From 3b20e799e2589a51a8a5ff5fac4cb18ee1c2cb71 Mon Sep 17 00:00:00 2001 From: Adam Grenier Date: Thu, 26 Feb 2026 11:51:45 -0800 Subject: [PATCH 1/4] fix: accept Authorization: Bearer in agent_auth_context_optional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The optional variant of get_agent_auth_context had accept_authorization=False, which prevented agents using Authorization: Bearer from passing through the ACTOR_DEP / BOARD_READ_DEP / TASK_DEP dependency chain. This caused 401 on any agent route that resolves a board or task via the shared ACTOR_DEP (e.g. PATCH /agent/boards/{id}/tasks/{id} and POST /agent/boards/{id}/tasks/{id}/comments), even though the same token worked fine on routes that use AGENT_CTX_DEP directly (accept_authorization=True). Fix: set accept_authorization=True in get_agent_auth_context_optional so both X-Agent-Token and Authorization: Bearer are accepted consistently. Verified: PATCH and POST /comments now resolve board/task correctly when Authorization: Bearer is used. No security regression — agent_token_hash comparison rejects any non-agent bearer tokens. --- backend/app/core/agent_auth.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py index 1bd2b7eb..a5f322dc 100644 --- a/backend/app/core/agent_auth.py +++ b/backend/app/core/agent_auth.py 
@@ -143,11 +143,19 @@ async def get_agent_auth_context_optional( authorization: str | None = Header(default=None, alias="Authorization"), session: AsyncSession = SESSION_DEP, ) -> AgentAuthContext | None: - """Optionally resolve agent auth context from `X-Agent-Token` only.""" + """Optionally resolve agent auth context from `X-Agent-Token` or `Authorization: Bearer`. + + Both `X-Agent-Token` and `Authorization: Bearer ` are accepted so that + routes depending on this function (e.g. board/task dependency resolvers) behave + consistently with `get_agent_auth_context`, which also accepts both headers. + Previously, `accept_authorization=False` caused 401 on any route that resolved + a board or task via the shared `ACTOR_DEP` chain (e.g. PATCH /tasks/{id}, + POST /tasks/{id}/comments) when the caller used `Authorization: Bearer`. + """ resolved = _resolve_agent_token( agent_token, authorization, - accept_authorization=False, + accept_authorization=True, ) if not resolved: if agent_token: From 09643b8cf76004362d3e61ddf80f3ed835d560d8 Mon Sep 17 00:00:00 2001 From: Abhimanyu Saharan Date: Fri, 27 Feb 2026 18:34:58 +0530 Subject: [PATCH 2/4] Update env_file reference in compose.yml --- compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/compose.yml b/compose.yml index ddde29eb..e55c1e0d 100644 --- a/compose.yml +++ b/compose.yml @@ -34,7 +34,7 @@ services: context: . dockerfile: backend/Dockerfile env_file: - - ./backend/.env.example + - ./backend/.env environment: # Override localhost defaults for container networking DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-mission_control} @@ -77,7 +77,7 @@ services: dockerfile: backend/Dockerfile command: ["rq", "worker", "-u", "redis://redis:6379/0"] env_file: - - ./backend/.env.example + - ./backend/.env depends_on: redis: condition: service_healthy From 4c35cb03adebcf2b523911af3d459c6dd161d556 Mon Sep 17 00:00:00 2001 
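Review bot: The new docstring has a stray trailing space in `Authorization: Bearer ` where the token placeholder appears to have been dropped, and its last three sentences (`Previously, accept_authorization=False caused 401 ...`) recount bug history rather than the contract. History belongs in the commit message, so I'd trim the docstring to its first paragraph and write `Authorization: Bearer <token>` in both places. What is worth stating instead is the security-relevant consequence: with `accept_authorization=True` every `Authorization: Bearer` credential on routes using this dependency is now looked up as an agent token, so a bearer token issued for a different scheme (e.g. a user JWT) reaches the `agent is None` branch further down, and what that branch does — 401 or fall-through to `None` — decides whether those routes still work for non-agent callers; that branch is outside this hunk. The function starts before the hunk and continues past it.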
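Review bot: `env_file: - ./backend/.env` makes `docker compose up` fail outright when the file is missing, and unlike `.env.example` the new path is presumably untracked, so anyone who does not go through `install.sh` (or runs compose before it) gets a hard error instead of defaults; the worker service's hunk below has the same issue. If the file is meant to be optional, `env_file: - path: ./backend/.env` with `required: false` keeps the stack bootable (Compose 2.24+, so check the version you target); otherwise the README should state that the file must be created first. Since `backend/.env` now carries real credentials rather than example values, confirm it is covered by `.gitignore` and `.dockerignore` — neither is visible here.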
From: Hanush H Nair Date: Fri, 27 Feb 2026 23:19:40 +0530 Subject: [PATCH 3/4] fix(backend): Return None instead of 401 when agent not found in get_agent_auth_context_optional --- backend/app/core/agent_auth.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py index a5f322dc..97d92ad6 100644 --- a/backend/app/core/agent_auth.py +++ b/backend/app/core/agent_auth.py @@ -168,11 +168,12 @@ async def get_agent_auth_context_optional( return None agent = await _find_agent_for_token(session, resolved) if agent is None: - logger.warning( - "agent auth optional invalid token path=%s token_prefix=%s", - request.url.path, - resolved[:6], - ) - raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) + if agent_token: + logger.warning( + "agent auth optional invalid token path=%s token_prefix=%s", + request.url.path, + resolved[:6], + ) + return None await _touch_agent_presence(request, session, agent) return AgentAuthContext(actor_type="agent", agent=agent) From 2f54aeb19ef24ffa1806b57d603183d24fbc25da Mon Sep 17 00:00:00 2001 From: Abhimanyu Saharan Date: Fri, 27 Feb 2026 23:28:02 +0530 Subject: [PATCH 4/4] fix(installer): create backend .env before docker compose up --- install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index 25f93b7d..0133c90a 100755 --- a/install.sh +++ b/install.sh @@ -737,6 +737,8 @@ main() { upsert_env_value "$REPO_ROOT/.env" "CORS_ORIGINS" "http://$public_host:$frontend_port" if [[ "$deployment_mode" == "docker" ]]; then + ensure_file_from_example "$REPO_ROOT/backend/.env" "$REPO_ROOT/backend/.env.example" + upsert_env_value "$REPO_ROOT/.env" "DB_AUTO_MIGRATE" "true" info "Starting production-like Docker stack..." @@ -825,4 +827,4 @@ Stop local background services: SUMMARY } -main "$@" \ No newline at end of file +main "$@"
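Review bot: Returning `None` when `_find_agent_for_token` finds no agent now also applies to requests that explicitly sent `X-Agent-Token`: an invalid or revoked agent token is logged and then treated as if no agent credential was presented, so the request continues through the dependency chain as anonymous (or as whatever actor the caller resolves next) instead of being refused. Only the `Authorization: Bearer` path needs the fall-through, since a bearer token may belong to another scheme; for an explicit agent header I'd keep the rejection — inside the `if agent_token:` block, after the `logger.warning(...)` call, add `raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)` and leave `return None` for the bearer-only case. This mirrors the `if agent_token:` distinction the `if not resolved:` branch just above the hunk appears to make. The function's body starts before this hunk.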
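Review bot: `ensure_file_from_example` seeds `backend/.env` from `.env.example` for the production-like Docker stack, but nothing in this hunk then overwrites the example's placeholder values — the following `upsert_env_value` targets the root `.env`, not `backend/.env` — so any example secret (signing keys, default passwords) is deployed verbatim unless `ensure_file_from_example` regenerates them, which is not visible here. I'd follow the copy with the same `upsert_env_value` treatment for whichever secret keys the backend reads from that file, and restrict it since it now holds live credentials: `chmod 600 "$REPO_ROOT/backend/.env"`. The enclosing `main()` starts and ends outside the hunk; the second hunk in this file only adds the missing trailing newline.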