fix: report auth env mismatch instead of session expired#263
Merged
Conversation
Contributor
|
🎉 PR Validation ✅ PASSED Commit: Checks:
Ready to merge! ✨ 🔗 View workflow run |
vreshch
added a commit
that referenced
this pull request
Jul 9, 2026
Release v0.0.4 - prepared manually (the release-prepare workflow failed only on the AI changelog step: the repo ANTHROPIC_API_KEY hit its usage limit until 2026-08-01; version bump + changelog done by hand). Version 0.0.3 -> 0.0.4. Covers everything merged since v0.0.3 (#221-#263). Highlights: - BREAKING: removed the `agentage mcp` stdio command; MCP now served by the daemon over HTTP. - Account sync + autodiscovery; setup starts the daemon. - status overhaul (daemon/mcp/target/vaults rows, silent refresh, version headers). - Data-integrity fix: atomic file-lock create (no more silent lost registry writes). - Auth resilience: transient handling + env-mismatch reporting. Merge (squash) to publish 0.0.4 to npm via publish.yml. Squash subject stays `chore: prepare release v0.0.4` to pass the release gate.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Root cause
The CLI target host comes from
siteFqdn()=normalizeFqdn(process.env.AGENTAGE_SITE_FQDN), defaulting toagentage.io(production) when unset. But the stored credential in~/.agentage/auth.jsoncarries its OWNsiteFqdn(the environment it was issued for, e.g.dev.agentage.io).gatherStatus/introspectTokenvalidated the stored token against the CURRENT target's auth server, ignoring the credential's ownauth.siteFqdn. So a credential issued for dev, checked against production, was rejected and reported asauth [x] session expired - run: agentage setup- misleading: the session is not expired, it belongs to a DIFFERENT environment than the CLI is pointed at.Fix
New helper
src/lib/auth/env-match.tsdetectEnvMismatch(auth, targetFqdn)compares normalized fqdns.gatherStatuscalls it BEFORE introspection: on a mismatch it renders a neutral line and does NOT introspect cross-environment.Before (mismatch case)
After (mismatch case)
!(yellow, neutral - not check, not cross). Exit code stays 0.status --jsongains an additiveauth.mismatchfield:{ credentialFqdn, credentialEnv, targetFqdn, targetEnv },signedIn: false. Existing fields (signedIn,endpoint,fqdn,env,version) unchanged - e2e helpers untouched.setup
When already signed in but the stored credential is for a DIFFERENT environment than the current target, setup no longer says a bare "Already signed in." It informs the user they are signed into
<credEnv>and this run signs them into<targetEnv>, then proceeds to a fresh sign-in (the correct action). Matching-env behavior unchanged.Same-env path preserved
When credential env == target env, behavior is exactly as before: introspect via the #262-hardened path (valid -> session active; transient -> transient note; terminal -> the literal
session expired - run: agentage setupthat e2e greps). The mismatch case is a NEW, distinct message and does not reuse the expired literal.Tests
env-match.test.ts: match/mismatch both directions + localhost/dev detection + fqdn normalization.status-info.test.ts: mismatch (dev cred vs prod target, and reverse) ->mismatchset,signedIn: false, not "session expired", no cross-env introspection.status.test.ts: neutral!mismatch line naming both sides, never expired.setup.test.ts: mismatched-env (both directions) -> informs + signs into current target, no introspect; matched-env valid -> "Already signed in" unchanged.npm run verifygreen (481 tests).