fix(cli): preflight auth check prevents orphaned sessions (#3306) #3314

Merged: aegis-gh-agent[bot] merged 1 commit into develop from fix/3306-orphan-session on May 14, 2026

@OneStepAt4time

Owner

Summary

Fixes #3306 — orphaned server sessions when ag run or ag "brief" fails auth.

Problem

When the CLI has an invalid or missing auth token but the server requires authentication, a session was created on the server side before the auth error was returned. This left orphaned idle sessions.

Fix

Add a preflight auth check (GET /v1/sessions/stats) before session creation in both code paths:

  • commands/run.ts (ag run "prompt") — new verifyAuth() helper
  • cli.ts (ag "brief" shorthand) — inline preflight

If the server returns 401, fail early with a clear error message without creating any session.

Changes

  • src/commands/run.ts: Add verifyAuth() function + preflight before POST /v1/sessions
  • src/cli.ts: Add inline preflight auth check
  • src/__tests__/fix-3306-orphan-session.test.ts: 3 new tests

Verification

tsc --noEmit: ✅ Zero errors
npm run build: ✅ Success
npm test: ✅ 4150 passed (1 pre-existing flaky timeout)

Verification

  • Commit: b94880b
  • Tests: ✅ 3 new + 4147 existing passed
  • Build: ✅ Success

Add verifyAuth preflight before session creation in both 'ag run' and
'ag "brief"' paths. When the server rejects auth, fail early without
creating any server-side session, preventing orphaned idle sessions.

- commands/run.ts: add verifyAuth() + preflight before POST /v1/sessions
- cli.ts: add inline preflight check before POST /v1/sessions
- 3 new tests covering auth rejection, success, and no-token paths

Fixes #3306
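
The preflight pattern described in this pull request, as an added example that is not code from the Aegis repository. The synchronous in-memory transport, the server model, and the names `makeServer`, `verifyAuthPreflight`, `runPrompt` and `compareOrphans` are assumptions made for illustration; only the two endpoints and the 401 behaviour come from the description above.

```typescript
// Added illustration, not Aegis code; a synchronous in-memory transport stands in for HTTP.
type Res = { status: number };
type Transport = (method: string, path: string, token?: string) => Res;
type Preflight = "ok" | "rejected" | "skipped";
// Constructed server model: POST /v1/sessions allocates the session before the
// auth verdict is returned, which is the orphaning behaviour the PR describes.
function makeServer(validToken: string) {
  const sessions: string[] = [];
  const send: Transport = (method, path, token) => {
    const authed = token === validToken;
    if (method === "POST" && path === "/v1/sessions") {
      sessions.push("sess-" + (sessions.length + 1));
      return { status: authed ? 201 : 401 };
    }
    if (method === "GET" && path === "/v1/sessions/stats") {
      return { status: authed ? 200 : 401 }; // read-only, allocates nothing
    }
    return { status: 404 };
  };
  return { send, sessions };
}

// Hypothetical helper: probe a read-only authenticated endpoint first.
function verifyAuthPreflight(send: Transport, token?: string): Preflight {
  if (!token) return "skipped"; // mirrors the "no-token skip" in the review
  try {
    const res = send("GET", "/v1/sessions/stats", token);
    return res.status === 401 ? "rejected" : "ok";
  } catch {
    return "ok"; // network error swallowed; the create call reports its own
  }
}

function runPrompt(send: Transport, token: string | undefined, preflight: boolean): string {
  if (preflight && verifyAuthPreflight(send, token) === "rejected") {
    return "auth-failed-before-create"; // fail early, nothing allocated
  }
  const res = send("POST", "/v1/sessions", token);
  return res.status === 401 ? "auth-failed-after-create" : "session-started";
}

// Same stale token against two fresh servers, without and with the preflight.
function compareOrphans(): { without: number; withPreflight: number } {
  const a = makeServer("good-token");
  const b = makeServer("good-token");
  runPrompt(a.send, "stale-token", false);
  runPrompt(b.send, "stale-token", true);
  return { without: a.sessions.length, withPreflight: b.sessions.length };
}
```

In this model the stale token leaves one idle session behind without the preflight and none with it; a valid token still creates exactly one session.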

@aegis-gh-agent aegis-gh-agent Bot left a comment

Contributor

✅ Approved — all 9 merge gates pass.

Review summary:

  • Preflight auth check via GET /v1/sessions/stats before session creation — correct and minimal approach
  • Both code paths (ag run and ag "brief") covered consistently
  • Network errors gracefully swallowed (session creation itself will fail with its own error)
  • 3 new tests covering: auth rejection, auth success, no-token skip
  • No secrets, no security concerns
  • CI all green, targets develop, mergeable

No issues found. Clean fix.

@aegis-gh-agent aegis-gh-agent Bot merged commit a4b6dcb into develop May 14, 2026
18 checks passed
@aegis-gh-agent aegis-gh-agent Bot deleted the fix/3306-orphan-session branch May 14, 2026 00:43
OneStepAt4time pushed a commit that referenced this pull request May 16, 2026
Adds entries Hermes missed for: --json-logs (#3519), CLI shortcuts
(#3521), ag run timeout (#3518/#3498), auto MCP wiring (#3501),
Windows workDir (#3502), cost tracking fixes (#3311), metering
lifecycle (#3315), preflight auth (#3314), project-local config
(#3313), /send non-blocking (#3437), ACP notifications wired (#3463),
design tokens system-wide (#3456), auth persistence (#3386),
protobufjs CVE (#3218), and 16 more.
aegis-gh-agent Bot pushed a commit that referenced this pull request May 16, 2026
* chore(release): bump version to 0.6.7 (#3495)

- package.json: 0.6.7-preview.1 → 0.6.7
- .release-please-manifest.json: 0.6.7-preview.1 → 0.6.7
- Helm charts: version + appVersion aligned
- CHANGELOG.md: Unreleased → 0.6.7 release header
- Docs: version references updated

Key fixes in this release:
- #3479: sendPrompt uses request() with 5s ack timeout
- #3484: proactive keys.json reload + orphan auth-token detection
- Zero-config first run (ag run, ag init)
- ACP cutover complete (tmux removed)
- 150+ PRs since v0.6.6

* docs(changelog): add 93 missing entries for PRs #3250-#3517

Covers all merged PRs since the last changelog update (#3254):
- 11 Added (cost tracking, runner, CLI subcommands, dashboard features)
- 4 Changed (auth refactor, design tokens, route cleanup)
- 49 Fixed (ACP, CLI, API, dashboard, deploy, security, CI)
- 26 Documentation (RBAC, competitive, guides, README, ADR)
- 2 Dependencies (dashboard deps, OTel)

Requested by Scribe after review identified ~80+ missing entries.

* docs(changelog): editorial follow-up — 36 remaining PRs from Scribe pass

Adds entries Hermes missed for: --json-logs (#3519), CLI shortcuts
(#3521), ag run timeout (#3518/#3498), auto MCP wiring (#3501),
Windows workDir (#3502), cost tracking fixes (#3311), metering
lifecycle (#3315), preflight auth (#3314), project-local config
(#3313), /send non-blocking (#3437), ACP notifications wired (#3463),
design tokens system-wide (#3456), auth persistence (#3386),
protobufjs CVE (#3218), and 16 more.

* docs(changelog): comprehensive 0.6.7 changelog — all 141 PRs, Boss's categories

Complete rewrite of the 0.6.7 section:
- 150 commits, 141 unique PRs — every single one listed
- Organized by Boss's requested categories:
  Security (21), Features (19), Bug Fixes — ACP (14),
  Bug Fixes — CLI (13), Bug Fixes — API (12),
  Bug Fixes — Dashboard (14), Bug Fixes — Other (8),
  Documentation (42), Dependencies & Chore (6)
- No summarization — each PR gets its own bullet
- All PR references verified against git log

Co-authored-by: Scribe <scribe@openclaw.ai>

---------

Co-authored-by: Argus <argus@openclaw.ai>
Co-authored-by: Hephaestus <hep@aegis.dev>
Co-authored-by: Scribe <scribe@openclaw.ai>