
fix(api-server): register pre-auth interceptors when only GRPC_SERVICE_ACCOUNT is set#1455

Merged
mergify[bot] merged 1 commit into main from fix/bearer-token-init-guard
Apr 24, 2026

Conversation


@markturansky markturansky commented Apr 24, 2026

Summary

Bug in #1452: the init() guard requires AMBIENT_API_TOKEN to be non-empty before registering gRPC pre-auth interceptors. On Stage, only GRPC_SERVICE_ACCOUNT is set — AMBIENT_API_TOKEN is not in the api-server env vars — so interceptors are never registered and the OIDC service caller logic is dead code.

Evidence

Stage api-server env vars (no AMBIENT_API_TOKEN):

AMBIENT_ENV: production
GRPC_SERVICE_ACCOUNT: {secretKeyRef: {key: clientId, name: ambient-api-server}}

Stage api-server startup logs — no bearer token init messages, confirming early return:

I0423 23:54:22.927314  Enabling JWT authentication middleware
# no "Service token auth enabled" or "OIDC service account" line

Runner pods are still getting PERMISSION_DENIED on WatchSessionMessages because the interceptor that would set CallerTypeService was never registered.

Fix

Change init() guard from if token == "" to if token == "" && serviceAccount == "" — register interceptors when either env var is set.

Test plan

  • After merge + deploy, verify api-server logs show OIDC service account username: ocm-ams-service
  • Create session, tail runner logs — no PERMISSION_DENIED on WatchSessionMessages

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Updated gRPC authentication middleware initialization to support multiple authentication configuration options simultaneously. Bearer token interceptors are now enabled based on the presence of either authentication method, providing greater flexibility in authentication setup.

…E_ACCOUNT is set

The init() guard from #1452 required AMBIENT_API_TOKEN to be non-empty
before registering gRPC pre-auth interceptors. On Stage, only
GRPC_SERVICE_ACCOUNT is set (no AMBIENT_API_TOKEN), so the interceptors
were never registered and the OIDC service caller logic was dead code.

Evidence from Stage api-server startup logs — no bearer token init
messages appear, confirming early return at lines 27-29:

  I0423 23:54:22.927314 Enabling JWT authentication middleware
  (no "Service token auth enabled" or "OIDC service account" log)

Fix: register interceptors when either env var is set.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
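The guard change described in the PR description and commit message above, as an added Go model that is not the project's bearer_token.go: it assumes a Config type holding the two env vars, OldGuard/NewGuard functions for the #1452 and #1455 conditions, and an Init routine that records which interceptors would be registered, so the Stage case (only GRPC_SERVICE_ACCOUNT set) can be checked against both conditions. Interceptor names and log strings are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
)

// Config holds the two environment variables the PR discusses.
// Constructed for this example; the project's real types are not on the page.
type Config struct {
	Token          string // AMBIENT_API_TOKEN (static bearer token)
	ServiceAccount string // GRPC_SERVICE_ACCOUNT (OIDC service-account client id)
}

// ConfigFromEnv reads both variables from the process environment.
func ConfigFromEnv() Config {
	return Config{
		Token:          os.Getenv("AMBIENT_API_TOKEN"),
		ServiceAccount: os.Getenv("GRPC_SERVICE_ACCOUNT"),
	}
}

// OldGuard is the #1452 condition as the PR describes it: proceed only when
// the static token is set, so a service-account-only deployment returns early.
func OldGuard(c Config) bool {
	return c.Token != ""
}

// NewGuard is the #1455 condition: proceed unless both variables are unset.
func NewGuard(c Config) bool {
	return !(c.Token == "" && c.ServiceAccount == "")
}

// Registry records what the modelled init() installed and logged.
type Registry struct {
	Interceptors []string
	Logs         []string
}

// HasInterceptor reports whether an interceptor with the given name was registered.
func (r *Registry) HasInterceptor(name string) bool {
	for _, n := range r.Interceptors {
		if n == name {
			return true
		}
	}
	return false
}

// Init models the middleware init() path under a chosen guard. Interceptor
// names and log lines are placeholders, not the project's strings.
func Init(c Config, guard func(Config) bool) *Registry {
	r := &Registry{}
	r.Logs = append(r.Logs, "Enabling JWT authentication middleware")
	if !guard(c) {
		// Early return: under the old guard this branch is taken whenever the
		// static token is missing, even when the service account is configured.
		r.Logs = append(r.Logs, "bearer token auth disabled; no pre-auth interceptors registered")
		return r
	}
	if c.Token != "" {
		r.Interceptors = append(r.Interceptors, "static-bearer-token")
		r.Logs = append(r.Logs, "Service token auth enabled")
	}
	if c.ServiceAccount != "" {
		r.Interceptors = append(r.Interceptors, "oidc-service-account")
		r.Logs = append(r.Logs, "OIDC service account username: "+c.ServiceAccount)
	}
	return r
}

func main() {
	// Constructed Stage-like environment: only the service account is set.
	stage := Config{ServiceAccount: "ocm-ams-service"}
	for _, g := range []struct {
		name  string
		guard func(Config) bool
	}{{"old guard", OldGuard}, {"new guard", NewGuard}} {
		r := Init(stage, g.guard)
		fmt.Printf("%s: interceptors=%v\n", g.name, r.Interceptors)
		for _, l := range r.Logs {
			fmt.Println("  ", l)
		}
	}
}
```

Running the model with the Stage-like config shows the old guard installing nothing and the new guard installing the OIDC interceptor, which is the log line the test plan says to look for after deploy; with both variables empty, both guards still leave auth disabled.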

netlify Bot commented Apr 24, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

🔨 Latest commit: 0fca23c
🔍 Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69eabe4a5c49910008db88b8


coderabbitai Bot commented Apr 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a533a7b2-d0d9-4194-a23d-fc54c6804fad

📥 Commits

Reviewing files that changed from the base of the PR and between 85af3da and 0fca23c.

📒 Files selected for processing (1)
  • components/ambient-api-server/pkg/middleware/bearer_token.go

📝 Walkthrough

Walkthrough

Updated bearer-token gRPC interceptor registration logic in the middleware initialization to consider both AMBIENT_API_TOKEN and GRPC_SERVICE_ACCOUNT environment variables when determining whether authentication is enabled, and adjusted logging messages accordingly.

Changes

Cohort / File(s): Bearer Token Middleware Configuration
  • components/ambient-api-server/pkg/middleware/bearer_token.go
Summary: Modified init() to read GRPC_SERVICE_ACCOUNT upfront and changed the enable/disable condition: interceptors are now registered unless both env vars are unset. Updated logging to report both variables when auth is disabled and to emit gRPC-only messages conditionally.
🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (7 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): Title follows Conventional Commits format (fix(api-server): ...) and accurately describes the main fix: changing the guard logic to register interceptors when only GRPC_SERVICE_ACCOUNT is set.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Performance And Algorithmic Complexity (✅ Passed): Guard modification (token == "" to token == "" && serviceAccount == "") introduces no algorithmic or performance regressions; constant-time interceptor operations unchanged.
  • Security And Secret Handling (✅ Passed): Bearer token initialization is secure with constant-time comparison, no token exposure in logs or errors, and proper authorization enforcement.
  • Kubernetes Resource Safety (✅ Passed): Kubernetes Resource Safety check is not applicable; PR contains only Go middleware code changes without Kubernetes resource manifest modifications.


@mergify mergify Bot added the queued label Apr 24, 2026

mergify Bot commented Apr 24, 2026

Merge Queue Status

  • Entered queue: 2026-04-24 01:00 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged: 2026-04-24 01:00 UTC · at 0fca23ca2573d2cfe4a4284b2bb8d0c9a950eaf5 · squash

This pull request spent 12 seconds in the queue, including 2 seconds running CI.


@mergify mergify Bot merged commit 44893b9 into main Apr 24, 2026
57 checks passed
@mergify mergify Bot deleted the fix/bearer-token-init-guard branch April 24, 2026 01:00
@mergify mergify Bot removed the queued label Apr 24, 2026