From 1a7d67df7a1aaf1a598c7637ad78a1946b725475 Mon Sep 17 00:00:00 2001 From: Lukas Parsons Date: Tue, 7 Jul 2026 00:39:50 -0400 Subject: [PATCH] Add anti-wipe guard for hfToken in cookbook state sync The frontend strips hfToken from state responses (GET replaces it with masked version). When it syncs back via POST, incoming state has no hfToken. The servers anti-wipe guard existed but hfToken had no equivalent protection, so the token could be wiped by a sync race. Added hfToken preservation matching the servers guard pattern. --- routes/cookbook_routes.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/routes/cookbook_routes.py b/routes/cookbook_routes.py index 7a35de97..973d6bcc 100644 --- a/routes/cookbook_routes.py +++ b/routes/cookbook_routes.py @@ -2696,6 +2696,9 @@ def setup_cookbook_routes() -> APIRouter: elif disk_env.get("servers") and not inc_env.get("servers"): inc_env["servers"] = disk_env["servers"] logger.warning("cookbook state POST: incoming env.servers empty; preserved on-disk servers (anti-wipe guard)") + if disk_env.get("hfToken") and not inc_env.get("hfToken"): + inc_env["hfToken"] = disk_env["hfToken"] + logger.debug("cookbook state POST: incoming env missing hfToken; preserved on-disk token (anti-wipe guard)") disk_tasks = on_disk.get("tasks") or [] if isinstance(on_disk, dict) else [] incoming_tasks = data.get("tasks") if isinstance(data.get("tasks"), list) else []