fix(cli): pass Authorization Bearer header in CLI helpers (closes #518)#577
fix(cli): pass Authorization Bearer header in CLI helpers (closes #518)#577rohitg00 wants to merge 1 commit into
Conversation
…rict When the user sets AGENTMEMORY_SECRET in ~/.agentmemory/.env the server enables the api-auth middleware on every mutating route, including /agentmemory/session/start. The CLI's own helpers — postJson and postJsonStrict — were not passing the Bearer header, so `agentmemory demo` and any other internal CLI HTTP call would 401 with "unauthorized" the moment a secret was configured. Plugin scripts under plugin/scripts/*.mjs already include the Bearer header via authHeaders(); this brings the CLI helpers in line. New jsonAuthHeaders() centralises the header build so future helpers stay consistent. Tests (1081) + build pass.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📝 WalkthroughWalkthroughThe PR introduces a shared ChangesCLI authentication headers
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint skipped: no ESLint configuration detected in root package.json. To enable, add Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/cli.ts (1)
1719-1753:⚠️ Potential issue | 🟠 Major | ⚡ Quick win
agentmemory demostill has an unauthenticated mutating POST.This only fixes callers that go through
postJson/postJsonStrict, butseedDemoSession()still posts to/agentmemory/observewith a hardcoded JSON-only header on Line 1794. WithAGENTMEMORY_SECRETset, demo seeding can still 401 aftersession/startsucceeds, so the CLI auth gap is not fully closed.Proposed fix
- const res = await fetch(url, { - method: "POST", - headers: { "Content-Type": "application/json" }, - body: JSON.stringify(payload), - signal: AbortSignal.timeout(5000), - }); + const res = await fetch(url, { + method: "POST", + headers: jsonAuthHeaders(), + body: JSON.stringify(payload), + signal: AbortSignal.timeout(5000), + });Or route that call through
postJsonStrict()as well so all CLI JSON POSTs share the same auth path.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/cli.ts` around lines 1719 - 1753, seedDemoSession is making an unauthenticated POST to "/agentmemory/observe" with a hardcoded JSON header; update that code to use the existing JSON auth helper instead of a manual header or route the call through postJsonStrict/postJson so the AGENTMEMORY_SECRET is applied. Specifically, replace the direct fetch/header construction in seedDemoSession with a call to postJsonStrict<T>(url, body, timeoutMs) (or at minimum use jsonAuthHeaders() for the fetch headers) so the Authorization Bearer header from jsonAuthHeaders() is included for the observe request.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@src/cli.ts`:
- Around line 1719-1753: seedDemoSession is making an unauthenticated POST to
"/agentmemory/observe" with a hardcoded JSON header; update that code to use the
existing JSON auth helper instead of a manual header or route the call through
postJsonStrict/postJson so the AGENTMEMORY_SECRET is applied. Specifically,
replace the direct fetch/header construction in seedDemoSession with a call to
postJsonStrict<T>(url, body, timeoutMs) (or at minimum use jsonAuthHeaders() for
the fetch headers) so the Authorization Bearer header from jsonAuthHeaders() is
included for the observe request.
1 participant
Summary
Closes #518.
When
AGENTMEMORY_SECRETis set, the server enables theapi-authmiddleware on every mutating REST route (including/agentmemory/session/start). The CLI's own HTTP helpers —postJsonandpostJsonStrict— were not passing theAuthorization: Bearer ${AGENTMEMORY_SECRET}header, soagentmemory demoand any other internal CLI HTTP call would401 unauthorizedthe moment a secret was configured.This matches exactly what @victorbjuliani found:
Plugin scripts (
plugin/scripts/*.mjs) already pass the Bearer correctly viaauthHeaders(). This PR brings the CLI helpers in line.Diff
src/cli.ts—+9/-2addsjsonAuthHeaders()helper and routes bothpostJson+postJsonStrictthrough it.Validation
npm test→ 97/97 test files, 1081/1081 tests passnpm run build→ bundle cleanNote on import-jsonl + consolidation pipeline
The issue body originally framed the symptom as "consolidation pipeline halts after
import-jsonl".import-jsonlitself does pass the Bearer (src/cli.ts:2329-2330) and writes sessions + observations directly via the replay function, which by current design uses synthetic compression inline rather than fanning out through the livemem::observeconsolidation triggers.If
import-jsonlshould also enqueue flow-compress / consolidate / graph-extract on imported observations, that's a separate behavior change worth a dedicated issue — please open a follow-up if so. This PR addresses the auth gap that was blockingdemoand any other CLI HTTP path.Summary by CodeRabbit