feat(auth): enforce API key for agent validation; propagate displayName in backend and client; remove startup agent display and defer to validation

🤖 Generated with Codebuff
Co-Authored-By: Codebuff <noreply@codebuff.com>

Author: brandonkachen

backend/src/api/agents.ts

@@ -15,7 +15,12 @@ import type {
 const AGENT_VALIDATION_CACHE_TTL_MS = 5 * 60 * 1000 // 5 minutes
 
 type CacheEntry = {
-  result: { valid: true; source?: string; normalizedId?: string }
+  result: {
+    valid: true
+    source?: string
+    normalizedId?: string
+    displayName?: string
+  }
   expiresAt: number
 }
 
@@ -35,15 +40,11 @@ export async function validateAgentNameHandler(
   try {
     // Check for x-codebuff-api-key header for authentication
     const apiKey = extractAuthTokenFromHeader(req)
-
-    if (apiKey) {
-      logger.debug(
-        {
-          hasApiKey: true,
-          agentId: req.query.agentId,
-        },
-        'Agent validation request with API key authentication',
-      )
+    if (!apiKey) {
+      return res.status(403).json({
+        valid: false,
+        message: 'API key required',
+      })
     }
 
     // Parse from query instead (GET)
@@ -60,11 +61,13 @@ export async function validateAgentNameHandler(
     }
 
     // Check built-in agents first
-    if (AGENT_PERSONAS[agentId as keyof typeof AGENT_PERSONAS]) {
+    const persona = AGENT_PERSONAS[agentId as keyof typeof AGENT_PERSONAS]
+    if (persona) {
       const result = {
         valid: true as const,
         source: 'builtin',
         normalizedId: agentId,
+        displayName: persona.displayName,
       }
       agentValidationCache.set(agentId, {
         result,
@@ -80,6 +83,7 @@ export async function validateAgentNameHandler(
         valid: true as const,
         source: 'published',
         normalizedId: found.id,
+        displayName: found.displayName,
       }
       agentValidationCache.set(agentId, {
         result,

npm-app/src/cli.ts

@@ -633,17 +633,8 @@ export class CLI {
       if (client.user) {
         displayGreeting(this.costMode, client.user.name)
 
-        // Show selected agent when provided via --agent
-        if (this.agent) {
-          try {
-            const localAgentInfo = await getLocalAgentInfo()
-            const agentDisplayName = getAgentDisplayName(
-              this.agent,
-              localAgentInfo,
-            )
-            console.log(green(`\nAgent: ${bold(agentDisplayName)}`))
-          } catch {}
-        }
+        // Agent name will be displayed by validateAgent when resolved
+        // No need to display here to avoid race conditions
       } else {
         console.log(
           `Welcome to Codebuff! Give us a sec to get your account set up...`,

npm-app/src/index.ts

@@ -3,7 +3,7 @@
 import { type CostMode } from '@codebuff/common/constants'
 import { AnalyticsEvent } from '@codebuff/common/constants/analytics-events'
 import { Command, Option } from 'commander'
-import { red, yellow, bold } from 'picocolors'
+import { red, yellow, green, bold } from 'picocolors'
 
 import { displayLoadedAgents, loadLocalAgents } from './agents/load-agents'
 import { CLI } from './cli'
@@ -34,7 +34,7 @@ import type { CliOptions } from './types'
 export async function validateAgent(
   agent: string,
   localAgents?: Record<string, any>,
-): Promise<void> {
+): Promise<string | undefined> {
   const agents = localAgents ?? {}
 
   // if local agents are loaded, they're already validated
@@ -55,9 +55,20 @@ export async function validateAgent(
       method: 'GET',
       headers,
     })
-    const data: { valid?: boolean } = await resp.json().catch(() => ({}) as any)
-
-    if (resp.ok && data.valid) return
+    // Include optional fields from backend, notably displayName
+    const data: {
+      valid?: boolean
+      normalizedId?: string
+      displayName?: string
+    } = await resp.json().catch(() => ({}) as any)
+
+    if (resp.ok && data.valid) {
+      // Console log the agent name immediately when resolved
+      if (data.displayName) {
+        console.log(green(`\nAgent: ${bold(data.displayName)}`))
+      }
+      return data.displayName
+    }
 
     if (resp.ok && !data.valid) {
       console.error(red(`\nUnknown agent: ${bold(agent)}. Exiting.`))
@@ -72,6 +83,7 @@ export async function validateAgent(
   } finally {
     Spinner.get().stop()
   }
+  return undefined
 }
 
 async function codebuff({
@@ -102,7 +114,7 @@ async function codebuff({
   // Ensure validation runs strictly after local agent load/display
   const loadAndValidatePromise: Promise<void> = loadLocalAgents({
     verbose: true,
-  }).then((agents) => {
+  }).then(async (agents) => {
     validateAgentDefinitionsIfAuthenticated(Object.values(agents))
 
     const codebuffConfig = loadCodebuffConfig()
@@ -111,7 +123,7 @@ async function codebuff({
       return
     }
 
-    return validateAgent(agent, agents)
+    await validateAgent(agent, agents)
   })
 
   const readyPromise = Promise.all([