fix: Create placeholder Google OAuth secret for MCP integration

[Gkrumbach07]

Summary

Fixes an issue where Google Workspace MCP integration wouldn't work if the user completed OAuth after starting a session.

Problem

Previously, the operator only mounted the Google OAuth secret if it existed when creating the Job:

• Session created → Job created WITHOUT OAuth volume mount (secret doesn't exist yet)
• User completes OAuth → Backend creates secret
• Pod already running → Kubernetes never syncs the secret because the volume mount doesn't exist

Solution

Now the operator:

1. Creates a placeholder empty secret if one doesn't exist
2. Always mounts the secret with Optional: true

This ensures:

• The volume mount is always present in the pod spec
• Kubernetes syncs secret updates after OAuth completion (~60s)
• Runner's refresh_google_credentials() detects when content appears

Flow After Fix

t=0s:   Session created
        - Operator creates placeholder secret (empty credentials.json)
        - Job created WITH volume mount ✅

t=30s:  User completes OAuth
        - Backend UPDATES existing secret with credentials

t=90s:  K8s syncs secret to pod (~60s delay)

t=95s:  User sends message
        - Runner detects credentials, MCP tools available ✅

Testing

• Operator builds successfully
• Deploy to dev cluster and verify secret is created
• Complete OAuth and verify credentials sync to pod

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Claude Code Review

Summary

This PR implements a clever solution to the Google OAuth timing issue by creating a placeholder secret that ensures the volume mount is always present in the pod spec, allowing Kubernetes to sync credentials after OAuth completion. The implementation is generally solid and follows project patterns, but there are several important issues that should be addressed.

Issues by Severity

🚫 Blocker Issues

None - No blocking issues that would prevent merge.

🔴 Critical Issues

1. Missing OwnerReference APIVersion Field (operator/internal/handlers/sessions.go:1396)

OwnerReferences: []v1.OwnerReference{
    {
        APIVersion: "vteam.ambient-code/v1",  // ❌ Should be v1alpha1
        Kind:       "AgenticSession",
        Name:       currentObj.GetName(),
        UID:        currentObj.GetUID(),
        Controller: boolPtr(true),
    },
},

Issue: APIVersion is set to vteam.ambient-code/v1 but should be vteam.ambient-code/v1alpha1 according to the CRD definition.

Impact: OwnerReference won't match the actual AgenticSession resource, preventing automatic cleanup and potentially causing resource leaks.

Fix: Change to "vteam.ambient-code/v1alpha1" or use currentObj.GetAPIVersion() for consistency.

Reference: CLAUDE.md line 447: "REQUIRED: Set OwnerReferences on all child resources"

---

2. Using Service Account Without User Authorization Check (operator/internal/handlers/sessions.go:1382)

if _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(context.TODO(), googleOAuthSecretName, v1.GetOptions{}); errors.IsNotFound(err) {
    // Create empty placeholder secret
    if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(context.TODO(), placeholderSecret, v1.CreateOptions{}); createErr != nil {

Issue: The operator uses the service account client directly without verifying the user who created the session has permission to create secrets. While this is operator code (not handler code), the pattern deviates from the principle of least privilege.

Impact: Medium - Operator has elevated permissions, but this creates a secret on behalf of user without explicit validation that the user should have this capability.

Recommendation: This is acceptable for operator code since it's managing resources on behalf of the session lifecycle. However, document this as an intentional escalation in the code comments.

🟡 Major Issues

3. No Error Handling for OwnerReference Field Access (operator/internal/handlers/sessions.go:1398-1400)

Name:       currentObj.GetName(),
UID:        currentObj.GetUID(),

Issue: Direct access to currentObj fields without checking if currentObj is nil (though unlikely in this context, defensive programming is important).

Impact: Potential nil pointer dereference if currentObj is somehow nil (race condition, deleted during processing).

Fix: Add nil check or add error return to function signature.

Reference: error-handling.md line 123: "Resource Deleted During Processing" pattern

---

4. Silent Failure on Placeholder Secret Creation (operator/internal/handlers/sessions.go:1410)

if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(context.TODO(), placeholderSecret, v1.CreateOptions{}); createErr != nil {
    log.Printf("Warning: Failed to create placeholder Google OAuth secret %s: %v", googleOAuthSecretName, createErr)
}

Issue: If secret creation fails, the code logs a warning but continues execution. The volume mount will still be added, but it will reference a non-existent secret (even with Optional: true, this could cause confusion).

Impact: Google OAuth will silently fail with no clear indication to the user why MCP tools aren't available.

Recommendation: Consider updating the session status with a condition indicating MCP may not be available, or return an error to prevent job creation.

---

5. Hardcoded APIVersion String (operator/internal/handlers/sessions.go:1396)

Issue: Uses hardcoded string "vteam.ambient-code/v1" instead of extracting from currentObj or using a constant.

Better approach:

APIVersion: currentObj.GetAPIVersion(), // Uses actual API version from object

Reference: k8s-client-usage.md and CLAUDE.md emphasize consistent patterns.

---

6. Missing Test Coverage

Issue: No tests added for the new placeholder secret creation logic. The existing test file (sessions_test.go) has patterns for testing secret operations.

Impact: Changes to secret handling logic could break functionality without detection.

Recommendation: Add test case covering:

• Placeholder secret creation when none exists
• Volume mount is always added
• OwnerReferences are correctly set
• Behavior when secret already exists

Example test pattern available at: components/operator/internal/handlers/sessions_test.go:23

---

7. Context Usage - Using context.TODO() (operator/internal/handlers/sessions.go:1382, 1409)

config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(context.TODO(), ...)

Issue: Uses context.TODO() instead of a proper context with timeout/cancellation.

Impact: Operations could hang indefinitely if Kubernetes API is slow or unresponsive.

Better approach:

ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
// Use ctx instead of context.TODO()

🔵 Minor Issues

8. Inconsistent Logging Verbosity

Issue: Logs "Found existing Google OAuth secret" at info level, which isn't particularly useful in production.

Recommendation: Consider debug level or remove entirely since this is expected behavior.

---

9. Magic String "credentials.json" (operator/internal/handlers/sessions.go:1406)

Issue: Hardcoded key name with no constant definition.

Recommendation: Define as constant at package level:

const GoogleOAuthCredentialsKey = "credentials.json"

---

10. Import Organization (main.py:10)

from pathlib import Path

Issue: Path import moved from inside function to top level, which is good, but it's placed after other imports in a non-standard location.

Recommendation: Follow Python conventions - stdlib imports should be together at top. Move to line 7 after logging.

---

11. Marker File Documentation (main.py:101-103)

Good: Comment explains why custom marker file is used.

Enhancement: Consider adding comment about cleanup strategy - when/if this marker should be deleted.

Positive Highlights

✅ Excellent Problem Analysis - The PR description clearly explains the root cause and solution flow.

✅ Good Use of Optional Field - Using Optional: true on the SecretVolumeSource is the correct pattern for this use case.

✅ OwnerReferences Set - Follows project pattern of setting OwnerReferences for automatic cleanup (though APIVersion needs fix).

✅ Detailed Logging - Good log messages that will help debugging in production.

✅ Marker File Pattern - Smart solution to prevent re-sending INITIAL_PROMPT on session resume.

✅ Comments Explain Intent - Code includes helpful comments explaining the "why" not just the "what".

Recommendations

Priority 1 (Must Fix Before Merge)

1. Fix APIVersion in OwnerReference (Critical Issue Outcome: Reduce Refinement Time with agent System #1) - Change to v1alpha1 or use currentObj.GetAPIVersion()
2. Add test coverage for placeholder secret creation logic

Priority 2 (Should Fix Before Merge)

3. Improve error handling - Don't silently continue if placeholder secret creation fails
4. Use proper context - Replace context.TODO() with timeout context
5. Add nil check for currentObj before accessing fields

Priority 3 (Nice to Have)

6. Extract magic strings to constants
7. Improve Python import organization
8. Consider session status update if MCP setup fails

---

Overall Assessment: This is a well-thought-out solution to a tricky timing problem. The core approach is sound, but there are important issues with OwnerReferences and error handling that should be addressed before merge. With the recommended fixes, this will be a solid implementation.

Estimated Effort to Address: 30-60 minutes for Priority 1 items.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[github-actions]

Claude Code Review

Summary

This PR fixes a critical timing issue with Google Workspace MCP OAuth integration. The solution is elegant: create a placeholder secret at Job creation time to ensure the volume mount exists, allowing Kubernetes to sync credentials after the user completes OAuth.

Overall Assessment: ✅ Good implementation with excellent comments, but has one blocker security issue and several important improvements needed before merge.

---

Issues by Severity

🚫 Blocker Issues

1. Missing OwnerReference Validation (CRITICAL SECURITY)

Location: components/operator/internal/handlers/sessions.go:1395-1401

Issue: Using currentObj.GetName() and currentObj.GetUID() without validating the object still exists creates a race condition that could lead to resource leaks or permission issues.

Why this matters: If the AgenticSession is deleted between the initial fetch and secret creation, the OwnerReference will be invalid, and the secret won't be cleaned up automatically.

Fix required:

// BEFORE creating secret, verify currentObj still exists
verifyObj, err := config.DynamicClient.Resource(types.GetAgenticSessionResource()).
    Namespace(sessionNamespace).Get(context.TODO(), name, v1.GetOptions{})
if errors.IsNotFound(err) {
    log.Printf("AgenticSession %s no longer exists, skipping secret creation", name)
    return nil  // Session deleted, abort
}
if err != nil {
    return fmt.Errorf("failed to verify session exists: %w", err)
}

// Use fresh object for OwnerReference
placeholderSecret := &corev1.Secret{
    ObjectMeta: v1.ObjectMeta{
        // ... other fields
        OwnerReferences: []v1.OwnerReference{
            {
                APIVersion: verifyObj.GetAPIVersion(),
                Kind:       verifyObj.GetKind(),
                Name:       verifyObj.GetName(),
                UID:        verifyObj.GetUID(),
                Controller: boolPtr(true),
            },
        },
    },
    // ...
}

Reference: CLAUDE.md line 753-761, error-handling.md line 116-135

---

🔴 Critical Issues

2. Non-Idempotent Secret Creation

Location: components/operator/internal/handlers/sessions.go:1382-1413

Issue: Secret creation lacks idempotency check. If operator reconciles twice (watch reconnection, restart), it will fail on the second attempt and log a warning, but continue. This is technically safe but violates the reconciliation pattern.

Why this matters: Operator reconciliation should be idempotent. Multiple reconciliations of the same event should produce the same outcome without errors.

Recommendation:

if _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(context.TODO(), googleOAuthSecretName, v1.GetOptions{}); errors.IsNotFound(err) {
    // Create secret
    if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(context.TODO(), placeholderSecret, v1.CreateOptions{}); createErr != nil {
        // Check if already exists (race condition from duplicate watch)
        if errors.IsAlreadyExists(createErr) {
            log.Printf("Google OAuth secret %s already exists (race condition), continuing", googleOAuthSecretName)
        } else {
            log.Printf("Warning: Failed to create placeholder Google OAuth secret %s: %v", googleOAuthSecretName, createErr)
        }
    } else {
        log.Printf("Created placeholder Google OAuth secret %s (will be populated after user OAuth)", googleOAuthSecretName)
    }
}

Reference: CLAUDE.md line 773-777

---

3. Error Handling Inconsistency

Location: components/operator/internal/handlers/sessions.go:1409-1410

Issue: Secret creation failure logs a warning and continues. While this allows the Job to proceed, it means the Google OAuth volume mount will fail (secret doesn't exist), and the operator won't retry.

Why this matters: If secret creation fails due to a transient error (API server timeout, RBAC issue), the session will start but Google MCP integration will be permanently broken for that session.

Recommendation: Return an error to trigger retry instead of just logging:

if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(context.TODO(), placeholderSecret, v1.CreateOptions{}); createErr != nil && !errors.IsAlreadyExists(createErr) {
    return fmt.Errorf("failed to create Google OAuth placeholder secret: %w", createErr)
}

Reference: error-handling.md line 145-170

---

🟡 Major Issues

4. Missing Context Timeout

Location: components/operator/internal/handlers/sessions.go:1382, 1409

Issue: Using context.TODO() instead of a context with timeout. If Kubernetes API is slow or hanging, these operations could block indefinitely.

Recommendation:

ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

if _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(ctx, googleOAuthSecretName, v1.GetOptions{}); errors.IsNotFound(err) {
    // ...
    if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(ctx, placeholderSecret, v1.CreateOptions{}); createErr != nil {
        // ...
    }
}

Reference: Go best practices for K8s client operations

---

5. Python: Unused Import at Top Level

Location: components/runners/claude-code-runner/main.py:10

Issue: from pathlib import Path is imported at the top level but only used in the lifespan and auto_execute_initial_prompt functions.

Why this matters: While not a functional issue, the diff shows you removed it from within the function (line 83 in old code) and added it at the top. However, it's still only used in those two functions, so the import organization is inconsistent.

Recommendation: Either:

1. Keep at top level if it will be used in multiple places (current approach is fine)
2. Or import locally in both functions (original pattern)

Current approach is acceptable - top-level imports are more idiomatic in Python. Just flagging that it changed.

---

🔵 Minor Issues

6. Missing APIVersion Validation

Location: components/operator/internal/handlers/sessions.go:1396

Issue: Hardcoded APIVersion "vteam.ambient-code/v1" doesn't match the actual API version used elsewhere in the codebase (v1alpha1).

Fix:

APIVersion: "vteam.ambient-code/v1alpha1",  // Match actual CRD version

Reference: CLAUDE.md line 335 states API version is v1alpha1

---

7. Log Message Clarity

Location: components/operator/internal/handlers/sessions.go:1412

Current: "Created placeholder Google OAuth secret %s (will be populated after user OAuth)"

Suggestion: Add context about when updates will sync:

log.Printf("Created placeholder Google OAuth secret %s (K8s will sync credentials ~60s after user completes OAuth)", googleOAuthSecretName)

Why: Helps with debugging when users wonder why credentials aren't available immediately.

---

8. Python: Potential Race in Marker File Creation

Location: components/runners/claude-code-runner/main.py:182-189

Issue: Marker file creation happens AFTER successful API call. If the process crashes between line 180 and 189, the marker won't be created, and the initial prompt will be re-sent on restart.

Impact: Low (unlikely scenario, and re-sending is not catastrophic)

Recommendation: Consider moving marker creation before the API call, or using a try/finally:

# Create marker BEFORE sending to prevent double-send on crash
try:
    marker_path.parent.mkdir(parents=True, exist_ok=True)
    marker_path.write_text(f"sending_at={asyncio.get_event_loop().time()}\n")
    logger.info(f"Created initial prompt marker: {marker_path}")
except Exception as marker_err:
    logger.warning(f"Failed to create initial prompt marker: {marker_err}")

# Now send the prompt
async with session.post(url, json=payload, headers=headers, timeout=aiohttp.ClientTimeout(total=30)) as resp:
    if resp.status == 200:
        result = await resp.json()
        logger.info(f"INITIAL_PROMPT auto-execution started: {result}")
        # Update marker with completion time
        try:
            marker_path.write_text(f"sent_at={asyncio.get_event_loop().time()}\n")
        except Exception:
            pass

---

Positive Highlights

✅ Excellent Problem Analysis: The PR description clearly explains the race condition and why the placeholder secret approach solves it.

✅ Good Use of Comments: Code comments explain the "why" (e.g., "This ensures the volume mount is always present so K8s can sync credentials after OAuth completion").

✅ Proper OwnerReference Pattern: Sets Controller: boolPtr(true) correctly and includes proper labels.

✅ Correct Secret Volume Configuration: Optional: boolPtr(true) ensures pod starts even if secret is empty, which is exactly right for this use case.

✅ Python Marker Logic: The addition of marker file logic in the runner is clean and follows the existing pattern for resume detection.

✅ Backwards Compatible: Always mounting the secret (with Optional: true) means this works whether the secret exists or not, making it safe to deploy.

---

Recommendations (Prioritized)

Must Fix Before Merge (Blockers)

1. Fix OwnerReference race condition - Verify currentObj still exists before creating secret
2. Fix API version - Change v1 to v1alpha1 in OwnerReference

Should Fix (Critical)

3. Make secret creation idempotent - Handle AlreadyExists error gracefully
4. Return error on secret creation failure - Don't silently continue if secret creation fails (unless AlreadyExists)
5. Add context timeout - Replace context.TODO() with context.WithTimeout()

Nice to Have (Major/Minor)

6. Improve log messages - Add timing context (~60s sync delay)
7. Consider marker file timing - Move marker creation before API call (low priority)

---

Testing Recommendations

Before merge, verify:

• Deploy to dev cluster
• Create session without OAuth secret - verify placeholder is created
• Complete OAuth - verify secret is updated (use kubectl get secret -w)
• Wait 60-90s and verify credentials appear in pod (kubectl exec)
• Verify OwnerReference cleanup works (delete session, verify secret deleted)
• Test race condition: delete session immediately after creation (ensure no orphaned secret)
• Test operator restart with placeholder secret present (idempotency)
• Test marker file prevents double-send on runner restart

---

Compliance with Repository Standards

✅ K8s Client Usage: Correct use of service account client for resource creation (k8s-client-usage.md)

✅ Error Handling: Mostly follows patterns, but needs improvement on secret creation failure (error-handling.md)

⚠️ OwnerReferences: Sets properly but has race condition (CLAUDE.md line 447-451)

✅ Logging: Good structured logs with context (namespace, resource name)

⚠️ Idempotency: Needs improvement for multiple reconciliations (CLAUDE.md line 773-777)

---

Overall: This is a well-thought-out fix with clear intent. The core logic is sound, but the OwnerReference race condition is a blocker. Fix that plus the API version issue, and this will be ready to merge.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[github-actions]

Claude Code Review

Summary

This PR fixes a Google OAuth MCP integration issue where credentials wouldn't sync to running pods. The solution creates a placeholder secret upfront and always mounts it, allowing Kubernetes to sync updates after OAuth completion. Additionally, it improves the INITIAL_PROMPT skip logic to use PARENT_SESSION_ID.

Issues by Severity

🚫 Blocker Issues

None - Code is ready to merge from a blocking perspective.

🔴 Critical Issues

1. Missing Context Variable (context.TODO() usage)

• Location: components/operator/internal/handlers/sessions.go:1382, 1409
• Issue: Using context.TODO() instead of proper context with timeout/cancellation
• Pattern Violation: Error handling patterns recommend using context from reconciliation loop
• Impact: Secret operations could hang indefinitely without timeout
• Recommendation:

  // Instead of context.TODO(), use a context with timeout
  ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
  defer cancel()
  _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(ctx, googleOAuthSecretName, v1.GetOptions{})

2. Error Handling - Silent Failure on Secret Creation

• Location: sessions.go:1409-1413
• Issue: Secret creation failure only logs a warning but doesn't update session status
• Pattern Violation: CLAUDE.md states "errors should be logged with context AND status updated"
• Impact: User has no visibility that Google OAuth integration is broken
• Recommendation:

  if _, createErr := config.K8sClient.CoreV1().Secrets(sessionNamespace).Create(ctx, placeholderSecret, v1.CreateOptions{}); createErr != nil {
      log.Printf("Failed to create placeholder Google OAuth secret %s: %v", googleOAuthSecretName, createErr)
      // Update session status to warn user
      statusPatch.AddCondition(conditionUpdate{
          Type:    "GoogleOAuthReady",
          Status:  "False",
          Reason:  "PlaceholderCreationFailed",
          Message: fmt.Sprintf("Failed to create OAuth placeholder: %v", createErr),
      })
  }

🟡 Major Issues

3. OwnerReferences API Version Mismatch

• Location: sessions.go:1396
• Issue: Hardcoded API version vteam.ambient-code/v1 but should be v1alpha1
• Current Code: APIVersion: "vteam.ambient-code/v1"
• Expected: APIVersion: "vteam.ambient-code/v1alpha1" or use currentObj.GetAPIVersion()
• Impact: Garbage collection might not work correctly if API version doesn't match
• Recommendation:

  OwnerReferences: []v1.OwnerReference{
      {
          APIVersion: currentObj.GetAPIVersion(), // Use actual API version from object
          Kind:       currentObj.GetKind(),
          Name:       currentObj.GetName(),
          UID:        currentObj.GetUID(),
          Controller: boolPtr(true),
      },
  },

4. Idempotency Check Missing

• Location: sessions.go:1382
• Issue: If secret creation fails and operator retries, it will try to create again
• Pattern Violation: CLAUDE.md operator patterns require idempotency checks
• Impact: Could create duplicate secrets or error on IsAlreadyExists
• Recommendation: Add IsAlreadyExists check after creation attempt

  if _, createErr := config.K8sClient.CoreV1().Secrets(...).Create(...); createErr != nil {
      if !errors.IsAlreadyExists(createErr) {
          log.Printf("Failed to create placeholder: %v", createErr)
      } else {
          log.Printf("Placeholder secret already exists (idempotent retry)")
      }
  }

🔵 Minor Issues

5. Logging Improvement - Add Namespace Context

• Location: Multiple log statements
• Issue: Logs don't always include namespace for multi-tenant debugging
• Recommendation: Include namespace in all log statements

  log.Printf("Created placeholder Google OAuth secret %s/%s (will be populated after user OAuth)", 
      sessionNamespace, googleOAuthSecretName)

6. Code Organization - Large Function

• Location: handleAgenticSessionEvent function
• Issue: Function is extremely long (1400+ lines based on context)
• Impact: Hard to maintain, test, and review
• Recommendation: Extract secret creation logic into helper function

  func ensureGoogleOAuthPlaceholder(sessionNamespace, name string, currentObj *unstructured.Unstructured) error {
      // Secret creation logic here
  }

7. Python - Slice Bounds Check

• Location: main.py:110
• Issue: parent_session_id[:12] could panic if session ID < 12 chars
• Recommendation:

  session_preview = parent_session_id[:12] if len(parent_session_id) >= 12 else parent_session_id
  logger.info(f"INITIAL_PROMPT detected but has parent session ({session_preview}...) - skipping")

Positive Highlights

✅ Excellent Problem Analysis - PR description clearly explains the race condition and solution flow

✅ Proper OwnerReference Usage - Sets Controller: true correctly (sessions.go:1400)

✅ Security Best Practice - Uses Optional: true to prevent pod failure (sessions.go:1427)

✅ Good Label Usage - Proper labels for secret tracking (ambient-code.io/oauth: placeholder)

✅ Cleaner Logic - INITIAL_PROMPT skip logic simplified from marker file to PARENT_SESSION_ID (much better!)

✅ Follows Patterns - Secret structure matches existing patterns in codebase

✅ Documentation - Inline comments explain the sync timing and purpose

Recommendations (Prioritized)

Must Fix Before Merge

1. Fix API version in OwnerReferences (Issue Epic: Data Source Integration #3) - Use currentObj.GetAPIVersion()
2. Replace context.TODO() (Issue Outcome: Reduce Refinement Time with agent System #1) - Use proper context with timeout
3. Add IsAlreadyExists check (Issue Epic: AI Agent Development #4) - Ensure idempotency

Should Fix Before Merge

4. Update session status on secret creation failure (Issue Epic: RAT Architecture & Design #2) - User visibility
5. Add namespace to all logs (Issue Epic: Jira Integration & Workflow #5) - Better debugging

Nice-to-Have (Can Address Later)

6. Extract secret creation to helper function (Issue Epic: Testing & Validation #6) - Code organization
7. Fix Python slice bounds (Issue Test: Automation Workflow Validation #7) - Edge case handling

Testing Recommendations

Beyond the testing checklist in the PR description, verify:

• Secret creation succeeds/fails gracefully with proper status updates
• Operator handles secret already existing (idempotent retry)
• PARENT_SESSION_ID with various formats (empty, short, long)
• Verify garbage collection works with correct API version in OwnerReference

Overall Assessment

Quality Score: 7.5/10

The PR solves a real problem with a sound architectural approach. The main issues are around following established patterns from CLAUDE.md:

• Context usage instead of context.TODO()
• Status updates on failures
• Idempotency checks for retries

Once the critical issues are addressed, this will be a solid contribution. The INITIAL_PROMPT simplification is a particularly good improvement.

---

Review generated by Claude Code following project standards from CLAUDE.md, .claude/context/, and .claude/patterns/

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.