fix(backend): inherit parent userContext in child sessions#988

Merged
Gkrumbach07 merged 2 commits into main from worktree-fix-child-session-user-context
Mar 23, 2026

@Gkrumbach07
Contributor

Summary

  • When a runner service account creates a child session, the child now inherits the parent session's userContext instead of getting the service account identity
  • The runner API client automatically sets parentSessionId to the current session name
  • Fixes credential resolution (GitHub, Jira, etc.) for child sessions

Problem

Child sessions created by a runner pod had userContext.userId set to the service account identity (e.g., system-serviceaccount-ns-ambient-session-session-123). When the backend tried to resolve GitHub credentials for the child, it looked up credentials for the service account — which has none — returning 404.

Changes

components/backend/handlers/sessions.go

  • When parentSessionId is provided, fetch the parent session CR and copy its spec.userContext to the child
  • Falls back to existing identity resolution if no parent or parent lookup fails

components/runners/ambient-runner/ambient_runner/tools/backend_api.py

  • create_session() now automatically sets parentSessionId from AGENTIC_SESSION_NAME env var

Test plan

  • Create a session that spawns child sessions — verify child sessions have the parent's userId
  • Verify child sessions can resolve GitHub credentials
  • Verify sessions created directly (no parent) still work as before
  • Verify parent lookup failure (e.g., deleted parent) gracefully falls back

🤖 Generated with Claude Code

When a runner's service account creates a child session via the backend
API, the child session's userContext was derived from the service account
identity instead of the original user. This broke credential resolution
(e.g., GitHub tokens) because the backend looked up credentials for the
service account, which has none.

Now, when `parentSessionId` is provided:
- Backend fetches the parent session CR and copies its userContext
- Child session inherits the parent's userId, displayName, and groups
- Credentials (GitHub, Jira, etc.) resolve correctly

The runner API client now automatically sets `parentSessionId` to the
current session name (from AGENTIC_SESSION_NAME env var) so all child
sessions inherit identity without any changes to agent code.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
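
The resolution order described above, as a stand-alone Go sketch added here (not the project's `sessions.go`). `sessionStore` and `resolveUserContext` are hypothetical names, an in-memory map stands in for the Kubernetes lookup of the parent CR, and two behaviours are assumptions of this example: the parent is looked up only in the request's own namespace, and a parent with an empty `userId` is treated like a failed lookup.

```go
package main

import (
	"errors"
	"fmt"
)

// UserContext mirrors the fields the commit message says are inherited.
type UserContext struct {
	UserID      string
	DisplayName string
	Groups      []string
}

var errNotFound = errors.New("session not found")

// sessionStore is a hypothetical stand-in for fetching AgenticSession CRs,
// keyed by "namespace/name".
type sessionStore map[string]UserContext

func (s sessionStore) get(ns, name string) (UserContext, error) {
	uc, ok := s[ns+"/"+name]
	if !ok {
		return UserContext{}, errNotFound
	}
	return uc, nil
}

// resolveUserContext returns the identity to stamp on a new session and
// whether it was inherited. The parent is looked up only in the namespace
// of the request (assumption); any failure falls back to the caller.
func resolveUserContext(s sessionStore, ns, parentID string, caller UserContext) (UserContext, bool) {
	if parentID != "" {
		if parent, err := s.get(ns, parentID); err == nil && parent.UserID != "" {
			// Copy the slice so the child does not alias the parent's groups.
			parent.Groups = append([]string(nil), parent.Groups...)
			return parent, true
		}
	}
	return caller, false
}

func main() {
	// Constructed sample data, not taken from the project.
	store := sessionStore{"proj-a/session-123": {UserID: "alice", DisplayName: "Alice", Groups: []string{"dev"}}}
	sa := UserContext{UserID: "system-serviceaccount-ns-ambient-session-session-123"}
	for _, parent := range []string{"session-123", "deleted-parent", ""} {
		uc, inherited := resolveUserContext(store, "proj-a", parent, sa)
		fmt.Printf("parent=%q inherited=%v userId=%s\n", parent, inherited, uc.UserID)
	}
}
```

Returning the `inherited` flag alongside the identity lets the caller log which path was taken, so a child session that silently fell back to the service account identity is visible before credential resolution returns 404.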
@coderabbitai
Contributor

coderabbitai bot commented Mar 23, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 5176d14 and 49e972f.

📒 Files selected for processing (2)
  • components/manifests/base/core/operator-deployment.yaml
  • components/manifests/overlays/production/route.yaml

Walkthrough

Backend session creation now supports parent/child inheritance: when a parentSessionID is provided the handler copies the parent's spec.userContext into the new session. The Python client sets parentSessionId from AGENTIC_SESSION_NAME. Manifests adjust operator memory and add HAProxy route annotations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Backend Session Handler: components/backend/handlers/sessions.go | CreateSession now checks req.ParentSessionID; if present it fetches the parent AgenticSession CR from Kubernetes and assigns spec.userContext from the parent. If no parent (or not found), it falls back to resolving token identity and building spec.userContext from the caller and request. |
| Ambient Runner — Backend API Client: components/runners/ambient-runner/ambient_runner/tools/backend_api.py | create_session() reads AGENTIC_SESSION_NAME from the environment and, when non-empty, includes parentSessionId in the session creation payload sent to the backend. |
| Kubernetes Manifests: components/manifests/base/core/operator-deployment.yaml, components/manifests/overlays/production/route.yaml | Increased agentic-operator memory request/limit (64Mi->128Mi, 256Mi->512Mi). Added HAProxy annotations to frontend-route to enable round-robin balance and disable cookies. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client as Python Client
    participant Handler as Backend Handler
    participant K8s as Kubernetes API

    Client->>Handler: POST /sessions (parentSessionId=X?)
    alt parentSessionId provided
        Handler->>K8s: GET AgenticSession CR (parentSessionId)
        K8s-->>Handler: AgenticSession CR (spec.userContext)
        Handler->>Handler: Set newSession.spec.userContext = parent.spec.userContext
    else no parentSessionId
        Handler->>Handler: Read caller userID, resolve token identity if needed
        Handler->>Handler: Build newSession.spec.userContext from identity + req.UserContext
    end
    Handler-->>Client: 201 Created (new session)
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'fix(backend): inherit parent userContext in child sessions' clearly and specifically summarizes the main change: child sessions now inherit parent session context instead of using service account identity. |
| Description check | ✅ Passed | The description is well-structured, directly related to the changeset, and explains the problem, solution, and test plan. It clearly describes the implementation across multiple files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


…ancing

Operator:
- Bump memory request 64Mi→128Mi, limit 256Mi→512Mi to prevent OOM
  under load (observed 162Mi steady-state with ~70 sessions, was at
  63% of the old 256Mi limit with headroom shrinking)

Frontend route:
- Add roundrobin balance and disable sticky cookies so traffic
  distributes across all frontend replicas (one pod was at 97%
  memory while the other was idle due to default cookie affinity)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Gkrumbach07 Gkrumbach07 merged commit 6b21778 into main Mar 23, 2026
38 checks passed
@Gkrumbach07 Gkrumbach07 deleted the worktree-fix-child-session-user-context branch March 23, 2026 16:43
jeremyeder pushed a commit to jeremyeder/platform that referenced this pull request Mar 26, 2026
…ode#988)

## Summary

- When a runner service account creates a child session, the child now
inherits the **parent session's `userContext`** instead of getting the
service account identity
- The runner API client automatically sets `parentSessionId` to the
current session name
- Fixes credential resolution (GitHub, Jira, etc.) for child sessions

## Problem

Child sessions created by a runner pod had `userContext.userId` set to
the service account identity (e.g.,
`system-serviceaccount-ns-ambient-session-session-123`). When the
backend tried to resolve GitHub credentials for the child, it looked up
credentials for the service account — which has none — returning 404.

## Changes

**`components/backend/handlers/sessions.go`**
- When `parentSessionId` is provided, fetch the parent session CR and
copy its `spec.userContext` to the child
- Falls back to existing identity resolution if no parent or parent
lookup fails


**`components/runners/ambient-runner/ambient_runner/tools/backend_api.py`**
- `create_session()` now automatically sets `parentSessionId` from
`AGENTIC_SESSION_NAME` env var

## Test plan

- [ ] Create a session that spawns child sessions — verify child
sessions have the parent's userId
- [ ] Verify child sessions can resolve GitHub credentials
- [ ] Verify sessions created directly (no parent) still work as before
- [ ] Verify parent lookup failure (e.g., deleted parent) gracefully
falls back

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Ambient Code Bot <bot@ambient-code.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>