fix(cli): preflight auth check prevents orphaned sessions (#3306)#3314
Merged
Add verifyAuth preflight before session creation in both 'ag run' and 'ag "brief"' paths. When the server rejects auth, fail early without creating any server-side session, preventing orphaned idle sessions.
- commands/run.ts: add verifyAuth() + preflight before POST /v1/sessions
- cli.ts: add inline preflight check before POST /v1/sessions
- 3 new tests covering auth rejection, success, and no-token paths
Fixes #3306
Approved. All 9 merge gates pass.
Review summary:
- Preflight auth check via GET /v1/sessions/stats before session creation: correct and minimal approach
- Both code paths (ag run and ag "brief") covered consistently
- Network errors gracefully swallowed (session creation itself will fail with its own error)
- 3 new tests covering: auth rejection, auth success, no-token skip
- No secrets, no security concerns
- CI all green, targets develop, mergeable
No issues found. Clean fix.
OneStepAt4time pushed a commit that referenced this pull request on May 16, 2026:
Adds entries Hermes missed for: --json-logs (#3519), CLI shortcuts (#3521), ag run timeout (#3518/#3498), auto MCP wiring (#3501), Windows workDir (#3502), cost tracking fixes (#3311), metering lifecycle (#3315), preflight auth (#3314), project-local config (#3313), /send non-blocking (#3437), ACP notifications wired (#3463), design tokens system-wide (#3456), auth persistence (#3386), protobufjs CVE (#3218), and 16 more.
aegis-gh-agent Bot pushed a commit that referenced this pull request on May 16, 2026:
* chore(release): bump version to 0.6.7 (#3495)
- package.json: 0.6.7-preview.1 → 0.6.7
- .release-please-manifest.json: 0.6.7-preview.1 → 0.6.7
- Helm charts: version + appVersion aligned
- CHANGELOG.md: Unreleased → 0.6.7 release header
- Docs: version references updated
Key fixes in this release:
- #3479: sendPrompt uses request() with 5s ack timeout
- #3484: proactive keys.json reload + orphan auth-token detection
- Zero-config first run (ag run, ag init)
- ACP cutover complete (tmux removed)
- 150+ PRs since v0.6.6
* docs(changelog): add 93 missing entries for PRs #3250-#3517
Covers all merged PRs since the last changelog update (#3254):
- 11 Added (cost tracking, runner, CLI subcommands, dashboard features)
- 4 Changed (auth refactor, design tokens, route cleanup)
- 49 Fixed (ACP, CLI, API, dashboard, deploy, security, CI)
- 26 Documentation (RBAC, competitive, guides, README, ADR)
- 2 Dependencies (dashboard deps, OTel)
Requested by Scribe after review identified ~80+ missing entries.
* docs(changelog): editorial follow-up: 36 remaining PRs from Scribe pass
Adds entries Hermes missed for: --json-logs (#3519), CLI shortcuts (#3521), ag run timeout (#3518/#3498), auto MCP wiring (#3501), Windows workDir (#3502), cost tracking fixes (#3311), metering lifecycle (#3315), preflight auth (#3314), project-local config (#3313), /send non-blocking (#3437), ACP notifications wired (#3463), design tokens system-wide (#3456), auth persistence (#3386), protobufjs CVE (#3218), and 16 more.
* docs(changelog): comprehensive 0.6.7 changelog: all 141 PRs, Boss's categories
Complete rewrite of the 0.6.7 section:
- 150 commits, 141 unique PRs; every single one listed
- Organized by Boss's requested categories: Security (21), Features (19), Bug Fixes / ACP (14), Bug Fixes / CLI (13), Bug Fixes / API (12), Bug Fixes / Dashboard (14), Bug Fixes / Other (8), Documentation (42), Dependencies & Chore (6)
- No summarization; each PR gets its own bullet
- All PR references verified against git log
Co-authored-by: Scribe <scribe@openclaw.ai>
---------
Co-authored-by: Argus <argus@openclaw.ai>
Co-authored-by: Hephaestus <hep@aegis.dev>
Co-authored-by: Scribe <scribe@openclaw.ai>
Summary
Fixes #3306: orphaned server sessions when ag run or ag "brief" fails auth.
Problem
When the CLI has an invalid or missing auth token but the server requires authentication, a session was created on the server side before the auth error was returned. This left orphaned idle sessions.
Fix
Add a preflight auth check (GET /v1/sessions/stats) before session creation in both code paths:
- commands/run.ts (ag run "prompt"): new verifyAuth() helper
- cli.ts (ag "brief" shorthand): inline preflight
If the server returns 401, fail early with a clear error message without creating any session.
Changes
- src/commands/run.ts: Add verifyAuth() function + preflight before POST /v1/sessions
- src/cli.ts: Add inline preflight auth check
- src/__tests__/fix-3306-orphan-session.test.ts: 3 new tests
Verification
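A preflight in the shape this PR describes, written here as an added example and not the project's own code from commands/run.ts or cli.ts: the no-token path skips the check, a 401 on GET /v1/sessions/stats fails before any POST /v1/sessions is sent, and a network error is swallowed so session creation reports its own error. fetch is injected as a FetchLike so it runs offline; everything except the verifyAuth name and the two endpoints (the base URL, request body, error class and result type) is an assumption.

```typescript
// Preflight auth check (added example, not the project's code). Assumptions:
// fetch is injected as FetchLike so the logic runs offline; the token and base
// URL are passed in by the caller; the session body shape is made up.
type FetchInit = { method?: string; headers: Record<string, string>; body?: string };
type FetchLike = (url: string, init: FetchInit) => Promise<{ status: number }>;
type PreflightResult = "ok" | "skipped" | "unreachable";

class AuthRejectedError extends Error {
  constructor(status: number) {
    super(`Server rejected the auth token (HTTP ${status}); no session was created.`);
    this.name = "AuthRejectedError";
  }
}

// Pure decision logic, kept separate from I/O so each path is unit-testable.
// status === null means the GET itself failed (network error).
function decidePreflight(hasToken: boolean, status: number | null): PreflightResult {
  if (!hasToken) return "skipped";            // no token: nothing to verify up front
  if (status === null) return "unreachable";  // swallowed; POST /v1/sessions reports its own error
  if (status === 401) throw new AuthRejectedError(status);
  return "ok";
}

// GET /v1/sessions/stats with the token and map the outcome through decidePreflight.
async function verifyAuth(baseUrl: string, token: string | undefined, fetchImpl: FetchLike): Promise<PreflightResult> {
  if (!token) return decidePreflight(false, null);
  let status: number | null = null;
  try {
    const res = await fetchImpl(`${baseUrl}/v1/sessions/stats`, {
      headers: { Authorization: `Bearer ${token}` },
    });
    status = res.status;
  } catch {
    // network failure is not an auth failure; leave status as null
  }
  return decidePreflight(true, status);
}

// Session creation runs only after the preflight passes, so a rejected token
// never reaches POST /v1/sessions and cannot leave an idle session behind.
async function createSession(baseUrl: string, token: string | undefined, fetchImpl: FetchLike, brief: string): Promise<number> {
  await verifyAuth(baseUrl, token, fetchImpl); // throws AuthRejectedError on 401
  const headers: Record<string, string> = { "Content-Type": "application/json" };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetchImpl(`${baseUrl}/v1/sessions`, { method: "POST", headers, body: JSON.stringify({ brief }) });
  return res.status;
}
```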