feat: send conversation owner id header on CAS websocket handshake

get_chat_bridge / get_voice_bridge forward context.synthetic_user_id as the
X-UiPath-Internal-SyntheticUserId handshake header so CAS can validate Unified Runtime
Robot connections for RunAsMe=false conversations. No-op when the context field is unset.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: scottcmg

packages/uipath/src/uipath/_cli/_chat/_bridge.py

@@ -525,6 +525,14 @@ def get_chat_bridge(
         "X-UiPath-ConversationId": context.conversation_id,
     }
 
+    # Conversation owner id forwarded by CAS via FpsProperties (conversationalService.syntheticUserId).
+    # CAS validates it against conversation.user_id on the handshake, since the Robot token's own
+    # subject is the robot account, not the conversation owner. Sent as a header (not a query param)
+    # to keep it out of access / load-balancer logs.
+    synthetic_user_id = getattr(context, "synthetic_user_id", None)
+    if synthetic_user_id:
+        headers["X-UiPath-Internal-SyntheticUserId"] = synthetic_user_id
+
     return SocketIOChatBridge(
         websocket_url=websocket_url,
         websocket_path=websocket_path,

packages/uipath/src/uipath/_cli/_chat/_voice_bridge.py

@@ -249,6 +249,14 @@ def get_voice_bridge(
         "X-UiPath-ConversationId": context.conversation_id,
     }
 
+    # Conversation owner id forwarded by CAS via FpsProperties (conversationalService.syntheticUserId).
+    # CAS validates it against conversation.user_id on the handshake, since the Robot token's own
+    # subject is the robot account, not the conversation owner. Sent as a header (not a query param)
+    # to keep it out of access / load-balancer logs.
+    synthetic_user_id = getattr(context, "synthetic_user_id", None)
+    if synthetic_user_id:
+        headers["X-UiPath-Internal-SyntheticUserId"] = synthetic_user_id
+
     return VoiceToolCallSession(
         url=url,
         socketio_path=socketio_path,

packages/uipath/tests/cli/chat/test_bridge.py

@@ -206,6 +206,33 @@ def test_get_chat_bridge_constructs_correct_headers(
         assert "X-UiPath-ConversationId" in bridge.headers
         assert bridge.headers["X-UiPath-ConversationId"] == "conv-789"
 
+    def test_get_chat_bridge_includes_synthetic_user_id_header_when_set(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """Conversation owner id (from FpsProperties) is sent on the handshake for CAS to validate."""
+        monkeypatch.setenv("UIPATH_URL", "https://cloud.uipath.com/org/tenant")
+        monkeypatch.setenv("UIPATH_ACCESS_TOKEN", "my-access-token")
+
+        context = MockRuntimeContext(conversation_id="conv-789")
+        context.synthetic_user_id = "owner-guid"  # type: ignore[attr-defined]
+
+        bridge = cast(SocketIOChatBridge, get_chat_bridge(cast(Any, context)))
+
+        assert bridge.headers["X-UiPath-Internal-SyntheticUserId"] == "owner-guid"
+
+    def test_get_chat_bridge_omits_synthetic_user_id_header_when_absent(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """No header is sent when the runtime has no owner id (backward compatible)."""
+        monkeypatch.setenv("UIPATH_URL", "https://cloud.uipath.com/org/tenant")
+        monkeypatch.setenv("UIPATH_ACCESS_TOKEN", "my-access-token")
+
+        context = MockRuntimeContext(conversation_id="conv-789")
+
+        bridge = cast(SocketIOChatBridge, get_chat_bridge(cast(Any, context)))
+
+        assert "X-UiPath-Internal-SyntheticUserId" not in bridge.headers
+
     def test_get_chat_bridge_raises_without_uipath_url(
         self, monkeypatch: pytest.MonkeyPatch
     ) -> None:

packages/uipath/tests/cli/chat/test_voice_bridge.py

@@ -135,3 +135,31 @@ def test_headers_fall_back_to_env_when_context_ids_are_none(
 
         assert bridge._headers["X-UiPath-Internal-TenantId"] == "env-tenant"
         assert bridge._headers["X-UiPath-Internal-AccountId"] == "env-org"
+
+    def test_includes_synthetic_user_id_header_when_set(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """Conversation owner id (from FpsProperties) is sent on the handshake for CAS to validate."""
+        monkeypatch.setenv("UIPATH_URL", "https://cloud.uipath.com")
+        ctx = MagicMock(
+            conversation_id="conv-1", tenant_id="t", org_id="o",
+            synthetic_user_id="owner-guid",
+        )
+
+        bridge = get_voice_bridge(ctx, AsyncMock())
+
+        assert bridge._headers["X-UiPath-Internal-SyntheticUserId"] == "owner-guid"
+
+    def test_omits_synthetic_user_id_header_when_none(
+        self, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        """No header is sent when the runtime has no owner id (backward compatible)."""
+        monkeypatch.setenv("UIPATH_URL", "https://cloud.uipath.com")
+        ctx = MagicMock(
+            conversation_id="conv-1", tenant_id="t", org_id="o",
+            synthetic_user_id=None,
+        )
+
+        bridge = get_voice_bridge(ctx, AsyncMock())
+
+        assert "X-UiPath-Internal-SyntheticUserId" not in bridge._headers