Skip to content

fix: remove password prompt#4532

Open
iskhakov wants to merge 5 commits into
mainfrom
new-branch
Open

fix: remove password prompt#4532
iskhakov wants to merge 5 commits into
mainfrom
new-branch

Conversation

@iskhakov
Copy link
Copy Markdown
Contributor

@iskhakov iskhakov commented May 11, 2026
edited by archestra-contributor-pr-bot Bot
Loading

iskhakov added 2 commits May 11, 2026 17:30
@iskhakov
fix(model-router): hide models not linked to mapped API keys
d0babda 
The model router exposed every DB model for the mapped providers,
including ones operators hid via Settings -> Models. Mirror the UI's
/api/llm-models/available scoping by restricting both the /models
listing and route resolution to models linked to the virtual key's
chat API keys.
@iskhakov
feat: drop forced default-admin password change prompt at sign-in
15a7b99 
The persistent sidebar warning still nags users about default credentials;
remove the interstitial change-password card and all of its supporting
plumbing (sessionStorage flag, requiresDefaultPasswordChange payload,
WithAuthCheck exception, e2e helper, test IDs).
@iskhakov iskhakov added the run-e2e add label to run e2e tests on demand on a PR (remove and re-add the label to retrigger) label May 11, 2026
@claude
Copy link
Copy Markdown
Contributor

claude Bot commented May 11, 2026
edited
Loading

Claude encountered an error —— View job

I'll analyze this and get back to you.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 11, 2026

Playwright test results

failed  31 failed
passed  91 passed
flaky  5 flaky
skipped  74 skipped

Details

stats  201 tests across 37 suites
duration  8 minutes, 19 seconds
commit  15a7b99

Failed tests

chromium › agents.spec.ts › can create and delete an agent
chromium › agents.spec.ts › can clone an agent and rename it
firefox › agents.spec.ts › can create and delete an agent
firefox › agents.spec.ts › can clone an agent and rename it
webkit › agents.spec.ts › can create and delete an agent
webkit › agents.spec.ts › can clone an agent and rename it
webkit › invitation.spec.ts › Invitation functionality › can generate invitation link and successfully sign up with it
chromium › static-credentials-management.spec.ts › Verify Manage Credentials dialog shows correct other users credentials
identity-providers › identity-providers.ee.spec.ts › Identity Provider IdP Logout (RP-Initiated Logout) › should terminate IdP session on Archestra sign-out
api › custom-yaml-restart.spec.ts › Custom YAML Spec - Server Restart on YAML Edit › server auto-restarts after custom YAML is edited
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenAI › blocks tool invocation when untrusted data is consumed
api › mcp-enterprise-managed.ee.spec.ts › Enterprise-managed MCP credentials › uses per-user exchanged credentials for agent tool execution
api › mcp-enterprise-managed.ee.spec.ts › Enterprise-managed MCP credentials › uses per-user exchanged credentials for MCP gateway tool execution
api › mcp-enterprise-managed.ee.spec.ts › Enterprise-managed MCP credentials › exchanges an ID-JAG at a remote MCP server before gateway tool execution
api › mcp-gateway-auth-at-call-time.spec.ts › MCP Gateway - Auth at Call Time › returns auth-required error with install URL when caller has no matching credential
api › mcp-gateway-jwks-credential-priority.ee.spec.ts › MCP Gateway - JWKS Credential Resolution Priority › should prefer upstream server credentials over JWT propagation
api › mcp-gateway-jwks-credential-priority.ee.spec.ts › MCP Gateway - JWKS Credential Resolution Priority › should propagate JWT as fallback when no upstream credentials exist
api › mcp-gateway-jwks.ee.spec.ts › MCP Gateway - External IdP JWKS Authentication › should authenticate with external IdP JWT, call tools, and log external identity
api › mcp-gateway-jwks.ee.spec.ts › MCP Gateway - External IdP JWKS Authentication › should reject invalid JWT with 401
api › mcp-gateway-jwks.ee.spec.ts › MCP Gateway - External IdP JWKS Authentication › should fall through to archestra token when profile has no IdP
api › mcp-gateway-jwt-propagation.ee.spec.ts › MCP Gateway - JWT Propagation to Upstream MCP Server › should propagate JWT to upstream MCP server and return user identity from tool call
api › mcp-gateway-jwt-propagation.ee.spec.ts › MCP Gateway - JWT Propagation to Upstream MCP Server › should reject tool call when upstream MCP server rejects invalid JWT
api › mcp-gateway-jwt-propagation.ee.spec.ts › MCP Gateway - JWT Propagation to Upstream MCP Server › should propagate JWT to local K8s-orchestrated MCP server via streamable-http
api › oauth-self-hosted.spec.ts › OAuth for Self-Hosted MCP Servers › remote server: full OAuth flow (initiate → authorize → callback → install)
api › oauth-self-hosted.spec.ts › OAuth for Self-Hosted MCP Servers › local streamable-http server: OAuth flow creates server with correct type
api › oauth-self-hosted.spec.ts › OAuth for Self-Hosted MCP Servers › local stdio server: OAuth token injected via access_token_env_var
api › oauth-self-hosted.spec.ts › OAuth for Self-Hosted MCP Servers › OAuth initiate fails for non-OAuth catalog item
api › orchestrator.spec.ts › Orchestrator - MCP Server Installation and Execution › Remote MCP Server › should install remote MCP server and discover its tools
api › orchestrator.spec.ts › Orchestrator - MCP Server Installation and Execution › Local MCP Server - internal-dev-test-server › should install local MCP server and discover its tools
api › orchestrator.spec.ts › Orchestrator - MCP Server Installation and Execution › Local MCP Server - Docker Image › should install a local MCP server via Docker and discover its tools
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to Kubernetes metadata endpoint (169.254.169.254)

Flaky tests

setup-teams › ../auth.teams.setup.ts › setup teams and assignments
webkit › invitation.spec.ts › Invitation functionality › shows error message when email is invalid
chromium › static-credentials-management.spec.ts › Custom Self-hosted MCP Server - installation and static credentials management (vault disabled, prompt-on-installation disabled) › Admin
identity-providers › identity-providers.ee.spec.ts › Identity Provider Team Sync E2E › should sync user to team based on SSO group membership
quickstart › quickstart.spec.ts › Quickstart › first-time user can add API key and immediately chat

Skipped tests

chromium › agents.spec.ts › can create and delete an LLM proxy
chromium › agents.spec.ts › can create and delete an MCP gateway
firefox › agents.spec.ts › can create and delete an LLM proxy
firefox › agents.spec.ts › can create and delete an MCP gateway
webkit › agents.spec.ts › can create and delete an LLM proxy
webkit › agents.spec.ts › can create and delete an MCP gateway
chromium › chat-auth-required.spec.ts › Chat - Auth Required Tool › surfaces missing credentials guidance when tool call fails due to missing credentials
chromium › chat.spec.ts › Chat-UI-zhipuai › can send a message and receive a response from ZhipuAI
chromium › mcp-install.spec.ts › MCP Install › Custom remote › Bearer Token
chromium › static-credentials-management.spec.ts › Verify tool calling using different static credentials
identity-providers › identity-providers.ee.spec.ts › Identity Provider Role Mapping E2E › should evaluate second rule when first rule does not match
identity-providers › identity-providers.ee.spec.ts › Identity Provider Role Mapping E2E › should map admin group to admin role via OIDC
identity-providers › identity-providers.ee.spec.ts › Identity Provider SAML E2E Flow with Keycloak › should configure SAML provider, login via SSO, update, and delete
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenAI › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenAI › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Anthropic › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Anthropic › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Anthropic › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Gemini › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Gemini › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Gemini › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cohere › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cohere › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cohere › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cerebras › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cerebras › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Cerebras › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Groq › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Groq › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Groq › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-xAI › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-xAI › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-xAI › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Mistral › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Mistral › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Mistral › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-vLLM › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-vLLM › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-vLLM › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Ollama › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Ollama › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Ollama › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Zhipuai › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Zhipuai › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Zhipuai › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Minimax › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Minimax › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Minimax › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-DeepSeek › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-DeepSeek › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-DeepSeek › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Bedrock › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Bedrock › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Bedrock › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenRouter › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenRouter › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-OpenRouter › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure Responses › blocks tool invocation when untrusted data is consumed
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure Responses › allows Archestra MCP server tools in untrusted context
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure Responses › allows regular tool call after Archestra MCP server tool call
api › llm-proxy/tool-invocation.spec.ts › LLMProxy-ToolInvocation-Azure Responses Follow-up Context › blocks tool invocation when prior Azure Responses tool output is untrusted
api › mcp-enterprise-managed.ee.spec.ts › Enterprise-managed MCP credentials › installs a protected remote MCP server without a manual access token
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to cluster-internal service (10.x range)
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to private network (192.168.x.x range)
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to private network (172.16.x.x range)
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to localhost / loopback
api › ssrf-protection.spec.ts › SSRF Protection - NetworkPolicy for MCP Servers › should block SSRF to carrier-grade NAT range (100.64.x.x)
credentials-with-vault › credentials-with-vault.ee.spec.ts › Chat API Keys with Readonly Vault › should create a team scoped chat API key with vault secret
credentials-with-vault › credentials-with-vault.ee.spec.ts › Chat API Keys with Readonly Vault › should create a personal scoped chat API key with vault secret
credentials-with-vault › credentials-with-vault.ee.spec.ts › Test self-hosted MCP server with Readonly Vault › Test self-hosted MCP server with Vault - without prompt on installation
credentials-with-vault › credentials-with-vault.ee.spec.ts › Then we configure vault for Default Team

@iskhakov iskhakov changed the title fix: hide model and fix password prompt fix: remove password prompt May 11, 2026
@iskhakov iskhakov removed the run-e2e add label to run e2e tests on demand on a PR (remove and re-add the label to retrigger) label May 12, 2026
@iskhakov iskhakov added the run-e2e add label to run e2e tests on demand on a PR (remove and re-add the label to retrigger) label May 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

run-e2e add label to run e2e tests on demand on a PR (remove and re-add the label to retrigger)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iskhakov