Summary
ax token mint <agent> --create and ax agents create <agent> both 500 against a current dev/staging backend (local stack, axmarketplace_dev, alembic @ merge_heads_2026_04_11). Two different DB check constraints reject the insert depending on which API path the CLI takes.
Reproduction
Against a local backend on dev/staging with a valid user PAT (axp_u_):
Path 1 — management endpoint (via ax token mint --create):
$ ax token mint night_owl_local --env local --profile local-night_owl --create --no-print-token
Resolving agent 'night_owl_local'...
Agent 'night_owl_local' not found. Creating...
Error 500: Server error
URL: http://localhost:8001/agents/manage/create
Backend log:
CheckViolationError: new row for relation "agents" violates check constraint "ck_valid_origin"
Path 2 — legacy endpoint (via ax agents create):
$ ax agents create night_owl_local --space-id a632f74e-... -d "..."
Error 500: Server error
URL: http://localhost:8001/api/v1/agents
Backend log:
CheckViolationError: new row for relation "agents" violates check constraint "ck_agents_user_owner"
Analysis
- CLI sends a minimal body (
{name, description, space_id}) — see ax_cli/client.py create_agent (line 609) and mgmt_create_agent (line 750).
- DB has
ck_valid_origin CHECK (origin IN ('space_agent','cloud','external_gateway','agentcore','mcp')) and a separate ck_agents_user_owner.
- Column default is
origin = 'cloud' (valid) — so the management endpoint is explicitly setting a bad origin somewhere server-side.
- The legacy
/api/v1/agents path doesn't populate owner_user_id / owner_space_id, violating ck_agents_user_owner.
Impact
- Not security. DB correctly refused both inserts; no data written, no tokens minted.
- UX: the documented CLI bootstrap flow (`ax token mint --create`) is broken for any fresh agent name on dev/staging. Users must fall back to picking an existing agent.
Likely fix
Backend-side — both /agents/manage/create and /api/v1/agents need to:
- Accept origin (or default to
'mcp' for CLI-created agents) consistent with ck_valid_origin.
- Populate
owner_user_id + owner_space_id from the authenticated principal.
CLI-side: could also explicitly send origin: "mcp" once the server contract is clarified.
Environment
- Branch:
dev/staging (ax-cli, ax-backend, ax-agents, ax-frontend, ax-mcp-server all at dev/staging tips as of 2026-04-18)
- Backend alembic:
merge_heads_2026_04_11
- CLI: installed from
~/claude_home/ax-cli editable
Summary
ax token mint <agent> --createandax agents create <agent>both 500 against a currentdev/stagingbackend (local stack,axmarketplace_dev, alembic @merge_heads_2026_04_11). Two different DB check constraints reject the insert depending on which API path the CLI takes.Reproduction
Against a local backend on
dev/stagingwith a valid user PAT (axp_u_):Path 1 — management endpoint (via
ax token mint --create):Backend log:
Path 2 — legacy endpoint (via
ax agents create):Backend log:
Analysis
{name, description, space_id}) — seeax_cli/client.pycreate_agent(line 609) andmgmt_create_agent(line 750).ck_valid_origin CHECK (origin IN ('space_agent','cloud','external_gateway','agentcore','mcp'))and a separateck_agents_user_owner.origin = 'cloud'(valid) — so the management endpoint is explicitly setting a bad origin somewhere server-side./api/v1/agentspath doesn't populateowner_user_id/owner_space_id, violatingck_agents_user_owner.Impact
Likely fix
Backend-side — both
/agents/manage/createand/api/v1/agentsneed to:'mcp'for CLI-created agents) consistent withck_valid_origin.owner_user_id+owner_space_idfrom the authenticated principal.CLI-side: could also explicitly send
origin: "mcp"once the server contract is clarified.Environment
dev/staging(ax-cli, ax-backend, ax-agents, ax-frontend, ax-mcp-server all atdev/stagingtips as of 2026-04-18)merge_heads_2026_04_11~/claude_home/ax-clieditable