BYOC: add auth token to byoc worker registration #3878

Merged
ad-astra-video merged 10 commits into livepeer:master from ad-astra-video:byoc-worker-auth
Mar 23, 2026


ad-astra-video (Collaborator) commented Mar 1, 2026

What does this pull request do? Explain your changes. (required)

Add ability for worker to register with an authentication token similar to ai-runner.

Specific updates (required)

  • add token field parsing in json and AuthToken field to ExternalCapability
  • catch 401 errors at Orchestrator and return 500 errors to caller after logging on Orchestrator

How did you test each of these updates (required)

Tested with byoc streaming using the runner-router to apply the auth token

Does this pull request close any open issues?

Checklist:

ad-astra-video changed the title from "add auth token to byoc worker registration" to "BYOC: add auth token to byoc worker registration" on Mar 1, 2026
github-actions bot added the go label (Pull requests that update Go code) on Mar 1, 2026

Copilot AI left a comment


Pull request overview

This PR adds support for an auth_token field in BYOC worker capability registration. When a worker registers a capability with an AuthToken, the orchestrator includes a Bearer token in the Authorization header for all subsequent requests to that worker. If the worker returns HTTP 401, the orchestrator removes the capability so the worker can re-register with a valid token.

Changes:

  • Adds AuthToken string field to ExternalCapability with JSON tag auth_token, and updates RegisterCapability to copy the token on re-registration
  • Injects Authorization: Bearer <token> header in all four outbound paths to workers (processJob, StartStream, StopStream, UpdateStream, and monitorOrchStream)
  • Adds 401-handling logic in processJob and StartStream that removes the capability on auth failure, with accompanying tests

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| core/external_capabilities.go | Adds AuthToken field to ExternalCapability struct and copies it during capability re-registration |
| byoc/job_orchestrator.go | Injects auth header into worker requests in processJob; adds 401 handling that removes the capability and returns HTTP 500 |
| byoc/stream_orchestrator.go | Injects auth header in StartStream, StopStream, UpdateStream, and monitorOrchStream; adds 401 removal logic in StartStream |
| byoc/job_orchestrator_test.go | Adds test verifying 401 from worker triggers capability removal and returns 500 to caller |
| byoc/stream_test.go | Adds test verifying 401 from worker triggers capability removal and returns 401 to caller |



codecov bot commented Mar 1, 2026

Codecov Report

❌ Patch coverage is 53.44828% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 32.88163%. Comparing base (7ce5478) to head (7f2cc3c).
⚠️ Report is 1 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| byoc/stream_orchestrator.go | 46.66667% | 20 Missing and 4 partials ⚠️ |
| byoc/job_orchestrator.go | 75.00000% | 2 Missing and 1 partial ⚠️ |

@@                 Coverage Diff                 @@
##              master       #3878         +/-   ##
===================================================
+ Coverage   32.81005%   32.88163%   +0.07158%     
===================================================
  Files            171         171                 
  Lines          42042       42063         +21     
===================================================
+ Hits           13794       13831         +37     
+ Misses         27212       27191         -21     
- Partials        1036        1041          +5     
| Files with missing lines | Coverage Δ |
| --- | --- |
| core/external_capabilities.go | 27.19298% <100.00000%> (+0.64431%) ⬆️ |
| byoc/job_orchestrator.go | 48.65591% <75.00000%> (+7.77193%) ⬆️ |
| byoc/stream_orchestrator.go | 39.41368% <46.66667%> (+3.38674%) ⬆️ |

... and 2 files with indirect coverage changes




Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.



eliteprox (Collaborator) left a comment

Thanks for the PR! This is a good change which helped protect the AI worker service from unauthorized requests.

Strengths:

  • Refactoring: createWorkerReq() and processWorkerResp() in stream_orchestrator.go reduce duplication.
  • Error handling: 401 responses remove the capability, allowing re-registration.
  • Test coverage: Tests cover 401 scenarios in both job and stream flows.
  • Security: Uses Bearer token format; token presence is logged without exposing the value.

Suggestions

Please address the Race condition in capability access (medium) comment. The others are small nits.

return
}
// set the headers
req.Header.Add("Content-Length", r.Header.Get("Content-Length"))
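
Review bot: the `req.Header.Add("Content-Length", r.Header.Get("Content-Length"))` line copies the inbound caller's Content-Length string onto the outbound worker request without validating it. Go's HTTP client takes the body length from `req.ContentLength` and does not write a `Content-Length` entry placed in `req.Header`, so this line is at best a no-op. Drop it, or set `req.ContentLength = r.ContentLength` if the length must be carried over, and use `Header.Set` rather than `Header.Add` for any other single-valued header set here so a value already present on the request is not duplicated.
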
eliteprox (Collaborator) commented Mar 19, 2026

Header duplication risk (small nit)

Issue: These headers are set after createWorkerReq(), which already sets at least one header (X-Stream-Id).

Recommendation:

  • Content-Length should be set automatically by Go's HTTP client, worth testing to confirm this works as expected. If so, remove Content-Length (let Go handle it) to ensure no duplication.

  • Consider setting all headers within createWorkerReq for maintainability.
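
A sketch of the behaviour the two reviews above describe (Bearer header on worker requests, capability removal on a worker 401, HTTP 500 to the caller as in the job path), added here as an illustration and not code from this PR. `Registry`, `Capability`, `Call` and `worker` are hypothetical names, the worker is an in-process handler instead of a URL, and comparing the token before deleting is one assumed way to avoid removing a capability that re-registered concurrently.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Hypothetical stand-ins; Worker replaces the worker URL so this runs in-process.
type Capability struct{ AuthToken string; Worker http.Handler }
type Registry struct{ mu sync.Mutex; caps map[string]Capability }

// Call forwards one job to the named worker and returns the caller's status.
func (r *Registry) Call(name string) int {
	r.mu.Lock()
	c, ok := r.caps[name] // copy under the lock so a concurrent removal cannot race
	r.mu.Unlock()
	if !ok {
		return http.StatusNotFound
	}
	req := httptest.NewRequest(http.MethodPost, "/job", nil)
	if c.AuthToken != "" {
		req.Header.Set("Authorization", "Bearer "+c.AuthToken) // Set keeps one value
	}
	rec := httptest.NewRecorder()
	c.Worker.ServeHTTP(rec, req)
	if rec.Code != http.StatusUnauthorized {
		return rec.Code
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if cur, ok := r.caps[name]; ok && cur.AuthToken == c.AuthToken {
		delete(r.caps, name) // skip if the worker already re-registered a new token
	}
	return http.StatusInternalServerError // caller sees 500, not the worker's 401
}

// worker is a constructed handler that accepts only "Bearer <token>".
type worker string
func (want worker) ServeHTTP(w http.ResponseWriter, q *http.Request) {
	if q.Header.Get("Authorization") != "Bearer "+string(want) {
		w.WriteHeader(http.StatusUnauthorized)
	}
}

func main() {
	r := &Registry{caps: map[string]Capability{"demo": {"stale", worker("good")}}}
	fmt.Println(r.Call("demo"), r.Call("demo")) // 500 then 404: capability removed
}
```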

ad-astra-video merged commit 507a543 into livepeer:master on Mar 23, 2026
16 of 17 checks passed
ad-astra-video deleted the byoc-worker-auth branch March 23, 2026 11:01