feat(gateway): add agentcore fetch access command (#627)

* feat(gateway): add `agentcore fetch access` command

Add CLI + TUI for fetching gateway access info and tokens.
Supports NONE (URL only), AWS_IAM (SigV4 guidance), and
CUSTOM_JWT (OAuth client_credentials token fetch with OIDC discovery).

- CLI: `agentcore fetch access --name <gw> [--target] [--json]`
- TUI: interactive gateway picker with auth type badges
- Token copy to clipboard (C key) with visual feedback
- 3-legged OAuth detection with clear unsupported error
- Token expiry tracking with refresh (R key)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(gateway): address PR review feedback for fetch access

- Extract business logic from command.tsx into action.ts + types.ts
- Slim command.tsx to registration-only, delegating to handleFetchAccess
- Fix export ordering in operations/index.ts (alphabetical)
- Add spawn error handler to prevent unhandled ENOENT crashes
- Cap setTimeout to 2^31-1ms to avoid immediate-fire on large expiresIn
- Clean up copiedTimerRef on unmount to prevent timer leak

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(gateway): move process.exit outside try/catch in fetch command

Fixes test failures where mocked process.exit throws, cascading into
the catch block and causing console.log to be called twice.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: aidandaly24

src/cli/cli.ts

@@ -3,6 +3,7 @@ import { registerCreate } from './commands/create';
 import { registerDeploy } from './commands/deploy';
 import { registerDev } from './commands/dev';
 import { registerEval } from './commands/eval';
+import { registerFetch } from './commands/fetch';
 import { registerHelp } from './commands/help';
 import { registerInvoke } from './commands/invoke';
 import { registerLogs } from './commands/logs';
@@ -135,6 +136,7 @@ export function registerCommands(program: Command) {
   registerDeploy(program);
   registerCreate(program);
   registerEval(program);
+  registerFetch(program);
   registerHelp(program);
   registerInvoke(program);
   registerLogs(program);

src/cli/commands/fetch/__tests__/fetch-access.test.ts

@@ -0,0 +1,176 @@
+import { registerFetch } from '../command';
+import { Command } from '@commander-js/extra-typings';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+const mockFetchGatewayToken = vi.fn();
+const mockListGateways = vi.fn();
+const mockRequireProject = vi.fn();
+const mockRender = vi.fn();
+
+vi.mock('../../../operations/fetch-access', () => ({
+  fetchGatewayToken: (...args: unknown[]) => mockFetchGatewayToken(...args),
+  listGateways: (...args: unknown[]) => mockListGateways(...args),
+}));
+
+vi.mock('../../../tui/guards', () => ({
+  requireProject: (...args: unknown[]) => mockRequireProject(...args),
+}));
+
+vi.mock('ink', () => ({
+  render: (...args: unknown[]) => mockRender(...args),
+  Box: 'Box',
+  Text: 'Text',
+}));
+
+const jwtResult = {
+  url: 'https://gw.example.com',
+  authType: 'CUSTOM_JWT',
+  token: 'test-token',
+  expiresIn: 3600,
+};
+
+const noneResult = {
+  url: 'https://gw.example.com',
+  authType: 'NONE',
+  message: 'No authentication required.',
+};
+
+describe('registerFetch', () => {
+  let program: Command;
+  let mockExit: ReturnType<typeof vi.spyOn>;
+  let mockLog: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    program = new Command();
+    program.exitOverride();
+    registerFetch(program);
+
+    mockExit = vi.spyOn(process, 'exit').mockImplementation(() => {
+      throw new Error('process.exit');
+    });
+    mockLog = vi.spyOn(console, 'log').mockImplementation(() => undefined);
+  });
+
+  afterEach(() => {
+    mockExit.mockRestore();
+    mockLog.mockRestore();
+    vi.clearAllMocks();
+  });
+
+  it('registers fetch command with access subcommand', () => {
+    const fetchCmd = program.commands.find(c => c.name() === 'fetch');
+    expect(fetchCmd).toBeDefined();
+
+    const accessCmd = fetchCmd!.commands.find(c => c.name() === 'access');
+    expect(accessCmd).toBeDefined();
+  });
+
+  it('outputs valid JSON for CUSTOM_JWT result when --json flag is used', async () => {
+    mockFetchGatewayToken.mockResolvedValue(jwtResult);
+
+    await program.parseAsync(['fetch', 'access', '--name', 'myGateway', '--json'], { from: 'user' });
+
+    expect(mockLog).toHaveBeenCalledTimes(1);
+    const output = JSON.parse(mockLog.mock.calls[0][0]);
+    expect(output.success).toBe(true);
+    expect(output.url).toBe('https://gw.example.com');
+    expect(output.authType).toBe('CUSTOM_JWT');
+    expect(output.token).toBe('test-token');
+    expect(output.expiresIn).toBe(3600);
+  });
+
+  it('outputs valid JSON with no token field for NONE gateway when --json flag is used', async () => {
+    mockFetchGatewayToken.mockResolvedValue(noneResult);
+
+    await program.parseAsync(['fetch', 'access', '--name', 'myGateway', '--json'], { from: 'user' });
+
+    expect(mockLog).toHaveBeenCalledTimes(1);
+    const output = JSON.parse(mockLog.mock.calls[0][0]);
+    expect(output.success).toBe(true);
+    expect(output.url).toBe('https://gw.example.com');
+    expect(output.authType).toBe('NONE');
+    expect(output.token).toBeUndefined();
+    expect(output.message).toBe('No authentication required.');
+  });
+
+  it('shows error with available gateways when --name is missing and gateways exist', async () => {
+    mockListGateways.mockResolvedValue([
+      { name: 'gateway-one', authType: 'CUSTOM_JWT' },
+      { name: 'gateway-two', authType: 'NONE' },
+    ]);
+
+    await expect(program.parseAsync(['fetch', 'access'], { from: 'user' })).rejects.toThrow('process.exit');
+
+    expect(mockRender).toHaveBeenCalled();
+    const renderArg = mockRender.mock.calls[0]![0];
+    expect(JSON.stringify(renderArg)).toContain('Missing required option');
+  });
+
+  it('shows deploy message when --name is missing and no gateways are deployed', async () => {
+    mockListGateways.mockResolvedValue([]);
+
+    await expect(program.parseAsync(['fetch', 'access'], { from: 'user' })).rejects.toThrow('process.exit');
+
+    expect(mockRender).toHaveBeenCalled();
+    const renderArg = mockRender.mock.calls[0]![0];
+    expect(JSON.stringify(renderArg)).toContain('agentcore deploy');
+  });
+
+  it('outputs JSON error with available gateways when --name is missing and --json flag is used', async () => {
+    mockListGateways.mockResolvedValue([
+      { name: 'gateway-one', authType: 'CUSTOM_JWT' },
+      { name: 'gateway-two', authType: 'NONE' },
+    ]);
+
+    await expect(program.parseAsync(['fetch', 'access', '--json'], { from: 'user' })).rejects.toThrow('process.exit');
+
+    expect(mockLog).toHaveBeenCalledTimes(1);
+    const output = JSON.parse(mockLog.mock.calls[0][0]);
+    expect(output.success).toBe(false);
+    expect(output.error).toBe('Missing required option: --name');
+    expect(output.availableGateways).toEqual([
+      { name: 'gateway-one', authType: 'CUSTOM_JWT' },
+      { name: 'gateway-two', authType: 'NONE' },
+    ]);
+    expect(mockRender).not.toHaveBeenCalled();
+  });
+
+  it('outputs JSON deploy message when --name is missing, --json flag is used, and no gateways deployed', async () => {
+    mockListGateways.mockResolvedValue([]);
+
+    await expect(program.parseAsync(['fetch', 'access', '--json'], { from: 'user' })).rejects.toThrow('process.exit');
+
+    expect(mockLog).toHaveBeenCalledTimes(1);
+    const output = JSON.parse(mockLog.mock.calls[0][0]);
+    expect(output.success).toBe(false);
+    expect(output.error).toContain('agentcore deploy');
+    expect(output.availableGateways).toBeUndefined();
+    expect(mockRender).not.toHaveBeenCalled();
+  });
+
+  it('outputs JSON error when fetchGatewayToken throws and --json flag is used', async () => {
+    mockFetchGatewayToken.mockRejectedValue(new Error('Token fetch failed'));
+
+    await expect(
+      program.parseAsync(['fetch', 'access', '--name', 'myGateway', '--json'], { from: 'user' })
+    ).rejects.toThrow('process.exit');
+
+    expect(mockLog).toHaveBeenCalledTimes(1);
+    const output = JSON.parse(mockLog.mock.calls[0][0]);
+    expect(output.success).toBe(false);
+    expect(output.error).toBe('Token fetch failed');
+    expect(mockRender).not.toHaveBeenCalled();
+  });
+
+  it('shows error message when fetchGatewayToken throws', async () => {
+    mockFetchGatewayToken.mockRejectedValue(new Error('Token fetch failed'));
+
+    await expect(program.parseAsync(['fetch', 'access', '--name', 'myGateway'], { from: 'user' })).rejects.toThrow(
+      'process.exit'
+    );
+
+    expect(mockRender).toHaveBeenCalled();
+    const renderArg = mockRender.mock.calls[0]![0];
+    expect(JSON.stringify(renderArg)).toContain('Token fetch failed');
+  });
+});

src/cli/commands/fetch/action.ts

@@ -0,0 +1,27 @@
+import { fetchGatewayToken, listGateways } from '../../operations/fetch-access';
+import type { TokenFetchResult } from '../../operations/fetch-access';
+import type { FetchAccessOptions } from './types';
+
+export interface FetchAccessResult {
+  success: boolean;
+  result?: TokenFetchResult;
+  availableGateways?: { name: string; authType: string }[];
+  error?: string;
+}
+
+export async function handleFetchAccess(options: FetchAccessOptions): Promise<FetchAccessResult> {
+  if (!options.name) {
+    const gateways = await listGateways({ deployTarget: options.target });
+    if (gateways.length === 0) {
+      return { success: false, error: 'No deployed gateways found. Run `agentcore deploy` first.' };
+    }
+    return {
+      success: false,
+      error: 'Missing required option: --name',
+      availableGateways: gateways,
+    };
+  }
+
+  const result = await fetchGatewayToken(options.name, { deployTarget: options.target });
+  return { success: true, result };
+}

src/cli/commands/fetch/command.tsx

@@ -0,0 +1,93 @@
+import { getErrorMessage } from '../../errors';
+import { COMMAND_DESCRIPTIONS } from '../../tui/copy';
+import { requireProject } from '../../tui/guards';
+import { handleFetchAccess } from './action';
+import type { FetchAccessResult } from './action';
+import type { FetchAccessOptions } from './types';
+import type { Command } from '@commander-js/extra-typings';
+import { Box, Text, render } from 'ink';
+
+export const registerFetch = (program: Command) => {
+  const fetchCmd = program.command('fetch').description(COMMAND_DESCRIPTIONS.fetch);
+
+  fetchCmd
+    .command('access')
+    .description('Fetch access info (URL, token, auth guidance) for a deployed gateway.')
+    .option('--name <resource>', 'Gateway name')
+    .option('--target <target>', 'Deployment target')
+    .option('--json', 'Output as JSON')
+    .action(async (cliOptions: FetchAccessOptions) => {
+      requireProject();
+
+      let result: FetchAccessResult;
+      try {
+        result = await handleFetchAccess(cliOptions);
+      } catch (error) {
+        if (cliOptions.json) {
+          console.log(JSON.stringify({ success: false, error: getErrorMessage(error) }));
+        } else {
+          render(<Text color="red">Error: {getErrorMessage(error)}</Text>);
+        }
+        process.exit(1);
+        return;
+      }
+
+      if (!result.success) {
+        if (cliOptions.json) {
+          console.log(
+            JSON.stringify({
+              success: false,
+              error: result.error,
+              ...(result.availableGateways && { availableGateways: result.availableGateways }),
+            })
+          );
+        } else if (!result.availableGateways) {
+          render(<Text color="red">{result.error}</Text>);
+        } else {
+          render(
+            <Box flexDirection="column">
+              <Text color="red">{result.error}</Text>
+              <Text>Available gateways:</Text>
+              {result.availableGateways.map(gw => (
+                <Text key={gw.name}>
+                  {'  '}
+                  {gw.name} [{gw.authType}]
+                </Text>
+              ))}
+            </Box>
+          );
+        }
+        process.exit(1);
+        return;
+      }
+
+      if (cliOptions.json) {
+        console.log(JSON.stringify({ success: true, ...result.result }, null, 2));
+        return;
+      }
+
+      const r = result.result!;
+      render(
+        <Box flexDirection="column">
+          <Text>
+            <Text bold>URL:</Text>
+            <Text color="green"> {r.url}</Text>
+          </Text>
+          <Text>
+            <Text bold>Auth:</Text> {r.authType}
+          </Text>
+          {r.message && <Text>{r.message}</Text>}
+          {r.token && (
+            <Text>
+              <Text bold>Token:</Text> {r.token}
+            </Text>
+          )}
+          {r.expiresIn !== undefined && (
+            <Text>
+              <Text bold>Expires in:</Text> {r.expiresIn}s
+            </Text>
+          )}
+        </Box>
+      );
+    });
+};

src/cli/commands/fetch/index.ts

@@ -0,0 +1 @@
+export { registerFetch } from './command';

src/cli/commands/fetch/types.ts

@@ -0,0 +1,5 @@
+export interface FetchAccessOptions {
+  name?: string;
+  target?: string;
+  json?: boolean;
+}

src/cli/commands/index.ts

@@ -4,6 +4,7 @@ export { registerDeploy } from './deploy';
 export { registerDev } from './dev';
 export { registerCreate } from './create';
 export { registerEval } from './eval';
+export { registerFetch } from './fetch';
 export { registerInvoke } from './invoke';
 export { registerPackage } from './package';
 export { registerPause } from './pause';