fix(invoke): auto-generate session ID for bearer-token invocations #953

Open
aidandaly24 wants to merge 1 commit into aws:main from aidandaly24:fix/issue-840-bearer-token-session-id

@aidandaly24

Description

When invoking an agent with a bearer token (OAuth/CUSTOM_JWT) and no session ID, AgentCoreMemoryConfig raised a Pydantic validation error because session_id=None is rejected:

Error: 1 validation error for AgentCoreMemoryConfig
session_id
  Input should be a valid string [type=string_type, input_value=None, input_type=NoneType]

Unlike SigV4 callers, bearer-token callers do not get a server-side auto-generated runtime session ID from AgentCore, so the None value reached the memory-enabled Strands templates and broke them.

Two-layer fix

  1. CLI auto-generation (src/cli/commands/invoke/action.ts) — when options.bearerToken is set and options.sessionId is missing, synthesize a UUID via the existing generateSessionId helper before dispatching to any invocation branch (streaming, non-streaming, MCP, A2A, AGUI, exec). Covers both explicit --bearer-token and the CUSTOM_JWT auto-fetch path.

  2. Template hardening (src/assets/python/{http,agui,a2a}/strands/capabilities/memory/session.py) — each template now imports uuid, widens the parameter type to Optional[str], and synthesizes session_id = session_id or uuid.uuid4().hex before constructing AgentCoreMemoryConfig. This protects non-CLI callers (curl, Postman, custom apps) who reach the deployed runtime without a session header.

Related Issue

Closes #840

Documentation PR

N/A

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

Unit + snapshot tests:

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

End-to-end verification against a deployed agent

Deployed a Strands agent with CUSTOM_JWT (Cognito M2M) inbound auth + short-term memory to us-west-2, built the CLI from this PR's HEAD, and exercised both call paths:

  • Test 1 (CLI fix): agentcore invoke --bearer-token $TOKEN "What is 2+2?" with no --session-id → "2 + 2 = **4**"; invoke log confirms a UUID session ID was synthesized client-side.
  • Test 2 (template hardening): raw curl to the runtime /invocations endpoint without an X-Amzn-Bedrock-AgentCore-Runtime-Session-Id header → agent responded normally; the Python template self-defended via uuid.uuid4().hex.

Full command output and session ID evidence: https://gist.github.com/aidandaly24/d8fb51e4048acd0dd2e6f670c701b857

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Closes aws#840

When invoking an agent with a bearer token (OAuth/CUSTOM_JWT) and no
session ID, `AgentCoreMemoryConfig` raised a Pydantic validation error
because `session_id=None` is rejected. Unlike SigV4 callers, bearer-token
callers do not get a server-side auto-generated runtime session ID.

Two-layer fix:

1. CLI synthesizes a UUID in `invoke` action when `--bearer-token` is set
   and `--session-id` is missing, using the existing `generateSessionId`
   helper. Covers both explicit `--bearer-token` and the CUSTOM_JWT
   auto-fetch path.

2. Strands memory session templates (http, agui, a2a) synthesize a UUID
   when `session_id` is falsy before constructing AgentCoreMemoryConfig.
   Protects direct runtime callers (curl, custom apps) who forget the
   `X-Amzn-Bedrock-AgentCore-Runtime-Session-Id` header.

Snapshot tests updated.
@aidandaly24 aidandaly24 requested a review from a team April 24, 2026 18:51
@github-actions github-actions Bot added the size/s PR size: S label Apr 24, 2026
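
The template-hardening layer from the description above, as an added example that is not part of the PR or the project's code: it reproduces the failure for a request with no session header and shows the `session_id or uuid.uuid4().hex` fallback. `MemoryConfigStandIn`, `header_session_id`, the two `build_config_*` functions and the sample headers are hypothetical names constructed for this example; the stand-in only mimics the "must be a string" check attributed to `AgentCoreMemoryConfig`.

```python
import uuid
from dataclasses import dataclass
from typing import Mapping, Optional

SESSION_HEADER = "X-Amzn-Bedrock-AgentCore-Runtime-Session-Id"  # header named in the PR


@dataclass(frozen=True)
class MemoryConfigStandIn:
    """Hypothetical stand-in for AgentCoreMemoryConfig: rejects a non-string session_id."""
    memory_id: str
    session_id: str

    def __post_init__(self) -> None:
        if not isinstance(self.session_id, str):
            raise TypeError("session_id: Input should be a valid string")


def header_session_id(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive lookup of the session header; None when it is absent."""
    for name, value in headers.items():
        if name.lower() == SESSION_HEADER.lower():
            return value
    return None


def build_config_unhardened(memory_id: str, session_id: Optional[str]) -> MemoryConfigStandIn:
    # Pre-fix behaviour: None flows straight into the config and fails validation.
    return MemoryConfigStandIn(memory_id=memory_id, session_id=session_id)


def build_config_hardened(memory_id: str, session_id: Optional[str]) -> MemoryConfigStandIn:
    # Post-fix behaviour described in the PR: a falsy ID (None or "") is replaced.
    session_id = session_id or uuid.uuid4().hex
    return MemoryConfigStandIn(memory_id=memory_id, session_id=session_id)


# Constructed requests: a bearer-token caller without, and with, the session header.
NO_HEADER = {"Authorization": "Bearer <token>", "Content-Type": "application/json"}
WITH_HEADER = {**NO_HEADER, SESSION_HEADER.lower(): "caller-chosen-session-0001"}
```

Each header-less request receives a fresh ID under this fallback, so two such requests end up in different memory sessions; a caller that wants continuity has to send the same session ID on every call.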
@github-actions

Package Tarball

aws-agentcore-0.10.0.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-953-tarball/aws-agentcore-0.10.0.tgz

@notgitika notgitika left a comment

LGTM

Development

Successfully merging this pull request may close these issues.

Invoking (with Auth) without session ID returns error
