Skip to content

Revert "WIP: Jwt vertex" #289

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 12, 2025
Merged

Revert "WIP: Jwt vertex" #289

merged 1 commit into from
Nov 12, 2025

Conversation

@cooktheryan
Copy link
Collaborator

@cooktheryan cooktheryan commented Nov 12, 2025

Reverts #285

@cooktheryan
Copy link
Collaborator Author

cooktheryan commented Nov 12, 2025

Work not completed yet. Assets would be heavily broken

@cooktheryan cooktheryan merged commit b3caed8 into main Nov 12, 2025
7 checks passed
@cooktheryan cooktheryan deleted the revert-285-jwt_vertex branch November 12, 2025 13:29
@github-actions
Copy link
Contributor

github-actions bot commented Nov 12, 2025

Post-Merge Code Review

This revert PR (#289) successfully rolls back the WIP Vertex AI JWT authentication implementation from PR #285. Here's my analysis:

✅ What Was Reverted (Good Decision)

1. Removed Vertex AI Credential Minting Endpoint

  • Removed MintSessionVertexCredentials handler (143 lines)
  • Removed route POST /api/projects/:project/agentic-sessions/:session/vertex/credentials
  • Rationale: WIP feature that wasn't production-ready

2. Removed Token Validation Refactoring

  • Removed validateRunnerToken helper function that was extracted from MintSessionGitHubToken
  • Reverted to inline token validation in MintSessionGitHubToken
  • Impact: Some code duplication restored, but acceptable for stability

3. Cleaned Up Type Inconsistencies

  • Reverted kubernetes.Interface*kubernetes.Clientset changes
  • Why this matters: The interface-to-concrete-type change was part of the Vertex work but wasn't necessary

4. Removed Test Infrastructure

  • Deleted handlers/sessions_test.go (432 lines of unit tests for Vertex credentials)
  • Appropriate: Tests for removed functionality

5. Operator Configuration Cleanup

  • Removed Vertex-specific env vars from operator deployment: CLOUD_ML_REGION, ANTHROPIC_VERTEX_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS
  • Kept only the feature flag: CLAUDE_CODE_USE_VERTEX

🔍 Code Quality Observations

Type Safety Regression ⚠️
The revert introduced some type-safety regressions that violate CLAUDE.md standards:

// BEFORE (PR #285 - Better, type-safe)
anns, _, _ := unstructured.NestedStringMap(obj.Object, "metadata", "annotations")
expectedSA, ok := anns["ambient-code.io/runner-sa"]

// AFTER (Revert - Less safe, uses type assertions)
meta, _ := obj.Object["metadata"].(map[string]interface{})
anns, _ := meta["annotations"].(map[string]interface{})
if v, ok := anns["ambient-code.io/runner-sa"].(string); ok {
    expectedSA = strings.TrimSpace(v)
}

Per CLAUDE.md Backend Standards:

Type-Safe Unstructured Access

  • FORBIDDEN: Direct type assertions without checking
  • REQUIRED: Use unstructured.Nested* helpers with three-value returns

Recommendation: In a follow-up PR, restore the type-safe patterns from #285:

  • Use unstructured.NestedStringMap() for annotations
  • Use unstructured.NestedString() for spec fields
  • This is independent of the Vertex feature and improves code safety

📋 Revert Completeness

Clean Revert:

  • All Vertex-related code removed
  • No orphaned dependencies
  • Route registration cleaned up
  • RBAC permissions appropriately reduced
  • Test files removed

No Breaking Changes:

  • Core GitHub token minting still works (revert didn't break existing functionality)
  • Only WIP Vertex feature removed

🎯 Follow-Up Recommendations

  1. Restore Type Safety (Priority: Medium)

    // In MintSessionGitHubToken, replace type assertions with:
anns, _, _ := unstructured.NestedStringMap(obj.Object, "metadata", "annotations")
userID, _, _ := unstructured.NestedString(obj.Object, "spec", "userContext", "userId")

  2. Add Unit Tests for MintSessionGitHubToken (Priority: High)

    • The revert removed 432 lines of tests, but we lost test coverage for the GitHub token minting too
    • Consider adapting the Vertex test patterns for GitHub token endpoint

  3. Document Token Validation Pattern (Priority: Low)

    • The validateRunnerToken helper that was removed showed a good pattern
    • If you need similar validation in the future, consider re-extracting it

🔒 Security Analysis

✅ No security regressions introduced
✅ Token redaction still in place (never logs actual token values)
✅ RBAC properly scoped (backend doesn't need Vertex secret access anymore)
✅ ServiceAccount validation still works correctly

Summary

Verdict: ✅ Revert executed correctly

This was the right decision for a WIP feature. The revert is complete, doesn't introduce breaking changes, and properly cleans up all related code. The only minor downside is the type-safety regression, which should be addressed in a focused follow-up PR independent of Vertex work.

Estimated Risk: Low
Merge Status: Already merged ✓

Review generated by Claude Code based on CLAUDE.md standards

jeremyeder pushed a commit to jeremyeder/platform that referenced this pull request Nov 12, 2025
@cooktheryan @jeremyeder
Revert "WIP: Jwt vertex" (ambient-code#289)
88351d1 
Reverts ambient-code#285
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cooktheryan