fix(security): Keep short agent token prefixes in logs

Restore the existing short token-prefix logging behavior for agent auth failures while keeping the optional bearer-path rate-limit fix. Update tests and docs so the replacement branch reflects the intended logging policy.

Co-Authored-By: Claude <noreply@anthropic.com>

backend/app/core/agent_auth.py

@@ -133,8 +133,9 @@ async def get_agent_auth_context(
     agent = await _find_agent_for_token(session, resolved)
     if agent is None:
         logger.warning(
-            "agent auth invalid token path=%s",
+            "agent auth invalid token path=%s token_prefix=%s",
             request.url.path,
+            resolved[:6],
         )
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
     await _touch_agent_presence(request, session, agent)
@@ -178,8 +179,9 @@ async def get_agent_auth_context_optional(
     agent = await _find_agent_for_token(session, resolved)
     if agent is None:
         logger.warning(
-            "agent auth optional invalid token path=%s",
+            "agent auth optional invalid token path=%s token_prefix=%s",
             request.url.path,
+            resolved[:6],
         )
         return None
     await _touch_agent_presence(request, session, agent)

backend/tests/test_agent_auth_security.py

@@ -87,7 +87,7 @@ async def test_require_user_or_agent_skips_agent_auth_when_user_auth_succeeds(
 
 
 @pytest.mark.asyncio
-async def test_required_agent_auth_invalid_token_logs_no_token_material(
+async def test_required_agent_auth_invalid_token_logs_short_prefix_only(
     monkeypatch: pytest.MonkeyPatch,
 ) -> None:
     limiter = _RecordingLimiter()
@@ -118,11 +118,16 @@ async def test_required_agent_auth_invalid_token_logs_no_token_material(
         )
 
     assert exc_info.value.status_code == 401
-    assert logged == [("agent auth invalid token path=%s", ("/api/v1/agent/boards",))]
+    assert logged == [
+        (
+            "agent auth invalid token path=%s token_prefix=%s",
+            ("/api/v1/agent/boards", "invali"),
+        )
+    ]
 
 
 @pytest.mark.asyncio
-async def test_optional_agent_auth_invalid_token_logs_no_token_material(
+async def test_optional_agent_auth_invalid_token_logs_short_prefix_only(
     monkeypatch: pytest.MonkeyPatch,
 ) -> None:
     limiter = _RecordingLimiter()
@@ -152,4 +157,9 @@ async def test_optional_agent_auth_invalid_token_logs_no_token_material(
     )
 
     assert ctx is None
-    assert logged == [("agent auth optional invalid token path=%s", ("/api/v1/tasks/task-2",))]
+    assert logged == [
+        (
+            "agent auth optional invalid token path=%s token_prefix=%s",
+            ("/api/v1/tasks/task-2", "invali"),
+        )
+    ]

docs/reference/authentication.md

@@ -36,4 +36,4 @@ Autonomous agents primarily authenticate via an `X-Agent-Token` header. On share
 Security notes:
 
 - Agent auth is rate-limited to **20 requests per 60 seconds per IP**. Exceeding this returns `429 Too Many Requests`.
-- Authentication failure logs never include token material.
+- Authentication failure logs may include a short token prefix for debugging, but never the full token.

docs/reference/security.md

@@ -72,7 +72,7 @@ This boundary helps LLM-based agents distinguish trusted instructions from untru
 
 ## Agent token logging
 
-On authentication failure, logs include request context only. Token values and token prefixes are not written to logs.
+On authentication failure, logs include request context and may include a short token prefix for debugging. Full tokens are not written to logs.
 
 ## Cross-tenant isolation