Background
#265 fixed the L1 cascade (13/13 → 0 fail). The very next QA run on bd76223 (anet QA (v0) run 28306382006) revealed 4 pre-existing real bugs that were invisible while every test exited at source ../lib/safe-rm.sh (line ~20).
Net L1: 9/13 PASS, 4 fail — a 12-day improvement, but still red.
The 4 fails (likely 1-2 root causes, not 4)
1. qa-dash-08-cross-account-views
[2] alice creates 'alice-private' + 'alice-secret-agent' + sends + replies
FAIL: alice send_reply
2. qa-dash-10-incremental-poll
[3] /api/messages (no since=) — both msg-A + msg-B present
FAIL: /api/messages should have both A+B, got 0
3. qa-hub-06b-cross-user-isolation
[3] alice sends a 'top-secret-alice' task to alice-agent
FAIL: alice send_task
4. qa-hub-09-task-state-machine
[3] BRANCH replied: send → send_reply(replied)
[4] BRANCH failed: send → send_reply(failed)
FAIL: cancel_task not ok:
{"ok":false,
"error":"from_session_identity_mismatch",
"message":"network token from_session does not match token-bound node alias",
"token_alias":"agent-09",
"requested_from_session":"admin"}
Hypothesis
The from_session_identity_mismatch signature in #4 is a concrete contract violation in commhub-server's token-bound identity check. #1 (send_reply), #3 (send_task), and possibly #2 (messages-since) look like they could share that same identity-mismatch root — alice sending under admin context, or token-bound alias not matching the requesting session.
Scope
- Pull each of the 4 per-case logs (
/tmp/qa-l1-X-run.log artifacts from run 28306382006) to confirm hypothesis
- Likely: 1 server-side fix in
server/src/index.ts or server/src/auth.ts for the identity check
- Possibly: tests are stale and need updating to send the right
from_session context
- Targeted fix PR per root once identified
Not part of #257 or #265 — #265 only fixed the cascade. This issue tracks the real bugs the cascade was hiding.
Why not fold into #266
#266 = Docker E2E Tests workflow (Base 137 / 45 fail) — different harness, different test set.
This issue = anet QA (v0) L1 contract tests (4 fail) — same harness as #265, but real product bugs vs the COPY bug.
Reproduce
git checkout main
docker build -t anet-qa-hub-09 -f tests/qa-hub-09-task-state-machine/Dockerfile .
docker run --rm anet-qa-hub-09 # observe FAIL: cancel_task ... from_session_identity_mismatch
Discovered
Related
Background
#265 fixed the L1 cascade (13/13 → 0 fail). The very next QA run on bd76223 (
anet QA (v0)run28306382006) revealed 4 pre-existing real bugs that were invisible while every test exited atsource ../lib/safe-rm.sh(line ~20).Net L1: 9/13 PASS, 4 fail — a 12-day improvement, but still red.
The 4 fails (likely 1-2 root causes, not 4)
1. qa-dash-08-cross-account-views
2. qa-dash-10-incremental-poll
3. qa-hub-06b-cross-user-isolation
4. qa-hub-09-task-state-machine
Hypothesis
The
from_session_identity_mismatchsignature in #4 is a concrete contract violation in commhub-server's token-bound identity check. #1 (send_reply), #3 (send_task), and possibly #2 (messages-since) look like they could share that same identity-mismatch root —alicesending under admin context, or token-bound alias not matching the requesting session.Scope
/tmp/qa-l1-X-run.logartifacts from run 28306382006) to confirm hypothesisserver/src/index.tsorserver/src/auth.tsfor the identity checkfrom_sessioncontextNot part of #257 or #265 — #265 only fixed the cascade. This issue tracks the real bugs the cascade was hiding.
Why not fold into #266
#266 =
Docker E2E Testsworkflow (Base 137 / 45 fail) — different harness, different test set.This issue =
anet QA (v0)L1 contract tests (4 fail) — same harness as #265, but real product bugs vs the COPY bug.Reproduce
Discovered
Related