fix: Some new fixes that were discovered by AI reviewers during 2.9-hotfixing

[raunakab]

Description

• Fix ownership check granting access to unauthenticated users:
  • checkUserIdOwnsAssistant previously returned true when userId was undefined, incorrectly granting ownership to loading / unauthenticated users.
  • Now requires a valid userId before granting ownership.
• Fix ShareAgentModal losing unsaved selections on reopen:
  • The modal always reinitialized from backend data instead of the current form state.
  • Now callers pass the current values (userIds, groupIds, isPublic) as required props, so AgentEditorPage can pass pending Formik state while AgentCard passes fresh backend data.
• Refactor ShareAgentModal to eliminate prop drilling:
  • Moved hooks and handlers (useUsers, useGroups, useUser, useAgent, comboBoxOptions, handleClose, handleCopyLink) into ShareAgentFormContent where they're actually used, reducing the props interface to just { agentId?: number }.

How Has This Been Tested?

No UI changes; screenshots not required.

Additional Options

• [Optional] Override Linear Check

---

Summary by cubic

Refactored agent sharing to use agentId and internal data, and tightened ownership checks to avoid granting access when userId is undefined. Also improved modal behavior and small UI polish.

• Bug Fixes

  • Prevent premature ownership: checkUserIdOwnsAssistant now returns false when userId is undefined.
  • Close modals only on success and after updates (ShareAgent/DeleteAgent), and auto-close after share.
  • Small UI fixes: use Card in ActionsToolSkeleton, align file chips, remove extra space, allow ReactNode tooltips.

• Refactors

  • Simplified ShareAgentModal: moved data fetching and handlers into ShareAgentFormContent; modal now accepts agentId, userIds, groupIds, isPublic.
  • Updated AgentCard and AgentEditorPage to pass new props and use full agent data from useAgent.

^{Written for commit be9f8a2. Summary will update on new commits.}

[greptile-apps]

Greptile Overview

Greptile Summary

This PR applies fixes discovered by AI reviewers during 2.9 hotfixing, addressing a critical security issue and several architectural improvements.

Key Changes:

• Security Fix: Fixed checkUserIdOwnsAssistant to require a valid userId before granting ownership, preventing unauthorized access during loading states when userId is undefined
• Refactoring: Eliminated prop drilling in ShareAgentModal by moving data fetching to ShareAgentFormContent and passing only agentId and form values
• Modal UX: Added explicit modal close calls after successful share operations in AgentCard and AgentEditorPage
• Delete Flow: Moved deleteAgentModal.toggle(false) before async operations in AgentEditorPage for better UX
• Component Consistency: Replaced manual div styling with Card component in ActionsToolSkeleton
• Type Cleanup: Removed redundant | string from SimpleTooltip tooltip prop type
• Layout Fix: Added alignItems="start" to file cards section for proper alignment
• Minor: Removed trailing space from description text

Confidence Score: 5/5

• This PR is safe to merge with high confidence - it fixes a critical security issue and improves code quality
• The changes are well-structured, focused, and include a critical security fix. The refactoring eliminates prop drilling while maintaining functionality, and all changes follow established patterns in the codebase. No risky operations or breaking changes detected.
• No files require special attention

Important Files Changed

Filename	Overview
web/src/lib/agents.ts	Fixed critical security issue in checkUserIdOwnsAssistant by requiring valid userId before granting ownership access, preventing premature authorization during loading states
web/src/sections/modals/ShareAgentModal.tsx	Refactored to eliminate prop drilling by moving data fetching into ShareAgentFormContent, passing only agentId and form values as props, and adding modal close on share
web/src/refresh-components/AgentCard.tsx	Updated ShareAgentModal usage to pass individual props instead of full agent object, and added modal close on successful share
web/src/refresh-pages/AgentEditorPage.tsx	Updated ShareAgentModal usage to pass individual props, added modal close on share, fixed modal close timing in delete flow, added alignItems="start" for file cards layout, removed trailing space in description

Sequence Diagram

sequenceDiagram
    participant User
    participant AgentCard
    participant ShareAgentModal
    participant ShareAgentFormContent
    participant API
    
    User->>AgentCard: Click share button
    AgentCard->>ShareAgentModal: Open modal (agentId, userIds, groupIds, isPublic)
    ShareAgentModal->>ShareAgentFormContent: Render form (agentId)
    ShareAgentFormContent->>API: Fetch users (useUsers)
    ShareAgentFormContent->>API: Fetch groups (useGroups)
    ShareAgentFormContent->>API: Fetch full agent (useAgent)
    API-->>ShareAgentFormContent: Return data
    ShareAgentFormContent->>User: Display form with current share settings
    
    User->>ShareAgentFormContent: Modify sharing settings
    User->>ShareAgentFormContent: Click "Share"
    ShareAgentFormContent->>ShareAgentModal: Submit form values
    ShareAgentModal->>AgentCard: onShare callback (userIds, groupIds, isPublic)
    AgentCard->>API: updateAgentSharedStatus
    API-->>AgentCard: Success
    AgentCard->>AgentCard: refreshAgent()
    AgentCard->>ShareAgentModal: toggle(false)
    ShareAgentModal-->>User: Modal closed

Loading

[cubic-dev-ai]

No issues found across 6 files