fix: add fetch retries for bearer path and extract token helper in e2e

Address PR review comments:
- Add fetchWithRetry() for transient failure retries (429/5xx/network)
  on the MCP bearer-token HTTP path, matching the SDK retry behavior
  the SigV4 path gets for free
- Extract duplicated Cognito token fetch into fetchCognitoAccessToken()
  helper in byo-custom-jwt e2e tests

Author: aidandaly24

e2e-tests/byo-custom-jwt.test.ts

@@ -67,6 +67,23 @@ describe.sequential('e2e: BYO agent with CUSTOM_JWT auth', () => {
   const cognitoClient = new CognitoIdentityProviderClient({ region });
   const cfnClient = new CloudFormationClient({ region });
 
+  /** Fetch a Cognito access token via client_credentials flow. */
+  async function fetchCognitoAccessToken(): Promise<string> {
+    const tokenUrl = `https://${domainPrefix}.auth.${region}.amazoncognito.com/oauth2/token`;
+    const tokenRes = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`,
+      },
+      body: 'grant_type=client_credentials&scope=agentcore/invoke',
+    });
+    expect(tokenRes.ok, `Token fetch failed: ${tokenRes.status}`).toBe(true);
+    const tokenJson = (await tokenRes.json()) as { access_token: string };
+    expect(tokenJson.access_token, 'Should have received an access token').toBeTruthy();
+    return tokenJson.access_token;
+  }
+
   beforeAll(async () => {
     if (!canRun) return;
 
@@ -267,20 +284,7 @@ describe.sequential('e2e: BYO agent with CUSTOM_JWT auth', () => {
     async () => {
       expect(projectPath, 'Project should have been deployed').toBeTruthy();
 
-      // Fetch a Cognito access token via client_credentials flow
-      const tokenUrl = `https://${domainPrefix}.auth.${region}.amazoncognito.com/oauth2/token`;
-      const tokenRes = await fetch(tokenUrl, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-          Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`,
-        },
-        body: 'grant_type=client_credentials&scope=agentcore/invoke',
-      });
-      expect(tokenRes.ok, `Token fetch failed: ${tokenRes.status}`).toBe(true);
-      const tokenJson = (await tokenRes.json()) as { access_token: string };
-      const accessToken = tokenJson.access_token;
-      expect(accessToken, 'Should have received an access token').toBeTruthy();
+      const accessToken = await fetchCognitoAccessToken();
 
       // Invoke with bearer token — should NOT get auth mismatch
       const result = await runLocalCLI(
@@ -313,18 +317,7 @@ describe.sequential('e2e: BYO agent with CUSTOM_JWT auth', () => {
     async () => {
       expect(projectPath, 'Project should have been deployed').toBeTruthy();
 
-      const tokenUrl = `https://${domainPrefix}.auth.${region}.amazoncognito.com/oauth2/token`;
-      const tokenRes = await fetch(tokenUrl, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-          Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`,
-        },
-        body: 'grant_type=client_credentials&scope=agentcore/invoke',
-      });
-      expect(tokenRes.ok, `Token fetch failed: ${tokenRes.status}`).toBe(true);
-      const tokenJson = (await tokenRes.json()) as { access_token: string };
-      const accessToken = tokenJson.access_token;
+      const accessToken = await fetchCognitoAccessToken();
 
       const result = await runLocalCLI(
         ['invoke', '--agent', mcpAgentName, 'list-tools', '--bearer-token', accessToken, '--json'],
@@ -342,18 +335,7 @@ describe.sequential('e2e: BYO agent with CUSTOM_JWT auth', () => {
     async () => {
       expect(projectPath, 'Project should have been deployed').toBeTruthy();
 
-      const tokenUrl = `https://${domainPrefix}.auth.${region}.amazoncognito.com/oauth2/token`;
-      const tokenRes = await fetch(tokenUrl, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-          Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`,
-        },
-        body: 'grant_type=client_credentials&scope=agentcore/invoke',
-      });
-      expect(tokenRes.ok, `Token fetch failed: ${tokenRes.status}`).toBe(true);
-      const tokenJson = (await tokenRes.json()) as { access_token: string };
-      const accessToken = tokenJson.access_token;
+      const accessToken = await fetchCognitoAccessToken();
 
       const result = await runLocalCLI(
         [

src/cli/aws/agentcore.ts

@@ -554,6 +554,28 @@ interface McpRpcResult {
   error?: { message?: string; code?: number };
 }
 
+const TRANSIENT_STATUS_CODES = new Set([429, 500, 502, 503, 504]);
+const MAX_FETCH_RETRIES = 3;
+const FETCH_RETRY_DELAY_MS = 1000;
+
+/** Retry-aware fetch for transient failures (5xx, 429, network errors). */
+async function fetchWithRetry(url: string, init: RequestInit, logger?: SSELogger): Promise<Response> {
+  for (let attempt = 0; attempt < MAX_FETCH_RETRIES; attempt++) {
+    try {
+      const res = await fetch(url, init);
+      if (res.ok || !TRANSIENT_STATUS_CODES.has(res.status) || attempt === MAX_FETCH_RETRIES - 1) {
+        return res;
+      }
+      logger?.logSSEEvent(`Transient failure (${res.status}), retrying (${attempt + 1}/${MAX_FETCH_RETRIES})...`);
+    } catch (err) {
+      if (attempt === MAX_FETCH_RETRIES - 1) throw err;
+      logger?.logSSEEvent(`Network error, retrying (${attempt + 1}/${MAX_FETCH_RETRIES})...`);
+    }
+    await new Promise(resolve => setTimeout(resolve, FETCH_RETRY_DELAY_MS));
+  }
+  throw new Error('fetchWithRetry: exhausted retries');
+}
+
 /** Build the common headers for MCP bearer-token HTTP requests. */
 function buildMcpBearerHeaders(options: McpInvokeOptions): Record<string, string> {
   const headers: Record<string, string> = {
@@ -581,11 +603,7 @@ async function mcpRpcCallWithBearer(options: McpInvokeOptions, body: Record<stri
 
   options.logger?.logSSEEvent(`MCP request: ${JSON.stringify(body)}`);
 
-  const res = await fetch(url, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify(body),
-  });
+  const res = await fetchWithRetry(url, { method: 'POST', headers, body: JSON.stringify(body) }, options.logger);
 
   if (!res.ok) {
     const errBody = await res.text().catch(() => '');
@@ -609,11 +627,7 @@ async function mcpRpcNotifyWithBearer(options: McpInvokeOptions, body: Record<st
   const url = buildInvokeUrl(options.region, options.runtimeArn);
   const headers = buildMcpBearerHeaders(options);
 
-  const res = await fetch(url, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify(body),
-  });
+  const res = await fetchWithRetry(url, { method: 'POST', headers, body: JSON.stringify(body) }, options.logger);
 
   if (!res.ok) {
     const errBody = await res.text().catch(() => '');