Bug Report
Found by: Orpheus (dogfood testing, 2026-05-14)
Severity: P2 — causes confusing orphaned sessions on the server
Steps to Reproduce
- Server is running with auth enabled (keys.json + config.yaml in project dir)
- Run
ag run "hello" from a directory that is NOT the project dir (e.g., ~ instead of /path/to/project)
- CLI prints:
❌ Unauthorized — the server requires authentication.
- Expected: no side effects on the server
- Actual: a session is created on the server with empty
promptDelivery and no prompt sent
Evidence
$ cd ~ && ag run "test silent"
🚀 ag run: test silent
❌ Unauthorized — the server requires authentication.
# But a session appears on the server:
$ curl -s http://localhost:9100/v1/sessions -H "Authorization: Bearer $TOKEN" | jq '.sessions[-1]'
{
"displayName": "cc-07745136",
"status": "idle",
"promptDelivery": {}, ← empty, orphaned
...
}
Root Cause
ag run creates a session via the HTTP API before checking auth locally. When the local auth check fails, the server-side session is already created and never cleaned up.
Expected Behavior
Either:
- Check auth locally before making any HTTP request to the server, OR
- Clean up the server session if auth fails, OR
- At minimum, don't claim "Unauthorized" while silently leaving garbage on the server
Environment
- Aegis v0.6.7-preview.1
- Node.js v22.22.1
- Linux (bubuntu)
Bug Report
Found by: Orpheus (dogfood testing, 2026-05-14)
Severity: P2 — causes confusing orphaned sessions on the server
Steps to Reproduce
ag run "hello"from a directory that is NOT the project dir (e.g.,~instead of/path/to/project)❌ Unauthorized — the server requires authentication.promptDeliveryand no prompt sentEvidence
Root Cause
ag runcreates a session via the HTTP API before checking auth locally. When the local auth check fails, the server-side session is already created and never cleaned up.Expected Behavior
Either:
Environment