Skip to content

[fix] Preserve invoke auth without trace context#5266

Merged
mmabrouk merged 1 commit into
big-agentsfrom
fix/invoke-auth-without-trace-context
Jul 13, 2026
Merged

[fix] Preserve invoke auth without trace context#5266
mmabrouk merged 1 commit into
big-agentsfrom
fix/invoke-auth-without-trace-context

Conversation

@mmabrouk

Copy link
Copy Markdown
Member

Context

An agent invocation could carry its Agenta authorization through the tracing context even when no active trace span produced a traceparent. trace_context() returned None whenever traceparent was absent, so it silently discarded the authorization and the downstream runner request could become unauthenticated.

Changes

trace_context() now keeps the context when either traceparent or Authorization is present. It still returns None when both are absent.

Tests / notes

  • Added coverage for an authorization-only context and an empty context.
  • Focused tracing tests: 6 passed.
  • Wire-contract tests: 35 passed.
  • Combined focused SDK verification: 68 passed.
  • Ruff formatting and lint passed.

How to review

Read the early-return condition in tracing.py, then the two regression cases in test_tracing.py.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jul 13, 2026
@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agenta-documentation Ready Ready Preview, Comment Jul 13, 2026 12:33am

Request Review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 00304b8c-f1a3-4365-b5d8-2274e64a59c2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

trace_context() now captures Authorization independently of traceparent, creating a context when either header is present. Unit tests cover authorization-only injection and the case where both headers are absent.

Changes

Tracing context capture

Layer / File(s) Summary
Authorization fallback and validation
sdks/python/agenta/sdk/agents/tracing.py, sdks/python/oss/tests/pytest/unit/agents/test_tracing.py
trace_context() preserves authorization when traceparent is missing and returns None only when both values are absent; tests verify both behaviors.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main fix: preserving authorization when no trace context exists.
Description check ✅ Passed The description is directly related to the changes and accurately describes the behavior fix and tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/invoke-auth-without-trace-context

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@dosubot dosubot Bot added bug Something isn't working python Pull requests that update Python code labels Jul 13, 2026
@mmabrouk mmabrouk added the needs-review Agent updated; awaiting Mahmoud's review label Jul 13, 2026
@mmabrouk

mmabrouk commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

🤖 The AI agent says:

This is an independent two-file hotfix extracted from #5242. Please verify the early return now drops the tracing context only when both traceparent and Authorization are absent. The regression tests cover the authorization-only path and the empty path.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr diff 5266 --repo Agenta-AI/agenta

Length of output: 2315


🏁 Script executed:

#!/bin/bash
sed -n '1,90p' sdks/python/agenta/sdk/agents/tracing.py 2>/dev/null || gh api repos/Agenta-AI/agenta/contents/sdks/python/agenta/sdk/agents/tracing.py -q .content | base64 -d

Length of output: 3724


This checks out — the diff and the resulting trace_context() behavior match the stated objective and the two-file scope described:

  • Line 56–57: the early return now only fires if not traceparent and not authorization, so an authorization-only context (no traceparent) is preserved, and traceparent alone also still passes through as before.
  • authorization is captured once and reused in the TraceContext construction, so behavior is unchanged when both are present.
  • The two new regression tests in test_tracing.py cover exactly the described cases: authorization-only (context is not None, traceparent is None, authorization == "ApiKey invoke-credential") and the fully-empty case (trace_context() is None).
  • No other logic in the function (endpoint resolution, exception handling) depends on traceparent, so widening the condition doesn't introduce side effects.

This is a minimal, correctly scoped fix for the described bug.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
fd -a "tracing.py" | grep -i sdk || fd -a "tracing.py"
echo "---"
fd -a "test_tracing.py"

Length of output: 729


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== contexts/tracing.py ==="
cat -n sdks/python/agenta/sdk/contexts/tracing.py
echo "=== agents/tracing.py ==="
cat -n sdks/python/agenta/sdk/agents/tracing.py
echo "=== test file ==="
cat -n sdks/python/oss/tests/pytest/unit/agents/test_tracing.py

Length of output: 20558


@mmabrouk Verified the fix. In sdks/python/agenta/sdk/agents/tracing.py, trace_context() (Line 57) now reads:

traceparent = headers.get("traceparent")
authorization = headers.get("Authorization")
if not traceparent and not authorization:
    return None

This correctly drops the tracing context only when both traceparent and Authorization are absent — previously it dropped the context (and the caller's authorization along with it) whenever traceparent alone was missing, which is exactly the bug described.

The two regression tests in test_tracing.py line up with this behavior:

  • test_trace_context_keeps_authorization_without_traceparent: inject returns only Authorization; asserts trace_context() is not None, traceparent is None, and authorization is preserved.
  • test_trace_context_none_without_traceparent_or_authorization: inject returns {}; asserts trace_context() is None.

Both scenarios are correctly exercised, and the early-return condition matches the stated intent. This is a clean, minimal, well-scoped hotfix — no other issues found in the two files.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mmabrouk mmabrouk added the lgtm This PR has been approved by a maintainer label Jul 13, 2026
@mmabrouk
mmabrouk merged commit a0d9d03 into big-agents Jul 13, 2026
23 checks passed
@mmabrouk mmabrouk mentioned this pull request Jul 13, 2026
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer needs-review Agent updated; awaiting Mahmoud's review python Pull requests that update Python code size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant