-
Stefy Lanza (nextime / spora ) authored
Broker (AISBF) chat requests were rejected by the engine with 401 "Invalid API key" — they're authenticated at the aisbf layer (registration token) and carry no end-user Bearer, but the engine's BearerAuthMiddleware still demanded one, so every brokered request came back as a constant ~472-byte error and never ran inference. Fix (token auto-managed, secure): - Front marks broker-relayed requests with x-coderai-broker-authed = the internal shared token (which the engine already trusts via CODERAI_INTERNAL_TOKEN). Added that header to _DROP_REQ so a client-supplied copy is always stripped first — unforgeable from outside. - Engine BearerAuthMiddleware skips the Bearer check when x-coderai-broker-authed matches CODERAI_INTERNAL_TOKEN. This is NOT the plain internal token (which rides on every front→engine request, direct included), so DIRECT API requests still require a real Bearer token. Co-Authored-By:Claude Opus 4.8 <noreply@anthropic.com>
6e111277