Stabilize chat transport auth for hosted sandboxes

[chelojimenez]

Summary

• keep useChatSession on a single long-lived AI SDK transport and move mutable chat request config behind a ref
• route chat transport requests through authFetch so hosted sandbox chat uses request-time bearer resolution and guest-token retry
• add regression coverage for AI SDK transport latching in hosted and non-hosted hook tests

Testing

• npm test -- --run client/src/hooks/tests/use-chat-session.hosted.test.tsx
• npm test -- --run client/src/hooks/tests/use-chat-session.minimal-mode.test.tsx
• npm test -- --run client/src/hooks/tests/use-chat-session.fork.test.tsx
• npm test -- --run client/src/lib/tests/session-token.hosted-retry.test.ts
• npm test -- --run client/src/components/hosted/tests/SandboxChatPage.test.tsx

---

Note

Medium Risk
Changes how chat requests are authenticated and routed by moving transport config to request-time refs and switching transport fetch to authFetch, which could affect authorization headers and chat session resets in hosted/non-hosted flows.

Overview
Stabilizes useChatSession by creating a single long-lived DefaultChatTransport and moving mutable request config (model, prompt, temperature, selected servers, hosted tokens, tool-approval flag) behind refs so it’s read at send-time instead of via render closures.

Routes chat transport requests through authFetch and changes header behavior: hosted chat relies on authFetch for request-time bearer/guest-token retry, while non-hosted chat only attaches an explicit Authorization header for the MCPJam-provided model path (dropping the previous merged session header approach).

Updates hook tests to simulate AI SDK transport latching and assert correct request bodies/headers for hosted sandboxes, minimal mode, and forked session behavior.

^{Written by Cursor Bugbot for commit ec9a1fb. This will update automatically on new commits. Configure here.}

[chelojimenez]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This pull request refactors the chat session authentication and transport configuration system. The changes replace static auth header handling with dynamic transport-based configuration, introduce a transport configuration reference that holds session-specific data, and update the mocking infrastructure across tests to simulate transport behavior more realistically. The module exports transition from getAuthHeaders to authFetch, and the transport layer now conditionally constructs request bodies and headers based on hosted mode and model capabilities.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}