Add AgentID console guidance, fix MCP proxy security dialog, remove dead credential endpoint#1349
Add AgentID console guidance, fix MCP proxy security dialog, remove dead credential endpoint#1349yashed wants to merge 3 commits into
Conversation
- Removed AgentClaimSecretResponse and AgentCredentialsResponse types from the API client and related hooks. - Updated AgentIdentityEnvironmentView to eliminate hasUnclaimedSecret field and clarify secret retrieval process. - Refactored hooks and API functions to remove claims and credential retrieval for externally hosted agents. - Enhanced AddMCPToolConfigPanel to support OAuth (AgentID) security, including environment variable references. - Updated ViewMCPServerComponent to handle OAuth security and provide integration guidance for AgentID variables. - Modified MCPProxySecurityTab to confirm authentication method changes that affect existing agent configurations. - Improved EnvAgentIdentitySection to automatically provision AgentID for environments without bindings. - Adjusted ExternalAgentOverview to reflect changes in secret generation and display messages accordingly.
|
Warning Review limit reached
Next review available in: 10 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe change removes AgentID credential retrieval and claim APIs, makes external secrets regeneration-only and non-persistent, renames injected AgentID environment variables, updates related clients and tests, and adds OAuth-aware MCP configuration and confirmation flows. ChangesIdentity secret lifecycle
AgentID environment contract
MCP OAuth configuration
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Console
participant AgentIdentityAPI
participant AgentThunderProvisioningService
participant SecretManagementClient
Console->>AgentIdentityAPI: request identity secret regeneration
AgentIdentityAPI->>AgentThunderProvisioningService: regenerate secret
AgentThunderProvisioningService->>SecretManagementClient: store secret for internal binding
SecretManagementClient-->>AgentThunderProvisioningService: secret reference
AgentThunderProvisioningService-->>Console: return generated secret
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@console/workspaces/pages/configure-agent/src/Configure/subComponents/AddMCPToolConfigPanel.tsx`:
- Around line 143-156: Replace the global usesIdentitySecurity boolean with a
normalized, loading-aware security model for only the mapped endpoints. In
AddMCPToolConfigPanel.tsx lines 143-156, resolve per-environment authentication
and preserve unresolved or mixed states; at lines 274-278, disable Save until
classification completes. In ViewMCPServer.Component.tsx lines 283-299, 415-416,
436-457, and 561-611, derive visibility and panel availability from that model
and render environment-specific guidance without presenting one global
integration guide for mixed authentication.
In `@console/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsx`:
- Around line 128-133: Update the generated token request around token_response
and access_token to set an explicit request timeout. Validate the HTTP response
for success before parsing JSON, and surface a clear OAuth/request error instead
of indexing access_token from an unsuccessful response.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 1c748620-accb-4682-bc36-3dab52fff8f1
⛔ Files ignored due to path filters (2)
cli/pkg/clients/amsvc/gen/client.gen.gois excluded by!**/gen/**cli/pkg/clients/amsvc/gen/types.gen.gois excluded by!**/gen/**
📒 Files selected for processing (30)
agent-manager-service/api/agent_routes.goagent-manager-service/clients/openchoreosvc/client/constants.goagent-manager-service/controllers/agent_controller.goagent-manager-service/docs/api_v1_openapi.yamlagent-manager-service/models/agent_thunder_client.goagent-manager-service/repositories/agent_thunder_client_repository.goagent-manager-service/repositories/agent_thunder_client_repository_test.goagent-manager-service/repositories/repomocks/agent_thunder_client_repository_mock.goagent-manager-service/services/agent_identity_injection_service.goagent-manager-service/services/agent_identity_injection_service_unit_test.goagent-manager-service/services/agent_manager.goagent-manager-service/services/agent_manager_test.goagent-manager-service/services/agent_thunder_provisioning_service.goagent-manager-service/services/agent_thunder_provisioning_service_test.goagent-manager-service/spec/api_agent_identity.goagent-manager-service/spec/model_agent_claim_secret_response.goagent-manager-service/spec/model_agent_credentials_response.goagent-manager-service/spec/model_agent_identity_environment_view.goagent-manager-service/tests/promote_agent_test.goagent-manager-service/utils/errors.goconsole/workspaces/libs/api-client/src/apis/agents.tsconsole/workspaces/libs/api-client/src/hooks/agents.tsconsole/workspaces/libs/types/src/api/agents.tsconsole/workspaces/pages/configure-agent/src/Configure/subComponents/AddMCPToolConfigPanel.tsxconsole/workspaces/pages/configure-agent/src/Configure/subComponents/EnvironmentVariablesReference.tsxconsole/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsxconsole/workspaces/pages/mcp-proxies/src/subComponents/MCPProxySecurityTab.tsxconsole/workspaces/pages/mcp-proxies/src/subComponents/mcpEndpoints.tsconsole/workspaces/pages/overview/src/AgentOverview/EnvAgentIdentitySection.tsxconsole/workspaces/pages/overview/src/AgentOverview/ExternalAgentOverview.tsx
💤 Files with no reviewable changes (8)
- agent-manager-service/utils/errors.go
- agent-manager-service/spec/model_agent_credentials_response.go
- agent-manager-service/spec/model_agent_claim_secret_response.go
- console/workspaces/libs/api-client/src/apis/agents.ts
- console/workspaces/libs/api-client/src/hooks/agents.ts
- agent-manager-service/api/agent_routes.go
- agent-manager-service/repositories/agent_thunder_client_repository_test.go
- agent-manager-service/repositories/repomocks/agent_thunder_client_repository_mock.go
… checks and improve Python snippet timeout handling
Purpose
Internal agents needed AgentID (per-environment OAuth2) credentials injected into their pods, but agent developers had no guidance in the console on how to use them, the MCP proxy security UI had a few rough edges, and one internal endpoint was reading secrets back out of the vault without ever being used.
Resolved - #1333
Goals
Approach
Added an "AgentID Variables" reference block and a Python integration snippet to the MCP tool configuration page and the add-tool panel, shown only for OAuth-secured tools.
Added a confirmation dialog on the MCP proxy Security tab before switching auth method, driven by the actual saved config so it never fires on an unconfigured proxy.
Changed the default security for a brand new MCP proxy endpoint from API Key enabled to unsecured.
Removed GetAgentCredentials end to end: route, controller, service, model, generated OpenAPI spec and CLI client, and the unused frontend hook, along with its dead vault read-back helper.
Renamed the AgentID environment variable constants and updated all references and tests.
UI Changers
User stories
Release note
N/A
Documentation
N/A
Training
N/A
Certification
N/A
Marketing
N/A
Automation tests
Updated and passing for the renamed constants, the removed endpoint, and the affected services (
make test-unit, all green).Verified manually
Security checks
Samples
N/A
Related PRs
Migrations (if applicable)
N/A
Test environment
Local Docker Compose + k3d (Colima), agent-manager-service and console running against a real Postgres and OpenChoreo cluster.
Learning
N/A
Summary by CodeRabbit
New Features
Breaking Changes
AMP_AGENTID_*format.UI Improvements