
Add authorizeRequest (Bearer or basic) to GET /api/agents/[agentName]/next-task and document the auth model in the OpenClaw workflow contract #410

@itsmiso-ai

Description


Parent umbrella issue: #408
Source audit: Weekly tech debt audit: dispatch - 2026-06-17
Source audit date: 2026-06-17

Original recommendation

P1 — Add authorizeRequest (Bearer or basic) to GET /api/agents/[agentName]/next-task and document the auth model in the OpenClaw workflow contract.

Matched top finding

The new next-task endpoint is the most powerful read endpoint in the system: given an agentName, it returns the next implement/followup-pr/groom task, the lane, and the full task contract. It is unauthenticated, like the older read endpoints (queue, active-work, work-summary), but it consolidates more decision-critical data into a single response than the older endpoints do. The agent queue and lease identifiers are exposed, which is useful reconnaissance for any actor probing the system.

Evidence:

  • src/app/api/agents/[agentName]/next-task/route.ts:1-30: no authorizeRequest import; route summary: auth=no, verbs=GET.
  • The route file is 229 lines; it reads from prisma.issue.findMany (open issues from enabled repos), listQueuedPrFixItems (PR fix queue), and findLeasedIssueIds (other agents' leases).
  • The test file next-task/route.test.ts has no cases for 401/unauthorized, which confirms the design intent (intentionally public) but does not document that intent anywhere.

Metadata

Labels: audit (Audit, review, or investigation work); priority/p1 (High priority); status/backlog (Not ready for worker pickup yet).
