Skip to content

bug: ag run creates orphaned server session when CLI auth fails #3306

Description

@OneStepAt4time

Bug Report

Found by: Orpheus (dogfood testing, 2026-05-14)
Severity: P2 — causes confusing orphaned sessions on the server

Steps to Reproduce

  1. Server is running with auth enabled (keys.json + config.yaml in project dir)
  2. Run ag run "hello" from a directory that is NOT the project dir (e.g., ~ instead of /path/to/project)
  3. CLI prints: ❌ Unauthorized — the server requires authentication.
  4. Expected: no side effects on the server
  5. Actual: a session is created on the server with empty promptDelivery and no prompt sent

Evidence

$ cd ~ && ag run "test silent"
  🚀 ag run: test silent
  ❌ Unauthorized — the server requires authentication.

# But a session appears on the server:
$ curl -s http://localhost:9100/v1/sessions -H "Authorization: Bearer $TOKEN" | jq '.sessions[-1]'
{
  "displayName": "cc-07745136",
  "status": "idle",
  "promptDelivery": {},   ← empty, orphaned
  ...
}

Root Cause

ag run creates a session via the HTTP API before checking auth locally. When the local auth check fails, the server-side session is already created and never cleaned up.

Expected Behavior

Either:

  1. Check auth locally before making any HTTP request to the server, OR
  2. Clean up the server session if auth fails, OR
  3. At minimum, don't claim "Unauthorized" while silently leaving garbage on the server

Environment

  • Aegis v0.6.7-preview.1
  • Node.js v22.22.1
  • Linux (bubuntu)

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions