POST /bridge/report_bug returns 502 REPORT_BUG_CREATE_FAILED (GitHub Bad credentials)

[kylemaclaren]

POST /bridge/report_bug returns 502 REPORT_BUG_CREATE_FAILED (GitHub Bad credentials)

Summary

The agent-facing report_bug bridge — advertised in /agent-docs and embedded as help.reportBug in every 4xx/5xx error response — is currently unusable on proofeditor.ai. It responds with HTTP 502 and a GitHub 401 Bad credentials message leaked through in the body, presumably from the server-side GitHub Issues integration that creates tracking issues on EveryInc/proof-sdk.

This is both a reliability bug and a contract bug (a 502 misrepresents the actual state — the payload was captured locally).

Severity

Blocks the documented agent self-report workflow. Because the error surface deliberately funnels agents toward this endpoint ("Call report_bug with what you know..."), any bug an agent tries to file during normal operation now drops on the floor from the agent's perspective, even though Proof's own response says the evidence was preserved.

Environment

• Endpoint: POST https://www.proofeditor.ai/d/<slug>/bridge/report_bug (also tried the doc-agnostic /api/bridge/report_bug, same behavior)
• Date: 2026-04-22

Repro

curl -sS -X POST "https://www.proofeditor.ai/d/<slug>/bridge/report_bug" \
  -H "Authorization: Bearer <share-token>" \
  -H "X-Agent-Id: cursor-composer-kmiller" \
  -H "Content-Type: application/json" \
  -d '{
    "summary": "Test bug report",
    "context": "Just exercising the bridge endpoint",
    "evidence": {"slug": "<slug>"}
  }'

Actual response

HTTP 502

{
  "error": "Bad credentials: {\r\n  \"message\": \"Bad credentials\",\r\n  \"documentation_url\": \"https://docs.github.com/rest\",\r\n  \"status\": \"401\"\r\n}",
  "code": "REPORT_BUG_CREATE_FAILED",
  "issueNumber": null,
  "issueUrl": null,
  "issueApiUrl": null,
  "evidenceCapturedLocally": true,
  "requestId": "9e57521d-6a21-4a6a-a201-f56432676581"
}

The wrapped 401 Bad credentials is from GitHub's REST API, so the server-side PAT / app token used to create issues against (presumably) EveryInc/proof-sdk has been rotated, revoked, or scoped incorrectly.

Expected behavior

1. Primary fix: refresh the GitHub credential the bridge uses, and add monitoring so you notice the next rotation before users do.
2. Contract fix, independent of (1): since evidenceCapturedLocally: true, returning 502 is misleading — the evidence is not lost, the GitHub projection step failed. A friendlier contract would be:
   • Return 202 Accepted (or 200) with a payload like {status: "captured", issueStatus: "failed", requestId, retryable: true} when the local capture succeeds but the outbound GitHub call fails.
   • Reserve 5xx for the case where local capture itself fails.
3. Agents should be able to look up or re-sync by requestId later (if there's a backfill path once GH auth is restored).

Impact on agents

The advertised help.reportBug affordance — present on every error response — currently leads agents to an endpoint that looks like a hard failure. For agents that implement "on error, call report_bug" as a recovery pattern, this becomes a dead-end loop (the report_bug call itself errors, which triggers another report_bug suggestion, etc.). A more conservative policy while this is broken might be to omit help.reportBug from error responses, but the real fix is restoring credentials + tightening the success contract.

Evidence

• requestId: 9e57521d-6a21-4a6a-a201-f56432676581 (from my attempt; evidence should be visible server-side even though no GH issue was created)
• Happy to share the full request body and headers on request.

Related

Filed companion issue about a provenance bug that I tried to report via this endpoint first. That is the underlying bug this report_bug failure blocked.