
Add /api/dev/session for curl-based testing #885

Draft
nicoalbanese wants to merge 9 commits into main from dev-session-endpoint

Conversation

@nicoalbanese


Summary

  • Adds POST /api/dev/session, a dev-only endpoint that mints a real Better Auth session cookie for a dedicated bot user (id = __test_bot__, username = test-bot) so the app can be exercised end-to-end from the command line.
  • Adds scripts/test-agent.sh — a self-contained smoke test that mints the cookie, creates a chat session, waits for the Vercel sandbox, sends a message, and streams the response. Supports --session SESSION_ID for follow-up turns to an existing chat.
  • Adds docs/agents/endpoints.md — the curl-based testing guide, linked from AGENTS.md.

Why

Today every feature is only really testable through the browser. That blocks coding agents (and humans on the CLI) from verifying changes without OAuth-signing-in and clicking around. With this endpoint, anything the browser can do is reachable from curl with a real session cookie — same code path, same auth, same workflow.

Security boundary

  • Cannot impersonate real users. Only ever mints a session for __test_bot__. The id is a 12-char sentinel that cannot collide with Better Auth's 21-char nanoid IDs.
  • Disabled in production. 404 when VERCEL_ENV=production. Vercel previews stay enabled.
  • Disabled without secret. 404 when TEST_AUTH_SECRET is unset or shorter than 64 hex chars.
  • Constant-time secret comparison via crypto.timingSafeEqual.
  • Short session TTL (1 hour).
  • Logged on every successful mint.

The bot is given a @vercel.com email so it bypasses the managed-template-trial gate (which otherwise caps at 1 session and 5 messages per non-Vercel user).

Verification

End-to-end verified against the live dev server:

  1. Mint cookie via /api/dev/session → Better Auth's verifier accepts it (GET /api/auth/info returns the bot user).
  2. Create a chat session via /api/sessions → real Vercel sandbox provisions in ~10s.
  3. POST /api/chat streams a real agent response.
  4. Follow-up turn referencing the same session has full prior context — agent recalled an 8-digit random number across turns.

Test plan

  • Set TEST_AUTH_SECRET=$(openssl rand -hex 32) in apps/web/.env.local
  • Run bash scripts/test-agent.sh — expect the agent to reply
  • Run the printed follow-up command — expect the agent to have prior context
  • Try without the secret header — expect 401
  • Try without TEST_AUTH_SECRET set — expect 404
  • Confirm production deploy still 404s the endpoint (env-gated)

🤖 Generated with Claude Code
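The request gate described under Security boundary, as an added TypeScript example that is not the PR's or the project's code. The function and type names (gateDevSession, GateResult, secretIsConfigured, sampleEnv) are assumed; "at least 64 hex digits" is one reading of the PR's "shorter than 64 hex chars" rule; and the comparison hashes both sides with SHA-256 before crypto.timingSafeEqual instead of passing the raw strings, because timingSafeEqual throws when its two inputs differ in length. The real endpoint hands a positive decision to Better Auth to mint the cookie; this example stops at the decision and the TTL.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not the PR's code: models the gate the PR describes for
// POST /api/dev/session. Names below are assumed, not the project's.
export const TEST_BOT_ID = "__test_bot__"; // 12-char sentinel from the PR
export const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour, per the PR

export type Env = { VERCEL_ENV?: string; TEST_AUTH_SECRET?: string };

export type GateResult =
  | { status: 404 } // route "does not exist": production, or no usable secret
  | { status: 401 } // secret configured, but X-Test-Auth missing or wrong
  | { status: 200; userId: string; expiresAt: number };

// Assumed reading of the PR's rule: the configured secret must be at least
// 64 hex digits (openssl rand -hex 32 yields exactly 64).
function secretIsConfigured(secret: string | undefined): secret is string {
  return secret !== undefined && secret.length >= 64 && /^[0-9a-fA-F]+$/.test(secret);
}

// Constant-time comparison. Variation on the PR's bare timingSafeEqual:
// both values are hashed first so the compared buffers are always the same
// length. timingSafeEqual throws on unequal lengths, and an early
// length check would leak the expected secret's length through timing.
function secretsMatch(expected: string, presented: string | undefined): boolean {
  if (presented === undefined) return false;
  const a = createHash("sha256").update(expected, "utf8").digest();
  const b = createHash("sha256").update(presented, "utf8").digest();
  return timingSafeEqual(a, b);
}

export function gateDevSession(
  env: Env,
  presentedSecret: string | undefined, // value of the X-Test-Auth header
  now: number, // ms since epoch, injected so the result is testable
): GateResult {
  // Production hides the endpoint entirely; previews and local dev stay open.
  if (env.VERCEL_ENV === "production") return { status: 404 };
  // 404 rather than 401 when no usable secret exists, so an unconfigured
  // deployment looks the same as one without the route at all.
  const secret = env.TEST_AUTH_SECRET;
  if (!secretIsConfigured(secret)) return { status: 404 };
  if (!secretsMatch(secret, presentedSecret)) return { status: 401 };
  // The caller never chooses the user: only the fixed bot id is minted,
  // which is what rules out impersonating real accounts through this route.
  return { status: 200, userId: TEST_BOT_ID, expiresAt: now + SESSION_TTL_MS };
}

// Constructed sample environment, as a preview deployment with a secret
// from `openssl rand -hex 32` would see it (value is made up).
export const sampleEnv: Env = {
  VERCEL_ENV: "preview",
  TEST_AUTH_SECRET: "0123456789abcdef".repeat(4),
};
```

A route handler would call gateDevSession with process.env, the X-Test-Auth header and Date.now(), return the 404/401 directly, and on 200 create the Better Auth session for userId with the given expiry and log the mint.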

nicoalbanese and others added 4 commits May 21, 2026 14:57
Mints a real Better Auth session cookie for a dedicated bot user
(id `__test_bot__`) so the app can be exercised end-to-end from
the command line. The endpoint cannot impersonate real users, is
gated by `TEST_AUTH_SECRET` + `X-Test-Auth` header (timing-safe),
and is disabled on production deployments.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The managed-template-trial gate treats any Vercel-auth user without a
vercel.com email as a trial user, capped at 1 session and 5 messages.
The bot needs to exercise multiple sessions and unlimited turns to be
useful for testing, so we assign it `test-bot@vercel.com`. Existing
bot users created before this change get their email backfilled on
the next call to /api/dev/session.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Drives the full happy path from the command line: mint cookie →
create session → wait for sandbox → send message → stream response.
Accepts a custom prompt as the first argument and prints the
sessionId/chatId so follow-up turns can target the same chat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

When `--session SESSION_ID` is passed, the script skips session/sandbox
creation, fetches the existing chat and its message history, and appends
the new user turn. The trailing hint now points to a runnable command
instead of a hand-rolled curl sequence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented May 21, 2026



Project: open-agents. Deployment: Ready. Actions: Preview. Updated (UTC): May 26, 2026 11:43am.

