fix(pallas): read bearer token from raw Authorization header

get_access_token() requires FastMCP auth middleware to populate
AuthenticatedUser in the request scope — Pallas runs without auth
middleware so it always returned None. Read the Authorization header
directly from the ASGI request instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

pallas/multimodal_server.py

@@ -39,13 +39,20 @@ logger = get_logger(__name__)
 
 
 def _get_request_bearer_token() -> str | None:
-    """Return the authenticated bearer token for the current MCP request."""
+    """Return the raw bearer token from the current MCP request's Authorization header.
-    try:
-        from fastmcp.server.dependencies import get_access_token
 
-        access_token = get_access_token()
+    Reads the header directly rather than going through get_access_token() because
-        if access_token is not None:
+    Pallas runs without FastMCP auth middleware — there is no AuthenticatedUser in
-            return access_token.token
+    the request scope, so get_access_token() always returns None here. The token
+    is an opaque string forwarded to opted-in downstream servers by _fastagent_patch.
+    """
+    try:
+        from fastmcp.server.dependencies import get_http_request
+
+        request = get_http_request()
+        auth = request.headers.get("authorization", "")
+        if auth.lower().startswith("bearer "):
+            return auth[7:]
     except Exception:
         pass
     return None