fix(agent): trim unauthenticated /health payload to bare status#275
fix(agent): trim unauthenticated /health payload to bare status#275jaredglaser wants to merge 3 commits into
Conversation
The /health endpoint bypasses auth so the agent-updater and Docker
healthchecks can probe liveness, but it also returned the agent version,
Docker engine/API versions, and ZFS capability detail to anyone who
could reach the port. That detail now lives on a new authenticated
GET /info endpoint; /health returns only { status } with the same
200/503 semantics, so liveness consumers (agent-updater, Dockerfile
HEALTHCHECK, dev-seed) keep working unchanged.
Web callers that read version info were updated to preserve behavior:
AgentClient.health() now queries /info with its existing signer, and
checkAgentHealth() accepts an optional token minter so host health
checks fetch version/capability detail from /info after the liveness
probe. Hosts without an enrolled keypair still get a liveness verdict,
just without version info.
Closes #230
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 56 minutes and 15 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (13)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Validate /health body shape at runtime: check body.status === 'healthy' rather than just parsing JSON, so an unrelated server returning 200 with arbitrary JSON is rejected - Guard handleUpdateAgent retry loop against undefined version: a transient /info failure returns version: undefined, which must not be treated as a version change or the loop exits prematurely - Log /info HTTP errors and network failures via console.error so operators can diagnose missing version info in Managed Hosts; getToken failures remain silent (expected for pending/unenrolled hosts) - Fix missing expectedAudience arg in new middleware test for /info - Add tests: /health body shape validation, console.error logging for /info failures, no logging on getToken throws, hostName forwarding in handleRefreshHostStatus, undefined-version guard in update loop Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016xMT3rEMsfcBMLhLTHqTtk
The PR branch authenticateRequest takes 3 args (no expectedAudience); the cherry-pick left HOST references from the main-branch version. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016xMT3rEMsfcBMLhLTHqTtk
Summary
/health(intentionally unauthenticated) previously returned the agent version, Docker engine/API versions, and ZFS capability detail. It now returns only{ status: "healthy" | "unhealthy" }with the same 200/503 semantics, so liveness consumers (agent-updaterhealth-reporter, the agent Dockerfile HEALTHCHECK, worker dev-seed) keep working unchanged.GET /infoendpoint on the agent that carries the previous detail payload (agentVersion, Docker and ZFS capabilities). The auth middleware only bypasses/health, so/inforequires a valid JWT; a middleware test asserts this.agent/src/types.ts:AgentHealthCheckResponseis now status-only and a newAgentInfoResponsedescribes/info. The oldAgentHealthyResponse/AgentUnhealthyResponsetypes did not match what the agent actually returned.AgentClient.health()now queries/info(it always has a signer) and readsagentVersion.checkAgentHealth()in the web app still probes/healthfor liveness, and accepts an optional token minter to fetch version/Docker version from/infoafterward. Failures on/info(no keypair enrolled yet, older agent, network error) never affect the healthy verdict.addHost,updateAgent,checkHostHealth) wire a per-host JWT signer into the health check, so agent version reporting in Settings -> Managed Hosts is preserved (and now actually populated; the old code read aversionfield the agent never sent).docs/architecture.md.Testing
bun run typecheckandbun run typecheck:agent: pass.bun test --isolate(269 pass), including newhandleInfotests, status-only/healthassertions, and a middleware test that/inforequires auth.agent-health-service.test.ts(liveness plus new authenticated/infopaths: bearer token, 401, non-JSON, token minting failure, no/infocall when/healthfails),agent-client.test.ts(health() hits/info),handlers.test.ts,host-utils.test.ts: all pass.Closes #230
🤖 Generated with Claude Code