fix: include upstream repo in agent prompt and SOP

Author: Hweinstock

.github/agent-sops/task-tester.sop.md

@@ -14,6 +14,9 @@ You have TUI harness MCP tools: `tui_launch`, `tui_send_keys`, `tui_action`, `tu
 
 You also have `shell` for setup commands and GitHub tools for posting comments.
 
+**Important:** Always use `aws/agentcore-cli` as the repository for all GitHub API calls (get PR, post comments, etc.),
+not the fork repository.
+
 ## Steps
 
 ### 1. Setup

.github/scripts/javascript/process-inputs.cjs

@@ -85,7 +85,9 @@ function buildPrompts(mode, issueId, isPullRequest, command, branchName, inputs)
   const systemPrompt = fs.readFileSync(scriptFile, 'utf8');
 
   let prompt = isPullRequest ? 'The pull request id is:' : 'The issue id is:';
-  prompt += `${issueId}\n${command}\nreview and continue`;
+  prompt += `${issueId}\n`;
+  prompt += `The repository is: aws/agentcore-cli\n`;
+  prompt += `${command}\nreview and continue`;
 
   return { sessionId, systemPrompt, prompt };
 }

E2E_FAILURE_REPORT.md

@@ -0,0 +1,263 @@
+# E2E Test Failure Report — agentcore-cli
+
+**Date:** 2026-03-26
+**CI Run:** [#23616254746](https://github.com/aws/agentcore-cli/actions/runs/23616254746)
+**Branch:** main (push trigger from PR #657 merge)
+**Result:** 84/87 passed, 3 skipped (1 suite failed in `beforeAll`)
+
+## Summary
+
+The `byo-custom-jwt.test.ts` E2E test (introduced in PR #657) fails because the `e2e-github-actions` IAM role in account `685197708687` is missing **8 required IAM actions**. There are two distinct gaps:
+
+1. **7 Cognito actions** — the test creates/deletes a Cognito user pool as an OIDC provider
+2. **1 CloudFormation action** — the test calls `GetTemplate` to verify the deployed CFN template
+
+The Cognito gap causes the immediate `beforeAll` failure. The `GetTemplate` gap is a **hidden second failure** that would surface after fixing Cognito.
+
+## Proven Root Causes
+
+### Failure 1: Missing `cognito-idp:*` permissions (VISIBLE)
+
+The test's `beforeAll` hook creates a Cognito user pool to serve as the OIDC provider for CUSTOM_JWT auth. The `e2e-github-actions` role has zero Cognito permissions.
+
+**CI error:**
+```
+AccessDeniedException: User: arn:aws:sts::685197708687:assumed-role/e2e-github-actions/GitHubActions
+is not authorized to perform: cognito-idp:CreateUserPool on resource:
+arn:aws:cognito-idp:us-east-1:685197708687:userpool/*
+because no identity-based policy allows the cognito-idp:CreateUserPool action
+```
+
+**Reproduction (simulate-principal-policy from Admin in 685197708687):**
+```
++-----------------------------------+----------------+
+|  cognito-idp:CreateUserPool       |  implicitDeny  |
+|  cognito-idp:CreateUserPoolDomain |  implicitDeny  |
+|  cognito-idp:CreateResourceServer |  implicitDeny  |
+|  cognito-idp:CreateUserPoolClient |  implicitDeny  |
+|  cognito-idp:DeleteResourceServer |  implicitDeny  |
+|  cognito-idp:DeleteUserPoolDomain |  implicitDeny  |
+|  cognito-idp:DeleteUserPool       |  implicitDeny  |
++-----------------------------------+----------------+
+```
+
+### Failure 2: Missing `cloudformation:GetTemplate` (HIDDEN)
+
+The test's first `it` block calls `cfnClient.send(new GetTemplateCommand(...))` to verify the deployed CFN template contains `AuthorizerConfiguration`. This call uses the ambient e2e role credentials (not the CDK deploy role). The role only has `cloudformation:DescribeStacks`, not `GetTemplate`.
+
+**Reproduction:**
+```
++-----------------------------------+----------------+
+|  cloudformation:GetTemplate       |  implicitDeny  |
++-----------------------------------+----------------+
+```
+
+This failure is currently masked because `beforeAll` fails first (Cognito), causing all 3 tests to skip.
+
+### Verification: Existing tests pass correctly
+
+All actions used by the 84 passing tests are allowed:
+```
++----------------------------------------------------+---------------+
+|  sts:GetCallerIdentity                             |  allowed      |
+|  cloudformation:DescribeStacks                     |  allowed      |
+|  bedrock-agentcore:InvokeAgentRuntime              |  allowed      |
+|  bedrock-agentcore:GetAgentRuntime                 |  allowed      |
+|  bedrock-agentcore:DeleteApiKeyCredentialProvider  |  allowed      |
+|  secretsmanager:GetSecretValue                     |  allowed      |
+|  logs:FilterLogEvents                              |  allowed      |
+|  tag:GetResources                                  |  allowed      |
++----------------------------------------------------+---------------+
+```
+
+## Fix
+
+Add the following statement to the `test-only-permissions` inline policy on the `e2e-github-actions` role in account `685197708687`:
+
+```json
+{
+  "Sid": "E2ECustomJwtCognitoSetup",
+  "Effect": "Allow",
+  "Action": [
+    "cognito-idp:CreateUserPool",
+    "cognito-idp:CreateUserPoolDomain",
+    "cognito-idp:CreateResourceServer",
+    "cognito-idp:CreateUserPoolClient",
+    "cognito-idp:DeleteResourceServer",
+    "cognito-idp:DeleteUserPoolDomain",
+    "cognito-idp:DeleteUserPool"
+  ],
+  "Resource": "*"
+}
+```
+
+And add `cloudformation:GetTemplate` to the `e2e-permissions` inline policy's `CloudFormationStackStatus` statement:
+
+```json
+{
+  "Sid": "CloudFormationStackStatus",
+  "Effect": "Allow",
+  "Action": [
+    "cloudformation:DescribeStacks",
+    "cloudformation:GetTemplate"
+  ],
+  "Resource": "*"
+}
+```
+
+Also update `iam-policy-e2e-additions.json` in the repo to document these additions:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "E2ECredentialCleanup",
+      "Effect": "Allow",
+      "Action": "bedrock-agentcore:DeleteApiKeyCredentialProvider",
+      "Resource": "*"
+    },
+    {
+      "Sid": "E2ESecretsManager",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:CreateSecret"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "E2ECustomJwtCognitoSetup",
+      "Effect": "Allow",
+      "Action": [
+        "cognito-idp:CreateUserPool",
+        "cognito-idp:CreateUserPoolDomain",
+        "cognito-idp:CreateResourceServer",
+        "cognito-idp:CreateUserPoolClient",
+        "cognito-idp:DeleteResourceServer",
+        "cognito-idp:DeleteUserPoolDomain",
+        "cognito-idp:DeleteUserPool"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "E2ECloudFormationTemplateVerification",
+      "Effect": "Allow",
+      "Action": "cloudformation:GetTemplate",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## How to Apply the Fix (685197708687)
+
+```bash
+# Assume Admin in the E2E account
+ada credentials update --account 685197708687 --provider isengard --role Admin --once
+
+# 1. Add Cognito permissions to test-only-permissions
+aws iam put-role-policy \
+  --role-name e2e-github-actions \
+  --policy-name test-only-permissions \
+  --policy-document '{
+    "Statement": [
+      {
+        "Sid": "Statement1",
+        "Effect": "Allow",
+        "Action": ["bedrock-agentcore:DeleteApiKeyCredentialProvider"],
+        "Resource": "*"
+      },
+      {
+        "Sid": "Statement2",
+        "Effect": "Allow",
+        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"],
+        "Resource": ["*"]
+      },
+      {
+        "Sid": "E2ECustomJwtCognitoSetup",
+        "Effect": "Allow",
+        "Action": [
+          "cognito-idp:CreateUserPool",
+          "cognito-idp:CreateUserPoolDomain",
+          "cognito-idp:CreateResourceServer",
+          "cognito-idp:CreateUserPoolClient",
+          "cognito-idp:DeleteResourceServer",
+          "cognito-idp:DeleteUserPoolDomain",
+          "cognito-idp:DeleteUserPool"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }'
+
+# 2. Add GetTemplate to e2e-permissions (full policy — must include all existing statements)
+# Get current policy first, add cloudformation:GetTemplate to CloudFormationStackStatus, then put back
+aws iam get-role-policy --role-name e2e-github-actions --policy-name e2e-permissions \
+  --query PolicyDocument > /tmp/e2e-permissions.json
+
+# Edit /tmp/e2e-permissions.json: add "cloudformation:GetTemplate" to the CloudFormationStackStatus statement
+# Then apply:
+aws iam put-role-policy \
+  --role-name e2e-github-actions \
+  --policy-name e2e-permissions \
+  --policy-document file:///tmp/e2e-permissions.json
+
+# 3. Verify the fix
+aws iam simulate-principal-policy \
+  --policy-source-arn arn:aws:iam::685197708687:role/e2e-github-actions \
+  --action-names \
+    cognito-idp:CreateUserPool \
+    cognito-idp:CreateUserPoolDomain \
+    cognito-idp:CreateResourceServer \
+    cognito-idp:CreateUserPoolClient \
+    cognito-idp:DeleteResourceServer \
+    cognito-idp:DeleteUserPoolDomain \
+    cognito-idp:DeleteUserPool \
+    cloudformation:GetTemplate \
+  --output table \
+  --query 'EvaluationResults[*].[EvalActionName,EvalDecision]'
+# Expected: all "allowed"
+```
+
+## Reproducing in Dev Account (440744214761)
+
+The `byo-custom-jwt.test.ts` test can run in any account with sufficient permissions. Prerequisites:
+
+```bash
+# 1. Assume credentials with Admin/PowerUser in your dev account
+ada credentials update --account 440744214761 --provider isengard --role hkobew-default --once
+
+# 2. Build the CLI
+cd ~/repos/agentcore-cli
+npm ci && npm run build
+
+# 3. Build the CDK tarball (required — test checks CDK_TARBALL env var)
+#    Clone the CDK repo, build, and pack:
+CDK_REPO="<CDK_REPO_NAME from GitHub secrets>"
+git clone https://github.com/${CDK_REPO}.git /tmp/agentcore-cdk
+cd /tmp/agentcore-cdk && npm ci && npm run build && npm pack
+export CDK_TARBALL=$(ls /tmp/agentcore-cdk/*.tgz | head -1)
+
+# 4. Set required env vars
+export AWS_REGION=us-east-1
+export AWS_ACCOUNT_ID=440744214761
+
+# 5. Run just the failing test
+cd ~/repos/agentcore-cli
+npx vitest run --project e2e e2e-tests/byo-custom-jwt.test.ts
+```
+
+Your dev account's `hkobew-default` role likely has sufficient Cognito and CloudFormation permissions already (unlike the locked-down e2e-github-actions role).
+
+## Other CI Failures (Not on Main)
+
+These are on PR branches, not main. Included for completeness:
+
+| Run | Branch | Cause | Fix |
+|-----|--------|-------|-----|
+| 23618035513 | episodic-memory-strategy | Prettier violation in `docs/memory.md` | Run `npx prettier --write docs/memory.md` |
+| 23616427107 | dependabot/eslint-10 | `eslint-plugin-import@2.32.0` incompatible with eslint 10 | Close the dependabot PR; wait for plugin update |
+| 23616334309 | json-schema-gen | Prettier violation in `schemas/README.md` | Run `npx prettier --write schemas/README.md` |
+
+None of these affect main branch CI.