobType = z.enum(['recommendation', 'batch-evaluation', 'ab-test', 'insights']);
 export const RecommendationKind = z.enum(['system-prompt', 'tool-description']);
 export const RecommendationInputSource = z.enum(['config-bundle', 'inline', 'file']);

src/cli/tui/screens/fetch-access/FetchAccessScreen.tsx

@@ -21,7 +21,9 @@ function authColor(authType: string): string {
 }
 
 function resourceLabel(resourceType: string): string {
-  return resourceType === 'agent' ? 'Agent' : 'Gateway';
+  if (resourceType === 'agent') return 'Agent';
+  if (resourceType === 'harness') return 'Harness';
+  return 'Gateway';
 }
 
 export function FetchAccessScreen({ isInteractive: _isInteractive, onExit }: FetchAccessScreenProps) {

src/cli/tui/screens/fetch-access/__tests__/useFetchAccessFlow.test.tsx

@@ -1,9 +1,15 @@
-import { fetchGatewayToken, listAgents, listGateways } from '../../../../operations/fetch-access';
+import {
+  fetchGatewayToken,
+  fetchHarnessToken,
+  listAgents,
+  listGateways,
+  listHarnesses,
+} from '../../../../operations/fetch-access';
 import { useFetchAccessFlow } from '../useFetchAccessFlow';
 import { Text } from 'ink';
 import { render } from 'ink-testing-library';
 import React, { act, useImperativeHandle } from 'react';
-import { afterEach, describe, expect, it, vi } from 'vitest';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 // ---------------------------------------------------------------------------
 // Mocks
@@ -12,13 +18,17 @@ import { afterEach, describe, expect, it, vi } from 'vitest';
 vi.mock('../../../../operations/fetch-access', () => ({
   listGateways: vi.fn(),
   listAgents: vi.fn(),
+  listHarnesses: vi.fn(),
   fetchGatewayToken: vi.fn(),
   fetchRuntimeToken: vi.fn(),
+  fetchHarnessToken: vi.fn(),
 }));
 
 const mockListGateways = vi.mocked(listGateways);
 const mockListAgents = vi.mocked(listAgents);
+const mockListHarnesses = vi.mocked(listHarnesses);
 const mockFetchGatewayToken = vi.mocked(fetchGatewayToken);
+const mockFetchHarnessToken = vi.mocked(fetchHarnessToken);
 
 // ---------------------------------------------------------------------------
 // Fixtures
@@ -107,6 +117,10 @@ ImperativeHarness.displayName = 'ImperativeHarness';
 
 afterEach(() => vi.clearAllMocks());
 
+// Default the harness lister to empty so existing gateway/agent cases are unaffected;
+// the harness-specific tests override it.
+beforeEach(() => mockListHarnesses.mockResolvedValue([]));
+
 describe('useFetchAccessFlow', () => {
   describe('initial loading state', () => {
     it('starts in loading phase on mount', () => {
@@ -270,4 +284,49 @@ describe('useFetchAccessFlow', () => {
       expect(lastFrame()).toContain('phase:error');
     });
   });
+
+  describe('harness resources', () => {
+    it('fetches a CUSTOM_JWT token for a single deployed harness', async () => {
+      mockListGateways.mockResolvedValue([]);
+      mockListAgents.mockResolvedValue([]);
+      mockListHarnesses.mockResolvedValue([{ name: 'MyHarness', authType: 'CUSTOM_JWT' }]);
+      mockFetchHarnessToken.mockResolvedValue({ token: 'harness-token', expiresIn: 3600 });
+      const ref = React.createRef<HarnessHandle>();
+      const { lastFrame } = render(<ImperativeHarness ref={ref} />);
+
+      await delay();
+
+      expect(mockFetchHarnessToken).toHaveBeenCalledWith('MyHarness');
+      expect(lastFrame()).toContain('phase:result');
+      expect(ref.current!.getResult()?.authType).toBe('CUSTOM_JWT');
+      expect(ref.current!.getResult()?.token).toBe('harness-token');
+    });
+
+    it('shows the AWS_IAM guidance message for an AWS_IAM harness without fetching a token', async () => {
+      mockListGateways.mockResolvedValue([]);
+      mockListAgents.mockResolvedValue([]);
+      mockListHarnesses.mockResolvedValue([{ name: 'IamHarness', authType: 'AWS_IAM' }]);
+      const ref = React.createRef<HarnessHandle>();
+      const { lastFrame } = render(<ImperativeHarness ref={ref} />);
+
+      await delay();
+
+      expect(mockFetchHarnessToken).not.toHaveBeenCalled();
+      expect(lastFrame()).toContain('phase:result');
+      expect(ref.current!.getResult()?.authType).toBe('AWS_IAM');
+      expect(ref.current!.getResult()?.message).toContain('harness');
+    });
+
+    it('includes harnesses alongside gateways and agents in the picker', async () => {
+      mockListGateways.mockResolvedValue([{ name: 'gw-jwt', authType: 'CUSTOM_JWT' as const }]);
+      mockListAgents.mockResolvedValue([{ name: 'agent-one', authType: 'AWS_IAM' as const }]);
+      mockListHarnesses.mockResolvedValue([{ name: 'MyHarness', authType: 'CUSTOM_JWT' }]);
+      const { lastFrame } = render(<PhaseHarness />);
+
+      await delay();
+
+      expect(lastFrame()).toContain('phase:picking');
+      expect(lastFrame()).toContain('resourceCount:3');
+    });
+  });
 });