Skip to content

fix: report auth env mismatch instead of session expired#263

Merged
vreshch merged 1 commit into
masterfrom
fix/auth-env-mismatch
Jul 9, 2026
Merged

fix: report auth env mismatch instead of session expired#263
vreshch merged 1 commit into
masterfrom
fix/auth-env-mismatch

Conversation

@vreshch

@vreshch vreshch commented Jul 9, 2026

Copy link
Copy Markdown
Member

Root cause

The CLI target host comes from siteFqdn() = normalizeFqdn(process.env.AGENTAGE_SITE_FQDN), defaulting to agentage.io (production) when unset. But the stored credential in ~/.agentage/auth.json carries its OWN siteFqdn (the environment it was issued for, e.g. dev.agentage.io).

gatherStatus / introspectToken validated the stored token against the CURRENT target's auth server, ignoring the credential's own auth.siteFqdn. So a credential issued for dev, checked against production, was rejected and reported as auth [x] session expired - run: agentage setup - misleading: the session is not expired, it belongs to a DIFFERENT environment than the CLI is pointed at.

Fix

New helper src/lib/auth/env-match.ts detectEnvMismatch(auth, targetFqdn) compares normalized fqdns. gatherStatus calls it BEFORE introspection: on a mismatch it renders a neutral line and does NOT introspect cross-environment.

Before (mismatch case)

auth       [x] session expired - run: agentage setup

After (mismatch case)

auth       ! signed in to dev.agentage.io - CLI targets agentage.io (production); run: agentage setup to sign into production, or set AGENTAGE_SITE_FQDN=dev.agentage.io
  • New marker: ! (yellow, neutral - not check, not cross). Exit code stays 0.
  • status --json gains an additive auth.mismatch field: { credentialFqdn, credentialEnv, targetFqdn, targetEnv }, signedIn: false. Existing fields (signedIn, endpoint, fqdn, env, version) unchanged - e2e helpers untouched.

setup

When already signed in but the stored credential is for a DIFFERENT environment than the current target, setup no longer says a bare "Already signed in." It informs the user they are signed into <credEnv> and this run signs them into <targetEnv>, then proceeds to a fresh sign-in (the correct action). Matching-env behavior unchanged.

Same-env path preserved

When credential env == target env, behavior is exactly as before: introspect via the #262-hardened path (valid -> session active; transient -> transient note; terminal -> the literal session expired - run: agentage setup that e2e greps). The mismatch case is a NEW, distinct message and does not reuse the expired literal.

Tests

  • env-match.test.ts: match/mismatch both directions + localhost/dev detection + fqdn normalization.
  • status-info.test.ts: mismatch (dev cred vs prod target, and reverse) -> mismatch set, signedIn: false, not "session expired", no cross-env introspection.
  • status.test.ts: neutral ! mismatch line naming both sides, never expired.
  • setup.test.ts: mismatched-env (both directions) -> informs + signs into current target, no introspect; matched-env valid -> "Already signed in" unchanged.

npm run verify green (481 tests).

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎉 PR Validation ✅ PASSED

Commit: f59861eb6767d34512b626386dd1870cd2ece95d
Branch: fix/auth-env-mismatch

Checks:

  • ✅ Release guard (no version/changelog changes)
  • ✅ Dependencies installed
  • ✅ Type check passed
  • ✅ Linting passed
  • ✅ Format check passed
  • ✅ Tests + coverage passed
  • ✅ Build successful

Ready to merge!


🔗 View workflow run
⏰ Generated at: 2026-07-09T18:24:52.209Z

@vreshch vreshch marked this pull request as ready for review July 9, 2026 18:26
@vreshch vreshch merged commit 0154aef into master Jul 9, 2026
3 checks passed
@vreshch vreshch deleted the fix/auth-env-mismatch branch July 9, 2026 18:26
vreshch added a commit that referenced this pull request Jul 9, 2026
Release v0.0.4 - prepared manually (the release-prepare workflow failed
only on the AI changelog step: the repo ANTHROPIC_API_KEY hit its usage
limit until 2026-08-01; version bump + changelog done by hand).

Version 0.0.3 -> 0.0.4. Covers everything merged since v0.0.3
(#221-#263). Highlights:
- BREAKING: removed the `agentage mcp` stdio command; MCP now served by
the daemon over HTTP.
- Account sync + autodiscovery; setup starts the daemon.
- status overhaul (daemon/mcp/target/vaults rows, silent refresh,
version headers).
- Data-integrity fix: atomic file-lock create (no more silent lost
registry writes).
- Auth resilience: transient handling + env-mismatch reporting.

Merge (squash) to publish 0.0.4 to npm via publish.yml. Squash subject
stays `chore: prepare release v0.0.4` to pass the release gate.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant