fix(tui): gate auth screen behind advanced config and fix lint errors

tejaskash · tejaskash · commit d1417fce4750 · 2026-03-25T17:34:42.000-04:00
Auth type selection (CUSTOM_JWT vs AWS_IAM) now only appears when the
user selects advanced config in the generate wizard and BYO agent paths.
Skipping advanced goes directly to confirm with default AWS_IAM auth.

Also fixes 4 lint errors: unused import, optional chain preferences,
and unsafe argument type cast.
diff --git a/src/cli/aws/agentcore.ts b/src/cli/aws/agentcore.ts
@@ -167,7 +167,7 @@ async function invokeWithBearerTokenStreaming(options: InvokeAgentRuntimeOptions
         const result = await reader.read();
         if (result.done) break;
 
-        const decoded = decoder.decode(result.value, { stream: true });
+        const decoded = decoder.decode(result.value as Uint8Array | undefined, { stream: true });
         buffer += decoded;
         fullResponse += decoded;
 
diff --git a/src/cli/operations/agent/import/index.ts b/src/cli/operations/agent/import/index.ts
@@ -8,7 +8,7 @@ import type { RuntimeAuthorizerType, SDKFramework } from '../../../../schema';
 import { getBedrockAgentConfig } from '../../../aws/bedrock-import';
 import { getErrorMessage } from '../../../errors';
 import type { JwtConfigOptions } from '../../../primitives/auth-utils';
-import { buildAuthorizerConfigFromJwtConfig, createManagedOAuthCredential } from '../../../primitives/auth-utils';
+import { createManagedOAuthCredential } from '../../../primitives/auth-utils';
 import type { AddResult } from '../../../primitives/types';
 import type { MemoryOption } from '../../../tui/screens/generate/types';
 import { setupPythonProject } from '../../python';
diff --git a/src/cli/operations/fetch-access/fetch-runtime-token.ts b/src/cli/operations/fetch-access/fetch-runtime-token.ts
@@ -21,7 +21,7 @@ export async function canFetchRuntimeToken(
     const projectSpec = await configIO.readProjectSpec();
 
     const agentSpec = projectSpec.agents.find(a => a.name === agentName);
-    if (!agentSpec || agentSpec.authorizerType !== 'CUSTOM_JWT') return false;
+    if (!agentSpec?.authorizerType || agentSpec.authorizerType !== 'CUSTOM_JWT') return false;
     if (!agentSpec.authorizerConfiguration?.customJwtAuthorizer) return false;
 
     const credName = computeManagedOAuthCredentialName(agentName);
diff --git a/src/cli/tui/screens/agent/AddAgentScreen.tsx b/src/cli/tui/screens/agent/AddAgentScreen.tsx
@@ -87,7 +87,7 @@ const ADVANCED_ITEMS: SelectableItem[] = ADVANCED_OPTIONS.map(o => ({
   title: o.title,
   description: o.description,
 }));
-const BYO_STEPS: ByoStep[] = ['codeLocation', 'buildType', 'modelProvider', 'apiKey', 'advanced', 'authorizerType', 'confirm'];
+const BYO_STEPS: ByoStep[] = ['codeLocation', 'buildType', 'modelProvider', 'apiKey', 'advanced', 'confirm'];
 
 type ImportStep = 'region' | 'bedrockAgent' | 'bedrockAlias' | 'framework' | 'memory' | 'authorizerType' | 'jwtConfig' | 'confirm';
 const BASE_IMPORT_STEPS: ImportStep[] = ['region', 'bedrockAgent', 'bedrockAlias', 'framework', 'memory', 'authorizerType', 'confirm'];
@@ -266,6 +266,7 @@ export function AddAgentScreen({ existingAgentNames, onComplete, onExit }: AddAg
         ...steps.slice(0, afterAdvanced),
         ...networkSteps,
         'requestHeaderAllowlist',
+        'authorizerType',
         ...steps.slice(afterAdvanced),
       ];
     }
@@ -384,7 +385,7 @@ export function AddAgentScreen({ existingAgentNames, onComplete, onExit }: AddAg
       } else {
         setByoAdvancedSelected(false);
         setByoConfig(c => ({ ...c, networkMode: 'PUBLIC' as NetworkMode, subnets: '', securityGroups: '' }));
-        setByoStep('authorizerType');
+        setByoStep('confirm');
       }
     },
     onExit: handleByoBack,
diff --git a/src/cli/tui/screens/generate/__tests__/useGenerateWizard.test.tsx b/src/cli/tui/screens/generate/__tests__/useGenerateWizard.test.tsx
@@ -43,8 +43,8 @@ describe('useGenerateWizard — advanced config gate', () => {
       const frame = lastFrame()!;
       expect(frame).toContain('steps:');
       // Default modelProvider is Bedrock which filters out apiKey
-      // authorizerType is always inserted before confirm
-      expect(frame).toMatch(/modelProvider,advanced,authorizerType,confirm/);
+      // authorizerType is only shown when advanced is selected
+      expect(frame).toMatch(/modelProvider,advanced,confirm/);
       expect(frame).not.toContain('apiKey');
     });
 
@@ -89,15 +89,15 @@ describe('useGenerateWizard — advanced config gate', () => {
       });
     }
 
-    it('setAdvanced(false) jumps to authorizerType with PUBLIC defaults', () => {
+    it('setAdvanced(false) jumps to confirm with PUBLIC defaults', () => {
       const { ref, lastFrame } = setup();
       walkToAdvanced(ref);
       expect(lastFrame()).toContain('step:advanced');
 
       act(() => ref.current!.wizard.setAdvanced(false));
 
       const frame = lastFrame()!;
-      expect(frame).toContain('step:authorizerType');
+      expect(frame).toContain('step:confirm');
       expect(frame).toContain('networkMode:PUBLIC');
       expect(frame).toContain('advancedSelected:false');
     });
@@ -170,7 +170,7 @@ describe('useGenerateWizard — advanced config gate', () => {
       act(() => ref.current!.wizard.setAdvanced(false));
 
       const w = ref.current!.wizard;
-      expect(w.step).toBe('authorizerType');
+      expect(w.step).toBe('confirm');
       expect(w.config.networkMode).toBe('PUBLIC');
       expect(w.advancedSelected).toBe(false);
       // Network steps should not be in the step list
diff --git a/src/cli/tui/screens/generate/useGenerateWizard.ts b/src/cli/tui/screens/generate/useGenerateWizard.ts
@@ -68,10 +68,6 @@ export function useGenerateWizard(options?: UseGenerateWizardOptions) {
         'authorizerType',
         ...filtered.slice(afterAdvanced),
       ];
-    } else {
-      // Even without advanced, add authorizerType before confirm
-      const confirmIndex = filtered.indexOf('confirm');
-      filtered = [...filtered.slice(0, confirmIndex), 'authorizerType', ...filtered.slice(confirmIndex)];
     }
     // Add jwtConfig step after authorizerType when CUSTOM_JWT is selected
     if (config.authorizerType === 'CUSTOM_JWT') {
@@ -190,7 +186,7 @@ export function useGenerateWizard(options?: UseGenerateWizardOptions) {
         securityGroups: undefined,
         requestHeaderAllowlist: undefined,
       }));
-      setStep('authorizerType');
+      setStep('confirm');
     }
   }, []);
 
diff --git a/src/cli/tui/screens/invoke/useInvokeFlow.ts b/src/cli/tui/screens/invoke/useInvokeFlow.ts
@@ -195,7 +195,7 @@ export function useInvokeFlow(options: InvokeFlowOptions = {}): InvokeFlowState
   const fetchBearerToken = useCallback(async () => {
     if (!config) return;
     const agent = config.agents[selectedAgent];
-    if (!agent || agent.authorizerType !== 'CUSTOM_JWT') return;
+    if (agent?.authorizerType !== 'CUSTOM_JWT') return;
 
     // Check if credentials are set up before attempting fetch
     const canFetch = await canFetchRuntimeToken(agent.name);
