fix(schema): relax request header allowlist to accept broader X-Amzn-Bedrock-AgentCore-* family

[aidandaly24]

Description

Relaxes the request header allowlist validation on the CLI side to accept the broader set of HTTP header names described in the AgentCore Runtime header allowlist documentation — e.g. Authorization, X-Api-Key, X-Custom-Signature, plus any header in the X-Amzn-Bedrock-AgentCore-* family.

Scope of this PR (Option 3 — CLI-only half-fix)

Per reviewer feedback, this PR is explicitly scoped to CLI-side validation only. The mirror change in agentcore-l3-cdk-constructs (PR #209) has not yet been published to npm, and the currently-pinned @aws/agentcore-cdk@^0.1.0-alpha.28 tarball still ships the old strict predicate.

That means with this PR merged:

• ✅ agentcore.json validation in the CLI accepts the broader header set.
• ✅ The CLI's --request-header-allowlist flag and the TUI wizard advertise the new behavior.
• ✅ agentcore create continues to work (CDK pin reverted to the published ^0.1.0-alpha.28).
• ❌ agentcore deploy → CDK synth will still reject broader header names with the old error message until @aws/agentcore-cdk is republished with the mirror schema change and the pin in src/assets/cdk/package.json is bumped.

A follow-up PR will bump the @aws/agentcore-cdk pin once the mirror change is published. Issue #1151 should stay open to track the end-to-end deploy-flow fix.

Changes

• src/schema/schemas/agent-env.ts
  • Added HEADER_ALLOWLIST_BROAD_PREFIX (X-Amzn-Bedrock-AgentCore-) and HEADER_ALLOWLIST_PATTERN — a conservative subset of RFC 7230 token characters: /^[A-Za-z0-9!#$%&'*+\-.^_\|~]+$/`.
  • Updated RequestHeaderAllowlistSchema's .refine(...) predicate to validate against the new pattern; the service itself enforces the restricted-header list.
  • Kept HEADER_ALLOWLIST_PREFIX exported for backward compatibility.
• src/cli/commands/shared/header-utils.ts
  • normalizeHeaderName now passes through any header that already starts with X- (case-insensitive) unchanged, so e.g. X-Api-Key is no longer silently rewritten to X-Amzn-Bedrock-AgentCore-Runtime-Custom-X-Api-Key. Bare suffixes (e.g. MyHeader) are still auto-prefixed with the canonical Custom- prefix for backward compatibility.
  • Validation error message now references RFC 7230 instead of the narrower "letters, numbers, and hyphens" wording.
  • Dropped the unused HEADER_ALLOWLIST_PATTERN re-export.
• src/cli/commands/shared/__tests__/header-utils.test.ts
  • Added tests for normalizeHeaderName and validateHeaderAllowlist covering X-Api-Key, X-Custom-Signature, and non-Custom AgentCore headers (e.g. X-Amzn-Bedrock-AgentCore-Runtime-User-Id).
• src/cli/primitives/AgentPrimitive.tsx, src/cli/tui/screens/generate/GenerateWizardUI.tsx, src/cli/tui/screens/agent/AddAgentScreen.tsx
  • Updated user-facing flag help and TUI hint copy so what the CLI advertises matches what it now validates.

A mirror change is being made in the agentcore-l3-cdk-constructs repo (PR #209). The @aws/agentcore-cdk pin in src/assets/cdk/package.json will be bumped in a follow-up PR once that publishes.

Related Issue

Refs #1151 (this PR delivers the CLI-side validation portion only; the end-to-end deploy-flow fix tracks in the same issue and will be closed once the CDK constructs publish + pin bump land.)

Documentation PR

N/A — no documentation changes are required in this repo for this fix.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Other (please describe):

Testing

How have you tested the change?

• I ran npm run test:unit and npm run test:integ (targeted: header-utils.test.ts — 37/37 pass)
• I ran npm run typecheck
• I ran npm run lint (Prettier auto-formatted)
• If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Added unit tests covering:

• normalizeHeaderName preserves an already-prefixed non-Custom AgentCore header unchanged (e.g. X-Amzn-Bedrock-AgentCore-Runtime-User-Id).
• normalizeHeaderName canonicalizes case for non-Custom AgentCore headers.
• normalizeHeaderName passes through other X- headers unchanged (e.g. X-Api-Key, X-Custom-Signature).
• validateHeaderAllowlist accepts non-Custom- AgentCore headers and arbitrary HTTP header names from the AWS docs.

All previously-passing tests continue to pass; the existing strict-Custom canonicalization behavior is preserved.

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published — see "Scope" section above; the CDK mirror change in agentcore-l3-cdk-constructs PR [P0.5] agentcore dev --invoke fails with internal error when no creds? only on @ajesstur #209 is not yet published, and a follow-up will bump the pin

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

[agentcore-cli-automation]

Thanks for pushing this forward. I think the fix is on the right track but is under-relaxing the validation relative to what the linked AWS documentation now describes. See the inline comment on agent-env.ts for details — I think that needs to be resolved before merging. The other note is a question/clarification rather than a blocker.

[agentcore-cli-automation]

This fix (and, by extension, the mirror change in agentcore-l3-cdk-constructs) only relaxes the allowlist to X-Amzn-Bedrock-AgentCore-*, but the AWS doc linked in the PR description and in issue #1151 actually describes a much broader rule:

You can pass any valid HTTP header that is not in the restricted headers list, including webhook signatures like X-Custom-Signature, API keys like X-Api-Key, trace context, or session identifiers.

The doc's own example requestHeaderAllowlist is:

"requestHeaderAllowlist": [
  "X-Custom-Signature",
  "X-Api-Key",
  "X-Amzn-Bedrock-AgentCore-Runtime-Custom-UserId"
]

With the regex in this PR (/^(Authorization|X-Amzn-Bedrock-AgentCore-[A-Za-z0-9-]+)$/), a user who copy/pastes that exact example from the AWS docs into agentcore.json will still fail Zod validation on X-Custom-Signature and X-Api-Key. That seems like the core bug the issue is asking us to fix, and it isn't addressed here.

A few possible options:

1. Match the doc rule directly. Accept any header name matching a valid HTTP header token ([A-Za-z0-9_-]+ or RFC 7230 tchar) except:

   • names starting with x-amz- (case-insensitive)
   • names starting with x-amzn- (case-insensitive) except those starting with X-Amzn-Bedrock-AgentCore-Runtime-Custom-
   • optionally, the explicit restricted-header list from the doc (Host, Authorization-adjacent, Cookie, etc.) — though that list is large and may be better left to the service to reject.

2. Accept any valid HTTP header token plus Authorization, and leave it to the service to reject restricted names. This is the simplest and keeps us from having to chase the restricted list as it evolves. It would still be a strict improvement over today.

3. Keep this PR as a narrow, intentional fix for only the X-Amzn-Bedrock-AgentCore-* family and explicitly scope the issue (and issue Relax Custom Header regex to allow new pattern #1151) to that — but in that case the PR description and the .refine() error message should be updated to reflect that headers like X-Api-Key / X-Custom-Signature are knowingly not yet supported here, and the issue should stay open for follow-up.

Related: the HEADER_ALLOWLIST_PATTERN is exported and also used by normalizeHeaderName, which still unconditionally prepends X-Amzn-Bedrock-AgentCore-Runtime-Custom- to any header that doesn't already start with X-Amzn-Bedrock-AgentCore-. That existing behavior means agentcore invoke -H "X-Api-Key: foo" silently rewrites to X-Amzn-Bedrock-AgentCore-Runtime-Custom-X-Api-Key. Whichever option above you pick, normalizeHeaderName probably needs a matching adjustment (or at minimum a comment) so the two stay consistent.

[agentcore-cli-automation]

Minor behavioral tightening to confirm is intentional: the old predicate was val === 'Authorization' || val.startsWith(HEADER_ALLOWLIST_PREFIX), which would accept a header that is exactly the prefix (empty suffix, e.g. X-Amzn-Bedrock-AgentCore-Runtime-Custom-). The new regex requires [A-Za-z0-9-]+ after the broad prefix, so bare-prefix strings now fail validation. That's almost certainly the right call, but worth calling out explicitly since it's a (small) validation tightening on top of the relaxation.

[agentcore-cli-automation]

Nit on the re-export: HEADER_ALLOWLIST_PATTERN is imported and re-exported here but it isn't used anywhere in header-utils.ts (the two startsWith checks use the two string prefix constants instead). If nothing else in the CLI consumes HEADER_ALLOWLIST_PATTERN via this module, the re-export can be dropped; otherwise no action needed.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	43.36%	9090 / 20962
🔵	Statements	42.63%	9653 / 22640
🔵	Functions	40.11%	1569 / 3911
🔵	Branches	40.2%	5866 / 14589

Generated in workflow #2739 for commit c8abffa by the Vitest Coverage Report Action

[agentcore-cli-automation]

Thanks for iterating on the earlier feedback — the broadened RFC 7230 regex in the schema now matches the AWS docs (e.g. X-Api-Key, X-Custom-Signature), and the pass-through branch in normalizeHeaderName cleanly avoids silently rewriting non-AgentCore X-* headers. The test additions are on point.

Two issues worth addressing before this merges — details in the inline comments. Neither is a logic bug in this repo, but together they would leave users with a confusing end-to-end experience.

[agentcore-cli-automation]

Merge-order / downstream compatibility. The PR description notes that a mirror change is being made in agentcore-l3-cdk-constructs, but the current published @aws/agentcore-cdk (pinned to ^0.1.0-alpha.19 in src/assets/cdk/package.json) still carries the strict val === 'Authorization' || val.startsWith(HEADER_ALLOWLIST_PREFIX) predicate.

That means once this ships, agentcore.json validation will happily accept e.g. "X-Api-Key" in the CLI, but when the user runs agentcore deploy / the synthesized CDK app parses the same config, the bundled L3 construct's Zod schema will reject it with the old error message — and the error will appear to come from CDK synth, not from the CLI that just validated the field.

A few ways to resolve:

1. Land and publish the mirror change in agentcore-l3-cdk-constructs first, then bump the @aws/agentcore-cdk pin in src/assets/cdk/package.json in this PR (or a follow-up that blocks the CLI release).
2. Hold this PR until the constructs release is out, then merge together.
3. If you want to land this now, at minimum add a note in the PR / release notes that users on older @aws/agentcore-cdk versions will still see the old restriction at deploy time.

Option 1 or 2 are strongly preferable — otherwise the "fix" only moves the failure downstream instead of eliminating it.

[agentcore-cli-automation]

Stale user-facing help strings. The schema and normalizeHeaderName now accept a much broader set of headers than just X-Amzn-Bedrock-AgentCore-Runtime-Custom-*, but the flag help text and the TUI hints still tell users the allowlist is only for custom-prefixed names:

• src/cli/primitives/AgentPrimitive.tsx:257 — 'Comma-separated list of custom header names to allow (auto-prefixed with X-Amzn-Bedrock-AgentCore-Runtime-Custom-) [non-interactive]'
• src/cli/tui/screens/generate/GenerateWizardUI.tsx:310 — Enter header suffixes or full names. We auto-prefix with X-Amzn-Bedrock-AgentCore-Runtime-Custom- if needed. 'Authorization' is also accepted.
• src/cli/tui/screens/agent/AddAgentScreen.tsx:1184 — same copy as the wizard.

After this change, a user typing X-Api-Key or X-Custom-Signature into that field is now valid (per the AWS docs and per normalizeHeaderName's new /^x-/i pass-through branch) but the help text actively suggests it isn't. That's a discoverability regression for the feature this PR is supposed to enable.

Please update those three copies to reflect the new behavior (e.g. something like: Comma-separated list of header names to allow-list (e.g. Authorization, X-Api-Key, X-Amzn-Bedrock-AgentCore-Runtime-Custom-MyHeader). Bare suffixes are auto-prefixed with X-Amzn-Bedrock-AgentCore-Runtime-Custom- for backward compatibility.) so that what the CLI validates and what the CLI advertises stay in sync.

[agentcore-cli-automation]

Thanks for the follow-ups — the schema broadening, the updated help text, and the normalizeHeaderName pass-through for X-Api-Key / X-Custom-Signature all look good and correctly address the earlier review feedback.

Two blocking issues before this can merge:

1. The pinned @aws/agentcore-cdk version does not exist on npm. src/assets/cdk/package.json pins ^0.1.0-alpha.29, but the latest published version is 0.1.0-alpha.28 and 0.1.0-alpha.29 returns version not found from the registry. Inspecting the published 0.1.0-alpha.28 tarball confirms it still carries the old strict predicate (val === 'Authorization' || val.startsWith(HEADER_ALLOWLIST_PREFIX)). I also don't see the mirror change in the agentcore-l3-cdk-constructs repo's main branch (still at alpha.22 with the old schema). As shipped, this PR would make every agentcore create scaffold fail at npm install. See the inline comment on src/assets/cdk/package.json.

2. The format CI check is failing on src/schema/schemas/agent-env.ts. Needs npm run format + a commit. See the inline comment.

Everything else (the schema/normalizer logic, the new tests, the updated help strings in the CLI flag and both TUI screens) looks reasonable to me.

[agentcore-cli-automation]

Blocker: this version doesn't exist on npm yet.

The latest published @aws/agentcore-cdk is 0.1.0-alpha.28 — 0.1.0-alpha.29 returns "version not found" from the registry, and the agentcore-l3-cdk-constructs repo's main branch is still at 0.1.0-alpha.22 with the old strict schema (val === 'Authorization' || val.startsWith(HEADER_ALLOWLIST_PREFIX)) — no mirror PR appears to have landed there yet.

If this merges as-is, every agentcore create will produce a CDK scaffold whose npm install fails with No matching version found for @aws/agentcore-cdk@^0.1.0-alpha.29. This is exactly the downstream-compat failure mode flagged in the earlier review — the pin was bumped, but it was bumped to a version that hasn't been cut yet.

A few ways to unblock:

1. Land and publish the mirror change in agentcore-l3-cdk-constructs first (cutting at least 0.1.0-alpha.29, or whatever alpha version actually includes the new schema), then land this PR. Preferred.
2. Hold this PR until the constructs package is published, then retarget the pin to whatever version actually contains the mirror change (alpha.29, alpha.30, etc. — whatever ends up being cut) and re-push.
3. Revert this line to ^0.1.0-alpha.28 (the currently-published version, which still has the strict schema) and accept that agentcore deploy will continue to reject broad header names until the constructs package is updated. This makes the CLI-schema change useless end-to-end but at least keeps agentcore create working.

Option 1 or 2 are strongly preferable. Worth also confirming in the PR description which version of @aws/agentcore-cdk is expected to carry the mirror change, so the reviewer / release manager can verify the two are in sync before merge.

[agentcore-cli-automation]

Blocker: format CI check is failing.

The format job on the latest commit fails with:

[warn] src/schema/schemas/agent-env.ts
[warn] Code style issues found in 2 files. Run Prettier with --write to fix.

(The other file, .github/harness/prompts/review.md, isn't touched by this PR and is presumably a pre-existing issue on main, but agent-env.ts is yours.)

Please run npm run format and commit the result.

[agentcore-cli-automation]

Thanks for the quick turnaround on the pin — that unblocks agentcore create. Two blocking issues still remain, both flagged inline:

1. format CI is still failing, just on different files now. The edits to the two TUI help strings in AddAgentScreen.tsx and GenerateWizardUI.tsx broke Prettier formatting (per the CI log on the latest commit). Needs another npm run format + commit.

2. The end-to-end gap is still open. Pinning back to ^0.1.0-alpha.28 restores npm install, but the published 0.1.0-alpha.28 tarball still ships the old strict predicate (val === 'Authorization' || val.startsWith(HEADER_ALLOWLIST_PREFIX)) — I verified this by pulling the tarball from the registry. The agentcore-l3-cdk-constructs repo's main is also still on alpha.22 with the old schema, and no mirror PR appears to have landed. So as shipped, the CLI now tells users X-Api-Key / X-Custom-Signature / X-Amzn-Bedrock-AgentCore-Runtime-User-* are valid (help text + Zod schema + normalizeHeaderName pass-through), but the CDK synth step in agentcore deploy will still reject them with the old error message. That's the exact failure mode my previous review flagged — the pin was "fixed" by reverting rather than by bumping, which only trades one broken state for another.

The cleanest path is still: land + publish the mirror change in agentcore-l3-cdk-constructs first, then bump this pin to whatever alpha version ends up carrying it, then merge this PR. See the inline comment on src/assets/cdk/package.json for the specific options.

Everything else in the PR (schema, normalizer, tests, help-text copy) looks good — the logic side of the fix is in the right place.

[agentcore-cli-automation]

Blocker (continuation of the previous merge-order comment): end-to-end fix is still broken.

This now pins to ^0.1.0-alpha.28, which is the current latest on npm, so npm install will succeed — good. But I inspected the published @aws/agentcore-cdk@0.1.0-alpha.28 tarball and its dist/schema/schemas/agent-env.js still contains the old strict predicate:

.refine(val => val === 'Authorization' || val.startsWith(exports.HEADER_ALLOWLIST_PREFIX), ...)

And agentcore-l3-cdk-constructs main is still at 0.1.0-alpha.22 with the same old schema — no mirror PR has landed or been published.

So with this PR as-is, a user who puts X-Api-Key in agentcore.json will:

1. pass CLI-side Zod validation (new schema in this PR) ✅
2. have the CLI help text tell them it's valid ✅
3. agentcore deploy → CDK synth → the bundled construct's old Zod schema rejects it with Must be "Authorization" or start with "X-Amzn-Bedrock-AgentCore-Runtime-Custom-" ❌

That's arguably worse than before, because now the CLI is advertising a feature it can't deliver end-to-end.

Options, in order of preference:

1. Land and publish the mirror change in agentcore-l3-cdk-constructs first, bump this pin to the new alpha (e.g. ^0.1.0-alpha.29 or whatever ends up being cut), and then merge this PR. This is the only option that actually delivers the fix end-to-end.
2. Hold this PR until the constructs package is published, then update the pin.
3. Merge as-is and explicitly scope the fix to CLI-side validation only, with a release note that agentcore deploy still rejects the broader header set until the constructs package is updated. This is a half-fix but at least doesn't regress agentcore create.

If you go with option 3, please also (a) update the PR description to say that explicitly, and (b) leave issue #1151 open since the user-facing deploy flow isn't actually fixed.

[agentcore-cli-automation]

Blocker: format CI is failing on this file (and on GenerateWizardUI.tsx with the same edit). From the CI log on commit 4d6dd29:

[warn] src/cli/tui/screens/agent/AddAgentScreen.tsx
[warn] src/cli/tui/screens/generate/GenerateWizardUI.tsx
[warn] Code style issues found in 3 files. Run Prettier with --write to fix.

The previous format fix only covered agent-env.ts — the subsequent help-text rewrite re-broke formatting on these two TSX files. Please run npm run format again and commit the result.

[agentcore-cli-automation]

Same Prettier failure as AddAgentScreen.tsx:1186. Please include this file in the npm run format fix-up commit.

[agentcore-cli-automation]

Reviewed the PR in its current state (commit 76b44cc). The scope narrowing to "CLI-only half-fix" (Option 3) and the corresponding PR-description / issue-#1151 bookkeeping all look good, the schema relaxation matches the AWS docs, and the prior reviewer concerns (stale help strings, pin bumped to a non-existent version, HEADER_ALLOWLIST_PATTERN re-export) have been addressed.

Found one new blocker that hasn't been raised yet: the snapshot for src/assets/cdk/package.json wasn't regenerated after bumping the @aws/agentcore-cdk pin, so assets.snapshot.test.ts is currently failing in CI (unit-test (20.x, 1/3)). See the inline comment on src/assets/cdk/package.json.

Note: the format CI failure on this run is caused only by .github/harness/prompts/review.md, which is untouched by this PR and is a pre-existing issue on main — not a blocker for this PR.

[agentcore-cli-automation]

Blocker: snapshot test is failing for this file.

The @aws/agentcore-cdk pin was bumped from ^0.1.0-alpha.19 → ^0.1.0-alpha.28 here, but the corresponding snapshot in src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap (line 360) still pins ^0.1.0-alpha.19. As a result, unit-test (20.x, 1/3) is currently failing in CI:

× Assets Directory Snapshots > CDK assets > cdk/cdk/package.json should match snapshot
   → Snapshot `Assets Directory Snapshots > CDK assets > cdk/cdk/package.json should match snapshot 1` mismatched

The PR checklist item "If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots" is also still unchecked — this is exactly the case it's guarding against.

Fix: run npm run test:update-snapshots locally and commit the updated .snap file.

[agentcore-cli-automation]

Reviewed the current state of the PR (head c8abffa). The scope narrowing to "CLI-only half-fix" is well-documented in the PR description, the schema relaxation matches the linked AWS docs, the normalizeHeaderName pass-through branch correctly avoids silently rewriting X-Api-Key / X-Custom-Signature, and all previously-raised blockers (help-text staleness, nonexistent CDK pin, format failures, snapshot drift) have been addressed. All CI checks are passing on the latest commit.

One soft concern worth thinking about before merge — see the inline comment on AddAgentScreen.tsx. It's specifically a consequence of the Option-3 scope and is borderline between "acceptable trade-off the PR already documents" and "worth holding until the constructs mirror publishes", so I'll leave the call to you.

[agentcore-cli-automation]

Soft concern (not a hard blocker — leaving the call to you): the help text here (and the matching copy in GenerateWizardUI.tsx:310 and the --request-header-allowlist flag description in AgentPrimitive.tsx:257) now explicitly advertises X-Api-Key as a valid example. But per the PR description, the currently-pinned @aws/agentcore-cdk@^0.1.0-alpha.28 still ships the old strict predicate, so a user who follows this hint and writes X-Api-Key into agentcore.json will:

1. Pass agentcore add / the TUI wizard validation ✅
2. Pass agentcore.json Zod validation in the CLI ✅
3. Fail at agentcore deploy → CDK synth time with the old error message: Must be "Authorization" or start with "X-Amzn-Bedrock-AgentCore-Runtime-Custom-" ❌

That's a more confusing end-state than if we'd kept the help text conservative during the Option-3 window. The Zod schema relaxation on its own is defensible (it unblocks users who already have a broader allowlist in their agentcore.json from a previous source), but actively steering users toward X-Api-Key in the onboarding UI before deploy supports it is the part that feels risky.

Options (listing for the author's choice, in rough order of preference):

1. Keep the schema relaxation + normalizeHeaderName pass-through, but revert the three help-text strings (AddAgentScreen.tsx:1184, GenerateWizardUI.tsx:310, AgentPrimitive.tsx:257) to the pre-PR "suffixes / Authorization" wording for now. Bump them to advertise X-Api-Key etc. in the follow-up PR that also bumps the @aws/agentcore-cdk pin once the mirror publishes. This keeps the CLI-side half of the fix without promising users something deploy can't deliver yet.
2. Hold this PR entirely until the mirror change in agentcore-l3-cdk-constructs PR [P0.5] agentcore dev --invoke fails with internal error when no creds? only on @ajesstur #209 publishes, then merge with both the help-text update and the pin bump together. This is the cleanest end-to-end story but delays the CLI-side change.
3. Merge as-is (status quo of this PR) — accept that the help text is ahead of what deploy supports, and rely on the PR description / issue Relax Custom Header regex to allow new pattern #1151 to convey that to users who hit the deploy failure. This is what the PR currently does.

If you go with option 3, it would at least help to add a short inline caveat in the hint (e.g. "Note: non-Custom- headers require @aws/agentcore-cdk ≥ <ver> to deploy successfully"), though I recognize that's awkward copy for a TUI.

[aidandaly24]

Closing: fresh run with CI fix improvements

[github-actions]

Package Tarball

aws-agentcore-0.13.1.tgz

How to install

npm install https://github.com/aws/agentcore-cli/releases/download/pr-1163-tarball/aws-agentcore-0.13.1.tgz

[agentcore-cli-automation]

Reviewed the PR in its current state (head c8abffa). All the serious issues I would have flagged — schema under-relaxation relative to the AWS docs, stale help/hint copy, the nonexistent ^0.1.0-alpha.29 pin, format CI failures, the assets.snapshot.test.ts drift after the pin bump, the bare-prefix validation tightening, and the end-to-end deploy-flow gap caused by the unpublished CDK mirror change — have already been raised in the existing review thread and either fixed or explicitly accepted as the documented trade-off of the Option 3 (CLI-only half-fix) scope.

No new blockers from my pass:

• Schema change correctly mirrors the linked AWS docs (RFC 7230 token characters) and the comment block accurately describes why only syntactic validation is done client-side.
• normalizeHeaderName's ordering is correct — the Custom- prefix check runs before the broad AgentCore- prefix check, so X-Amzn-Bedrock-AgentCore-Runtime-Custom-Foo keeps its canonical Custom- casing rather than being truncated back to the broad prefix. The X- pass-through branch correctly avoids silently rewriting X-Api-Key / X-Custom-Signature.
• Test additions cover the three new behaviors (non-Custom AgentCore headers preserved, case canonicalization on the broad prefix, arbitrary X-* pass-through) and don't introduce any mocking — they exercise the real functions directly.
• No telemetry instrumentation is warranted here; this is a pure validation relaxation on an existing code path, not a new user-facing feature.

The one live trade-off (help text + schema advertise X-Api-Key et al. as valid, but agentcore deploy → CDK synth will still reject them until @aws/agentcore-cdk publishes the mirror change and the pin is bumped in a follow-up) is explicitly called out in both the PR description and the prior reviewer's soft-concern comment, and issue #1151 is being kept open to track the end-to-end fix. That's a reasonable way to land the CLI-side half.

LGTM.