Agent cannot read comment text on tokenless shared docs #31

@jonnext

Summary

When a Proof document is shared without a token (URL like /d/<slug> with no ?token=), agents can read the document content but cannot access comment thread text. The comment anchors (highlighted spans) are visible in the DOM/markdown, but the actual comment body text is stored server-side and all API endpoints that would return it require authentication.

Steps to Reproduce

  1. Create a Proof doc and add comments via the editor UI
  2. Share the URL without a token (e.g. https://www.proofeditor.ai/d/439nuvhs)
  3. As an agent, try to read the comments:
    • GET /d/<slug> with Accept: application/json — returns markdown with proof: base64 markers showing comment anchors (position + ID), but no comment body text
    • GET /api/agent/<slug>/state — returns 401 Unauthorized
    • GET /api/agent/<slug>/snapshot — returns 401 Unauthorized
    • GET /api/agent/<slug>/events/pending — returns 401 Unauthorized
    • POST /api/agent/<slug>/presence — returns 401 Unauthorized

What Works

  • Document markdown content is fully readable via GET /d/<slug> (both text/markdown and application/json)
  • Comment anchor positions are embedded as base64-encoded marks in the markdown (e.g. proof:W3si...)
  • The decoded marks contain type, from, to, id, and by fields
  • DOM shows <span data-proof="comment" data-id="..." data-by="..."> elements with the highlighted text

What Doesn't Work

  • Comment body text is inaccessible — no API endpoint returns it without a token
  • The JSON response includes "hint": "This link has no token. Ask for a tokenized link if you need a stable shareable URL." — but the document owner could not find a way to generate a tokenized URL in the Proof UI
  • The tokenSource field returns "none"

Impact

This breaks the agent-in-the-loop review workflow. The human leaves comments, but the agent can only see where comments are, not what they say. This is the primary use case for Proof + AI collaboration.

Suggested Fix

Either:

  1. Include comment body text in the base64 marks embedded in the markdown (so tokenless reads get the full picture)
  2. Allow tokenless read access to comment threads on docs with shareState: "ACTIVE" and role: "editor"
  3. Make token generation discoverable in the UI — the owner should be able to generate a tokenized share link easily

Environment

  • Document slug: 439nuvhs
  • projectionFresh: false, repairPending: true
  • shareState: "ACTIVE", role: "editor"
  • capabilities: { canRead: true, canComment: true, canEdit: true }
  • Bug also filed via report_bug API → internal issue #733
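
Added example, not part of the original issue or of Proof's code: a check a reviewer could run on the tokenless markdown to list what each comment mark exposes and whether any field beyond the five reported above is present. It assumes a marker is `proof:` followed by base64 of a JSON array (consistent with the `W3si` prefix quoted in the issue) and that comment marks carry `type` set to `comment`; the sample document, ids and author value are constructed.

```python
import base64
import json
import re

# Fields the issue reports inside a decoded mark.
REPORTED_FIELDS = {"type", "from", "to", "id", "by"}
# Assumption: a marker is the literal "proof:" followed by a base64 run.
MARKER_RE = re.compile(r"proof:([A-Za-z0-9+/_-]+=*)")


def decode_marks(markdown):
    """Return every mark object found in proof: markers; skip undecodable blobs."""
    marks = []
    for blob in MARKER_RE.findall(markdown):
        padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            decoded = json.loads(base64.urlsafe_b64decode(padded))
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(decoded, list):
            marks.extend(m for m in decoded if isinstance(m, dict))
    return marks


def audit_tokenless_view(markdown):
    """List what a tokenless reader learns from each comment mark."""
    report = []
    for mark in decode_marks(markdown):
        if mark.get("type") != "comment":  # assumed type value
            continue
        report.append({
            "id": mark.get("id"),
            "by": mark.get("by"),
            "span": (mark.get("from"), mark.get("to")),
            # Any field beyond the reported five is extra exposure.
            "extra_fields": sorted(set(mark) - REPORTED_FIELDS),
        })
    return report


def constructed_sample():
    """Constructed tokenless markdown; ids and author value are made up."""
    marks = [{"type": "comment", "from": 10, "to": 24,
              "id": "c-1", "by": "user:example"}]
    blob = base64.b64encode(json.dumps(marks).encode()).decode()
    return f"Some reviewed text proof:{blob} and more text.\n"


if __name__ == "__main__":
    for row in audit_tokenless_view(constructed_sample()):
        print(row)
```

An empty `extra_fields` list matches the behaviour reported here: author and position metadata are readable without a token, while comment text is not.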
