[codex] fix media skill profile auth and run events (#965)

* fix media skill profile auth and run events

* test bridge run profile context

packages/server/src/middleware/user-auth.ts

@@ -35,6 +35,7 @@ declare module 'koa' {
   interface DefaultState {
     user?: AuthenticatedUser
     profile?: RequestProfile
+    serverTokenAuth?: boolean
   }
 }
 
@@ -69,6 +70,19 @@ function requestToken(ctx: Context): string {
   return typeof ctx.query.token === 'string' ? ctx.query.token.trim() : ''
 }
 
+const SERVER_TOKEN_MEDIA_PATHS = new Set([
+  '/api/hermes/media/apikey-image-generate',
+  '/api/hermes/media/grok-image-to-video',
+])
+
+async function allowServerTokenForMedia(ctx: Context, token: string): Promise<boolean> {
+  if (!token || !SERVER_TOKEN_MEDIA_PATHS.has(ctx.path)) return false
+  const serverToken = await getToken()
+  if (!serverToken || token !== serverToken) return false
+  ctx.state.serverTokenAuth = true
+  return true
+}
+
 export function signUserJwt(user: Pick<UserRecord, 'id' | 'username' | 'role'>, secret: string, now = Date.now()): string {
   const iat = Math.floor(now / 1000)
   const payload: JwtPayload = {
@@ -149,6 +163,10 @@ export async function requireUserJwt(ctx: Context, next: Next): Promise<void> {
   const token = requestToken(ctx)
   const payload = token ? verifyUserJwt(token, secret) : null
   if (!payload) {
+    if (await allowServerTokenForMedia(ctx, token)) {
+      await next()
+      return
+    }
     ctx.status = 401
     ctx.body = { error: 'Unauthorized' }
     return