feat: support configurable lanes in agent queue APIs#431
Conversation
Validate the lane query parameter against configured lanes at runtime
instead of hardcoding normal/escalated/backlog allowlists. Unknown
lanes now return a clear 400 error with available lane ids.
- Add lane validation to GET /api/agents/{name}/queue
- Add lane validation to GET /api/agents/{name}/next-task
- Preserve all existing query params: exclude_decomposed, includeClaimed,
includeRenovate
- Backward-compatible: omitting lane still works
- Custom configured lanes can be queried successfully
- Non-claimable lanes excluded from default worker queue
- Response includes issue lane value
![its-saffron[bot]](https://avatars.githubusercontent.com/in/3901073?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
its-saffron
Bot
dismissed
their stale review
Superseded by a newer automated review for this pull request.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
its-saffron
Bot
dismissed
their stale review
Superseded by a newer automated review for this pull request.
There was a problem hiding this comment.
AI Automated Review
Full PR review.
Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — routed smart (risk match: public_route_changes)
PR Review: feat: support configurable lanes in agent queue APIs
Recommendation: Approve
This PR implements configurable lanes for the agent queue APIs, adding lane validation and authorization controls. The implementation is well-tested and follows repository conventions.
Change-by-Change Findings
1. src/app/api/agents/[agentName]/queue/route.ts (+17 lines)
- Added authorization check: The
/queueendpoint now requires bearer token authentication viaauthorizeRequest(). Requests without valid tokens receive 401 Unauthorized. - Added lane validation: When a
lanequery param is provided, it is validated against configured lanes usingisValidLane(). Invalid lanes return 400 with a descriptive error message including valid options. - Backward compatibility: Omitting the
laneparam preserves existing default behavior.
2. src/app/api/agents/[agentName]/next-task/route.ts (+11, -1 lines)
- Added lane validation: Same validation pattern as queue endpoint — checks
isValidLane()when lane is provided, returns 400 for unknown lanes. - Existing auth intact: The endpoint already had
authorizeRequest()check (confirmed via file read).
3. src/app/api/agents/[agentName]/queue/route.test.ts (+365 lines)
- Comprehensive test coverage added for:
- Auth: 401 for missing/invalid tokens, proper behavior with valid tokens
- Auth isolation: unauthorized requests don't trigger DB queries
- Lane validation: 400 for unknown lanes, 200 for valid lanes
- Backward compatibility: omitting lane param works
- Custom lanes: tests with
fast/slow/parkedandalphalane configs - Lane filter interactions:
includeClaimed,includeRenovate,exclude_decomposedpreserved - Response includes lane value as required
4. src/lib/agent-queue.test.ts (+117 lines)
- Tests for configurable lane scenarios:
- Single claimable lane config
- Three claimable lanes config
- Non-claimable lanes excluded by default
- Non-claimable lanes can be included with
claimableOnly: false
Required Checks
✅ verify route access controls are in place
Both /api/agents/{agentName}/queue and /api/agents/{agentName}/next-task endpoints now require bearer token authorization via authorizeRequest(). The queue endpoint received explicit auth protection in this PR. Tests confirm:
- 401 returned when no auth header present
- 401 returned for invalid bearer token
- Valid bearer token allows access
- Unauthorized requests do not invoke database queries
✅ check for unintended public endpoints
No unintended public endpoints introduced. Both modified routes (/queue and /next-task) are internal agent API endpoints requiring bearer token authentication. No authentication was removed; the queue endpoint was strengthened with explicit auth checks.
Standards Compliance
- API routes return appropriate status codes: 401 for unauthorized, 400 for invalid lane, 200 for success. ✅
- Error handling uses
error instanceof Errorpattern: Error responses are structured JSON objects. ✅ - Bearer token auth: Uses
DISPATCH_AGENT_TOKENper repository conventions. ✅ - No secrets committed: No
.envfiles or credentials in diff. ✅ - Test conventions: Tests mock dependencies, use
beforeEach/afterEachcleanup, and test both positive and negative cases. ✅
Linked Issue Fit
Issue PR 384 acceptance criteria are satisfied:
| Criteria | Status |
|---|---|
Default normal queue behavior still works |
✅ Tested |
Default escalated queue behavior still works |
✅ Tested |
| Custom configured lane can be queried successfully | ✅ Tested |
| Unknown lane query returns clear error | ✅ Returns 400 with valid options |
| Single claimable lane config works | ✅ Tested |
| Three claimable lane config works | ✅ Tested |
| Non-claimable lanes excluded from worker queues | ✅ Tested |
| Tests cover default and custom lanes | ✅ Comprehensive |
Evidence Provider Findings
No evidence providers were configured for this PR. No blockers identified.
Tool Harness Findings
No additional verification needed — the files were read directly and confirm:
- Both endpoints have
authorizeRequest()checks - Lane validation uses
isValidLane()andgetLaneIds()from@/lib/lane-config - Error responses are structured consistently
Unknowns / Needs Verification
None. The implementation is fully verified from the diff and test coverage.
Conclusion
This PR adds configurable lane support to agent queue APIs while maintaining backward compatibility and adding proper authorization controls. The implementation is well-tested and meets all acceptance criteria from issue PR 384. CI passed (Validate, review, Docker Build all succeeded).
1 participant
Closes #384