fix: preview env agent creation and auth failures (#3125)

vnv-varun · web-flow · commit d6443a9cfa98 · 2026-04-15T17:07:18.000Z
* fix: preview env agent creation and auth failures

Preview environments were missing INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET,
forcing manage-ui server actions to fall back to fragile cookie forwarding
for API auth. This caused false "Failed to create agent" errors and broken
agent detail pages on most PR previews.

Changes:
- Inject INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET into both manage-ui and
  agents-api Vercel preview env vars (requires PREVIEW_MANAGE_API_BYPASS_SECRET
  GitHub secret to be created)
- Add auth mode logging to manage-ui API calls so preview auth issues are
  visible in Vercel logs
- Stop re-throwing auto-commit errors in branchScopedDb middleware - the
  route handler already succeeded and re-throwing turns a 201 into a 500
  while the write is safely in Dolt's working set

* fix: add retry to branchScopedDb auto-commit before swallowing

Address review feedback: add one retry attempt for the auto-commit
before falling back to swallowing the error. This reduces the chance
of relying on the autoCommitPending recovery path.

Also clarify in the comment that Dolt working set changes are
per-branch and survive checkout to main + connection release.
diff --git a/.github/scripts/preview/upsert-vercel-preview-env.sh b/.github/scripts/preview/upsert-vercel-preview-env.sh
@@ -13,6 +13,7 @@ require_env_vars \
   ANTHROPIC_API_KEY \
   BETTER_AUTH_SECRET \
   SPICEDB_PRESHARED_KEY \
+  INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET \
   PR_BRANCH \
   API_URL \
   UI_URL
@@ -22,7 +23,7 @@ if ! [[ "${PR_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]]; then
   exit 1
 fi
 
-mask_env_vars ANTHROPIC_API_KEY BETTER_AUTH_SECRET SPICEDB_PRESHARED_KEY MANAGE_DB_URL RUN_DB_URL SPICEDB_ENDPOINT
+mask_env_vars ANTHROPIC_API_KEY BETTER_AUTH_SECRET SPICEDB_PRESHARED_KEY INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET MANAGE_DB_URL RUN_DB_URL SPICEDB_ENDPOINT
 
 if [ -z "${MANAGE_DB_URL:-}" ] || [ -z "${RUN_DB_URL:-}" ] || [ -z "${SPICEDB_ENDPOINT:-}" ]; then
   require_env_vars \
@@ -89,6 +90,7 @@ upsert_env() {
 upsert_env "${VERCEL_MANAGE_UI_PROJECT_ID}" "INKEEP_AGENTS_API_URL" "${API_URL}"
 upsert_env "${VERCEL_MANAGE_UI_PROJECT_ID}" "PUBLIC_INKEEP_AGENTS_API_URL" "${API_URL}"
 upsert_env "${VERCEL_MANAGE_UI_PROJECT_ID}" "NEXT_PUBLIC_INKEEP_AGENTS_API_URL" "${API_URL}"
+upsert_env "${VERCEL_MANAGE_UI_PROJECT_ID}" "INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET" "${INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET}"
 
 upsert_env "${VERCEL_API_PROJECT_ID}" "INKEEP_AGENTS_API_URL" "${API_URL}"
 upsert_env "${VERCEL_API_PROJECT_ID}" "INKEEP_AGENTS_MANAGE_UI_URL" "${UI_URL}"
@@ -102,3 +104,4 @@ upsert_env "${VERCEL_API_PROJECT_ID}" "SPICEDB_ENDPOINT" "${SPICEDB_ENDPOINT}"
 upsert_env "${VERCEL_API_PROJECT_ID}" "SPICEDB_TLS_ENABLED" "false"
 upsert_env "${VERCEL_API_PROJECT_ID}" "BETTER_AUTH_SECRET" "${BETTER_AUTH_SECRET}"
 upsert_env "${VERCEL_API_PROJECT_ID}" "SPICEDB_PRESHARED_KEY" "${SPICEDB_PRESHARED_KEY}"
+upsert_env "${VERCEL_API_PROJECT_ID}" "INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET" "${INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET}"
diff --git a/.github/workflows/preview-environments.yml b/.github/workflows/preview-environments.yml
@@ -13,6 +13,7 @@ name: Preview Environments
 # - PREVIEW_MANAGE_UI_PASSWORD=<admin password> (secret)
 # - PREVIEW_BETTER_AUTH_SECRET=<preview Better Auth secret> (secret)
 # - PREVIEW_SPICEDB_PRESHARED_KEY=<preview SpiceDB key> (secret)
+# - PREVIEW_MANAGE_API_BYPASS_SECRET=<preview manage API bypass secret> (secret)
 #
 # Repository variables:
 # - PREVIEW_ENVIRONMENTS_ENABLED=true|false
@@ -323,6 +324,7 @@ jobs:
           SPICEDB_ENDPOINT: ${{ needs.bootstrap-preview-auth.outputs.spicedb_endpoint }}
           BETTER_AUTH_SECRET: ${{ secrets.PREVIEW_BETTER_AUTH_SECRET }}
           SPICEDB_PRESHARED_KEY: ${{ secrets.PREVIEW_SPICEDB_PRESHARED_KEY }}
+          INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET: ${{ secrets.PREVIEW_MANAGE_API_BYPASS_SECRET }}
           CI: true
           RAILWAY_API_TOKEN: ${{ secrets.RAILWAY_API_TOKEN || secrets.RAILWAY_TOKEN }}
           RAILWAY_PROJECT_ID: ${{ vars.RAILWAY_PROJECT_ID }}
diff --git a/agents-api/src/middleware/branchScopedDb.ts b/agents-api/src/middleware/branchScopedDb.ts
@@ -113,42 +113,62 @@ export const branchScopedDbMiddleware = async (c: Context, next: Next) => {
       resolvedRef.type === 'branch' && operationSuccess && !projectDeleteOperation && !isReadMethod;
 
     if (shouldCommit) {
-      try {
-        // Check if there are uncommitted changes
-        const statusResult = await doltStatus(requestDb)();
-
-        // If there are uncommitted changes and the operation was successful, commit the changes
-        if (statusResult.length > 0 && operationSuccess) {
-          const path = c.req.path;
-          const commitMessage = generateCommitMessage(method, path);
-
-          logger.info(
-            { branch: resolvedRef.name, message: commitMessage },
-            'Auto-committing changes'
-          );
-
-          await doltAddAndCommit(requestDb)({
-            message: commitMessage,
-            author: {
-              name: userId ?? 'agents-api',
-              email: userEmail ?? 'api@inkeep.com',
-            },
-          });
-
-          logger.info({ branch: resolvedRef.name }, 'Successfully committed changes');
-        } else if (statusResult.length > 0 && !operationSuccess) {
-          await doltReset(requestDb)();
-          logger.info(
-            { branch: resolvedRef.name },
-            'Successfully reset changes due to failed operation'
-          );
+      const path = c.req.path;
+      const commitMessage = generateCommitMessage(method, path);
+      const commitAuthor = {
+        name: userId ?? 'agents-api',
+        email: userEmail ?? 'api@inkeep.com',
+      };
+
+      let committed = false;
+      for (let attempt = 1; attempt <= 2 && !committed; attempt++) {
+        try {
+          const statusResult = await doltStatus(requestDb)();
+
+          if (statusResult.length > 0 && operationSuccess) {
+            if (attempt === 1) {
+              logger.info(
+                { branch: resolvedRef.name, message: commitMessage },
+                'Auto-committing changes'
+              );
+            }
+
+            await doltAddAndCommit(requestDb)({
+              message: commitMessage,
+              author: commitAuthor,
+            });
+
+            logger.info({ branch: resolvedRef.name }, 'Successfully committed changes');
+            committed = true;
+          } else if (statusResult.length > 0 && !operationSuccess) {
+            await doltReset(requestDb)();
+            logger.info(
+              { branch: resolvedRef.name },
+              'Successfully reset changes due to failed operation'
+            );
+            committed = true;
+          } else {
+            committed = true;
+          }
+        } catch (error) {
+          if (attempt < 2) {
+            logger.warn(
+              { error, ...getDatabaseErrorLogContext(error), branch: resolvedRef.name, attempt },
+              'Auto-commit attempt failed, retrying'
+            );
+          } else {
+            // Do NOT re-throw: the route handler already returned a successful
+            // response. Re-throwing replaces the handler's 2xx with a 500,
+            // making the client think the operation failed when the write
+            // is in Dolt's working set (persisted per-branch, survives
+            // checkout to main and connection release). The next request's
+            // checkoutBranch with autoCommitPending:true will commit it.
+            logger.error(
+              { error, ...getDatabaseErrorLogContext(error), branch: resolvedRef.name },
+              'Auto-commit failed after retry - writes remain in branch working set for next checkout'
+            );
+          }
         }
-      } catch (error) {
-        logger.error(
-          { error, ...getDatabaseErrorLogContext(error), branch: resolvedRef.name },
-          'Failed to auto-commit changes — uncommitted writes will be lost on connection release'
-        );
-        throw error;
       }
     }
   } finally {
diff --git a/agents-manage-ui/src/lib/api/api-config.ts b/agents-manage-ui/src/lib/api/api-config.ts
@@ -61,11 +61,21 @@ async function makeApiRequestInternal<T>(
     }
   }
 
+  const hasBypassSecret = Boolean(process.env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET);
+  const authMode = hasBypassSecret ? 'bypass-secret' : cookieHeader ? 'cookie' : 'none';
+
+  if (authMode === 'none') {
+    console.warn(
+      `[api-config] No auth credentials for ${endpoint} - ` +
+        'set INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET or ensure session cookies are forwarded'
+    );
+  }
+
   const defaultHeaders: HeadersInit = {
     'Content-Type': 'application/json',
     ...options.headers,
     ...(cookieHeader && { Cookie: cookieHeader }),
-    ...(process.env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET && {
+    ...(hasBypassSecret && {
       Authorization: `Bearer ${process.env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET}`,
     }),
   };
@@ -127,6 +137,7 @@ async function makeApiRequestInternal<T>(
         errorData,
         errorMessage,
         errorCode,
+        authMode,
       });
 
       throw new ApiError(
