Known Issues and Bugs
This section describes open bugs and known issues for Agent Factory release 26.4.
Known Issues
Long Host Names Can Prevent Self-Signed Certificate Generation
During installation or certificate generation, deployments with very long fully qualified domain names can fail while creating the default self-signed TLS certificate. The failure can appear as a certificate validation error, a cert.pem is not a valid file message, or an error indicating that a certificate attribute length is invalid.
Workaround:
- Use a shorter DNS name for the Agent Factory application endpoint.
- Or generate a certificate outside Agent Factory with a valid subject and Subject Alternative Name (SAN), and import it by following Manage SSL Certificates.
- If the application is behind a load balancer, terminate TLS at the load balancer with a certificate whose host name matches the browser-facing URL.
Autonomous Database Grants Must Reference SYS.V_$PARAMETER
Some Autonomous Database environments reject grants written as GRANT SELECT ON V$PARAMETER. Agent Factory validates database setup by checking access to SYS.V_$PARAMETER.
Workaround:
Run the grant as a privileged database administrator:
GRANT SELECT ON SYS.V_$PARAMETER TO <DB_USER>;
See Database Preparation and Grants.
MCP OAuth Redirect URI Must Match the Externally Reachable URL
MCP servers that use OAuth authorization-code authentication require the redirect URI registered with the provider to match the redirect URI used by Agent Factory. Mismatches commonly occur when Agent Factory is behind a load balancer, reverse proxy, bastion tunnel, or private subnet access path.
Workaround:
- Configure the MCP provider with the redirect URL displayed in Agent Factory.
- Make sure the URL uses the same protocol, host name, port, and path that the browser uses to access Agent Factory.
- If the provider rejects the callback, inspect the actual
redirect_urivalue in the provider error or browser URL, then update the provider application registration.
See Add MCP Server.
Private Subnet Deployments Require Explicit Access and Egress Planning
When Agent Factory is deployed on a VM in a private subnet, the UI, SSO callbacks, MCP callbacks, LLM providers, data sources, and tracing providers may fail unless inbound and outbound network paths are configured.
Workaround:
- Expose the application through an approved load balancer, bastion tunnel, or other enterprise access method.
- Configure DNS and TLS for the browser-facing host name.
- Provide NAT, service gateway, or proxy egress for external LLMs, data sources, and observability providers.
- Keep callback URLs consistent with the externally reachable application URL.
See Access Agent Factory Deployed in a Private Subnet and Architecture and Security.
Agent Factory Upgrades Fail on macOS Tahoe 26.x
On macOS Tahoe 26.x, users can fail to upgrade directly from an existing Agent Factory installation to Agent Factory release 26.4. This issue appears to be caused by Podman, which can prevent containers from being handled correctly on newer macOS versions.
Workaround:
- Remove the current Agent Factory installation, whether it is a production or quickstart installation.
- Perform a fresh installation of Agent Factory release 26.4.
SQL Node Responses Are Truncated at 101 Rows
By default, responses from the SQL Query Node are truncated at 101 rows. This guardrail helps prevent agents from adding unnecessary results to the context window.
Workaround:
To return more rows, add the FETCH FIRST X ROWS ONLY clause to your SQL statement. Replace X with the maximum integer number of rows to return.