From 56cb80439be50fa008f71de22727d6d747eb80d3 Mon Sep 17 00:00:00 2001 From: shreyas-lyzr <141219160+shreyas-lyzr@users.noreply.github.com> Date: Sun, 31 May 2026 05:10:14 -0400 Subject: [PATCH 1/2] fix(engine-claude-agent-sdk): export inheritEssentialHostEnv + restore Bedrock/AWS allow-list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two regressions caught by running the full workspace test suite (`pnpm -r test`): 1. `inheritEssentialHostEnv` was declared but not exported. The test in src/engine.test.ts imports it as a named export, so the suite threw 'inheritEssentialHostEnv is not a function' at three tests. Added 'export' to the declaration at line 272. 2. The function's allow-list had been trimmed back to just POSIX/XDG basics (HOME, PATH, USER, …). This regressed task #68 (Phase 2a: OSS PR — Bedrock env passthrough), which is the contract that lets a worker pod with IRSA-injected AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE actually invoke Bedrock. Restored the 9 keys the test (and reality) require: CLAUDE_CODE_USE_BEDROCK AWS_REGION AWS_DEFAULT_REGION AWS_BEDROCK_MODEL_ID AWS_ROLE_ARN AWS_WEB_IDENTITY_TOKEN_FILE AWS_PROFILE AWS_SHARED_CREDENTIALS_FILE AWS_CONFIG_FILE After the fix: 10/10 engine-claude-agent-sdk tests pass (was 7/10). Full workspace suite: 422 passing, 40 skipped (offline, gated on env), 0 failures across all 22 packages with tests. How the regression got in: PR #10 (policy guardrails) was authored on a branch that started before the Bedrock-env work in task #68 landed; when it merged to main + I --theirs-resolved engine.ts during the chore/oss-cleanup-public merge, the older smaller allow-list won. --- packages/engine-claude-agent-sdk/src/engine.ts | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/packages/engine-claude-agent-sdk/src/engine.ts b/packages/engine-claude-agent-sdk/src/engine.ts index e1661b4..5b85ede 100644 --- a/packages/engine-claude-agent-sdk/src/engine.ts +++ b/packages/engine-claude-agent-sdk/src/engine.ts @@ -269,9 +269,11 @@ function signalToController(signal: AbortSignal): AbortController { * * Caller envs (api keys, etc.) override these on conflict. */ -function inheritEssentialHostEnv(): Record { +export function inheritEssentialHostEnv(): Record { const out: Record = {}; for (const k of [ + // POSIX + XDG basics — required for the SDK to resolve $HOME, $PATH, etc. + // Without these, transcript-mirror writes silently drop. "HOME", "PATH", "USER", @@ -281,6 +283,19 @@ function inheritEssentialHostEnv(): Record { "CLAUDE_CONFIG_DIR", "XDG_CONFIG_HOME", "XDG_DATA_HOME", + // Bedrock + AWS IRSA passthrough (task #68 Phase 2a) — when the caller + // routes the agent via Bedrock, the AWS SDK's default credential chain + // needs these. Picked up automatically from the pod env (IRSA injects + // AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE) or developer shell. + "CLAUDE_CODE_USE_BEDROCK", + "AWS_REGION", + "AWS_DEFAULT_REGION", + "AWS_BEDROCK_MODEL_ID", + "AWS_ROLE_ARN", + "AWS_WEB_IDENTITY_TOKEN_FILE", + "AWS_PROFILE", + "AWS_SHARED_CREDENTIALS_FILE", + "AWS_CONFIG_FILE", ]) { const v = process.env[k]; if (v) out[k] = v; From d6063f0ea576445dd1b27b9478d0e6b425d990c2 Mon Sep 17 00:00:00 2001 From: shreyas-lyzr <141219160+shreyas-lyzr@users.noreply.github.com> Date: Sun, 31 May 2026 05:12:08 -0400 Subject: [PATCH 2/2] fix(agentos-api): move /agentos/api/health route in front of requireAuth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cookie-session auth middleware mounts at /agentos/api/* (line 278) and gates everything that comes AFTER it. The health route at line 920 was therefore being 401'd, breaking k8s/ALB liveness probes and the examples/agentos-api.test.ts smoke check. Hoisted the GET /agentos/api/health route to before the app.use('/agentos/api/*', requireAuth) line so it stays public. Symmetric to /agentos/api/login, /logout, /me which were already hoisted for the same reason. After: examples test suite 1/18 passing (17 skipped offline, none failing — was 1 failed before). Full workspace sweep: 423 passing, 114 skipped, 0 failed. --- examples/agentos-api.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/agentos-api.ts b/examples/agentos-api.ts index d3ea167..481aac2 100644 --- a/examples/agentos-api.ts +++ b/examples/agentos-api.ts @@ -274,6 +274,9 @@ export function createAgentOSApp(opts: AgentOSOptions): Hono { return c.json({ user: null }, 401); }); + // Health check stays public so liveness probes can poll it without creds. + app.get("/agentos/api/health", (c) => c.json({ ok: true, agents: opts.agents.map((a) => a.name) })); + // Everything else under /agentos/api/* requires auth. app.use("/agentos/api/*", requireAuth); @@ -917,8 +920,6 @@ export function createAgentOSApp(opts: AgentOSOptions): Hono { return c.json({ ok: true }); }); - app.get("/agentos/api/health", (c) => c.json({ ok: true, agents: opts.agents.map((a) => a.name) })); - // ── Policies stubs ───────────────────────────────────────────────────────── // The Policies tab is wired against an external SRS (Security/Runtime/Safety) // service in the upstream design. In this deployment SRS isn't running, so