fix(cli): connector run uses agent API origin, not memory MCP URL

[buremba]

Summary

lobu connector run was building its REST URL from getMemoryUrl(), which defaults to https://lobu.ai/mcp. The origin collapsed to https://lobu.ai — the marketing site — so every hosted-prod user ran into:

Error: GET https://lobu.ai/api/buremba/connector-run/auth-profile/<slug> → 404 — <!DOCTYPE html>…

The connector-run REST routes live on the main app (/api/:orgSlug/connector-run/*), same origin as the agent API URL configured per context. Switch to resolveContext().apiUrl and everything resolves correctly on every configured context (community.lobu.ai, app.lobu.ai, local dev).

--url remains an explicit override but now requires LOBU_API_TOKEN — we refuse to forward the context's stored credentials to a URL the user typed on the command line.

Repro before the fix

$ lobu connector run revolut --auth-profile google-chrome-burak-emre --check
Error: GET https://lobu.ai/api/buremba/connector-run/auth-profile/google-chrome-burak-emre → 404 — <!DOCTYPE html>…

After:

$ lobu connector run revolut --auth-profile google-chrome-burak-emre --check
Resolved auth profile 'google-chrome-burak-emre' (browser_session, status=active)
✓ All resolved. Re-run without --check to execute.

Test plan

• Manual e2e against prod (community.lobu.ai origin) with stored credentials — --check resolves, profile returns
• Manual e2e with --url https://app.lobu.ai + LOBU_API_TOKEN — works
• --url without LOBU_API_TOKEN — explicit error, no silent credential forwarding
• bun test packages/cli — 114 tests pass

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Fixed incorrect API endpoint routing in the connector-run command to ensure requests reach the correct destination.
  • Strengthened authentication: when using the --url flag, you must now provide an explicit API token instead of relying on stored credentials.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: aeaa7e65-bc04-48cc-80bf-2b68c42297ba

📥 Commits

Reviewing files that changed from the base of the PR and between 1400eb6 and 7be89db.

📒 Files selected for processing (1)

• packages/cli/src/commands/_lib/connector-run-cmd.ts

---

📝 Walkthrough

Walkthrough

Refactored connector-run-cmd.ts to resolve API origin and authentication context via resolveContext() instead of prior MCP-based server URL derivation. Updated imports, reworked the apiBaseFrom helper to accept agent API URL, and implemented token guardrails requiring explicit LOBU_API_TOKEN when --url is provided, removing legacy code paths.

Changes

Connector-run context and auth resolution

Layer / File(s)

Summary

API resolution and token handling refactor packages/cli/src/commands/_lib/connector-run-cmd.ts

Imports resolveContext instead of resolveServerUrl; updates apiBaseFrom helper to accept agentApiUrl and extract origin for main app routing; refactors connectorRun to resolve context via resolveContext(), compute apiBase from either --url (origin-only) or resolved context's apiUrl, enforce token guardrail requiring LOBU_API_TOKEN when --url is provided, and call getUsableToken with resolved context name; removes legacy baseMcpUrl-dependent apiBase assignment.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 Through context we route with care,
Tokens guarded, credentials spare,
API base now finds its way,
To the main app's rightful place to stay!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main fix: switching from the memory MCP URL to the agent API origin for connector run REST calls.
Description check	✅ Passed	The description includes a clear Summary section, a detailed Test plan with all items checked, and comprehensive Notes covering the issue, fix, and reproducible examples.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cli-connector-run-url

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/cli/src/commands/_lib/connector-run-cmd.ts (1)

183-201: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

When --url overrides the backend, require --org or skip context-based org fallback.

Line 201 still resolves orgSlug from resolvedContextName, and when LOBU_API_TOKEN is set alongside --url, that context name comes from the selected context (line 183). This means feed and profile lookups at lines 217 and 243 construct URLs like ${override-url}/api/${context-org}/..., hitting the override host with the wrong organization prefix. Without --org, this produces 404/403 errors.

Either require --org when --url is provided, or skip the context-based org fallback in this override path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/commands/_lib/connector-run-cmd.ts` around lines 183 - 201,
When an explicitUrl override is used (explicitUrl true / user passed --url) and
credentials come from LOBU_API_TOKEN or a selected context, avoid resolving org
from the stored context; instead either require the user to pass --org or skip
context-based fallback by calling resolveOrg with undefined contextName.
Concretely: in the branch where explicitUrl is set (and you may have obtained
token from getUsableToken or LOBU_API_TOKEN), ensure you do not pass
resolvedContextName into resolveOrg — if args.org is empty, throw an error
requiring --org when explicitUrl is present, or call resolveOrg(args.org,
undefined, undefined) so the override host is not combined with the context org;
use variables explicitUrl, args.org, getUsableToken, resolvedContextName and
resolveOrg to implement this conditional behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/web`:
- Line 1: The packages/web submodule is pinned to a commit not reachable from
owletto-web/main; repin the submodule at packages/web to a SHA that is an
ancestor of the submodule's origin/main: fetch the submodule remote, identify a
commit on origin/main that is an ancestor (or use the latest origin/main tip),
check out that commit inside the packages/web working tree, update the
superproject's submodule reference (stage the packages/web change) and commit
the update so the submodule SHA in the superproject points to a reachable
ancestor of origin/main.

---

Outside diff comments:
In `@packages/cli/src/commands/_lib/connector-run-cmd.ts`:
- Around line 183-201: When an explicitUrl override is used (explicitUrl true /
user passed --url) and credentials come from LOBU_API_TOKEN or a selected
context, avoid resolving org from the stored context; instead either require the
user to pass --org or skip context-based fallback by calling resolveOrg with
undefined contextName. Concretely: in the branch where explicitUrl is set (and
you may have obtained token from getUsableToken or LOBU_API_TOKEN), ensure you
do not pass resolvedContextName into resolveOrg — if args.org is empty, throw an
error requiring --org when explicitUrl is present, or call resolveOrg(args.org,
undefined, undefined) so the override host is not combined with the context org;
use variables explicitUrl, args.org, getUsableToken, resolvedContextName and
resolveOrg to implement this conditional behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: af5f5fe6-0acb-4510-a835-5fbcd495ddae

📥 Commits

Reviewing files that changed from the base of the PR and between e7533da and 1400eb6.

📒 Files selected for processing (3)

• packages/cli/src/commands/_lib/connector-run-cmd.ts
• packages/server/src/utils/__tests__/mcp-install-targets.test.ts
• packages/web