Problem

After the v0.2.2 release, all runner pods reject requests from the backend-api and operator with `401 Unauthorized`. This breaks session creation, workflow reconciliation, and the between-run listener across all project namespaces on vteam-uat.

The runner starts correctly (`AG-UI token authentication enabled`), and the operator successfully provisions and refreshes tokens (`Refreshed runner token for session ...`), but the token the backend sends is not accepted by the runner.

This is an interaction between two PRs that both merged before v0.2.2:

- `X-Ambient-Session-Token` header validation middleware to the runner, and `runnerTransport` in the backend to inject the header
- `app.py` startup, restructured endpoint registration (added `events_router`), and modified the middleware/lifespan ordering

Likely causes to investigate

- `runnerTransport` sends and what `_require_session_token` checks
- `getRunnerAGUIToken()` reads from a secret that the v0.2.2 operator writes differently than v0.2.0

Reproduction

Deploy v0.2.2 to a kind cluster and attempt to create a session. The runner pod logs will show `401 Unauthorized` on every inbound request.

Affected files

- `components/runners/ambient-runner/ambient_runner/app.py` (auth middleware)
- `components/backend/handlers/sessions.go` (`runnerTransport`, `getRunnerAGUIToken`)
- `components/operator/internal/handlers/sessions.go` (`regenerateRunnerToken`)

Context

Discovered during investigation of vteam-uat outage on 2026-04-22. This is the user-facing symptom — sessions fail with "Error: Runner error: HTTP 401". Affected namespaces include test-jumpstarter-bugs, cve-fixer-workflow, maas-cve-fixer, chocolate-factory, and others.
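One way to tell the two likely causes apart from the runner side, as an added example that is not the project's code: a token check that returns a loggable reason for each 401 (header absent versus token mismatch) and compares tokens by fingerprint so nothing secret reaches the logs. The names `diagnose` and `fingerprint` are hypothetical, the whitespace case is an assumption about how a secret could be "written differently", and the tokens are constructed.

```python
import hashlib
import hmac

HEADER = "x-ambient-session-token"  # header name from the issue, lowercased


def fingerprint(token: str) -> str:
    """SHA-256 prefix of a token: loggable for high-entropy tokens, unlike the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def diagnose(headers: dict, expected: str) -> tuple[int, str]:
    """Return (HTTP status, reason) for one inbound request (hypothetical helper).

    `headers` is the request header mapping; `expected` is the token the
    runner was provisioned with.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not expected:
        return 401, "runner has no expected token configured"
    if HEADER not in lowered:
        # Sender is not injecting the header, or uses another name.
        seen = sorted(n for n in lowered if "token" in n or n == "authorization")
        return 401, f"header missing; auth-like headers seen: {seen}"
    sent = lowered[HEADER]
    # Constant-time comparison avoids leaking match length through timing.
    if hmac.compare_digest(sent.encode(), expected.encode()):
        return 200, "ok"
    if hmac.compare_digest(sent.strip().encode(), expected.strip().encode()):
        # Still rejected: the check stays strict, only the reason differs.
        return 401, "token differs only by surrounding whitespace"
    return 401, f"token mismatch: sent={fingerprint(sent)} expected={fingerprint(expected)}"


if __name__ == "__main__":
    # Constructed requests, one per failure mode.
    provisioned = "constructed-token-B"
    for hdrs in (
        {"X-Ambient-Session-Token": "constructed-token-B"},
        {"Authorization": "Bearer constructed-token-B"},
        {"X-Ambient-Session-Token": "constructed-token-B\n"},
        {"X-Ambient-Session-Token": "constructed-token-A"},
    ):
        print(diagnose(hdrs, provisioned))
```

Logging the same fingerprint on the sending side lets the two values be compared across pod logs without exposing the token.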