From 5f83cf902a15fb5f77e1eafafe9fbb73966addf0 Mon Sep 17 00:00:00 2001 From: Snider Date: Mon, 16 Mar 2026 15:11:10 +0000 Subject: [PATCH] fix: messaging routes use auth.api, fix InboxInput schema - Remove messaging routes from core/agent (conflict with AgentApiAuth) - Routes now only in host app with auth.api middleware (same as brain) - Add Agent field to InboxInput so MCP schema isn't empty Co-Authored-By: Virgil --- pkg/brain/messaging.go | 10 ++++++++-- src/php/Routes/api.php | 6 +++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/pkg/brain/messaging.go b/pkg/brain/messaging.go index cb9a823..895ad9e 100644 --- a/pkg/brain/messaging.go +++ b/pkg/brain/messaging.go @@ -41,7 +41,9 @@ type SendOutput struct { To string `json:"to"` } -type InboxInput struct{} +type InboxInput struct { + Agent string `json:"agent,omitempty"` +} type MessageItem struct { ID int `json:"id"` @@ -95,7 +97,11 @@ func (s *DirectSubsystem) sendMessage(ctx context.Context, _ *mcp.CallToolReques } func (s *DirectSubsystem) inbox(ctx context.Context, _ *mcp.CallToolRequest, input InboxInput) (*mcp.CallToolResult, InboxOutput, error) { - result, err := s.apiCall(ctx, "GET", "/v1/messages/inbox?agent="+agentName(), nil) + agent := input.Agent + if agent == "" { + agent = agentName() + } + result, err := s.apiCall(ctx, "GET", "/v1/messages/inbox?agent="+agent, nil) if err != nil { return nil, InboxOutput{}, err } diff --git a/src/php/Routes/api.php b/src/php/Routes/api.php index 1a4e627..e9979e8 100644 --- a/src/php/Routes/api.php +++ b/src/php/Routes/api.php @@ -87,13 +87,13 @@ Route::middleware(AgentApiAuth::class.':sprints.write')->group(function () { Route::delete('v1/sprints/{slug}', [SprintController::class, 'destroy']); }); -// Agent messaging -Route::middleware(AgentApiAuth::class.':plans.read')->group(function () { +// Agent messaging — uses auth.api (same as brain routes) so CORE_BRAIN_KEY works +Route::middleware(['throttle:120,1', 'auth.api:brain:read'])->group(function () { Route::get('v1/messages/inbox', [\Core\Mod\Agentic\Controllers\Api\MessageController::class, 'inbox']); Route::get('v1/messages/conversation/{agent}', [\Core\Mod\Agentic\Controllers\Api\MessageController::class, 'conversation']); }); -Route::middleware(AgentApiAuth::class.':plans.write')->group(function () { +Route::middleware(['throttle:60,1', 'auth.api:brain:write'])->group(function () { Route::post('v1/messages/send', [\Core\Mod\Agentic\Controllers\Api\MessageController::class, 'send']); Route::post('v1/messages/{id}/read', [\Core\Mod\Agentic\Controllers\Api\MessageController::class, 'markRead']); });