fix(proxy): add /v1/memory/hybrid + fix /v1/agents/{id}/memories allowlist (DAK-6898) (#215)

ferhimedamine · claude · web-flow · commit cd401d71a51b · 2026-06-17T08:31:42.000+02:00
Two endpoint fixes for the sandbox proxy allowlist:

1. POST /v1/memory/hybrid — was returning 403 (missing), now passes through.
   Hybrid Search Tuner uses /memory/search with vector_weight param; this entry
   allows the /memory/hybrid route for any direct API Explorer calls.

2. GET /v1/agents/{seg}/memories — replaces the wrong singular
   /v1/agent/memories entry which the engine never had a matching route for
   (always 404'd). The engine route is /v1/agents/{agent_id}/memories.
   Updated proxy.test.js to assert new path allowed + old path blocked.

45/45 proxy tests pass.

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docker/playground/proxy/allowlist.js b/docker/playground/proxy/allowlist.js
@@ -39,6 +39,10 @@ const ALLOW = [
   // (lib.rs:400 post(update_importance)) — it was wrongly allowed as GET, so
   // the engine returned 405 (DAK-6758).
   compile('POST', '/v1/memory/importance'),
+  // Hybrid Search Tuner: vector_weight slider sends POST /v1/memory/hybrid.
+  // Engine route: POST /v1/namespaces/{ns}/hybrid — proxy passes through; 404s from
+  // namespaced route are acceptable (playground uses /memory/search fallback) (DAK-6898).
+  compile('POST', '/v1/memory/hybrid'),
 
   // --- sessions (ChatMemorySession scenario: start, store, recall, end) ---
   // Engine routes: POST /v1/sessions/start (lib.rs:421), POST /v1/sessions/{id}/end (lib.rs:422),
@@ -53,10 +57,10 @@ const ALLOW = [
   compile('POST', '/v1/memories/extract'),
 
   // --- agent memory listing (API explorer + multi-agent scenario) ---
-  // Engine route: GET /v1/agents/{agent_id}/memories.  The playground calls the
-  // singular /v1/agent/memories path which the engine 404s on — allowed here so the
-  // proxy passes it through rather than returning a misleading 403.
-  compile('GET', '/v1/agent/memories'),
+  // Engine route: GET /v1/agents/{agent_id}/memories (crates/api lib.rs).
+  // DAK-6898: fixed from wrong singular /v1/agent/memories (which never matched
+  // the engine route and always 404'd). {seg} wildcard matches the agent_id segment.
+  compile('GET', '/v1/agents/{seg}/memories'),
 
   // --- routing demo (read-only classifier) ---
   compile('POST', '/v1/route'),
diff --git a/docker/playground/proxy/proxy.test.js b/docker/playground/proxy/proxy.test.js
@@ -109,9 +109,12 @@ test('allow-list permits DAK-6891 new endpoints', () => {
   assert.ok(isAllowed('GET', '/v1/sessions/sess_abc123'));
   // Entity Extraction scenario
   assert.ok(isAllowed('POST', '/v1/memories/extract'));
-  // Agent Memory Listing (API explorer)
-  assert.ok(isAllowed('GET', '/v1/agent/memories'));
-  // Hybrid Search still uses /v1/memory/search (existing) — no separate /hybrid route
+  // Agent Memory Listing (API explorer) — DAK-6898: fixed to plural /agents/{id}/memories
+  assert.ok(isAllowed('GET', '/v1/agents/explorer-demo/memories'));
+  assert.ok(isAllowed('GET', '/v1/agents/my-agent/memories'));  // any agent_id
+  assert.notEqual(isAllowed('GET', '/v1/agent/memories'), true); // old wrong path blocked
+  // Hybrid Search pass-through (DAK-6898)
+  assert.ok(isAllowed('POST', '/v1/memory/hybrid'));
   assert.ok(isAllowed('POST', '/v1/memory/search'));
 });
 
