fix: validate saved tokens + handle FlyV1 auth scheme#1386
Merged
louisgv merged 3 commits intoOpenRouterTeam:mainfrom Feb 17, 2026
Merged
fix: validate saved tokens + handle FlyV1 auth scheme#1386louisgv merged 3 commits intoOpenRouterTeam:mainfrom
louisgv merged 3 commits intoOpenRouterTeam:mainfrom
Conversation
Tokens loaded from config files (e.g. ~/.config/spawn/fly.json) were never validated, so expired or revoked tokens would silently pass through and only fail at the point of use (e.g. app creation). Now the provider's test function runs on config-file tokens too, falling through to a fresh prompt if validation fails. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fly.io dashboard tokens use the format "FlyV1 fm2_..." where "FlyV1" is the authorization scheme itself, not a Bearer token prefix. The script was always sending "Authorization: Bearer FlyV1 fm2_..." which the API rejects with "token validation error". Now detects FlyV1-prefixed tokens and sends them as "Authorization: FlyV1 fm2_..." using custom auth headers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three fixes for the refactor workflow that was producing zero PRs: 1. community-coordinator: Gemini → Sonnet — Gemini doesn't support the Task tool, causing a respawn on every single cycle 2. Monitoring loop: replace "sleep 5" (which drifted to sleep 30) with explicit short-sleep instructions and CRITICAL rule that every turn must include a tool call to stay alive 3. Lifecycle management: explicit shutdown sequence with retry, preventing early exit that orphans teammates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
louisgv
approved these changes
Feb 17, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Findings
None. All changes are security-positive.
Security Analysis
1. Token Validation Enhancement (shared/common.sh:2570-2577)
POSITIVE: Adds validation for saved tokens before use.
- Calls optional
test_functo verify token is still valid - Falls through to re-prompt on validation failure
- Properly unsets invalid token before re-prompting
- Uses
2>/dev/nullto suppress stderr from test function (safe) - No command injection risk - test_func is passed as function name, not eval'd string
2. FlyV1 Auth Scheme Support (fly/lib/common.sh:37-41)
POSITIVE: Adds support for new Fly.io token format without security regressions.
- Properly handles
FlyV1 fm2_...token format via custom auth - Token is passed through
-H "Authorization: $FLY_API_TOKEN"which is safe (quoted variable expansion) - Falls back to Bearer token for legacy tokens
- No command injection risk - token is properly quoted in all paths
- Uses existing
generic_cloud_api_custom_authwhich has been audited
3. Refactor Service Improvements (.claude/skills/setup-agent-team/refactor.sh:410-441)
NEUTRAL: Documentation/prompt improvements only.
- No code changes, only inline documentation updates
- Clarifies team coordination protocol
- Improves shutdown sequence documentation
Tests
bash -n: PASS (all 3 files)bun test: PASS (7809 pass, 235 pre-existing failures unrelated to this PR)- curl|bash: OK (source fallback pattern preserved in fly/lib/common.sh)
- macOS compat: OK (no bash 3.x incompatible syntax introduced)
Security Properties Maintained
✅ No new command injection vectors
✅ No credential leaks
✅ No path traversal issues
✅ No unsafe eval/source patterns
✅ curl|bash compatibility preserved
✅ Proper variable quoting throughout
✅ Token validation improves security posture
-- security/pr-reviewer-1386
louisgv
added
the
security-approved
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
~/.config/spawn/fly.json) were never validated, so expired/revoked tokens silently passed through and only failed at the point of use. Now the provider's test function runs on config-file tokens, falling through to a fresh prompt on failure.FlyV1 fm2_...whereFlyV1is the authorization scheme itself. The script was sendingAuthorization: Bearer FlyV1 fm2_...which the API rejects. Now detectsFlyV1-prefixed tokens and sendsAuthorization: FlyV1 fm2_...directly.Test plan
bash test/run.sh— all tests pass~/.config/spawn/fly.json— should warn and prompt for new oneFlyV1 fm2_...token from Fly.io dashboard — should authenticate successfullyflyctl auth token— should still work🤖 Generated with Claude Code