feat(cli): inline --oauth for storyboard run + actionable auth hint#766
Conversation
When capability discovery fails with an OAuth challenge, `detectAuthRejection` now classifies via OAuth-specific bigrams (not the bare substring "authorization", which false-matched benign "authorization header" upstream errors), and the remediation observation fires whenever the error phrasing signals OAuth even if metadata discovery can't resolve the well-known chain. `adcp storyboard run <alias> --oauth` and `storyboard step <alias> --oauth` now run the browser PKCE flow inline when the saved alias lacks valid tokens and persist them back to the alias — matching the existing `--oauth` contract on the top-level command. Raw URL + `--oauth` stays a warning in human mode and becomes a structured `oauth_requires_alias` error (exit 2) under `--json` so CI pipelines fail fast instead of hanging. The shared helper wraps MCP client/transport/provider cleanup in try/finally, persists silently-refreshed tokens on the happy path, and carries `oauth_code_verifier` into the temp agent so a crashed mid-flight PKCE attempt survives. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Picks up asset_type discriminators on inline asset interfaces (image, video, audio, vast, daast, text, markdown, url, html, css, webhook, javascript, brief, catalog) and the "no separate account field" clarifications on plan-scoped governance requests. Pure regeneration — no handwritten source touched. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This reverts commit e38e526.
|
CI status note — Test & Build and CodeQL failures on this PR aren't introduced by the OAuth work; they reflect upstream state on
Happy to rebase once the schema-fixture migration lands on main. |
This reverts commit d23e2b3.
…xtures The regenerated AdCP schemas require an asset_type discriminator on every inline asset (image/video/audio/text/url/html/javascript/css/markdown etc). Four downstream sites got caught: - `src/lib/conformance/seeder.ts` ASSET_PLACEHOLDER entries — the seeder now emits matching `asset_type` on every synthesized placeholder. - `test/lib/conformance-seeder.test.js` assertion updated to expect the discriminator on the synthesized text asset. - `test/lib/request-validation.test.js` two sync_creatives fixtures now include `asset_type: 'video'`. - `test/lib/zod-schemas.test.js` GetCreativeFeaturesRequest fixture now includes `asset_type: 'image'` + required dimensions. Pure catch-up work against the latest schemas; no client/runtime changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Update: Test & Build now passes after adding All required checks green. The standalone |
Summary
storyboard runagainst an OAuth-protected agent reportedAgent unreachable — requires OAuth authorizationwith no actionable hint.detectAuthRejection's keyword list missedNeedsAuthorizationError's "requires OAuth authorization" phrasing, so the classification fell through to the generic unreachable path and the--save-auth --oauthremediation observation never fired.oauth authorization,requires oauth,oauthflowhandler,www-authenticate,bearer realm, etc.) instead of the bare substring "authorization" — that was also a security/DX false-match on benign errors like"authorization header missing from upstream"or"failed to connect to oauth proxy". The remediation observation now fires whenever OAuth phrasing is present OR metadata is discoverable.--oauthonstoryboard runandstoryboard step: opens the browser PKCE flow when the saved alias lacks valid tokens, persists them back, then continues the run. Matches the existing top-level--oauthcontract. Raw URL +--oauthstays a warning in human mode and becomes a structuredoauth_requires_aliaserror (exit 2) under--jsonso CI pipelines fail fast.ensureOAuthTokensForAliaswraps cleanup intry/finally, persists silently-refreshed tokens on the happy path, and carriesoauth_code_verifierso a crashed mid-flight PKCE attempt survives.docs/CLI.mdanddocs/guides/VALIDATE-YOUR-AGENT.mddocument both flows (pre-save + inline) and the CI path (save tokens once locally, ship~/.adcp/agents.jsonto the runner, drop--oauth).Test plan
detectAuthRejectionclassifiesNeedsAuthorizationError-style messages as auth, emits the remediation hint even when OAuth metadata isn't discoverable, doesn't mis-classify plain bearer 401s, and — regression guard — doesn't mis-classify benign"authorization header"upstream errors.storyboard run --oauthwith a raw URL prints the save-first warning in human mode and emits the structuredoauth_requires_aliasJSON error + exit 2 under--json.test-agentalias → ranadcp storyboard run test-agent --oauth --storyboards security_baseline→ browser opened → completed auth atagenticadvertising.org→ tokens persisted → storyboard ran withAuth: oauth (auto-refresh). The new remediation wording renders with fenced issuer.🤖 Generated with Claude Code