fix: 3 regressions from PR #10 merge — Bedrock env passthrough + health route #14
Merged
…e Bedrock/AWS allow-list
Two regressions caught by running the full workspace test suite (`pnpm
-r test`):
1. `inheritEssentialHostEnv` was declared but not exported. The test
in src/engine.test.ts imports it as a named export, so the suite
threw 'inheritEssentialHostEnv is not a function' at three tests.
Added 'export' to the declaration at line 272.
2. The function's allow-list had been trimmed back to just POSIX/XDG
basics (HOME, PATH, USER, …). This regressed task #68 (Phase 2a:
OSS PR — Bedrock env passthrough), which is the contract that lets
a worker pod with IRSA-injected AWS_ROLE_ARN +
AWS_WEB_IDENTITY_TOKEN_FILE actually invoke Bedrock. Restored the
9 keys the test (and reality) require:
CLAUDE_CODE_USE_BEDROCK
AWS_REGION
AWS_DEFAULT_REGION
AWS_BEDROCK_MODEL_ID
AWS_ROLE_ARN
AWS_WEB_IDENTITY_TOKEN_FILE
AWS_PROFILE
AWS_SHARED_CREDENTIALS_FILE
AWS_CONFIG_FILE
After the fix: 10/10 engine-claude-agent-sdk tests pass (was 7/10).
Full workspace suite: 422 passing, 40 skipped (offline, gated on env),
0 failures across all 22 packages with tests.
How the regression got in: PR #10 (policy guardrails) was authored on
a branch that started before the Bedrock-env work in task #68 landed;
when it merged to main + I --theirs-resolved engine.ts during the
chore/oss-cleanup-public merge, the older smaller allow-list won.
The cookie-session auth middleware mounts at /agentos/api/* (line 278)
and gates everything that comes AFTER it. The health route at line 920
was therefore being 401'd, breaking k8s/ALB liveness probes and the
examples/agentos-api.test.ts smoke check.
Hoisted the GET /agentos/api/health route to before the
app.use('/agentos/api/*', requireAuth) line so it stays public.
Symmetric to /agentos/api/login, /logout, /me which were already
hoisted for the same reason.
After: examples test suite 1/18 passing (17 skipped offline, none
failing — was 1 failed before).
Full workspace sweep: 423 passing, 114 skipped, 0 failed.
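The route-ordering failure described in the commit message above, as an added example that is not code from this PR or the project: a simplified model of registration-order dispatch showing the health probe answering 401 when registered after `requireAuth` and 200 when hoisted, plus a check that pins the unauthenticated surface to the hoisted route only. The `MiniApp` class, `buildApp`, `publicPaths` and the `/agentos/api/tasks` route are assumptions made for illustration.

```typescript
// Simplified model of registration-order dispatch (illustrative; not Express/Hono code).
// A step returns an HTTP status to answer the request, or null to pass it on.
type Step = (hasSession: boolean) => number | null;
type Entry = { pattern: string; run: Step };

class MiniApp {
  private entries: Entry[] = [];

  // Middleware and route handlers share one ordered list: order defines auth scope.
  use(pattern: string, run: Step): void { this.entries.push({ pattern, run }); }
  get(pattern: string, run: Step): void { this.entries.push({ pattern, run }); }

  request(path: string, hasSession: boolean): number {
    for (const e of this.entries) {
      const hit = e.pattern.endsWith("/*")
        ? path.startsWith(e.pattern.slice(0, -1)) // "/agentos/api/*" matches by prefix
        : path === e.pattern;
      if (!hit) continue;
      const status = e.run(hasSession);
      if (status !== null) return status; // rejected by middleware or answered by handler
    }
    return 404;
  }

  // Paths that answer 200 without a session: the app's unauthenticated surface.
  publicPaths(candidates: string[]): string[] {
    return candidates.filter((p) => this.request(p, false) === 200);
  }
}

const requireAuth: Step = (hasSession) => (hasSession ? null : 401);
const ok: Step = () => 200;

// healthFirst=false reproduces the regression; healthFirst=true is the hoisted layout.
function buildApp(healthFirst: boolean): MiniApp {
  const app = new MiniApp();
  if (healthFirst) app.get("/agentos/api/health", ok);
  app.use("/agentos/api/*", requireAuth);
  if (!healthFirst) app.get("/agentos/api/health", ok);
  app.get("/agentos/api/tasks", ok); // hypothetical protected route
  return app;
}
```

Asserting the exact list returned by `publicPaths` in a test catches both directions of drift: a probe that falls behind auth, and a sensitive route that a later merge moves in front of it.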
Summary
Three regressions caught by running `pnpm -r test` across the whole workspace after the cleanup-merge. All three came from PR #10 (policy guardrails) branching off an older base + my `--theirs` resolution during the merge picking up the older code.

1. `engine-claude-agent-sdk/src/engine.ts:272`: `inheritEssentialHostEnv` declared but not exported; test imports it as a named export. `export`
2. `CLAUDE_CODE_USE_BEDROCK`, `AWS_REGION`, `AWS_DEFAULT_REGION`, `AWS_BEDROCK_MODEL_ID`, `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_PROFILE`, `AWS_SHARED_CREDENTIALS_FILE`, `AWS_CONFIG_FILE`
3. `examples/agentos-api.ts:920`: `GET /agentos/api/health` was mounted AFTER `app.use('/agentos/api/*', requireAuth)` → became 401-gated. Breaks k8s/ALB liveness probes.

Workspace test sweep — full coverage
The 114 skipped are deliberate offline-gates: substrate × source matrix tests gated on `ANTHROPIC_API_KEY` + `E2B_API_KEY`, Mongo tests gated on `MONGO_URL`, etc. They run live in the spike.
Verification