Three related provisioning fixes:
1. **tools.exec.host auto-configuration**: Add `_tools_exec_host_patch()`
that ensures `tools.exec.host` is set to `"gateway"` during
`patch_agent_heartbeats()`. Without this, heartbeat-driven agents
cannot execute `curl`, `bash`, or any shell command — making
HEARTBEAT.md instructions unexecutable. The function is idempotent
and respects existing user configuration.
2. **agents.update hot-reload race**: After `agents.create` writes to
disk, the gateway triggers a ~500ms debounced hot-reload. If
`agents.update` arrives before the reload completes, it returns
"agent not found". Fix: add a 750ms delay after create + exponential
backoff retry (5 attempts, 0.5s → 4s) on the update call.
3. **Skip no-op config.patch**: When `patch_agent_heartbeats()` detects
no changes to agents, channels, or tools config, skip the
`config.patch` RPC entirely. Each unnecessary patch triggers a
gateway SIGUSR1 restart that rotates agent tokens and breaks active
sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use 'brew upgrade node@22 || brew install node@22' so existing older Node is upgraded
- Add node@22 bin to PATH after install so node/npm are found
- Align error message with node@22 (was suggesting node@22 while install used node)
Made-with: Cursor
The optional variant of get_agent_auth_context had accept_authorization=False,
which prevented agents using Authorization: Bearer from passing through the
ACTOR_DEP / BOARD_READ_DEP / TASK_DEP dependency chain.
This caused 401 on any agent route that resolves a board or task via the shared
ACTOR_DEP (e.g. PATCH /agent/boards/{id}/tasks/{id} and
POST /agent/boards/{id}/tasks/{id}/comments), even though the same token worked
fine on routes that use AGENT_CTX_DEP directly (accept_authorization=True).
Fix: set accept_authorization=True in get_agent_auth_context_optional so both
X-Agent-Token and Authorization: Bearer are accepted consistently.
Verified: PATCH and POST /comments now resolve board/task correctly when
Authorization: Bearer is used. No security regression — agent_token_hash
comparison rejects any non-agent bearer tokens.
FastAPI 0.131.0 includes Pydantic's Rust-based JSON serialization by default (PR #14962), making ORJSONResponse unnecessary. The new default serialization is 2x faster than the previous approach and eliminates the need for explicit orjson configuration.
Changes:
- Upgrade FastAPI from 0.130.0 to 0.131.0
- Remove orjson dependency (deprecated in 0.131.0)
- Remove ORJSONResponse import and configuration
- Use FastAPI's new default Pydantic-based serialization
Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
