fix: AUTH_HEADER abstraction so create-artist + short-video work for both BYOA and sandbox personas (1/3)

[sidneyswift]

The problem

Two skills on main hardcode a single auth header, breaking one customer persona each.

Recoup customers run agents two ways:

• Sandbox (chat.recoupable.com) — auth via Authorization: Bearer $RECOUP_ACCESS_TOKEN
• BYOA (developers.recoupable.com) — auth via x-api-key: $RECOUP_API_KEY

Both authenticate to the same endpoints (verified — the docs explicitly say "x-api-key or Authorization Bearer token" for nearly every endpoint).

Skill	Pre-PR (main)	Persona that breaks	What they see
create-artist	Hardcoded Authorization: Bearer $RECOUP_ACCESS_TOKEN	BYOA users	$RECOUP_ACCESS_TOKEN is empty → Authorization: Bearer (empty token) → HTTP 401 on every step of the 8-call chain
short-video	Hardcoded x-api-key: $RECOUP_API_KEY	Sandbox users	$RECOUP_API_KEY is empty → x-api-key: (empty value) → HTTP 401 on every step

Each skill works for half the customers.

The fix

Set AUTH_HEADER once at the top of each skill from whichever env var is set:

if [ -n "$RECOUP_ACCESS_TOKEN" ]; then
  AUTH_HEADER="Authorization: Bearer $RECOUP_ACCESS_TOKEN"
elif [ -n "$RECOUP_API_KEY" ]; then
  AUTH_HEADER="x-api-key: $RECOUP_API_KEY"
else
  echo "No Recoup auth found. Set RECOUP_API_KEY (BYOA — get a key at developers.recoupable.com) or RECOUP_ACCESS_TOKEN (sandbox)."; exit 1
fi

Then every curl uses -H "$AUTH_HEADER" instead of hardcoding one or the other.

The error message is self-contained — no assumption about another skill being installed, no agent-runtime-specific slash-command syntax. Tells the user exactly what to set + where to get a key.

Files (2)

• skills/create-artist/SKILL.md — single AUTH_HEADER block at top + 14 curl headers swapped to -H "$AUTH_HEADER"
• skills/short-video/SKILL.md — single AUTH_HEADER block in ## Setup (top of file) + 11 curl headers swapped + Prerequisites section references the Setup block via anchor link (no duplication)

2 files, +53 / -32. Same 8-line AUTH_HEADER block in each file.

Verification (live, against prod API)

Test	Endpoint	Result
BYOA on POST /api/artists (create-artist's first call)	api.recoupable.com	HTTP 201 ✓ artist created, then cleaned up
BYOA on GET /api/organizations (used in short-video)	api.recoupable.com	HTTP 200 ✓
BYOA on GET /api/content/templates (short-video manual recipe)	api.recoupable.com	HTTP 200 ✓
BYOA on GET /api/tasks/runs (short-video async polling)	api.recoupable.com	HTTP 500 (Not found for a fake runId — not 401, so auth was accepted) ✓
AUTH_HEADER block resolves Bearer when only RECOUP_ACCESS_TOKEN set	(logic test)	✓
AUTH_HEADER block resolves x-api-key when only RECOUP_API_KEY set	(logic test)	✓

Sandbox (Bearer) path on these specific endpoints not live-tested — would need a Privy access token from a real chat.recoupable.com session (no programmatic way to get one — checked the CLI, the docs, and open-agents). The AUTH_HEADER block is symmetric and Bearer auth is already in production via main's create-artist, so the failure surface is just the bash conditional (verified working).

What this PR is not

• Not the orchestrator. Cache safety, persona detection, routing — all deferred to a separate PR after this lands. Branch feat/orchestrator preserved.
• Not a docs cleanup. recoup research "Drake" example in getting-started and the chart-metric install command fix are deferred (the chart-metric fix waits for feat(marketplace): add unified marketplace machinery (2/3) #25 to land anyway).
• Not the marketplace machinery (feat(marketplace): add unified marketplace machinery (2/3) #25) or catalog plugin (feat(catalog-plugin): import music-catalog-diligence via subtree (3/3) #27).

This PR does one thing: makes create-artist and short-video work for both customer personas.

Merge order

PR 1 of 3. Smallest. Independent of #25 and #27 — can merge anytime.

#	PR	What	Files
1	this PR	AUTH_HEADER abstraction (BYOA + sandbox in 2 skills)	2
2	#25	Marketplace machinery	12
3	#27	Catalog plugin	113

Merge preference

Please merge yourself when satisfied — I'd rather you push the button than approve.

🤖 Made with Cursor

[coderabbitai]

📝 Walkthrough

Walkthrough

Both create-artist and short-video skill workflows now establish a unified $AUTH_HEADER variable once in prerequisites that adapts to either $RECOUP_ACCESS_TOKEN (Bearer format) or $RECOUP_API_KEY (x-api-key format), failing fast if neither is set. All curl examples throughout both workflows replace hardcoded authorization headers with -H "$AUTH_HEADER" for consistency.

Changes

Unified authentication pattern across skill workflows

Layer / File(s)	Summary
Create-artist authentication standardization skills/create-artist/SKILL.md	Prerequisites now define dual-mode Recoup authentication and construct $AUTH_HEADER once. All workflow steps (artist creation, Spotify search, research lookups, catalog fetches, web social search, and socials PATCH) replace hardcoded Bearer headers with -H "$AUTH_HEADER".
Short-video authentication standardization skills/short-video/SKILL.md	Mirrors create-artist's $AUTH_HEADER pattern in prerequisites supporting both Bearer and x-api-key modes. Async pipeline operations (trigger, poll, read), org/artist lookups, and manual walkthrough steps (templates, base image, upscale, video, captions) all switch to -H "$AUTH_HEADER".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• recoupable/skills#14: Updates recoup-api skill documentation to define Bearer token authentication, providing foundational context for the centralized header pattern applied here.
• recoupable/skills#20: Restructures create-artist Chartmetric research steps into /research/lookup/profile/career/playlists/web endpoints—the same endpoints receiving auth header updates in this PR.

Poem

🐰 One header to auth them all,
Bearer or key-paved,
Two skills now heed the call,
Their headers unified, saved.
No more confusion, bright and tall! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: introducing AUTH_HEADER abstraction to make two skills compatible with both authentication modes (BYOA and Sandbox personas).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/broken-skills

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/chart-metric/README.md`:
- Line 18: The header "Vercel skills CLI (works in 18+ agents)" is ambiguous;
update the parenthetical after the header text to a clear phrase that matches
the intent: if you mean compatibility with multiple platforms change it to
"compatible with 18+ AI agent platforms", or if you mean a minimum version
requirement change it to "requires agents v18+"; edit the README header line
that currently contains "works in 18+ agents" to one of those clearer
alternatives (or an equivalent explicit phrase) so readers know whether this is
a platform count or a version requirement.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ba49aa11-689f-41a2-8c9e-1129ca895e59

📥 Commits

Reviewing files that changed from the base of the PR and between 77126f9 and a58fd50.

📒 Files selected for processing (4)

• skills/chart-metric/README.md
• skills/create-artist/SKILL.md
• skills/getting-started/SKILL.md
• skills/short-video/SKILL.md

[cubic-dev-ai]

No issues found across 4 files