Do not merge#325
Open
luis5tb wants to merge 25 commits into
Open
Conversation
Previously, 5xx responses from the Procurement API when resolving account IDs were silently swallowed (logged as warning, returned None). This meant the entitlement was created with an empty account_id and Pub/Sub considered the event handled (200 response), never retrying. Now 5xx responses raise RuntimeError (same pattern as network errors), causing the handler to fail and Pub/Sub to retry the event. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The dcr_clients table always has a valid account_id (from the JWT sub claim), but marketplace_entitlements often has account_id='' because Pub/Sub events rarely include account info. Add backfill_entitlement_account_id() to ProcurementService and call it during DCR register_client() — every DCR request now writes the JWT's authoritative account_id back to the entitlement if it was previously empty. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gemini 3.5 Flash (GA, May 2026) offers significantly better agentic and coding performance — 83.6% on MCP Atlas (vs 62% for 3 Flash), beats 3.1 Pro on Terminal-Bench and Finance Agent benchmarks, and runs ~4x faster than other frontier models. Updated across config, deployment manifests (Cloud Run, OpenShift, Podman), and documentation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Helm chart and setup scripts for ArgoCD-managed deployment of the Lightspeed Agent on Google Cloud (Cloud Run). ArgoCD manages intermediate K8s resources on OpenShift; a PostSync hook Job triggers Cloud Build to deploy Cloud Run services. Key design decisions: - Uses --no-source with an injected git clone build step to avoid VPC Service Controls blocking the default Cloud Build bucket - Cloud Build logging set to CLOUD_LOGGING_ONLY (no GCS log bucket needed) - _SCAN_SEVERITY patched via sed (commas conflict with --substitutions) - ESO CRD defaults added explicitly to prevent ArgoCD perpetual diffs Includes: - deploy/gitops/google-cloud/ — Helm chart (templates, values, helpers) - deploy/gitops/setup/ — prerequisite scripts (GitOps operator, ESO, GCP SA) - deploy/gitops/README.md — architecture, setup, secrets management docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Store the service account key in GCP Secret Manager so ESO can pull it automatically when externalSecrets.enabled=true. If the secret already exists, a new version is added. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The bootstrap K8s secret (gcp-sa-bootstrap) already contains the GCP SA key needed by the deploy Job. ESO was just pulling a redundant copy of the same key from GCP Secret Manager. Removed: - external-secret.yaml, secret-store.yaml templates - install-eso-operator.sh setup script - externalSecrets values block and secretmanager.secretAccessor role - GCP Secret Manager upload step from setup-gcp-sa.sh The deploy Job now mounts gcp-sa-bootstrap directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix GitOps repo URL inconsistency in CLAUDE.md (luis5tb -> RHEcosystemAppEng) - Remove incorrect ESO mention in CLAUDE.md - Fix --help sed pattern in both setup scripts to show full help text - Fix setup/README.md Quick Start paths to clarify GitOps repo origin - Move bootstrap secret from 'Resources created' to 'Prerequisites' in NOTES.txt - Add _SCAN_SEVERITY input validation and post-sed verification - Add GIT_BRANCH character validation - Add post-sed verification for clone step injection - Add git token exposure warning for private repos - Add readOnlyRootFilesystem with emptyDir for /tmp - Remove unnecessary secrets access from RBAC Role - Add nameOverride/fullnameOverride to values.yaml - Add key rotation guidance to setup-gcp-sa.sh Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document what collides when deploying multiple agent instances to the same GCP project, what is shared by design, and step-by-step instructions for setting up staging + prod instances with independent ArgoCD Applications and per-instance resource names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Parameterize GEMINI_MODEL and AGENT_LOGGING_DETAIL in Cloud Run service.yaml so they can be overridden via Cloud Build substitutions and GitOps values. Make the MCP --debug flag conditional in both OpenShift (Helm) and Cloud Run (sed-based placeholder) deployments. Cloud Run / GitOps pipeline: - service.yaml: replace hardcoded values with substitution variables - cloudbuild.yaml: add _GEMINI_MODEL, _AGENT_LOGGING_DETAIL, _MCP_DEBUG - deploy.sh: add matching sed substitutions for manual deploys - gitops chart: wire new values through values.yaml, ConfigMap, and deploy Job SUBSTITUTIONS OpenShift chart: - Wrap --debug in conditional (mcp.debug, defaults to true to preserve current behavior) - GEMINI_MODEL and AGENT_LOGGING_DETAIL were already parameterized Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add comprehensive testing guide covering dev mode with SKIP_JWT_VALIDATION, ADK web UI, curl examples, order_id behavior, and Podman deployment testing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch from prompt-only augmentation to SendA2uiToClientToolset for server-side A2UI JSON validation. Add domain-specific few-shot examples for Red Hat Insights data (CVEs, advisor, inventory, remediations). Add A2UI input modes to Agent Card for button/form action payloads. Cache schema manager and fix docs MIME type inconsistencies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update docs to reflect SendA2uiToClientToolset approach instead of prompt augmentation, add missing examples.py to code layouts, fix test coverage descriptions, correct TOOL_RESULT_MAX_CHARS default from 51200 to 204800, and add Bearer token to X-Order-Id curl example. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Upgrade from A2UI v0.8 to v0.9 (createSurface/updateComponents format) - Rewrite Insights examples in v0.9 format (no Table component in v0.9) - Pin a2ui-agent-sdk>=0.2.0,<0.2.3 (0.2.3+ has NameError with ADK 2.2.0) - Remove dead generate_a2ui_instruction() and unused instruction variable - Update standalone UI renderer to support both v0.8 and v0.9 formats - Fix logging: use exc_info=True instead of f-string exception formatting - Update all docs, tests, and config for v0.9 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix Card/Button v0.9 children rendering (was using v0.8 singular child only, v0.9 arrays rendered as empty containers) - Add $data binding resolution in resolveA2UIValue with actual data model lookup instead of placeholder text - Fix createSurface rootId detection via tree analysis instead of hardcoding 'root' - Thread dataModel through all render functions for proper binding - Narrow except Exception to ImportError in A2UI toolset init - Add version constraint comment for a2ui-agent-sdk in pyproject.toml - Remove empty updateDataModel from examples 1, 2, 4 (keep example 3 which uses data binding) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add Example 5 (RHEL Lifecycle & Upcoming Changes) to a2ui/examples.py showing Planning service data rendered as A2UI cards with data bindings - Add A2UI Rich Rendering section to response-formatting skill to guide the LLM to prefer A2UI components over markdown tables when the send_a2ui_json_to_client tool is available Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wire A2UI_ENABLED through all deployment paths: - Cloud Run: deploy.sh default, service.yaml env var, cloudbuild.yaml substitution - OpenShift Helm: values.yaml default, configmap.yaml template - Google Cloud GitOps: values.yaml, deployment-config.yaml, deploy-job.yaml Also fix cherry-pick issue: use instruction variable (with pre-loaded strict skills) instead of raw AGENT_INSTRUCTION constant in LlmAgent constructor, and update A2UI tests to account for strict skill preloading. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add eval testing that the agent prefers A2UI components over markdown tables when the send_a2ui_json_to_client tool is available. Assertions check: A2UI preference, correct vulnerability tool usage, component references, and plain text for explanations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add eval 7 (a2ui-rendering) to evals.json testing A2UI preference - Update skill-snapshot with current skills (including A2UI rendering guidance in response-formatting) - Add iteration-6 results: with_skill 32/35 (91.4%) vs old_skill 27/35 (77.1%), A2UI eval confirms the response-formatting skill change works as intended — no regressions on evals 1-6 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Keep only the CVE list and Advisor card examples (the two most common patterns). The other 3 examples (inventory, remediation, lifecycle) were adding ~3.8K tokens to the system prompt, causing Gemini 3.5 Flash to generate incomplete A2UI payloads (bare createSurface with no updateComponents) when combined with MCP tool results. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.