feat: add unified agent session runtime platform

.tiltignore

@@ -4,3 +4,11 @@ docs
 codefresh
 packages
 .next
+**/__fixtures__/**
+**/__snapshots__/**
+**/__tests__/**
+**/*.test.ts
+**/*.test.tsx
+**/*.spec.ts
+**/*.spec.tsx
+**/*.snap

Tiltfile

@@ -17,7 +17,7 @@
 ##################################
 load('ext://helm_resource', 'helm_resource', 'helm_repo')
 load("ext://restart_process", "docker_build_with_restart")
-load("ext://secret", "secret_create_generic")
+load("ext://secret", "secret_create_generic", "secret_from_dict")
 load('ext://dotenv', 'dotenv')
 
 update_settings(k8s_upsert_timeout_secs=180)
@@ -61,6 +61,7 @@ local_keycloak_operator_chart = '{}/keycloak-operator'.format(helm_charts_dir)
 local_lifecycle_keycloak_chart = '{}/lifecycle-keycloak'.format(helm_charts_dir)
 lifecycle_keycloak_values = 'sysops/tilt/lifecycle-keycloak-values.yaml'
 lifecycle_local_secrets = './helm/environments/local/secrets.yaml'
+github_idp_secret_name = 'lifecycle-keycloak-github-idp'
 has_local_keycloak_charts = os.path.exists(local_keycloak_operator_chart) and os.path.exists(local_lifecycle_keycloak_chart)
 use_local_keycloak_charts = keycloak_chart_source == "local" or (keycloak_chart_source == "auto" and has_local_keycloak_charts)
 if keycloak_chart_source == "local" and not has_local_keycloak_charts:
@@ -124,6 +125,7 @@ helm_resource(
     namespace=app_namespace,
     resource_deps=['bitnami'],
     flags=[
+        '--version', '25.5.2',
         '--set', 'auth.enabled=false',
         '--set', 'replica.replicaCount=0',
         '--set', 'auth.usePasswordFiles=false',
@@ -232,6 +234,31 @@ lifecycle_keycloak_resource_deps = [
 ]
 lifecycle_keycloak_flags = []
 
+def local_secret_value(key):
+    return str(local([
+        'node',
+        '-e',
+        'const fs = require("fs"); const [file, key] = process.argv.slice(1); const text = fs.readFileSync(file, "utf8"); const escaped = key.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&"); const re = new RegExp("^\\\\s*" + escaped + ":\\\\s*[\\\\\\"\\\']?([^\\\\\\"\\\'\\\\n#]+)", "m"); const match = text.match(re); process.stdout.write(match ? match[1].trim() : "");',
+        lifecycle_local_secrets,
+        key,
+    ], quiet=True))
+
+github_idp_client_id = local_secret_value('githubClientId') or os.getenv('GITHUB_CLIENT_ID', 'local-github-client-id')
+github_idp_client_secret = local_secret_value('githubClientSecret') or os.getenv('GITHUB_CLIENT_SECRET', 'local-github-client-secret')
+if github_idp_client_id == '' or github_idp_client_secret == '':
+    github_idp_client_id = 'local-github-client-id'
+    github_idp_client_secret = 'local-github-client-secret'
+    print('GitHub IDP: GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET not configured; GitHub account linking will use placeholders')
+
+k8s_yaml(secret_from_dict(
+    github_idp_secret_name,
+    namespace=app_namespace,
+    inputs={
+        'clientId': github_idp_client_id,
+        'clientSecret': github_idp_client_secret,
+    },
+))
+
 if use_local_keycloak_charts:
     keycloak_operator_deps.append(keycloak_operator_chart)
     lifecycle_keycloak_deps.append(lifecycle_keycloak_chart)
@@ -293,6 +320,20 @@ helm_resource(
     labels=['infra'],
 )
 
+local_resource(
+    'lifecycle-keycloak-github-idp-sync',
+    cmd='sh sysops/tilt/scripts/sync_keycloak_github_idp.sh {namespace} {secret}'.format(
+        namespace=app_namespace,
+        secret=github_idp_secret_name,
+    ),
+    deps=[
+        lifecycle_local_secrets,
+        'sysops/tilt/scripts/sync_keycloak_github_idp.sh',
+    ],
+    resource_deps=['lifecycle-keycloak'],
+    labels=['infra'],
+)
+
 ##################################
 # Worker & Web (Helm, Single Deploy)
 ##################################
@@ -336,6 +377,7 @@ helm_set_args = [
     'keycloak.companyIdp.userInfoUrl={}/realms/company/protocol/openid-connect/userinfo'.format(internal_keycloak_origin),
     'keycloak.companyIdp.jwksUrl={}/realms/company/protocol/openid-connect/certs'.format(internal_keycloak_origin),
     'keycloak.companyIdp.issuer={}/realms/company'.format(company_idp_origin),
+    'secrets.githubAppAuthCallback={}/realms/lifecycle/broker/github/endpoint'.format(company_idp_origin),
     'secrets.aiApiKey={}'.format(os.getenv("AI_API_KEY", "")),
     'secrets.geminiApiKey={}'.format(os.getenv("GEMINI_API_KEY", "")),
 ]
@@ -382,12 +424,13 @@ for r in patched_deploy:
 
         # Don't add postgres/redis deps for keycloak resources
         if "keycloak" not in name:
-            resource_deps = ['local-postgres', 'redis', 'agent-session-workspace-image']
+            resource_deps = ['local-postgres', 'redis', 'lifecycle-keycloak-github-idp-sync', 'agent-session-workspace-image']
         if "web" in name:
             labels = ["web"]
             port_forwards = ['5001:80']
         elif "worker" in name:
             labels = ["worker"]
+            resource_deps.append('lifecycle-web')
         k8s_resource(
             name,
             resource_deps=resource_deps,

helm/environments/local/lifecycle.yaml

@@ -44,6 +44,8 @@ global:
       value: 'lifecycle-logs'
     - name: OBJECT_STORE_USE_SSL
       value: 'false'
+    - name: ENABLE_AUTH
+      value: 'true'
     - name: AGENT_SESSION_WORKSPACE_IMAGE
       value: 'lifecycle-workspace:latest'
     - name: AGENT_SESSION_WORKSPACE_EDITOR_IMAGE
@@ -67,6 +69,12 @@ components:
       enabled: false
     deployment:
       replicaCount: 1
+      resources:
+        requests:
+          cpu: 200m
+          memory: 1Gi
+        limits:
+          memory: 12Gi
       extraEnv:
         - name: JOB_VERSION
           value: default
@@ -79,9 +87,11 @@ components:
         - name: PINO_PRETTY
           value: 'false'
         - name: LOG_LEVEL
-          value: debug
+          value: info
         - name: NODE_ENV
           value: development
+        - name: NODE_OPTIONS
+          value: '--max-old-space-size=6144'
         - name: LIFECYCLE_MODE
           value: web
         - name: PORT
@@ -128,7 +138,7 @@ components:
         - name: PINO_PRETTY
           value: 'false'
         - name: LOG_LEVEL
-          value: debug
+          value: info
         - name: NODE_ENV
           value: development
         - name: APP_ENV
@@ -146,7 +156,7 @@ components:
         - name: GITHUB_API_REQUEST_INTERVAL
           value: '10000'
         - name: LIFECYCLE_UI_URL
-          value: 'http://localhost:8000'
+          value: 'http://localhost:3000'
         - name: DD_TRACE_ENABLED
           value: 'false'
       ports:

helm/web-app/templates/secret.yaml

@@ -41,6 +41,9 @@ data:
   GITHUB_APP_ID: {{ .Values.secrets.githubAppId | default "not_setup" | b64enc | quote }}
   GITHUB_CLIENT_ID: {{ .Values.secrets.githubClientId | default "not_setup" | b64enc | quote }}
   GITHUB_APP_INSTALLATION_ID: {{ .Values.secrets.githubInstallationId | default "not_setup" | b64enc | quote }}
+  {{- if .Values.secrets.githubAppAuthCallback }}
+  GITHUB_APP_AUTH_CALLBACK: {{ .Values.secrets.githubAppAuthCallback | b64enc | quote }}
+  {{- end }}
   # Database secrets
   {{- if .Values.secrets.databaseUrl }}
   DATABASE_URL: {{ .Values.secrets.databaseUrl | b64enc | quote }}

next.config.js

@@ -24,9 +24,6 @@ module.exports = {
       '@octokit/auth-app',
       'dd-trace',
       'knex',
-      '@google/genai',
-      'google-auth-library',
-      'gaxios',
       '@aws-sdk/client-s3',
     ],
   },

package.json

@@ -7,7 +7,7 @@
   ],
   "scripts": {
     "babel-node": "babel-node --extensions '.ts'",
-    "dev": "LOG_LEVEL=debug ts-node -r ./dd-trace.js -r tsconfig-paths/register --project tsconfig.server.json ws-server.ts | pino-pretty -c -t HH:MM -i pid,hostname,filename -o '{msg}'",
+    "dev": "LOG_LEVEL=${LOG_LEVEL:-info} ts-node -r ./dd-trace.js -r tsconfig-paths/register --project tsconfig.server.json ws-server.ts | pino-pretty -c -t HH:MM -i pid,hostname,filename -o '{msg}'",
     "build": "next build && tsc --project tsconfig.server.json && tsc-alias -p tsconfig.server.json",
     "start": "NEXT_MANUAL_SIG_HANDLE=true NODE_ENV=production node -r ./dd-trace.js .next/ws-server.js",
     "run-prod": "port=5001 pnpm run start",
@@ -31,9 +31,7 @@
     "@ai-sdk/google": "^3.0.58",
     "@ai-sdk/mcp": "^1.0.33",
     "@ai-sdk/openai": "^3.0.50",
-    "@anthropic-ai/sdk": "^0.65.0",
     "@aws-sdk/client-s3": "^3.1000.0",
-    "@google/genai": "^1.38.0",
     "@heroui/react": "^2.8.5",
     "@kubernetes/client-node": "^0.22.3",
     "@modelcontextprotocol/sdk": "^1.25.3",
@@ -69,7 +67,6 @@
     "next": "14.2.35",
     "object-hash": "^2.0.3",
     "objection": "^3.0.1",
-    "openai": "^6.1.0",
     "p-queue": "^6.6.2",
     "pg": "^8.11.0",
     "picomatch": "^4.0.3",