fix(cron): propagate auth-profile resolution to isolated sessions (#20624) (#20689)

2026-05-09 15:04:33 +00:00 · 2026-02-23 01:45:03 +08:00
parent 3a19b0201c
commit 91944ede4c
4 changed files with 150 additions and 8 deletions
--- a/src/cron/isolated-agent/run.ts
+++ b/src/cron/isolated-agent/run.ts
@@ -5,6 +5,7 @@ import {
  resolveAgentWorkspaceDir,
  resolveDefaultAgentId,
 } from "../../agents/agent-scope.js";
+import { resolveSessionAuthProfileOverride } from "../../agents/auth-profiles/session-override.js";
 import { runCliAgent } from "../../agents/cli-runner.js";
 import { getCliSessionId, setCliSessionId } from "../../agents/cli-session.js";
 import { lookupContextTokens } from "../../agents/context.js";
@@ -432,6 +433,21 @@ export async function runCronIsolatedAgentTurn(params: {
  cronSession.sessionEntry.systemSent = true;
  await persistSessionEntry();

+  // Resolve auth profile for the session, mirroring the inbound auto-reply path
+  // (get-reply-run.ts). Without this, isolated cron sessions fall back to env-var
+  // auth which may not match the configured auth-profiles, causing 401 errors.
+  const authProfileId = await resolveSessionAuthProfileOverride({
+    cfg: cfgWithAgentDefaults,
+    provider,
+    agentDir,
+    sessionEntry: cronSession.sessionEntry,
+    sessionStore: cronSession.store,
+    sessionKey: agentSessionKey,
+    storePath: cronSession.storePath,
+    isNewSession: cronSession.isNewSession,
+  });
+  const authProfileIdSource = cronSession.sessionEntry.authProfileOverrideSource;
+
  let runResult: Awaited<ReturnType<typeof runEmbeddedPiAgent>>;
  let fallbackProvider = provider;
  let fallbackModel = model;
@@ -490,6 +506,8 @@ export async function runCronIsolatedAgentTurn(params: {
          lane: params.lane ?? "cron",
          provider: providerOverride,
          model: modelOverride,
+          authProfileId,
+          authProfileIdSource,
          thinkLevel,
          verboseLevel: resolvedVerboseLevel,
          timeoutMs,