Skip to content

Add AgentID console guidance, fix MCP proxy security dialog, remove dead credential endpoint#1349

Open
yashed wants to merge 3 commits into
wso2:mainfrom
yashed:task/agent-id-2b
Open

Add AgentID console guidance, fix MCP proxy security dialog, remove dead credential endpoint#1349
yashed wants to merge 3 commits into
wso2:mainfrom
yashed:task/agent-id-2b

Conversation

@yashed

@yashed yashed commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Purpose

Internal agents needed AgentID (per-environment OAuth2) credentials injected into their pods, but agent developers had no guidance in the console on how to use them, the MCP proxy security UI had a few rough edges, and one internal endpoint was reading secrets back out of the vault without ever being used.
Resolved - #1333

Goals

  • Show agent developers the AgentID environment variables and a working code sample wherever an MCP tool uses OAuth security.
  • Warn before switching an MCP proxy's auth method if it would break agents already using it, but only when a method is actually configured.
  • Remove the unused internal credential-retrieval endpoint that read secrets back from the vault.
  • Shorten the AgentID environment variable names (AMP_AGENT_IDENTITY_* to AMP_AGENTID_*).

Approach

  • Added an "AgentID Variables" reference block and a Python integration snippet to the MCP tool configuration page and the add-tool panel, shown only for OAuth-secured tools.

  • Added a confirmation dialog on the MCP proxy Security tab before switching auth method, driven by the actual saved config so it never fires on an unconfigured proxy.

  • Changed the default security for a brand new MCP proxy endpoint from API Key enabled to unsecured.

  • Removed GetAgentCredentials end to end: route, controller, service, model, generated OpenAPI spec and CLI client, and the unused frontend hook, along with its dead vault read-back helper.

  • Renamed the AgentID environment variable constants and updated all references and tests.

  • UI Changers

image image

User stories

  • As an agent developer, I can see which environment variables my OAuth-secured MCP tool needs and copy a working code sample, instead of guessing.
  • As an org admin, I get warned before an auth method change breaks agents that already depend on it.

Release note

N/A

Documentation

N/A

Training

N/A

Certification

N/A

Marketing

N/A

Automation tests

  • Unit tests
    Updated and passing for the renamed constants, the removed endpoint, and the affected services (make test-unit, all green).
  • Integration tests
    Verified manually

Security checks

Samples

N/A

Related PRs

Migrations (if applicable)

N/A

Test environment

Local Docker Compose + k3d (Colima), agent-manager-service and console running against a real Postgres and OpenChoreo cluster.

Learning

N/A

Summary by CodeRabbit

  • New Features

    • External agent secrets are now generated on demand and are never stored or retrieved through a claim flow.
    • Agent identity views now display client IDs without exposing secret availability.
    • MCP configuration supports OAuth/AgentID variables with dedicated setup guidance.
    • Users receive confirmation before changing MCP proxy authentication methods.
  • Breaking Changes

    • Removed agent credential retrieval and one-time secret-claiming APIs.
    • Updated AgentID environment variable names to the AMP_AGENTID_* format.
  • UI Improvements

    • External agents now automatically provision identities and clearly warn that generated secrets are shown only once.

yashed added 2 commits July 17, 2026 23:44
- Removed AgentClaimSecretResponse and AgentCredentialsResponse types from the API client and related hooks.
- Updated AgentIdentityEnvironmentView to eliminate hasUnclaimedSecret field and clarify secret retrieval process.
- Refactored hooks and API functions to remove claims and credential retrieval for externally hosted agents.
- Enhanced AddMCPToolConfigPanel to support OAuth (AgentID) security, including environment variable references.
- Updated ViewMCPServerComponent to handle OAuth security and provide integration guidance for AgentID variables.
- Modified MCPProxySecurityTab to confirm authentication method changes that affect existing agent configurations.
- Improved EnvAgentIdentitySection to automatically provision AgentID for environments without bindings.
- Adjusted ExternalAgentOverview to reflect changes in secret generation and display messages accordingly.
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@yashed, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 10 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b2fb72e6-c8bb-425b-aaa4-e7b74ae3aa3e

📥 Commits

Reviewing files that changed from the base of the PR and between 804f3ca and 5ac9d63.

📒 Files selected for processing (2)
  • console/workspaces/pages/configure-agent/src/Configure/subComponents/AddMCPToolConfigPanel.tsx
  • console/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsx
📝 Walkthrough

Walkthrough

The change removes AgentID credential retrieval and claim APIs, makes external secrets regeneration-only and non-persistent, renames injected AgentID environment variables, updates related clients and tests, and adds OAuth-aware MCP configuration and confirmation flows.

Changes

Identity secret lifecycle

Layer / File(s) Summary
Remove credential and claim contracts
agent-manager-service/api/..., agent-manager-service/controllers/..., agent-manager-service/docs/..., agent-manager-service/spec/..., console/workspaces/libs/...
Credential retrieval and secret-claim routes, handlers, schemas, generated clients, hooks, response models, and hasUnclaimedSecret fields are removed.
Separate internal persistence from external regeneration
agent-manager-service/services/..., agent-manager-service/repositories/..., agent-manager-service/models/..., agent-manager-service/utils/errors.go
Internal credentials remain persisted, while external secrets are generated without storage or claim tracking; tests cover both behaviors.
Update identity credential UI
console/workspaces/pages/overview/...
External identity sections auto-provision and show client IDs, while regeneration displays a never-stored secret message.

AgentID environment contract

Layer / File(s) Summary
Rename injected AgentID variables
agent-manager-service/clients/..., agent-manager-service/services/..., agent-manager-service/tests/...
Agent identity environment variables change from AMP_AGENT_IDENTITY_* to AMP_AGENTID_* across injection, synchronization, promotion, and tests.

MCP OAuth configuration

Layer / File(s) Summary
Configure identity-secured MCP tools
console/workspaces/pages/configure-agent/src/Configure/...
Proxy security details determine editable environment variables and save payload contents, with AgentID references shown for identity-secured tools.
Render AgentID MCP integration guidance
console/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsx
OAuth-specific connection instructions, environment references, and Python token-request guidance are added alongside the existing API-key flow.
Confirm proxy authentication changes
console/workspaces/pages/mcp-proxies/src/subComponents/...
Changing a saved authentication method now requires confirmation, and default API-key behavior is documented.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Console
  participant AgentIdentityAPI
  participant AgentThunderProvisioningService
  participant SecretManagementClient
  Console->>AgentIdentityAPI: request identity secret regeneration
  AgentIdentityAPI->>AgentThunderProvisioningService: regenerate secret
  AgentThunderProvisioningService->>SecretManagementClient: store secret for internal binding
  SecretManagementClient-->>AgentThunderProvisioningService: secret reference
  AgentThunderProvisioningService-->>Console: return generated secret
Loading

Possibly related PRs

Suggested reviewers: hanzjk, rasika2012, menakaj

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 45.83% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly covers the main changes: AgentID guidance, MCP proxy dialog, and removal of the dead credential endpoint.
Description check ✅ Passed The description matches the template and includes the required sections, screenshots, tests, and impact notes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@yashed
yashed marked this pull request as ready for review July 18, 2026 15:14

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@console/workspaces/pages/configure-agent/src/Configure/subComponents/AddMCPToolConfigPanel.tsx`:
- Around line 143-156: Replace the global usesIdentitySecurity boolean with a
normalized, loading-aware security model for only the mapped endpoints. In
AddMCPToolConfigPanel.tsx lines 143-156, resolve per-environment authentication
and preserve unresolved or mixed states; at lines 274-278, disable Save until
classification completes. In ViewMCPServer.Component.tsx lines 283-299, 415-416,
436-457, and 561-611, derive visibility and panel availability from that model
and render environment-specific guidance without presenting one global
integration guide for mixed authentication.

In `@console/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsx`:
- Around line 128-133: Update the generated token request around token_response
and access_token to set an explicit request timeout. Validate the HTTP response
for success before parsing JSON, and surface a clear OAuth/request error instead
of indexing access_token from an unsuccessful response.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1c748620-accb-4682-bc36-3dab52fff8f1

📥 Commits

Reviewing files that changed from the base of the PR and between fa473da and 804f3ca.

⛔ Files ignored due to path filters (2)
  • cli/pkg/clients/amsvc/gen/client.gen.go is excluded by !**/gen/**
  • cli/pkg/clients/amsvc/gen/types.gen.go is excluded by !**/gen/**
📒 Files selected for processing (30)
  • agent-manager-service/api/agent_routes.go
  • agent-manager-service/clients/openchoreosvc/client/constants.go
  • agent-manager-service/controllers/agent_controller.go
  • agent-manager-service/docs/api_v1_openapi.yaml
  • agent-manager-service/models/agent_thunder_client.go
  • agent-manager-service/repositories/agent_thunder_client_repository.go
  • agent-manager-service/repositories/agent_thunder_client_repository_test.go
  • agent-manager-service/repositories/repomocks/agent_thunder_client_repository_mock.go
  • agent-manager-service/services/agent_identity_injection_service.go
  • agent-manager-service/services/agent_identity_injection_service_unit_test.go
  • agent-manager-service/services/agent_manager.go
  • agent-manager-service/services/agent_manager_test.go
  • agent-manager-service/services/agent_thunder_provisioning_service.go
  • agent-manager-service/services/agent_thunder_provisioning_service_test.go
  • agent-manager-service/spec/api_agent_identity.go
  • agent-manager-service/spec/model_agent_claim_secret_response.go
  • agent-manager-service/spec/model_agent_credentials_response.go
  • agent-manager-service/spec/model_agent_identity_environment_view.go
  • agent-manager-service/tests/promote_agent_test.go
  • agent-manager-service/utils/errors.go
  • console/workspaces/libs/api-client/src/apis/agents.ts
  • console/workspaces/libs/api-client/src/hooks/agents.ts
  • console/workspaces/libs/types/src/api/agents.ts
  • console/workspaces/pages/configure-agent/src/Configure/subComponents/AddMCPToolConfigPanel.tsx
  • console/workspaces/pages/configure-agent/src/Configure/subComponents/EnvironmentVariablesReference.tsx
  • console/workspaces/pages/configure-agent/src/ViewMCPServer.Component.tsx
  • console/workspaces/pages/mcp-proxies/src/subComponents/MCPProxySecurityTab.tsx
  • console/workspaces/pages/mcp-proxies/src/subComponents/mcpEndpoints.ts
  • console/workspaces/pages/overview/src/AgentOverview/EnvAgentIdentitySection.tsx
  • console/workspaces/pages/overview/src/AgentOverview/ExternalAgentOverview.tsx
💤 Files with no reviewable changes (8)
  • agent-manager-service/utils/errors.go
  • agent-manager-service/spec/model_agent_credentials_response.go
  • agent-manager-service/spec/model_agent_claim_secret_response.go
  • console/workspaces/libs/api-client/src/apis/agents.ts
  • console/workspaces/libs/api-client/src/hooks/agents.ts
  • agent-manager-service/api/agent_routes.go
  • agent-manager-service/repositories/agent_thunder_client_repository_test.go
  • agent-manager-service/repositories/repomocks/agent_thunder_client_repository_mock.go

… checks and improve Python snippet timeout handling
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant