Skip to content

fix: conditionally set --share team:edit based on task ownership#66

Merged
ianhodge merged 1 commit intomainfrom
oz-agent/fix-team-share-user-owned-tasks
May 5, 2026
Merged

fix: conditionally set --share team:edit based on task ownership#66
ianhodge merged 1 commit intomainfrom
oz-agent/fix-team-share-user-owned-tasks

Conversation

@ianhodge
Copy link
Copy Markdown
Member

@ianhodge ianhodge commented May 5, 2026

Problem

When "Team visible" is unchecked in the Oz web app, self-hosted worker agents
fail to start every time. This is a 100% repro on the K8s backend.

Root Cause

The oz-agent-worker hardcodes --share team:edit in the CLI args for every
task (worker.go:395). When "Team visible" is unchecked:

  1. The server creates the task with UserPermissionSubject ownership
  2. GenerateAPIKeyForTask produces a user-scoped per-task API key
  3. The oz CLI authenticates with this user-scoped key and tries to set up
    team-level session sharing via --share team:edit
  4. This fails because the user-scoped key cannot create team-scoped sessions

Solution

  • Add a TaskOwner type to the worker's Task struct to deserialize the
    owner field the server already sends in the TaskAssignmentMessage
  • Conditionally emit --share team:edit only when owner.Type == "TEAM"
  • User-owned tasks skip team sharing, letting the session stay user-scoped

No server-side changes needed — the server already serializes Task.Owner
in the WebSocket assignment payload.

Testing

  • Added unit tests for team-owned, user-owned, and nil-owner cases
  • All existing tests pass (go test ./...)

Conversation: https://staging.warp.dev/conversation/5d0d24f7-28ac-4621-9f24-e337039d989a
Run: https://oz.staging.warp.dev/runs/019dfa3a-1ee9-7d99-8eb8-f1c1081a10a9
This PR was generated with Oz.

@ianhodge @oz-agent
fix: conditionally set --share team:edit based on task ownership
76e80b6 
When "Team visible" is unchecked in the Oz web app, the task is created
with user ownership and a user-scoped API key. The hardcoded
--share team:edit flag caused the oz CLI to fail on startup because the
user-scoped key cannot set up team-level session sharing.

This change:
- Adds a TaskOwner type to the worker's Task struct so the worker can
  see whether a task is team-owned or user-owned (the server already
  serializes this in the TaskAssignmentMessage).
- Conditionally emits --share team:edit only for team-owned tasks.
  User-owned tasks skip team sharing, letting the session stay
  user-scoped.

Co-Authored-By: Oz <oz-agent@warp.dev>
@ianhodge ianhodge requested a review from a team May 5, 2026 22:53
@ianhodge ianhodge marked this pull request as ready for review May 5, 2026 22:53
@ianhodge ianhodge merged commit 881a2ea into main May 5, 2026
8 checks passed
@ianhodge ianhodge deleted the oz-agent/fix-team-share-user-owned-tasks branch May 5, 2026 23:36
bnavetta
bnavetta reviewed May 6, 2026
View reviewed changes
Comment thread internal/worker/worker.go
// Only share with the team when the task is team-owned. User-owned tasks
// (created with "Team visible" unchecked) use user-scoped API keys that
// cannot set up team-level session sharing.
if task.Owner.IsTeamOwned() {
Copy link
Copy Markdown
Collaborator

@bnavetta bnavetta May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The --share team:edit flag should add a team guest to the session - we hardcode this for Warp-hosted tasks as well.

I think this will result in the shared session links for user-owned runs being inaccessible to their teammates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bnavetta bnavetta bnavetta left review comments

@captainsafia captainsafia captainsafia approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ianhodge @bnavetta @captainsafia