From 48d54e57c0d162a5c67c0e50889427a447ad35ad Mon Sep 17 00:00:00 2001 From: Rohit Ghumare Date: Wed, 20 May 2026 16:53:56 +0100 Subject: [PATCH] fix(cli): pass Authorization Bearer header from postJson / postJsonStrict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the user sets AGENTMEMORY_SECRET in ~/.agentmemory/.env the server enables the api-auth middleware on every mutating route, including /agentmemory/session/start. The CLI's own helpers — postJson and postJsonStrict — were not passing the Bearer header, so `agentmemory demo` and any other internal CLI HTTP call would 401 with "unauthorized" the moment a secret was configured. Plugin scripts under plugin/scripts/*.mjs already include the Bearer header via authHeaders(); this brings the CLI helpers in line. New jsonAuthHeaders() centralises the header build so future helpers stay consistent. Tests (1081) + build pass. --- src/cli.ts | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/cli.ts b/src/cli.ts index e1ea9757..28f7c761 100644 --- a/src/cli.ts +++ b/src/cli.ts @@ -1716,6 +1716,13 @@ function buildDemoSessions(): DemoSession[] { ]; } +function jsonAuthHeaders(): Record { + const headers: Record = { "Content-Type": "application/json" }; + const secret = process.env["AGENTMEMORY_SECRET"]; + if (secret) headers["Authorization"] = `Bearer ${secret}`; + return headers; +} + async function postJson( url: string, body: unknown, @@ -1724,7 +1731,7 @@ async function postJson( try { const res = await fetch(url, { method: "POST", - headers: { "Content-Type": "application/json" }, + headers: jsonAuthHeaders(), body: JSON.stringify(body), signal: AbortSignal.timeout(timeoutMs), }); @@ -1742,7 +1749,7 @@ async function postJsonStrict( ): Promise { const res = await fetch(url, { method: "POST", - headers: { "Content-Type": "application/json" }, + headers: jsonAuthHeaders(), body: JSON.stringify(body), signal: AbortSignal.timeout(timeoutMs), });