[cornerstone] Thread accessToken through agent SSE endpoint #8117

Merged: dglazkov merged 1 commit into main from cornerstone-access-token on Mar 7, 2026

@dglazkov (Collaborator) commented Mar 7, 2026

## What

Pass the user's OAuth `accessToken` as a request body parameter to
`/streamRunAgent` (in addition to the Authorization header), and update the dev
backend to extract it from the body.

## Why

The opal-backend's data transforms (`conform_body.py`) need the user's OAuth
token to call `/uploadGeminiFile` and `/uploadBlobFile` on One Platform. The
user's token must travel in the request body, matching the pattern already used
by `/uploadGeminiFile`, `/uploadBlobFile`, and `/generateWebpageStream`.

## Changes

### Frontend (`packages/visual-editor`)

- **`fetch-allowlist.ts`** — Add `/streamRunAgent` to the
  `shouldAddAccessTokenToJsonBody` predicate so `fetchWithCreds` injects
  `accessToken` into the SSE POST body
- **`fetch-allowlist.test.ts`** [NEW] — Unit tests for `checkFetchAllowlist`,
  verifying `shouldAddAccessTokenToJsonBody` for all four endpoints plus a
  negative case

### Backend (`packages/opal-backend`)

- **`dev/main.py`** — `DevAgentBackend.run()` now prefers `accessToken` from the
  request body (via `pop()`) over the Authorization header, establishing the
  wire contract for production
- **`test_dev_access_token.py`** [NEW] — 5 tests verifying token extraction:
  body-only, header-fallback, body-takes-precedence,
  drive-client-gets-same-token, pop-strips-before-parsing

## Testing

```bash
npm run test                    # Full monorepo (43.6s, all pass)
npm run test:file -w packages/visual-editor -- './dist/tsc/tests/ui/fetch-allowlist.test.js'
cd packages/opal-backend && python3 -m pytest tests/test_dev_access_token.py -v
```
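
An added illustration of the token-extraction contract the description above lists (body-only, header-fallback, body-takes-precedence, pop-strips-before-parsing); it is not the code from `dev/main.py` or from this PR. The names `extract_access_token` and `TokenResult`, the `objective` field, and the sample token strings are assumptions made for the example.

```python
from typing import Any, Dict, Mapping, NamedTuple, Optional

TOKEN_FIELD = "accessToken"  # body field name taken from the PR description


class TokenResult(NamedTuple):
    token: Optional[str]     # credential to hand to downstream clients
    source: Optional[str]    # "body", "header", or None (useful for audit logs)
    payload: Dict[str, Any]  # request body with the credential removed


def _bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', if present."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def extract_access_token(body: Mapping[str, Any],
                         headers: Mapping[str, str]) -> TokenResult:
    """Prefer the body token over the header and strip it from the payload."""
    # Copying is a choice of this example so the caller's dict is untouched.
    payload = dict(body)
    # pop(), not get(): the credential must not survive into the payload
    # that is later parsed, logged, or forwarded.
    raw = payload.pop(TOKEN_FIELD, None)
    if isinstance(raw, str) and raw.strip():
        return TokenResult(raw.strip(), "body", payload)
    # Missing, empty, or non-string body value: fall back to the header.
    header_token = _bearer(headers)
    return TokenResult(header_token, "header" if header_token else None, payload)


# Constructed sample request (placeholder values, not real tokens).
SAMPLE_BODY = {"accessToken": "body-token-EXAMPLE", "objective": "summarize"}
SAMPLE_HEADERS = {"Authorization": "Bearer header-token-EXAMPLE"}

if __name__ == "__main__":
    result = extract_access_token(SAMPLE_BODY, SAMPLE_HEADERS)
    print(result.source, sorted(result.payload))
```
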

dglazkov enabled auto-merge (squash) March 7, 2026 18:00
dglazkov merged commit 6369953 into main Mar 7, 2026
3 checks passed
dglazkov deleted the cornerstone-access-token branch March 7, 2026 18:04

github-actions bot commented Mar 7, 2026

📊 Coverage Report

| Metric | PR | Main | Delta |
|---|---|---|---|
| Lines | 98.30% | 98.30% | ⚪ +0.00% |
| Functions | 98.25% | 98.25% | ⚪ +0.00% |
| Branches | 94.17% | 94.17% | ⚪ +0.00% |
