trycompai · Marfuen · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/workflows/device-agent-release.yml b/.github/workflows/device-agent-release.yml
@@ -1,6 +1,7 @@
 name: Device Agent Release
 
 on:
+  workflow_dispatch:
   push:
     branches: ['**']
     paths:
@@ -18,6 +19,7 @@ jobs:
       tag_name: ${{ steps.version.outputs.tag_name }}
       is_prerelease: ${{ steps.version.outputs.is_prerelease }}
       portal_url: ${{ steps.version.outputs.portal_url }}
+      api_url: ${{ steps.version.outputs.api_url }}
       release_name: ${{ steps.version.outputs.release_name }}
       auto_update_url: ${{ steps.version.outputs.auto_update_url }}
       s3_env: ${{ steps.version.outputs.s3_env }}
@@ -50,12 +52,14 @@ jobs:
             TAG_NAME="device-agent-v${NEXT_VERSION}"
             IS_PRERELEASE="false"
             PORTAL_URL="https://portal.trycomp.ai"
+            API_URL="https://api.trycomp.ai"
             RELEASE_NAME="Device Agent v${NEXT_VERSION}"
             S3_ENV="production"
           else
             TAG_NAME="device-agent-v${NEXT_VERSION}-staging.${GITHUB_RUN_NUMBER}"
             IS_PRERELEASE="true"
             PORTAL_URL="https://portal.staging.trycomp.ai"
+            API_URL="https://api.staging.trycomp.ai"
             RELEASE_NAME="Device Agent v${NEXT_VERSION} (Staging #${GITHUB_RUN_NUMBER})"
             S3_ENV="staging"
           fi
@@ -67,6 +71,7 @@ jobs:
           echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT
           echo "is_prerelease=$IS_PRERELEASE" >> $GITHUB_OUTPUT
           echo "portal_url=$PORTAL_URL" >> $GITHUB_OUTPUT
+          echo "api_url=$API_URL" >> $GITHUB_OUTPUT
           echo "release_name=$RELEASE_NAME" >> $GITHUB_OUTPUT
           echo "auto_update_url=$AUTO_UPDATE_URL" >> $GITHUB_OUTPUT
           echo "s3_env=$S3_ENV" >> $GITHUB_OUTPUT
@@ -77,6 +82,7 @@ jobs:
           echo "Tag name: $TAG_NAME"
           echo "Pre-release: $IS_PRERELEASE"
           echo "Portal URL: $PORTAL_URL"
+          echo "API URL: $API_URL"
           echo "Auto-update URL: $AUTO_UPDATE_URL"
           echo "S3 env: $S3_ENV"
 
@@ -112,6 +118,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 
@@ -170,6 +177,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 
@@ -201,13 +209,10 @@ jobs:
           Invoke-WebRequest -Uri "https://github.com/SSLcom/CodeSignTool/releases/download/v1.3.0/CodeSignTool-v1.3.0-windows.zip" -OutFile "codesigntool.zip"
           Expand-Archive -Path "codesigntool.zip" -DestinationPath "codesigntool"
 
-          $cstDir = Get-ChildItem -Path "codesigntool" -Directory | Select-Object -First 1
-          if (-not $cstDir) { throw "CodeSignTool directory not found after extraction" }
-          Write-Host "CodeSignTool directory: $($cstDir.FullName)"
-
-          $jar = Get-ChildItem -Path $cstDir.FullName -Recurse -Filter "code_sign_tool-*.jar" | Select-Object -First 1
+          $jar = Get-ChildItem -Path "codesigntool" -Recurse -Filter "code_sign_tool-*.jar" | Select-Object -First 1
           if (-not $jar) { throw "CodeSignTool jar not found" }
           Write-Host "Found CodeSignTool jar at: $($jar.FullName)"
+          $cstDir = $jar.Directory.Parent
 
           $releaseDir = Get-Location
           Get-ChildItem -Path $releaseDir -Filter "*.exe" | ForEach-Object {
@@ -239,7 +244,7 @@ jobs:
             Write-Host "  Issuer: $($sig.SignerCertificate.Issuer)"
             Write-Host "  Valid from: $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"
             if ($sig.Status -ne 'Valid') {
-              Write-Host "::error::Signature verification FAILED for $($_.Name) — Status: $($sig.Status)"
+              Write-Host "::error::Signature verification FAILED for $($_.Name) - Status: $($sig.Status)"
               $allSigned = $false
             }
           }
@@ -319,6 +324,7 @@ jobs:
       - name: Build
         env:
           PORTAL_URL: ${{ needs.detect-version.outputs.portal_url }}
+          API_URL: ${{ needs.detect-version.outputs.api_url }}
           AGENT_VERSION: ${{ needs.detect-version.outputs.version }}
         run: bun run build
 

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -34,10 +34,13 @@ packages/
 
 ## Authentication & Session
 
-- **Session-based auth only.** No JWT tokens. All requests use `credentials: 'include'` to send httpOnly session cookies.
+- **Auth lives in `apps/api` (NestJS).** The API is the single source of truth for authentication via better-auth. All apps and packages that need to authenticate (app, portal, device-agent, etc.) MUST go through the API — never run a local better-auth instance or handle auth directly in a frontend app.
+- **Session-based auth only.** No JWT tokens. Cross-subdomain cookies (`.trycomp.ai`) allow sessions to work across all apps.
 - **HybridAuthGuard** supports 3 methods in order: API Key (`x-api-key`), Service Token (`x-service-token`), Session (cookies). `@Public()` skips auth.
-- **Client-side**: `apiClient` from `@/lib/api-client` (always sends cookies).
-- **Server-side**: `serverApi` from `@/lib/api-server.ts`.
+- **Client-side auth**: `authClient` (better-auth client) with `baseURL` pointing to the API, NOT the current app.
+- **Client-side data**: `apiClient` from `@/lib/api-client` (always sends cookies).
+- **Server-side data**: `serverApi` from `@/lib/api-server.ts`.
+- **Server-side session checks**: Proxy to the API's `/api/auth/get-session` endpoint — do NOT instantiate better-auth locally.
 - **Raw `fetch()` to API**: MUST include `credentials: 'include'`, otherwise 401.
 
 ## API Architecture

diff --git a/apps/api/src/auth/auth.server.ts b/apps/api/src/auth/auth.server.ts
@@ -5,6 +5,7 @@ import { db } from '@trycompai/db';
 import { betterAuth } from 'better-auth';
 import { prismaAdapter } from 'better-auth/adapters/prisma';
 import {
+  bearer,
   emailOTP,
   magicLink,
   multiSession,
@@ -302,6 +303,7 @@ export const auth = betterAuth({
       },
     }),
     multiSession(),
+    bearer(),
   ],
   socialProviders,
   user: {