release: fix desktop local auth startup

Author: Dexploarer

apps/app/electrobun/scripts/smoke-test-windows.ps1

@@ -258,6 +258,11 @@ function Dump-PortDiagnostics([int]$Port) {
   Write-Host "--- end netstat ---"
 }
 
+function Test-BackendProbeStatus([int]$StatusCode) {
+  # A 401 still proves the packaged backend is running and enforcing auth.
+  return $StatusCode -eq 200 -or $StatusCode -eq 401
+}
+
 function Dump-ProcessDiagnostics() {
   Write-Host "--- Bun/launcher processes ---"
   try {
@@ -398,10 +403,11 @@ try {
         $client.Timeout = [TimeSpan]::FromSeconds(3)
         $task = $client.GetAsync($uri)
         $task.Wait()
-        if ($task.Result.IsSuccessStatusCode) {
+        $statusCode = [int]$task.Result.StatusCode
+        if (Test-BackendProbeStatus $statusCode) {
           $healthy = $true
           $healthCheckMethod = "HttpClient(no-proxy)"
-          Write-Host "Backend health check passed on port $port (via HttpClient, proxy bypassed)."
+          Write-Host "Backend health check passed on port $port (via HttpClient, proxy bypassed, HTTP $statusCode)."
           break
         }
       } catch {
@@ -418,10 +424,10 @@ try {
       if (-not $healthy) {
         try {
           $curlResult = & "$env:SystemRoot\System32\curl.exe" -s -o NUL -w "%{http_code}" $uri --connect-timeout 3 --noproxy "127.0.0.1" 2>$null
-          if ($curlResult -eq "200") {
+          if ($curlResult -eq "200" -or $curlResult -eq "401") {
             $healthy = $true
             $healthCheckMethod = "curl.exe"
-            Write-Host "Backend health check passed on port $port (via curl.exe)."
+            Write-Host "Backend health check passed on port $port (via curl.exe, HTTP $curlResult)."
             break
           }
         } catch {}
@@ -430,11 +436,11 @@ try {
       # Method 3: Invoke-WebRequest with -NoProxy (PowerShell 7+).
       if (-not $healthy) {
         try {
-          $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 3 -NoProxy
-          if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300) {
+          $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 3 -NoProxy -SkipHttpErrorCheck
+          if (Test-BackendProbeStatus ([int]$response.StatusCode)) {
             $healthy = $true
             $healthCheckMethod = "Invoke-WebRequest(-NoProxy)"
-            Write-Host "Backend health check passed on port $port (via Invoke-WebRequest -NoProxy)."
+            Write-Host "Backend health check passed on port $port (via Invoke-WebRequest -NoProxy, HTTP $($response.StatusCode))."
             break
           }
         } catch {}

apps/app/electrobun/scripts/smoke-test.sh

@@ -94,6 +94,19 @@ attach_dmg_with_retry() {
   return 1
 }
 
+backend_health_probe_status() {
+  local url="$1"
+  curl -sS -o /dev/null -w "%{http_code}" --connect-timeout 3 "$url" 2>/dev/null || printf "000"
+}
+
+backend_health_probe_satisfied() {
+  local url="$1"
+  local status
+  status="$(backend_health_probe_status "$url")"
+  # A 401 still proves the packaged backend is running and enforcing auth.
+  [[ "$status" == "200" || "$status" == "401" ]]
+}
+
 ensure_diagnostics_dir() {
   if [[ -z "$SMOKE_DIAGNOSTICS_DIR" ]]; then
     SMOKE_DIAGNOSTICS_DIR="$(mktemp -d /tmp/milady-smoke-diagnostics.XXXXXX)"
@@ -672,7 +685,7 @@ while [[ $SECONDS -lt $DEADLINE ]]; do
     fi
   fi
   if [[ -n "$BACKEND_PORT" ]]; then
-    if curl -fsS "http://127.0.0.1:${BACKEND_PORT}/api/health" >/dev/null; then
+    if backend_health_probe_satisfied "http://127.0.0.1:${BACKEND_PORT}/api/health"; then
       echo "Backend health check PASSED on port $BACKEND_PORT."
       break
     fi
@@ -690,7 +703,7 @@ if [[ -z "$BACKEND_PORT" ]]; then
   exit 1
 fi
 
-if ! curl -fsS "http://127.0.0.1:${BACKEND_PORT}/api/health" >/dev/null; then
+if ! backend_health_probe_satisfied "http://127.0.0.1:${BACKEND_PORT}/api/health"; then
   echo "ERROR: Backend did not answer /api/health on port $BACKEND_PORT"
   [[ -f "$STARTUP_LOG" ]] && tail -n 120 "$STARTUP_LOG"
   echo ""
@@ -732,7 +745,7 @@ echo "Waiting ${LIVENESS_TIMEOUT}s for liveness..."
 sleep "$LIVENESS_TIMEOUT"
 LIVE_PID="$(find_live_packaged_pid)"
 if [[ -n "$LIVE_PID" ]] && kill -0 "$LIVE_PID" 2>/dev/null; then
-  if curl -fsS "http://127.0.0.1:${BACKEND_PORT}/api/health" >/dev/null; then
+  if backend_health_probe_satisfied "http://127.0.0.1:${BACKEND_PORT}/api/health"; then
     echo "App process ($LIVE_PID) and backend still healthy after ${LIVENESS_TIMEOUT}s — liveness check PASSED."
   else
     echo "ERROR: App stayed open but backend health check failed after ${LIVENESS_TIMEOUT}s."
@@ -743,7 +756,7 @@ if [[ -n "$LIVE_PID" ]] && kill -0 "$LIVE_PID" 2>/dev/null; then
     dump_failure_diagnostics "backend liveness check failed after startup"
     exit 1
   fi
-elif curl -fsS "http://127.0.0.1:${BACKEND_PORT}/api/health" >/dev/null; then
+elif backend_health_probe_satisfied "http://127.0.0.1:${BACKEND_PORT}/api/health"; then
   echo "WARNING: No packaged app process was detected after ${LIVENESS_TIMEOUT}s, but the packaged backend remained healthy."
   echo "         Treating backend liveness as the release gate for this launcher path."
 else

apps/app/electrobun/src/__tests__/agent.test.ts

@@ -353,6 +353,60 @@ describe("AgentManager", () => {
       expect(mockSpawn).toHaveBeenCalledTimes(1);
     });
 
+    it("authenticates local health and agent probes with the desktop API token", async () => {
+      const originalMiladyToken = process.env.MILADY_API_TOKEN;
+      const originalElizaToken = process.env.ELIZA_API_TOKEN;
+      process.env.MILADY_API_TOKEN = "desktop-local-token";
+      delete process.env.ELIZA_API_TOKEN;
+
+      try {
+        const mockProc = createMockProcess();
+        mockSpawn.mockReturnValue(mockProc);
+
+        mockFetch.mockResolvedValueOnce(makeHealthyResponse());
+        mockFetch.mockResolvedValueOnce({
+          ok: true,
+          json: async () => ({ agents: [{ name: "Milady" }] }),
+        });
+
+        await manager.start();
+
+        const expectedHeaders = {
+          Authorization: "Bearer desktop-local-token",
+          "X-Api-Key": "desktop-local-token",
+          "X-Api-Token": "desktop-local-token",
+        };
+
+        expect(mockFetch).toHaveBeenNthCalledWith(
+          1,
+          "http://127.0.0.1:2138/api/health",
+          expect.objectContaining({
+            headers: expectedHeaders,
+            signal: expect.anything(),
+          }),
+        );
+        expect(mockFetch).toHaveBeenNthCalledWith(
+          2,
+          "http://127.0.0.1:2138/api/agents",
+          expect.objectContaining({
+            headers: expectedHeaders,
+            signal: expect.anything(),
+          }),
+        );
+      } finally {
+        if (originalMiladyToken === undefined) {
+          delete process.env.MILADY_API_TOKEN;
+        } else {
+          process.env.MILADY_API_TOKEN = originalMiladyToken;
+        }
+        if (originalElizaToken === undefined) {
+          delete process.env.ELIZA_API_TOKEN;
+        } else {
+          process.env.ELIZA_API_TOKEN = originalElizaToken;
+        }
+      }
+    });
+
     it("spawns bun process with the canonical runtime entry when present", async () => {
       const mockProc = createMockProcess();
       mockSpawn.mockReturnValue(mockProc);

apps/app/electrobun/src/__tests__/smoke-test-script.test.ts

@@ -65,6 +65,16 @@ describe("smoke-test.sh", () => {
     );
   });
 
+  it("treats auth-protected health probes as proof the packaged backend is alive", () => {
+    const script = fs.readFileSync(SMOKE_TEST_PATH, "utf8");
+
+    expect(script).toContain("backend_health_probe_satisfied() {");
+    expect(script).toContain(
+      "# A 401 still proves the packaged backend is running and enforcing auth.",
+    );
+    expect(script).toContain('[[ "$status" == "200" || "$status" == "401" ]]');
+  });
+
   it("asserts the packaged bundle and executables keep the Milady identifier", () => {
     const script = fs.readFileSync(SMOKE_TEST_PATH, "utf8");
 

apps/app/electrobun/src/index.ts

@@ -33,7 +33,7 @@ import {
   CloudAuthWindowManager,
   readNavigationEventUrl,
 } from "./cloud-auth-window";
-import { ensureDesktopApiToken, getAgentManager } from "./native/agent";
+import { configureDesktopLocalApiAuth, getAgentManager } from "./native/agent";
 import { getDesktopManager } from "./native/desktop";
 import { disposeNativeModules, initializeNativeModules } from "./native/index";
 import {
@@ -124,7 +124,8 @@ function buildApiRequestHeaders(contentType?: string): Record<string, string> {
   if (contentType) {
     headers["Content-Type"] = contentType;
   }
-  const apiToken = process.env.MILADY_API_TOKEN?.trim();
+  const apiToken =
+    process.env.MILADY_API_TOKEN?.trim() ?? process.env.ELIZA_API_TOKEN?.trim();
   if (apiToken) {
     headers.Authorization = `Bearer ${apiToken}`;
   }
@@ -415,13 +416,20 @@ async function startRendererServer(): Promise<string> {
   const initialApiBase = resolveInitialApiBase(
     process.env as Record<string, string | undefined>,
   );
+  const initialApiToken =
+    resolveDesktopRuntimeMode(process.env as Record<string, string | undefined>)
+      .mode === "local"
+      ? configureDesktopLocalApiAuth()
+      : (process.env.MILADY_API_TOKEN?.trim() ??
+        process.env.ELIZA_API_TOKEN?.trim() ??
+        "");
 
   // Inject the API base into index.html so it's available before React mounts.
   function injectApiBaseIntoHtml(html: string): string {
     if (!initialApiBase) {
       return html;
     }
-    const script = `<script>window.__MILADY_API_BASE__=${JSON.stringify(initialApiBase)};</script>`;
+    const script = `<script>window.__MILADY_API_BASE__=${JSON.stringify(initialApiBase)};${initialApiToken ? `Object.defineProperty(window,"__MILADY_API_TOKEN__",{value:${JSON.stringify(initialApiToken)},configurable:true,writable:true,enumerable:false});` : ""}</script>`;
     // Inject before </head> if present, otherwise before <body>
     if (html.includes("</head>")) {
       return html.replace("</head>", `${script}</head>`);
@@ -924,7 +932,7 @@ function injectApiBase(win: BrowserWindow): void {
   const agent = getAgentManager();
   const port =
     agent.getPort() ?? (Number(process.env.MILADY_PORT) || DEFAULT_PORT);
-  const apiToken = ensureDesktopApiToken();
+  const apiToken = configureDesktopLocalApiAuth();
   pushApiBaseToRenderer(win, `http://127.0.0.1:${port}`, apiToken);
   setAgentReady(true);
 }
@@ -967,7 +975,7 @@ async function _startAgent(win: BrowserWindow): Promise<void> {
   }
 
   const agent = getAgentManager();
-  const apiToken = ensureDesktopApiToken();
+  const apiToken = configureDesktopLocalApiAuth();
 
   try {
     const status = await agent.start();

apps/app/electrobun/src/native/__tests__/agent.test.ts

@@ -10,6 +10,7 @@ import path from "node:path";
 import { describe, expect, it } from "vitest";
 
 import {
+  configureDesktopLocalApiAuth,
   ensureDesktopApiToken,
   getMiladyDistFallbackCandidates,
   resolveConfigDir,
@@ -146,3 +147,17 @@ describe("ensureDesktopApiToken", () => {
     expect(env.ELIZA_API_TOKEN).toBe(token);
   });
 });
+
+describe("configureDesktopLocalApiAuth", () => {
+  it("disables pairing while keeping the mirrored desktop token aliases", () => {
+    const env: NodeJS.ProcessEnv = {
+      MILADY_API_TOKEN: "desktop-token",
+    };
+
+    expect(configureDesktopLocalApiAuth(env)).toBe("desktop-token");
+    expect(env.MILADY_API_TOKEN).toBe("desktop-token");
+    expect(env.ELIZA_API_TOKEN).toBe("desktop-token");
+    expect(env.MILADY_PAIRING_DISABLED).toBe("1");
+    expect(env.ELIZA_PAIRING_DISABLED).toBe("1");
+  });
+});

apps/app/electrobun/src/native/agent.ts

@@ -128,8 +128,7 @@ export function resolveConfigDir(opts?: {
 export function ensureDesktopApiToken(
   env: NodeJS.ProcessEnv = process.env,
 ): string {
-  const existing =
-    env.MILADY_API_TOKEN?.trim() ?? env.ELIZA_API_TOKEN?.trim() ?? "";
+  const existing = getDesktopApiToken(env);
   if (existing) {
     env.MILADY_API_TOKEN = existing;
     env.ELIZA_API_TOKEN = existing;
@@ -145,6 +144,35 @@ export function ensureDesktopApiToken(
   return generated;
 }
 
+export function configureDesktopLocalApiAuth(
+  env: NodeJS.ProcessEnv = process.env,
+): string {
+  const token = ensureDesktopApiToken(env);
+  env.MILADY_PAIRING_DISABLED = "1";
+  env.ELIZA_PAIRING_DISABLED = "1";
+  return token;
+}
+
+function getDesktopApiToken(
+  env: NodeJS.ProcessEnv = process.env,
+): string | null {
+  const token =
+    env.MILADY_API_TOKEN?.trim() ?? env.ELIZA_API_TOKEN?.trim() ?? "";
+  return token || null;
+}
+
+function getDesktopApiHeaders(
+  env: NodeJS.ProcessEnv = process.env,
+): Record<string, string> | undefined {
+  const token = getDesktopApiToken(env);
+  if (!token) return undefined;
+  return {
+    Authorization: `Bearer ${token}`,
+    "X-Api-Key": token,
+    "X-Api-Token": token,
+  };
+}
+
 let diagnosticLogPath: string | null = null;
 
 function getDiagnosticLogPath(): string {
@@ -328,12 +356,14 @@ async function waitForHealthy(
   timeoutMs: number = getHealthPollTimeoutMs(),
 ): Promise<boolean> {
   const deadline = Date.now() + timeoutMs;
+  const headers = getDesktopApiHeaders();
 
   while (Date.now() < deadline) {
     const port = getPort();
     const url = `http://127.0.0.1:${port}/api/health`;
     try {
       const response = await fetch(url, {
+        headers,
         signal: AbortSignal.timeout(2_000),
       });
       if (response.ok) {
@@ -542,7 +572,7 @@ export class AgentManager {
       throw new Error(reason);
     }
 
-    ensureDesktopApiToken();
+    configureDesktopLocalApiAuth();
 
     // Reset per-startup flags
     this.pgliteRecoveryDone = false;
@@ -1036,7 +1066,9 @@ export class AgentManager {
    */
   private async fetchAgentName(port: number): Promise<string> {
     try {
+      const headers = getDesktopApiHeaders();
       const response = await fetch(`http://127.0.0.1:${port}/api/agents`, {
+        headers,
         signal: AbortSignal.timeout(5_000),
       });
       if (response.ok) {

scripts/electrobun-release-workflow-drift.test.ts

@@ -187,6 +187,22 @@ describe("Electrobun release workflow drift", () => {
     expect(workflow).not.toContain('bun install -g "rcedit@4.0.1"');
   });
 
+  it("treats auth-protected health probes as valid smoke-test success on every desktop platform", () => {
+    const windowsScript = fs.readFileSync(WINDOWS_SMOKE_PATH, "utf8");
+    const macScript = fs.readFileSync(MACOS_SMOKE_SCRIPT_PATH, "utf8");
+
+    expect(windowsScript).toContain("function Test-BackendProbeStatus");
+    expect(windowsScript).toContain(
+      "return $StatusCode -eq 200 -or $StatusCode -eq 401",
+    );
+    expect(windowsScript).toContain("-SkipHttpErrorCheck");
+
+    expect(macScript).toContain("backend_health_probe_satisfied()");
+    expect(macScript).toContain(
+      '[[ "$status" == "200" || "$status" == "401" ]]',
+    );
+  });
+
   it("stages the desktop bundle before restoring local electrobun caches", () => {
     const workflow = fs.readFileSync(WORKFLOW_PATH, "utf8");
     const stageIndex = workflow.indexOf("name: Stage desktop bundle inputs");

scripts/release-check.ts

@@ -557,6 +557,8 @@ function assertWindowsSmokeScriptHasLeadingParamBlock() {
     "Waiting for health endpoint at http://(?:localhost|127\\.0\\.0\\.1):",
     "$handler.UseProxy = $false",
     '--noproxy "127.0.0.1"',
+    "function Test-BackendProbeStatus",
+    "-SkipHttpErrorCheck",
     "Dump-PortDiagnostics",
     "Dump-ProcessDiagnostics",
     "Dump-FailureDiagnostics",
@@ -617,6 +619,8 @@ function assertMacSmokeScriptLaunchesPackagedLauncherDirectly() {
     'echo "Packaged renderer asset check PASSED (wrapper archive)."',
     'echo "Launcher: $' + "{LAUNCHER_PATH:-<unset>}" + '"',
     'local launcher_stdout="$' + "{LAUNCHER_STDOUT:-}" + '"',
+    "backend_health_probe_satisfied()",
+    '[[ "$status" == "200" || "$status" == "401" ]]',
     "Launcher exited before the first health probe; continuing to wait for packaged app handoff...",
     'dump_failure_diagnostics "backend startup log reported a failure"',
     'dump_failure_diagnostics "backend never reported a started port"',