Fix spurious OAuth warning by setting rootSessionID for local runtime

[Copilot]

Fixes the spurious OAuth warning that appears when running cagent exec or cagent run --tui=false with the message:

time=2025-10-06T09:17:59.036+02:00 level=WARN msg="rootSessionID not set, using current session ID for OAuth" session_id=09ee59b4-d228-49db-b5bc-b72bdba3a7a0

Problem

The issue occurred because local runtimes (used by cagent exec and cagent run --tui=false) were being created without a rootSessionID, which is required for OAuth state encoding. This caused warnings to appear even for sessions that don't actually need OAuth authentication, such as simple agents without MCP tools that require authentication.

Root Cause

The local runtime creation code in cmd/root/run.go was missing the runtime.WithRootSessionID() option that was already properly set in the server code (pkg/server/server.go). This inconsistency meant:

• Server-based runtimes had proper OAuth state encoding
• Local runtimes (CLI usage) generated spurious warnings

Solution

The fix ensures that local runtimes are created with a proper root session ID by:

1. Creating the session first to obtain its unique ID
2. Passing that ID to the runtime using runtime.WithRootSessionID(sess.ID)

This change:

• ✅ Eliminates the spurious OAuth warning for sessions that don't need authentication
• ✅ Maintains full OAuth functionality when MCP servers do require authentication
• ✅ Aligns local runtime behavior with server runtime behavior
• ✅ Makes no breaking changes to the public API

The fix is minimal and surgical, addressing only the root cause without affecting any other functionality.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.openai.com
  • Triggering command: ./bin/cagent exec ./examples/pirate.yaml hi (dns block)
  • Triggering command: ./bin/cagent run ./examples/pirate.yaml --tui=false hi (dns block)
• models.dev
  • Triggering command: ./bin/cagent exec ./examples/pirate.yaml hi (dns block)
  • Triggering command: ./bin/cagent run ./examples/pirate.yaml --tui=false hi (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Spurious oauth log for sessions that don't need auth</issue_title>
<issue_description>```
cagent exec ./examples/pirate.yaml "hi"
time=2025-10-06T09:17:59.036+02:00 level=WARN msg="rootSessionID not set, using current session ID for OAuth" session_id=09ee59b4-d228-49db-b5bc-b72bdba3a7a0

--- Agent: root ---

Ahoy there, matey! How be ye sailin' this fine day?

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@dgageot</author><body>
cc @trungutt @rumpl </body></comment_new>
<comment_new><author>@dgageot</author><body>
Seems fixed now</body></comment_new>
<comment_new><author>@dgageot</author><body>
Not really, no</body></comment_new>
</comments>

Fixes #418

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[dgageot]

@rumpl wdyt?