rogerchappel · rogerchappel · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -80,8 +80,8 @@ chore: update dependencies
 
 ## API Changes
 
-- All GET endpoints are public (no auth required)
-- Mutations (POST/PATCH/DELETE) require `Authorization: Bearer <HEARTBEAT_SECRET>` or a valid NextAuth session
+- Most endpoints require a valid NextAuth session; runtime-scoped routes may also accept `Authorization: Bearer <HEARTBEAT_SECRET>` when explicitly documented
+- Public endpoints must be explicitly documented as public
 - Don't break existing API contracts. Existing consumers (crons, agent integrations) depend on them.
 
 ## Testing

diff --git a/e2e/agents.spec.ts b/e2e/agents.spec.ts
@@ -6,17 +6,25 @@ test.describe("Agent management", () => {
     await loginViaApi(request);
   });
 
-  test("GET /api/agents returns seeded agents", async ({ request }) => {
+  test("GET /api/agents returns created agents", async ({ request }) => {
+    const callsign = uniqueName("LISTAG").toUpperCase().replace(/-/g, "");
+    await apiPost(
+      request,
+      "/api/agents",
+      {
+        name: "Listed Agent",
+        callsign,
+        title: "E2E Listed Agent",
+      },
+      { expectStatus: 201 },
+    );
+
     const data = await apiGet(request, "/api/agents");
     expect(data.agents).toBeDefined();
     expect(Array.isArray(data.agents)).toBe(true);
-    // Seed creates 7 agents
-    expect(data.agents.length).toBeGreaterThanOrEqual(7);
 
     const callsigns = data.agents.map((a: { callsign: string }) => a.callsign);
-    expect(callsigns).toContain("Neo");
-    expect(callsigns).toContain("Cipher");
-    expect(callsigns).toContain("Havoc");
+    expect(callsigns).toContain(callsign);
   });
 
   test("POST /api/agents creates a new agent", async ({ request }) => {
@@ -59,10 +67,18 @@ test.describe("Agent management", () => {
   });
 
   test("GET /api/agents/:callsign returns a single agent", async ({ request }) => {
-    const data = await apiGet(request, "/api/agents/Neo");
-    expect(data.callsign).toBe("Neo");
-    expect(data.name).toBe("Neo");
-    expect(data.title).toBe("Chief Revenue Officer");
+    const callsign = uniqueName("GETAG").toUpperCase().replace(/-/g, "");
+    await apiPost(
+      request,
+      "/api/agents",
+      { name: "Get Agent", callsign, title: "Lookup Engineer" },
+      { expectStatus: 201 },
+    );
+
+    const data = await apiGet(request, `/api/agents/${callsign}`);
+    expect(data.callsign).toBe(callsign);
+    expect(data.name).toBe("Get Agent");
+    expect(data.title).toBe("Lookup Engineer");
   });
 
   test("PATCH /api/agents/:callsign updates an agent", async ({ request }) => {
@@ -103,7 +119,15 @@ test.describe("Agent management", () => {
   });
 
   test("GET /api/agents/:callsign/status returns status info", async ({ request }) => {
-    const data = await apiGet(request, "/api/agents/Neo/status");
+    const callsign = uniqueName("STATAG").toUpperCase().replace(/-/g, "");
+    await apiPost(
+      request,
+      "/api/agents",
+      { name: "Status Agent", callsign, title: "Status Engineer" },
+      { expectStatus: 201 },
+    );
+
+    const data = await apiGet(request, `/api/agents/${callsign}/status`);
     // Status endpoint returns running state info
     expect(data).toHaveProperty("status");
   });

diff --git a/e2e/api-auth.spec.ts b/e2e/api-auth.spec.ts
@@ -2,24 +2,52 @@ import { test, expect } from "@playwright/test";
 import { uniqueName, loginViaApi } from "./helpers";
 
 test.describe("API authentication", () => {
-  test.describe("GETs are publicly accessible", () => {
-    test("GET /api/agents is public", async ({ request }) => {
-      const res = await request.get("/api/agents");
-      expect(res.status()).toBe(200);
-    });
-
-    test("GET /api/tasks is public", async ({ request }) => {
-      const res = await request.get("/api/tasks");
-      expect(res.status()).toBe(200);
-    });
-
-    test("GET /api/projects is public", async ({ request }) => {
-      const res = await request.get("/api/projects");
-      expect(res.status()).toBe(200);
-    });
+  test.describe("business data requires authentication", () => {
+    const protectedGets = [
+      "/api/agents",
+      "/api/agents/NOPE/status",
+      "/api/agents/NOPE/output",
+      "/api/agents/NOPE/output/stream",
+      "/api/tasks",
+      "/api/tasks/00000000-0000-4000-8000-000000000000",
+      "/api/tasks/00000000-0000-4000-8000-000000000000/comments",
+      "/api/tasks/00000000-0000-4000-8000-000000000000/images",
+      "/api/tasks/00000000-0000-4000-8000-000000000000/time-entries",
+      "/api/projects",
+      "/api/projects/00000000-0000-4000-8000-000000000000",
+      "/api/inbox",
+      "/api/inbox/stats",
+      "/api/docs/00000000-0000-4000-8000-000000000000",
+      "/api/time-entries",
+      "/api/blueprints",
+      "/api/blueprints/builtin-startup-founding-team",
+      "/api/skills",
+      "/api/skills/browse",
+      "/api/skills/sync-status",
+      "/api/runtimes",
+      "/api/schedules",
+      "/api/automations/runs?job_id=e2e",
+      "/api/openclaw/agents",
+      "/api/openclaw/bridge/status",
+      "/api/openclaw/health",
+      "/api/openclaw/nodes",
+      "/api/runtime/check",
+      "/api/runtime/status",
+      "/api/cron/triage",
+      "/api/cron/axiom-research",
+    ];
+
+    for (const path of protectedGets) {
+      test(`GET ${path} without auth returns 401`, async ({ request }) => {
+        const res = await request.get(path);
+        expect(res.status()).toBe(401);
+      });
+    }
+  });
 
-    test("GET /api/inbox is public", async ({ request }) => {
-      const res = await request.get("/api/inbox");
+  test.describe("public auth bootstrap endpoints", () => {
+    test("GET /api/health is public", async ({ request }) => {
+      const res = await request.get("/api/health");
       expect(res.status()).toBe(200);
     });
 
@@ -50,22 +78,58 @@ test.describe("API authentication", () => {
     });
 
     test("PATCH /api/tasks/:id without auth returns 401", async ({ request }) => {
-      // First get a real task ID
-      const tasks = await (await request.get("/api/tasks")).json();
-      if (tasks.length > 0) {
-        const res = await request.patch(`/api/tasks/${tasks[0].id}`, {
-          data: { status: "done" },
-        });
-        expect(res.status()).toBe(401);
-      }
+      const res = await request.patch("/api/tasks/00000000-0000-4000-8000-000000000000", {
+        data: { status: "done" },
+      });
+      expect(res.status()).toBe(401);
     });
 
     test("DELETE /api/projects/:id without auth returns 401", async ({ request }) => {
-      const projects = await (await request.get("/api/projects")).json();
-      if (projects.length > 0) {
-        const res = await request.delete(`/api/projects/${projects[0].id}`);
-        expect(res.status()).toBe(401);
-      }
+      const res = await request.delete("/api/projects/00000000-0000-4000-8000-000000000000");
+      expect(res.status()).toBe(401);
+    });
+
+    test("POST /api/runtimes/probe without auth returns 401", async ({ request }) => {
+      const res = await request.post("/api/runtimes/probe", {
+        data: { mode: "paste", config: "{}" },
+      });
+      expect(res.status()).toBe(401);
+    });
+
+    test("PATCH /api/schedules/:id without auth returns 401", async ({ request }) => {
+      const res = await request.patch("/api/schedules/e2e-schedule", {
+        data: { enabled: false },
+      });
+      expect(res.status()).toBe(401);
+    });
+
+    test("PATCH /api/agents/:callsign/skills/:id without auth returns 401", async ({ request }) => {
+      const res = await request.patch("/api/agents/NOPE/skills/00000000-0000-4000-8000-000000000000", {
+        data: { enabled: false },
+      });
+      expect(res.status()).toBe(401);
+    });
+
+    test("DELETE /api/agents/:callsign/skills/:id without auth returns 401", async ({ request }) => {
+      const res = await request.delete("/api/agents/NOPE/skills/00000000-0000-4000-8000-000000000000");
+      expect(res.status()).toBe(401);
+    });
+
+    test("POST /api/agents/access without auth returns 401", async ({ request }) => {
+      const res = await request.post("/api/agents/access", {
+        data: { agentId: "agent", userId: "user" },
+      });
+      expect(res.status()).toBe(401);
+    });
+
+    test("DELETE /api/agents/access/:id without auth returns 401", async ({ request }) => {
+      const res = await request.delete("/api/agents/access/00000000-0000-4000-8000-000000000000");
+      expect(res.status()).toBe(401);
+    });
+
+    test("POST /api/runtime/check without auth returns 401", async ({ request }) => {
+      const res = await request.post("/api/runtime/check");
+      expect(res.status()).toBe(401);
     });
   });
 

diff --git a/e2e/chat-inbox.spec.ts b/e2e/chat-inbox.spec.ts
@@ -167,6 +167,8 @@ test.describe("Inbox", () => {
 
 test.describe("Chat sessions", () => {
   let companyId: string;
+  let sessionAgentCallsign: string;
+  let listAgentCallsign: string;
 
   test.beforeAll(async ({ request }) => {
     await loginViaApi(request);
@@ -180,6 +182,20 @@ test.describe("Chat sessions", () => {
       });
       companyId = company.id;
     }
+
+    sessionAgentCallsign = uniqueName("CHATAG").toUpperCase().replace(/-/g, "");
+    listAgentCallsign = uniqueName("CHATLIST").toUpperCase().replace(/-/g, "");
+
+    await apiPost(request, "/api/agents", {
+      name: "Chat Agent",
+      callsign: sessionAgentCallsign,
+      title: "Chat Tester",
+    });
+    await apiPost(request, "/api/agents", {
+      name: "Chat List Agent",
+      callsign: listAgentCallsign,
+      title: "Chat List Tester",
+    });
   });
 
   test.beforeEach(async ({ request }) => {
@@ -188,20 +204,20 @@ test.describe("Chat sessions", () => {
 
   test("POST /api/chat/sessions creates a session", async ({ request }) => {
     const res = await apiPost(request, "/api/chat/sessions", {
-      agentId: "neo",
+      agentId: sessionAgentCallsign,
       companyId,
       title: uniqueName("E2E-Chat"),
     });
 
     expect(res.session).toBeDefined();
-    expect(res.session.agentId).toBe("neo");
+    expect(res.session.agentId).toBe(sessionAgentCallsign.toLowerCase());
     expect(res.session.companyId).toBe(companyId);
   });
 
   test("GET /api/chat/sessions lists sessions for company", async ({ request }) => {
     // Create a session first
     await apiPost(request, "/api/chat/sessions", {
-      agentId: "cipher",
+      agentId: listAgentCallsign,
       companyId,
     });
 
@@ -215,7 +231,13 @@ test.describe("Chat sessions", () => {
   });
 
   test("GET /api/chat/sessions filters by agentId", async ({ request }) => {
-    const agentId = `e2echat${Date.now()}`;
+    const agentId = uniqueName("FILTERCHAT").toUpperCase().replace(/-/g, "");
+    await apiPost(request, "/api/agents", {
+      name: "Filter Chat Agent",
+      callsign: agentId,
+      title: "Filter Chat Tester",
+    });
+
     await apiPost(request, "/api/chat/sessions", {
       agentId,
       companyId,
@@ -227,7 +249,7 @@ test.describe("Chat sessions", () => {
     );
     expect(res.sessions).toBeDefined();
     for (const s of res.sessions) {
-      expect(s.agentId).toBe(agentId);
+      expect(s.agentId).toBe(agentId.toLowerCase());
     }
   });
 });
diff --git a/e2e/helpers.ts b/e2e/helpers.ts
@@ -13,10 +13,8 @@ export const TEST_USER = {
 };
 
 /**
- * Bearer token for agent/system auth. Falls back to a test-only value when
- * HEARTBEAT_SECRET is not set (PGlite dev mode still accepts it if the env
- * var is unset, because `requireAuth` skips the bearer check when
- * `expectedToken` is falsy — so session auth is the fallback).
+ * Bearer token for agent/system auth. Tests that exercise valid bearer auth
+ * should skip when HEARTBEAT_SECRET is not configured.
  */
 export const BEARER_TOKEN = process.env.HEARTBEAT_SECRET ?? "e2e-test-secret";
 

diff --git a/e2e/projects.spec.ts b/e2e/projects.spec.ts
@@ -6,15 +6,17 @@ test.describe("Projects CRUD", () => {
     await loginViaApi(request);
   });
 
-  test("GET /api/projects returns seeded projects", async ({ request }) => {
+  test("GET /api/projects returns created projects", async ({ request }) => {
+    const firstName = uniqueName("E2E-ListProject-A");
+    const secondName = uniqueName("E2E-ListProject-B");
+    await apiPost(request, "/api/projects", { name: firstName });
+    await apiPost(request, "/api/projects", { name: secondName });
+
     const projects = await apiGet(request, "/api/projects");
     expect(Array.isArray(projects)).toBe(true);
-    // Seed creates 3 projects: CrewCmd, Product Launch, Content Pipeline
-    expect(projects.length).toBeGreaterThanOrEqual(3);
     const names = projects.map((p: { name: string }) => p.name);
-    expect(names).toContain("CrewCmd");
-    expect(names).toContain("Product Launch");
-    expect(names).toContain("Content Pipeline");
+    expect(names).toContain(firstName);
+    expect(names).toContain(secondName);
   });
 
   test("POST /api/projects creates a new project", async ({ request }) => {

diff --git a/e2e/tasks.spec.ts b/e2e/tasks.spec.ts
@@ -6,10 +6,17 @@ test.describe("Tasks lifecycle", () => {
     await loginViaApi(request);
   });
 
-  test("GET /api/tasks returns seeded tasks", async ({ request }) => {
+  test("GET /api/tasks returns created tasks", async ({ request }) => {
+    const firstTitle = uniqueName("E2E-ListTask-A");
+    const secondTitle = uniqueName("E2E-ListTask-B");
+    await apiPost(request, "/api/tasks", { title: firstTitle, status: "inbox" });
+    await apiPost(request, "/api/tasks", { title: secondTitle, status: "queued" });
+
     const tasks = await apiGet(request, "/api/tasks");
     expect(Array.isArray(tasks)).toBe(true);
-    expect(tasks.length).toBeGreaterThanOrEqual(8);
+    const titles = tasks.map((task: { title: string }) => task.title);
+    expect(titles).toContain(firstTitle);
+    expect(titles).toContain(secondTitle);
   });
 
   test("POST /api/tasks creates a task in inbox", async ({ request }) => {

diff --git a/skills/crewcmd/SKILL.md b/skills/crewcmd/SKILL.md
@@ -10,7 +10,7 @@ CrewCmd is the task board, inbox, and agent management backend. All task operati
 ## Connection
 
 - **Base URL:** Provided via `CREWCMD_URL` env var, or defaults to `https://localhost:3000`
-- **Auth:** `Authorization: Bearer <HEARTBEAT_SECRET>` for mutations. GETs are public.
+- **Auth:** Send `Authorization: Bearer <HEARTBEAT_SECRET>` for runtime-enabled API calls. Include `X-CrewCMD-Runtime-Id` and `workspaceId` or `companyId` when listing workspace data.
 - Use `-k` flag with curl (self-signed TLS in local dev).
 
 ## Task Lifecycle

diff --git a/src/app/api/agents/[callsign]/output/route.ts b/src/app/api/agents/[callsign]/output/route.ts
@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { runtime } from "@/lib/agent-runtime";
 import { resolveReadableAgentByCallsign } from "@/lib/agent-route-auth";
+import { requireUserOrRuntimeAuth } from "@/lib/require-auth";
 
 export const dynamic = "force-dynamic";
 
@@ -10,6 +11,9 @@ interface RouteParams {
 
 /** GET /api/agents/[callsign]/output — Get the output buffer for an agent */
 export async function GET(request: NextRequest, { params }: RouteParams) {
+  const authError = await requireUserOrRuntimeAuth(request);
+  if (authError) return authError;
+
   const { callsign } = await params;
   const agent = await resolveReadableAgentByCallsign(callsign, request);