Skip to content

fix: allow preview chat with agents #17862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Dakuan wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

fix: allow preview chat with agents #17862

Dakuan wants to merge 6 commits into from

Conversation

@Dakuan
Copy link
Contributor

@Dakuan Dakuan commented Jan 26, 2026
edited by cubic-dev-ai bot
Loading

Summary by cubic

Allow preview chat with agents in the builder. Adds a guarded preview mode for transient chats so builders can test agents without persisting conversations or enabling them.

  • Bug Fixes
    • Chatbox supports a preview flag; builder AgentChatPanel passes it for transient chats.
    • Server permits preview chats for builders in the workspace (non-client) even if the agent is disabled.
    • Updated chat request type to include a preview field.

Written for commit f3cebca. Summary will update on new commits.

@Dakuan
Copy link
Contributor Author

Dakuan commented Jan 26, 2026

@cubic-dev-ai

@cubic-dev-ai
Copy link
Contributor

cubic-dev-ai bot commented Jan 26, 2026

@cubic-dev-ai

@Dakuan I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 4 files

Confidence score: 3/5

  • Preview bypass in packages/server/src/api/controllers/ai/chatConversations.ts skips chatApp agent membership checks, allowing builders to preview any agentId and potentially leak access beyond intended “disabled” scope.
  • Severity is medium (6/10) with plausible user-impacting access control risk, so there’s some merge risk despite otherwise limited scope.
  • Pay close attention to packages/server/src/api/controllers/ai/chatConversations.ts - ensure preview path enforces chatApp membership before allowing access.
Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/server/src/api/controllers/ai/chatConversations.ts">

<violation number="1" location="packages/server/src/api/controllers/ai/chatConversations.ts:217">
P2: The preview bypass skips the chatApp agent membership check. Builders can preview any agentId even if it isn’t configured for the chat app, which is broader than “disabled” and can leak access. Keep the membership check and only bypass the enabled flag.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/s

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Dakuan