
fix(auth): resolve auth token discovery mismatch between CLI and server (#3340) #3409

Merged
aegis-gh-agent[bot] merged 3 commits into develop from fix/3340-3356-auth-discovery
May 14, 2026

@OneStepAt4time

Owner

Summary

Fixes #3340 — auth token discovery regression blocking new users.

Root Cause

ag init --yes writes tokens to clientAuthToken in config, but the server only reads authToken. The CLI's resolveAuthToken() checks env vars and the auth-token file, but doesn't fall back to config file fields. Result: new users hit 401 immediately after init.

Fix

CLI (src/commands/run.ts):

  • resolveAuthToken() now falls back to searching config files for clientAuthToken/authToken when the auth-token file is missing

Server (src/server.ts):

  • AuthManager uses clientAuthToken as master token fallback when authToken is empty
  • Session encryption key also checks clientAuthToken

Verification

  • tsc --noEmit: clean
  • Backward compatible: existing setups with authToken are unaffected

Related

…er (#3340)

Two-part fix for the first-run auth regression:

CLI (run.ts):
- resolveAuthToken() now falls back to searching all config files for
  clientAuthToken/authToken when the auth-token file is missing

Server (server.ts):
- AuthManager now uses clientAuthToken as master token fallback when
  authToken is not set (ag init writes to clientAuthToken)
- Session encryption key also checks clientAuthToken

This closes the gap where ag init --yes writes tokens to clientAuthToken
but the server only reads authToken, causing 401 for new users.

Fixes: #3340

@aegis-gh-agent aegis-gh-agent Bot left a comment

Contributor


Approved.

Clean P1 auth fix. Three changes:

  1. resolveAuthToken() → async, falls back to loadConfig() → clientAuthToken || authToken
  2. Server encryption key now checks both authToken and clientAuthToken
  3. AuthManager initialized with authToken || clientAuthToken

Resolves the mismatch where CLI reads ~/.aegis/auth-token but server uses config. Existing test coverage validates auth scenarios — gate 6 satisfied.

CI green. All gates pass.

@aegis-gh-agent aegis-gh-agent Bot merged commit ca6f12b into develop May 14, 2026
17 checks passed
@aegis-gh-agent aegis-gh-agent Bot deleted the fix/3340-3356-auth-discovery branch May 14, 2026 11:58
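
The discovery orders described in the PR summary and the review comment above, modelled side by side as an added example (not code from this PR or the project). All function and field names other than `authToken` and `clientAuthToken` are hypothetical, the token strings are constructed, and it assumes the server accepts only the exact token it resolved as master token.

```typescript
// Hypothetical model of the two discovery paths; not the project's code.
interface Config { authToken?: string; clientAuthToken?: string }
interface Inputs {
  envToken?: string;  // token taken from an environment variable, if set
  fileToken?: string; // contents of the auth-token file, if present
  config: Config;     // fields read from the config file
}

// First non-empty candidate wins, mirroring the `||` chains in the review.
function pick(...candidates: (string | undefined)[]): string | undefined {
  for (const v of candidates) if (v) return v;
  return undefined;
}

// CLI: env, then auth-token file; after the fix, config as a last fallback
// in the order clientAuthToken || authToken.
function cliToken(i: Inputs, fixed: boolean): string | undefined {
  const fromConfig = fixed
    ? pick(i.config.clientAuthToken, i.config.authToken)
    : undefined;
  return pick(i.envToken, i.fileToken, fromConfig);
}

// Server: authToken only before the fix; authToken || clientAuthToken after.
function serverToken(c: Config, fixed: boolean): string | undefined {
  return fixed ? pick(c.authToken, c.clientAuthToken) : pick(c.authToken);
}

// Assumption: a request passes only when the CLI sends a token and it
// equals the server's master token; anything else is a 401.
function accepted(i: Inputs, fixed: boolean): boolean {
  const sent = cliToken(i, fixed);
  return sent !== undefined && sent === serverToken(i.config, fixed);
}

// Constructed inputs.
// Fresh `ag init --yes`: only clientAuthToken is written.
const freshInit: Inputs = { config: { clientAuthToken: "tok-init" } };
// Existing setup: authToken in config, same value in the auth-token file.
const legacy: Inputs = { fileToken: "tok-old", config: { authToken: "tok-old" } };
// Both config fields set to different values: the two sides pick opposite ones.
const bothDiffer: Inputs = { config: { authToken: "tok-a", clientAuthToken: "tok-b" } };
// Auth-token file left over from an earlier install, config re-initialised.
const staleFile: Inputs = { fileToken: "tok-stale", config: { clientAuthToken: "tok-init" } };
```

In this model the fresh-init case goes from rejected to accepted and the legacy case is unchanged, while `bothDiffer` and `staleFile` are still rejected after the fix because the two sides resolve different values.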