npm - colana - Versions diffs - 1.0.0-beta.49 → 1.0.0-beta.50 - Mend

colana 1.0.0-beta.49 → 1.0.0-beta.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/server/personal-agent-routes.js +25 -5
package/server/pty-manager.js +7 -19

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "colana",
-  "version": "1.0.0-beta.49",
+  "version": "1.0.0-beta.50",
   "description": "Agent-First. Multiplied. Multi-agent command center for AI coding agents.",
   "type": "module",
   "main": "server/index.js",

package/server/personal-agent-routes.js CHANGED Viewed

@@ -157,15 +157,35 @@ export function registerPersonalAgentRoutes(app, { sensitiveLimiter }) {
           const providerLabel = provider || null;
           const envVar = provider ? PROVIDER_ENV_MAP[provider] : null;
-          // Check if the error body hints at provider-level auth failure
+          // Check if the error body hints at provider-level auth failure.
+          // OpenClaw gateway proxies upstream 401s as-is. The upstream error body
+          // varies by provider — some include "api_key", others just "unauthorized".
+          // We also probe /v1/models with our token: if that works, the gateway
+          // accepts our token and the 401 must be from the upstream provider.
           const isProviderAuth = errText.includes('api_key') || errText.includes('API key')
-            || errText.includes('invalid_api_key') || errText.includes('authentication_error');
+            || errText.includes('invalid_api_key') || errText.includes('authentication_error')
+            || errText.includes('"type":"unauthorized"') || errText.includes('"type": "unauthorized"');
+          // If provider-level detection didn't match, verify if gateway auth is actually fine
+          // by probing /v1/models (lightweight, always available)
+          let gatewayAuthOk = isProviderAuth;
+          if (!gatewayAuthOk) {
+            try {
+              const probeRes = await fetch(`http://127.0.0.1:${port}/v1/models`, {
+                headers: { 'Authorization': `Bearer ${authToken}` },
+                signal: AbortSignal.timeout(3000),
+              });
+              // If /v1/models returns 200, our gateway token is accepted —
+              // so the 401 on /v1/chat/completions is from the upstream provider
+              gatewayAuthOk = probeRes.ok;
+            } catch { /* probe failed — assume gateway token issue */ }
+          }
-          if (isProviderAuth) {
+          if (gatewayAuthOk) {
             return res.status(401).json({
               error: providerLabel
                 ? `Authentication failed — your ${providerLabel} API key may be missing or invalid.`
-                : 'Authentication failed — your API key may be missing or invalid.',
+                : 'Authentication failed — your model provider API key may be missing or invalid.',
               code: 'GATEWAY_AUTH_FAILED',
               fix: envVar
                 ? `Add or update your ${envVar} in Settings > Personal AI Agents.`
@@ -174,7 +194,7 @@ export function registerPersonalAgentRoutes(app, { sensitiveLimiter }) {
             });
           }
-          // Default: gateway token mismatch (token exists locally but doesn't match gateway)
+          // Gateway itself rejected our token — needs restart to resync
           return res.status(401).json({
             error: 'Gateway authentication failed — the auth token may be stale.',
             code: 'GATEWAY_TOKEN_STALE',

package/server/pty-manager.js CHANGED Viewed

@@ -317,30 +317,18 @@ async function ensureOpenClawConfigured() {
 /**
  * Verify that the running gateway accepts our bearer token.
- * Uses POST /v1/chat/completions with a minimal body — the same endpoint
- * the chat route uses — to ensure auth is truly valid end-to-end.
+ * Uses GET /v1/models — a lightweight endpoint that checks gateway-level
+ * auth without hitting any upstream provider (avoids false 401s from
+ * missing/invalid provider API keys).
  * Returns true if token is accepted, false if 401.
  */
 async function verifyGatewayToken(port, token) {
   try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 5000);
-    // Use the actual chat endpoint — /v1/models may not require auth
-    const res = await fetch(`http://127.0.0.1:${port}/v1/chat/completions`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${token}`,
-        'x-openclaw-agent-id': 'main',
-      },
-      body: JSON.stringify({
-        messages: [{ role: 'user', content: 'ping' }],
-        max_tokens: 1,
-      }),
-      signal: controller.signal,
+    const res = await fetch(`http://127.0.0.1:${port}/v1/models`, {
+      headers: { 'Authorization': `Bearer ${token}` },
+      signal: AbortSignal.timeout(3000),
     });
-    clearTimeout(timeout);
-    // 401 = token rejected. Anything else (200, 400, 500, etc.) = token accepted.
+    // 401 = gateway rejected our token. Anything else = token accepted.
     const accepted = res.status !== 401;
     if (!accepted) {
       const body = await res.text().catch(() => '');