Skip to content

Commit 320bf2b

Browse files
authored
fix(cli): agents webhook-secret regenerate sends X-Confirm-Destructive header (Bug cmp03hy9o) (#47)
`cueapi agents webhook-secret regenerate <ref>` was making the POST /v1/agents/{ref}/webhook-secret/regenerate request without the `X-Confirm-Destructive: true` header that the server requires. Result: even after the user typed `y` at the confirmation prompt, the request was rejected HTTP 400 server-side. Surfaced 2026-05-10 from Phase 2 messaging smoke testing — identical bug shape to the one already fixed on `cueapi key webhook-secret regenerate` (which did pass the header). Mirror the existing pattern: pass the header on the httpx POST right after the Y/N confirm clears. Tests: - New `test_agents_webhook_secret_regenerate_sends_destructive_header` pins the header on the wire — same shape as the existing `test_key_webhook_secret_regenerate_sends_destructive_header`.
1 parent 49a6366 commit 320bf2b

2 files changed

Lines changed: 33 additions & 1 deletion

File tree

cueapi/cli.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1662,7 +1662,11 @@ def agents_webhook_secret_regenerate(ctx: click.Context, ref: str, yes: bool) ->
16621662
return
16631663
try:
16641664
with CueAPIClient(api_key=ctx.obj.get("api_key"), profile=ctx.obj.get("profile")) as client:
1665-
resp = client.post(f"/agents/{ref}/webhook-secret/regenerate", json={})
1665+
resp = client.post(
1666+
f"/agents/{ref}/webhook-secret/regenerate",
1667+
json={},
1668+
headers={"X-Confirm-Destructive": "true"},
1669+
)
16661670
if resp.status_code == 200:
16671671
data = resp.json()
16681672
click.echo()

tests/test_cli.py

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -682,6 +682,34 @@ def test_agents_webhook_secret_regenerate_with_yes(monkeypatch):
682682
assert "save now" in result.output.lower() or "shown once" in result.output.lower()
683683

684684

685+
def test_agents_webhook_secret_regenerate_sends_destructive_header(monkeypatch):
686+
"""Pin: `cueapi agents webhook-secret regenerate` MUST send
687+
`X-Confirm-Destructive: true` header — server requires it (Bug
688+
cmp03hy9o, surfaced 2026-05-10 from Phase 2 messaging smoke).
689+
Mirrors the same header pin on `cueapi key webhook-secret regenerate`.
690+
"""
691+
holder: dict = {}
692+
_patch_ws_client(
693+
monkeypatch,
694+
holder,
695+
responses={
696+
("POST", "/agents/agt_x/webhook-secret/regenerate"): lambda: _FakeResp(
697+
200, {"webhook_secret": "wsec_new"}
698+
)
699+
},
700+
)
701+
result = runner.invoke(
702+
main,
703+
["agents", "webhook-secret", "regenerate", "agt_x", "--yes"],
704+
)
705+
assert result.exit_code == 0, result.output
706+
method, path, body, headers = holder["client"].calls[-1]
707+
assert method == "POST"
708+
assert path == "/agents/agt_x/webhook-secret/regenerate"
709+
assert headers == {"X-Confirm-Destructive": "true"}
710+
assert "wsec_new" in result.output
711+
712+
685713
# --- inbox / sent ---
686714

687715

0 commit comments

Comments
 (0)