debug(api-server): add V(4) logging to pre-auth stream interceptor

[markturansky]

Summary

• Adds verbose (V4) debug logging to the pre-auth gRPC stream interceptor
• Traces every branch in the interceptor to identify why CallerTypeService is not being set
• Temporary diagnostic PR — will be reverted once root cause is identified

Context

PR #1452 added GRPC_SERVICE_ACCOUNT support and PR #1455 fixed the init guard.
Both are merged and deployed to Stage, but runners still get PERMISSION_DENIED.
The init() registration is confirmed (glog file shows the message), but we need
to see which branch the interceptor takes at runtime.

Test plan

• Merge and wait for auto-deploy to Stage
• Check api-server logs for [pre-auth] messages
• Correlate with WatchSessionMessages PERMISSION_DENIED errors

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced internal diagnostic logging for authentication request handling to improve troubleshooting and monitoring capabilities.

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	ea52401
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ebfafa2dec540008dc378d

[coderabbitai]

📝 Walkthrough

Walkthrough

The stream bearer-token interceptor in the gRPC middleware adds verbose diagnostic logging across multiple pre-authentication control-flow paths, including token validation, JWT username extraction, and failure scenarios, while preserving existing authentication behavior.

Changes

Cohort / File(s)	Summary
Diagnostic Logging Enhancement components/ambient-api-server/pkg/middleware/bearer_token_grpc.go	Added glog.V(4) diagnostic logs for pre-auth control-flow branches: static token matches, JWT username validation, extraction failures, missing headers/metadata, and fall-through paths where CallerType remains unset. Unary interceptor unchanged; authentication behavior preserved.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Security And Secret Handling	❌ Error	PR logs sensitive OIDC usernames and service account names in plaintext at lines 62 and 65 of bearer_token_grpc.go, creating PII/compliance risks even at V(4) verbose level.	Remove username and serviceAccountUsername substitutions from log statements; replace with boolean/state information only to preserve diagnostics while eliminating sensitive data exposure.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title follows Conventional Commits format (type: debug, scope: api-server) and accurately describes the main change: adding V(4) verbose logging to the pre-auth stream interceptor.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	PR adds only O(1) diagnostic V(4) verbose logging to auth interceptor; no algorithmic complexity changes, loops, or unbounded operations introduced.
Kubernetes Resource Safety	✅ Passed	The PR modifies only Go gRPC middleware code with no Kubernetes manifests, resource definitions, RBAC policies, or container configurations.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch debug/pre-auth-interceptor-logging

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch debug/pre-auth-interceptor-logging

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/ambient-api-server/pkg/middleware/bearer_token_grpc.go`:
- Around line 62-66: The current pre-auth logs in the bearer_token_grpc path
emit raw identifiers (username and serviceAccountUsername) via glog.V(4).Infof;
replace those prints with non-identifying information only — e.g., log the match
result and method name and/or a redacted/hashed form of the identifier instead
of the plaintext username. Update the two logging sites that reference
info.FullMethod, username, and serviceAccountUsername (the glog.V(4).Infof calls
surrounding the withCallerType(ctx, CallerTypeService) branch) to remove raw
identifiers and emit either username==serviceAccountUsername (boolean) or a
deterministic hash/redaction token while preserving the existing
CallerTypeService behavior. Ensure any redaction/hashing uses a stable,
non-reversible method and does not change the control flow in withCallerType or
the branch that sets CallerTypeService.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 68c42c0b-f955-4588-9514-fe8cece6b071

📥 Commits

Reviewing files that changed from the base of the PR and between 954024d and ea52401.

📒 Files selected for processing (1)

• components/ambient-api-server/pkg/middleware/bearer_token_grpc.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging raw usernames/service-account identifiers in pre-auth path

These messages log user identifiers directly. Even at V(4), this creates avoidable privacy/compliance risk in retained logs. Keep only match/state booleans (or hash/redact identifiers).

Suggested change

-							glog.V(4).Infof("[pre-auth] stream %s: OIDC username %q matches service account, setting CallerTypeService", info.FullMethod, username)
+							glog.V(4).Infof("[pre-auth] stream %s: OIDC username matches configured service account, setting CallerTypeService", info.FullMethod)
 							ctx = withCallerType(ctx, CallerTypeService)
 						} else {
-							glog.V(4).Infof("[pre-auth] stream %s: OIDC username %q (service account %q, match=%v)", info.FullMethod, username, serviceAccountUsername, username == serviceAccountUsername)
+							glog.V(4).Infof("[pre-auth] stream %s: OIDC username present (service account configured=%t, match=%v)", info.FullMethod, serviceAccountUsername != "", username == serviceAccountUsername)
 						}

As per coding guidelines, **/*: Flag bugs, security vulnerabilities, logic errors, data loss risks, and meaningful refactoring opportunities.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/ambient-api-server/pkg/middleware/bearer_token_grpc.go` around
lines 62 - 66, The current pre-auth logs in the bearer_token_grpc path emit raw
identifiers (username and serviceAccountUsername) via glog.V(4).Infof; replace
those prints with non-identifying information only — e.g., log the match result
and method name and/or a redacted/hashed form of the identifier instead of the
plaintext username. Update the two logging sites that reference info.FullMethod,
username, and serviceAccountUsername (the glog.V(4).Infof calls surrounding the
withCallerType(ctx, CallerTypeService) branch) to remove raw identifiers and
emit either username==serviceAccountUsername (boolean) or a deterministic
hash/redaction token while preserving the existing CallerTypeService behavior.
Ensure any redaction/hashing uses a stable, non-reversible method and does not
change the control flow in withCallerType or the branch that sets
CallerTypeService.

[markturansky]

Superseded by #1465 which includes the actual fix. Root cause: Keycloak client credentials tokens prefix service-account- to the username, so service-account-ocm-ams-service != ocm-ams-service.