fix: cross-origin credentials not sent on agentex-ui API requests #165

Open
sayakmaity wants to merge 1 commit into main from fix/agentex-ui-cross-origin-credentials
sayakmaity commented Mar 17, 2026

Summary

  • Fixes cross-origin 401 errors on chat.dev-sgp.scale.com when making API calls to agentex.dev-sgp.scale.com
  • The agentex SDK's custom fetch option is not applied — the SDK internally calls window.fetch via Shims.getDefaultFetch(), bypassing the wrapper. This means credentials: 'include' was never sent on cross-origin requests.
  • Switches to fetchOptions: { credentials: 'include' } which the SDK properly merges into every request via buildRequest()

Root Cause

The system-manager-config secret has urls.agentexBackend = agentex.dev-sgp.scale.com, causing the pack template to set apiBaseUrl to a cross-origin URL. Without credentials: 'include', the browser doesn't send auth cookies on these cross-origin fetch requests, resulting in 401s.

Additionally, the agentex backend's middleware ordering means 401 responses don't include CORS headers (AgentexAuthMiddleware runs before CORSMiddleware), which causes the browser to report CORS errors instead of 401s — masking the real issue.

Test plan

  • Deploy to dev-sgp and verify chat.dev-sgp.scale.com loads agents successfully
  • Verify cross-origin fetch requests to agentex.dev-sgp.scale.com include Cookie header
  • Verify no CORS errors in browser console

Fixes SGPINF-1217

Greptile Summary

This PR fixes cross-origin authentication failures on chat.dev-sgp.scale.com by correcting how credentials: 'include' is passed to the Agentex SDK client. The previous approach wrapping fetch was silently bypassed — the SDK internally uses Shims.getDefaultFetch() (i.e. window.fetch) rather than the provided fetch option, so cookies were never included in cross-origin requests, resulting in 401 errors.

Key changes:

  • Removes the dead-code custom fetch wrapper in AgentexProvider that was never actually invoked by the SDK.
  • Replaces it with fetchOptions: { credentials: 'include' }, which the SDK correctly merges into every outbound request (including streaming/SSE requests via buildRequest()).
  • The fix is minimal (5 lines removed, 1 line added) and self-contained to agentex-provider.tsx.

Confidence Score: 5/5

  • Safe to merge — a single-file fix that removes broken dead code and replaces it with the correct SDK API.
  • The change is minimal, well-reasoned, and directly addresses a documented SDK behavior. The old fetch wrapper was provably ineffective (the SDK bypasses it). The new fetchOptions approach is the standard pattern for Stainless-generated SDKs and will correctly attach credentials to all requests including streaming ones. No edge cases or regressions are introduced.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| agentex-ui/components/providers/agentex-provider.tsx | Replaces a non-functional custom fetch wrapper with fetchOptions: { credentials: 'include' }, which is properly merged by the SDK into every request. Clean, minimal fix with no new issues introduced. |

Sequence Diagram

sequenceDiagram
    participant Browser as Browser (chat.dev-sgp)
    participant SDK as AgentexSDK
    participant Backend as agentex.dev-sgp (API)

    Note over Browser,Backend: Before fix — credentials never sent
    Browser->>SDK: new AgentexSDK({ fetch: customWrapper })
    SDK->>Backend: window.fetch(url) — bypasses customWrapper, no Cookie header
    Backend-->>SDK: 401 Unauthorized (no CORS header → masked as CORS error)
    SDK-->>Browser: CORS error in console

    Note over Browser,Backend: After fix — credentials always sent
    Browser->>SDK: new AgentexSDK({ fetchOptions: { credentials: 'include' } })
    SDK->>Backend: window.fetch(url, { credentials: 'include' }) — Cookie header included
    Backend-->>SDK: 200 OK
    SDK-->>Browser: Agents/tasks load successfully

Last reviewed commit: 2c4ac96

…fetch wrapper

The SDK's custom `fetch` option is not properly applied — the SDK calls
window.fetch directly via Shims.getDefaultFetch(), bypassing the wrapper.
This means `credentials: 'include'` was never sent on cross-origin requests
from chat.dev-sgp.scale.com to agentex.dev-sgp.scale.com, causing 401s.

The SDK does support `fetchOptions` which is properly merged into every
request via the buildRequest() method. Switch to using that instead.

Fixes SGPINF-1217
@sayakmaity sayakmaity marked this pull request as ready for review March 17, 2026 02:15
@sayakmaity sayakmaity requested a review from a team as a code owner March 17, 2026 02:15
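
The masking effect described under Root Cause, as an added example that is not code from this PR, the agentex backend or the SDK: a simplified model of a middleware stack and of the browser's CORS check on a cross-origin response (preflight is not modelled). The origin, the cookie value and the names `auth`, `cors`, `run`, `browserView` and `simulate` are constructed for the illustration.

```javascript
// Added illustration; hypothetical names, not the agentex backend's middleware.
const UI_ORIGIN = 'https://chat.example.test'; // constructed origin

// Middleware shape: (req, next) => response. First in the stack is outermost.
const auth = (req, next) =>
  req.headers.cookie ? next(req) : { status: 401, headers: {} };

const cors = (req, next) => {
  const res = next(req);
  if (req.headers.origin === UI_ORIGIN) {
    res.headers['access-control-allow-origin'] = UI_ORIGIN;
    res.headers['access-control-allow-credentials'] = 'true';
  }
  return res;
};

const handler = () => ({ status: 200, headers: {} });

function run(stack, req) {
  const call = (i, r) =>
    i === stack.length ? handler(r) : stack[i](r, (n) => call(i + 1, n));
  return call(0, req);
}

// What page script can observe for a cross-origin response (CORS check).
function browserView(req, res) {
  const acao = res.headers['access-control-allow-origin'];
  const withCreds = req.credentials === 'include';
  // A wildcard origin is only acceptable when no credentials are involved.
  const originOk = acao === req.headers.origin || (acao === '*' && !withCreds);
  const credsOk = !withCreds || res.headers['access-control-allow-credentials'] === 'true';
  return originOk && credsOk
    ? `status ${res.status}`
    : 'TypeError: CORS blocked (status hidden)';
}

// Cookies go on a cross-origin fetch only with credentials: 'include';
// the default mode ('same-origin') omits them.
function simulate(stack, credentials) {
  const headers = { origin: UI_ORIGIN };
  if (credentials === 'include') headers.cookie = 'session=constructed';
  const req = { headers, credentials };
  return browserView(req, run(stack, req));
}
```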