feat(invoke,dev): add exec mode for running shell commands in runtimes (#750)

* feat(invoke,dev): add exec mode for running shell commands in runtimes

Add ! exec mode to invoke TUI for running shell commands in deployed
runtimes, and ! local exec / !! container exec to dev TUI. Includes
non-interactive --exec flag for both invoke and dev commands.

- invoke TUI: type ! to enter exec mode, runs commands in deployed runtime
- invoke CLI: --exec flag runs commands via InvokeAgentRuntimeCommand API
- dev TUI: type ! for local exec, !! for container exec (Container builds)
- dev CLI: --exec flag execs into running dev container (Container only)
- TextInput: add onChange and onBackspaceEmpty props for mode switching
- Pink/magenta hint text appears when exec input is empty, disappears on typing
- Backspace on empty input reverses mode (!! -> ! -> normal)
- IAM policy and docs updated with new bedrock-agentcore:InvokeRuntimeCommand

Constraint: dev --exec CLI is Container-only since CodeZip users have local terminal
Rejected: Ctrl+E hotkey for container exec | !! double-bang is more discoverable and consistent
Confidence: high
Scope-risk: moderate

* fix: address review findings — side effects, DRY, dead code, validation

CRITICAL: Move onBackspaceEmpty callback outside setState updater (React
purity violation) and add text.length === 0 guard so it only fires when
input is truly empty.

HIGH: Extract shared runSpawnCommand helper in useDevServer to DRY up
execCommand/execInContainer near-duplication (~100 lines → ~60 lines).

Deslop: Remove dead providerInfo/modelProvider code paths, simplify
singleValueStream to plain yield, replace options.prompt! assertions
with early guard, remove redundant comments.

Medium: Fix timeout:0 falsy check, add --exec+--stream validation,
handle undefined exitCode explicitly, add SDK cast comment + runtime guard.

Constraint: onBackspaceEmpty must fire outside setState to avoid double-fire in React 18 concurrent mode
Rejected: Checking state inside updater for callback | React purity violation
Confidence: high
Scope-risk: narrow

* feat(tui): sticky exec mode with distinct visual styling

- Exec prompt (!) now uses magenta instead of yellow for clear
  differentiation from chat prompt (>)
- Exec output renders in default terminal foreground, distinct from
  green chat responses — works on both dark and light terminals
- Exec mode is sticky: ! prompt persists after running a command,
  exit via Escape or Backspace-on-empty
- Conversation rendering upgraded to per-line colored output in
  InvokeScreen (matching DevScreen pattern)

Constraint: Terminal color palette limited to 8 base colors
Rejected: cyan for exec output | too similar to blue chat input
Rejected: yellow for exec output | invisible on light terminal backgrounds
Confidence: high
Scope-risk: narrow

* fix(tui): resolve 3 exec mode UX bugs from review feedback

Bug 1: Escape in exec mode no longer exits the app. The Screen
component's useExitHandler is disabled when in input mode
(exitEnabled={mode !== 'input'}), so only TextInput's onCancel
handles Escape. Escape in exec drops to > prompt; Escape from >
goes to chat mode; Escape from chat exits.

Bug 2: Dim prompt during command execution now shows ! or !!
instead of always showing >, matching the current exec state.

Bug 3: execInputEmpty is reset to true after command execution,
so typing ! in sticky exec mode correctly escalates to !!
(container exec) on container agents.

* fix(tui): eliminate command flash during exec mode transitions

The !! command and prompt would briefly vanish (replaced by >) when
executing a container command, because setMode('chat') fired in a
separate render batch from setConversation/setIsStreaming.

Fix: add onStart callback to runSpawnCommand that fires in the same
synchronous block as the conversation/streaming state updates, so
React batches them together. The mode transition and conversation
update now render atomically — no flash.

Author: aidandaly24

docs/PERMISSIONS.md

@@ -311,11 +311,12 @@ Required for all deployment operations (`deploy`, `status`, `diff`).
 
 ### Agent invocation
 
-| Action                                        | CLI Commands | Purpose                                                                                   |
-| --------------------------------------------- | ------------ | ----------------------------------------------------------------------------------------- |
-| `bedrock-agentcore:InvokeAgentRuntime`        | `invoke`     | Invoke deployed agents (HTTP, MCP, and A2A protocols)                                     |
-| `bedrock-agentcore:InvokeAgentRuntimeForUser` | `invoke`     | Invoke agents with a user ID (requires `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header) |
-| `bedrock-agentcore:StopRuntimeSession`        | `invoke`     | End an agent runtime session                                                              |
+| Action                                        | CLI Commands    | Purpose                                                                                   |
+| --------------------------------------------- | --------------- | ----------------------------------------------------------------------------------------- |
+| `bedrock-agentcore:InvokeAgentRuntime`        | `invoke`        | Invoke deployed agents (HTTP, MCP, and A2A protocols)                                     |
+| `bedrock-agentcore:InvokeAgentRuntimeForUser` | `invoke`        | Invoke agents with a user ID (requires `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header) |
+| `bedrock-agentcore:InvokeAgentRuntimeCommand` | `invoke --exec` | Execute shell commands in a runtime container                                             |
+| `bedrock-agentcore:StopRuntimeSession`        | `invoke`        | End an agent runtime session                                                              |
 
 ### Runtime and resource status
 

docs/commands.md

@@ -505,20 +505,27 @@ agentcore invoke --json                      # JSON output
 
 # MCP protocol invoke
 agentcore invoke call-tool --tool myTool --input '{"key": "value"}'
+
+# Execute shell commands in the runtime container
+agentcore invoke --exec "ls -la /app"
+agentcore invoke --exec "python script.py" --timeout 120
+agentcore invoke --exec "cat /etc/os-release" --json
 ```
 
-| Flag                | Description                                              |
-| ------------------- | -------------------------------------------------------- |
-| `[prompt]`          | Prompt text (positional argument)                        |
-| `--prompt <text>`   | Prompt text (flag, takes precedence over positional)     |
-| `--agent <name>`    | Specific agent                                           |
-| `--target <name>`   | Deployment target                                        |
-| `--session-id <id>` | Continue a specific session                              |
-| `--user-id <id>`    | User ID for runtime invocation (default: `default-user`) |
-| `--stream`          | Stream response in real-time                             |
-| `--tool <name>`     | MCP tool name (use with `call-tool` prompt)              |
-| `--input <json>`    | MCP tool arguments as JSON (use with `--tool`)           |
-| `--json`            | JSON output                                              |
+| Flag                  | Description                                              |
+| --------------------- | -------------------------------------------------------- |
+| `[prompt]`            | Prompt text (positional argument)                        |
+| `--prompt <text>`     | Prompt text (flag, takes precedence over positional)     |
+| `--agent <name>`      | Specific agent                                           |
+| `--target <name>`     | Deployment target                                        |
+| `--session-id <id>`   | Continue a specific session                              |
+| `--user-id <id>`      | User ID for runtime invocation (default: `default-user`) |
+| `--stream`            | Stream response in real-time                             |
+| `--tool <name>`       | MCP tool name (use with `call-tool` prompt)              |
+| `--input <json>`      | MCP tool arguments as JSON (use with `--tool`)           |
+| `--exec`              | Execute a shell command in the runtime container         |
+| `--timeout <seconds>` | Timeout in seconds for `--exec` commands                 |
+| `--json`              | JSON output                                              |
 
 ---
 

docs/policies/iam-policy-user.json

@@ -36,6 +36,7 @@
       "Action": [
         "bedrock-agentcore:InvokeAgentRuntime",
         "bedrock-agentcore:InvokeAgentRuntimeForUser",
+        "bedrock-agentcore:InvokeAgentRuntimeCommand",
         "bedrock-agentcore:Evaluate",
         "bedrock-agentcore:StopRuntimeSession"
       ],

src/cli/aws/agentcore.ts

@@ -5,6 +5,7 @@ import {
   EvaluateCommand,
   type EvaluationReferenceInput,
   InvokeAgentRuntimeCommand,
+  InvokeAgentRuntimeCommandCommand,
   StopRuntimeSessionCommand,
 } from '@aws-sdk/client-bedrock-agentcore';
 import type { HttpRequest } from '@smithy/protocol-http';
@@ -326,9 +327,7 @@ export async function invokeAgentRuntimeStreaming(options: InvokeAgentRuntimeOpt
         buffer += decoded;
         fullResponse += decoded;
 
-        // Process complete lines from the buffer
         const lines = buffer.split('\n');
-        // Keep the last incomplete line in the buffer
         buffer = lines.pop() ?? '';
 
         for (const line of lines) {
@@ -824,8 +823,9 @@ export async function invokeA2ARuntime(options: A2AInvokeOptions, message: strin
 }
 
 /** Wrap a single string value as an AsyncGenerator for StreamingInvokeResult compatibility. */
+// eslint-disable-next-line @typescript-eslint/require-await
 async function* singleValueStream(value: string): AsyncGenerator<string, void, unknown> {
-  yield await Promise.resolve(value);
+  yield value;
 }
 
 /** Extract text content from A2A JSON-RPC response. Supports both kind:'text' and type:'text' part formats. */
@@ -904,3 +904,89 @@ export async function stopRuntimeSession(options: StopRuntimeSessionOptions): Pr
     statusCode: response.statusCode,
   };
 }
+
+// ---------------------------------------------------------------------------
+// Execute Bash: Run shell commands in runtime containers
+// ---------------------------------------------------------------------------
+
+export interface ExecuteBashOptions {
+  region: string;
+  runtimeArn: string;
+  command: string;
+  sessionId?: string;
+  timeout?: number;
+  /** Custom headers to forward to the agent runtime */
+  headers?: Record<string, string>;
+  /** Bearer token for CUSTOM_JWT auth — not yet supported for exec, will throw */
+  bearerToken?: string;
+}
+
+export interface ExecuteBashStreamEvent {
+  type: 'start' | 'stdout' | 'stderr' | 'stop';
+  data?: string;
+  exitCode?: number;
+  status?: string;
+}
+
+export interface ExecuteBashResult {
+  stream: AsyncGenerator<ExecuteBashStreamEvent, void, unknown>;
+  sessionId: string | undefined;
+}
+
+/**
+ * Execute a shell command in a running AgentCore Runtime container.
+ * Returns a streaming result with stdout/stderr events and exit code.
+ */
+export async function executeBashCommand(options: ExecuteBashOptions): Promise<ExecuteBashResult> {
+  if (options.bearerToken) {
+    throw new Error('Bearer token auth for exec is not yet supported. Use SigV4 credentials.');
+  }
+
+  const client = createAgentCoreClient(options.region, options.headers);
+
+  const command = new InvokeAgentRuntimeCommandCommand({
+    agentRuntimeArn: options.runtimeArn,
+    runtimeSessionId: options.sessionId,
+    body: {
+      command: options.command,
+      ...(options.timeout != null ? { timeout: options.timeout } : {}),
+    },
+  });
+
+  const response = await client.send(command);
+  const sessionId = response.runtimeSessionId;
+
+  async function* streamEvents(): AsyncGenerator<ExecuteBashStreamEvent, void, unknown> {
+    if (!response.stream) {
+      throw new Error('No stream in response from AgentCore Runtime');
+    }
+    for await (const event of response.stream) {
+      // SDK types for InvokeAgentRuntimeCommandCommand stream events are not yet published — cast needed until SDK stabilizes
+      const chunk = (event as unknown as Record<string, unknown>).chunk as Record<string, unknown> | undefined;
+      if (!chunk || typeof chunk !== 'object') continue;
+
+      if (chunk.contentStart !== undefined) {
+        yield { type: 'start' };
+      }
+      const delta = chunk.contentDelta as { stdout?: string; stderr?: string } | undefined;
+      if (delta) {
+        if (delta.stdout) {
+          yield { type: 'stdout', data: delta.stdout };
+        }
+        if (delta.stderr) {
+          yield { type: 'stderr', data: delta.stderr };
+        }
+      }
+      const stop = chunk.contentStop as { exitCode?: number; status?: string } | undefined;
+      if (stop) {
+        yield {
+          type: 'stop',
+          exitCode: stop.exitCode,
+          status: stop.status,
+        };
+      }
+    }
+  }
+
+  return { stream: streamEvents(), sessionId };
+}

src/cli/aws/index.ts

@@ -26,13 +26,17 @@ export {
 } from './policy-generation';
 export {
   DEFAULT_RUNTIME_USER_ID,
+  executeBashCommand,
   invokeA2ARuntime,
   invokeAgentRuntime,
   invokeAgentRuntimeStreaming,
   mcpInitSession,
   mcpListTools,
   mcpCallTool,
   stopRuntimeSession,
+  type ExecuteBashOptions,
+  type ExecuteBashResult,
+  type ExecuteBashStreamEvent,
   type InvokeAgentRuntimeOptions,
   type InvokeAgentRuntimeResult,
   type McpInvokeOptions,

src/cli/commands/dev/command.tsx

@@ -1,5 +1,6 @@
 import { findConfigRoot, getWorkingDirectory, readEnvFile } from '../../../lib';
 import { getErrorMessage } from '../../errors';
+import { detectContainerRuntime } from '../../external-requirements';
 import { ExecLogger } from '../../logging';
 import {
   callMcpTool,
@@ -22,6 +23,7 @@ import { COMMAND_DESCRIPTIONS } from '../../tui/copy';
 import { requireProject } from '../../tui/guards';
 import { parseHeaderFlags } from '../shared/header-utils';
 import type { Command } from '@commander-js/extra-typings';
+import { spawn } from 'child_process';
 import { Text, render } from 'ink';
 import React from 'react';
 
@@ -140,6 +142,26 @@ async function handleMcpInvoke(
   }
 }
 
+async function execInContainer(command: string, containerName: string): Promise<void> {
+  const detection = await detectContainerRuntime();
+  if (!detection.runtime) {
+    console.error('Error: No container runtime found (docker, podman, or finch required)');
+    process.exit(1);
+  }
+  return new Promise((resolve, reject) => {
+    const child = spawn(detection.runtime!.binary, ['exec', containerName, 'bash', '-c', command], {
+      stdio: 'inherit',
+    });
+    child.on('error', reject);
+    child.on('close', code => {
+      if (code !== 0 && code !== null) {
+        process.exit(code);
+      }
+      resolve();
+    });
+  });
+}
+
 export const registerDev = (program: Command) => {
   program
     .command('dev')
@@ -150,6 +172,7 @@ export const registerDev = (program: Command) => {
     .option('-r, --runtime <name>', 'Runtime to run or invoke (required if multiple runtimes)')
     .option('-s, --stream', 'Stream response when invoking [non-interactive]')
     .option('-l, --logs', 'Run dev server with logs to stdout [non-interactive]')
+    .option('--exec', 'Execute a shell command in the running dev container (Container agents only) [non-interactive]')
     .option('--tool <name>', 'MCP tool name (used with "call-tool" prompt) [non-interactive]')
     .option('--input <json>', 'MCP tool arguments as JSON (used with --tool) [non-interactive]')
     .option(
@@ -168,6 +191,26 @@ export const registerDev = (program: Command) => {
           headers = parseHeaderFlags(opts.header);
         }
 
+        // Exec mode: run shell command in the dev container
+        if (opts.exec) {
+          if (!positionalPrompt) {
+            console.error('A command is required with --exec. Usage: agentcore dev --exec "whoami"');
+            process.exit(1);
+          }
+          const workingDir = getWorkingDirectory();
+          const project = await loadProjectConfig(workingDir);
+          const agentName = opts.runtime ?? project?.runtimes[0]?.name ?? 'unknown';
+          const targetAgent = project?.runtimes.find(a => a.name === agentName);
+          if (targetAgent?.build !== 'Container') {
+            console.error('Error: --exec is only supported for Container build agents.');
+            console.error('For CodeZip agents, use your terminal to run commands directly.');
+            process.exit(1);
+          }
+          const containerName = `agentcore-dev-${agentName}`.toLowerCase();
+          await execInContainer(positionalPrompt, containerName);
+          return;
+        }
+
         // If a prompt is provided, invoke a running dev server
         const invokePrompt = positionalPrompt;
         if (invokePrompt !== undefined) {

src/cli/commands/invoke/__tests__/validate.test.ts

@@ -33,4 +33,32 @@ describe('validateInvokeOptions', () => {
   it('returns valid with agentName and targetName', () => {
     expect(validateInvokeOptions({ agentName: 'my-agent', targetName: 'default' })).toEqual({ valid: true });
   });
+
+  it('returns invalid when exec is true but no prompt', () => {
+    const result = validateInvokeOptions({ exec: true });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('--exec');
+  });
+
+  it('returns invalid when exec is combined with --tool', () => {
+    const result = validateInvokeOptions({ exec: true, prompt: 'ls', tool: 'myTool' });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('--exec cannot be combined');
+  });
+
+  it('returns invalid when exec is combined with --input', () => {
+    const result = validateInvokeOptions({ exec: true, prompt: 'ls', input: '{}' });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('--exec cannot be combined');
+  });
+
+  it('returns invalid when exec is combined with --stream', () => {
+    const result = validateInvokeOptions({ exec: true, prompt: 'ls', stream: true });
+    expect(result.valid).toBe(false);
+    expect(result.error).toContain('--exec already streams');
+  });
+
+  it('returns valid with exec and prompt', () => {
+    expect(validateInvokeOptions({ exec: true, prompt: 'ls -la' })).toEqual({ valid: true });
+  });
 });