fix: address third round of CodeRabbit review feedback

- Honor gitcookie subdomain flag (column 2) in parseGitcookies:
  only allow subdomain matching when flag is TRUE, preventing
  credential scope widening on mistyped URLs
- Add cluster URL validation to Gerrit MCP auth check fallback
  to prevent BOT_TOKEN exfiltration via user-overridden env vars
- Propagate Gerrit PermissionError into auth_failures list for
  consistent fail-fast behavior with other providers
- Align spec type name GerritInstancesListResponse →
  GerritInstancesResponse to match implementation
- Update spec assumption to reflect per-user Secret model
- Add discriminator keyword to OpenAPI oneOf schemas

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Sylvain Bauza

components/backend/handlers/integration_validation.go

@@ -224,7 +224,9 @@ func ValidateGerritToken(ctx context.Context, gerritURL, authMethod, username, h
 }
 
 // parseGitcookies extracts the cookie value for a given Gerrit URL from gitcookies content.
-// Gitcookies format: host\tFALSE\t/\tTRUE\t2147483647\to\tvalue
+// Gitcookies format: host\tsubdomain_flag\t/\tTRUE\t2147483647\to\tvalue
+// The subdomain flag (column 2) controls whether subdomains are allowed:
+// "TRUE" means any subdomain matches; "FALSE" means exact host match only.
 func parseGitcookies(gerritURL, content string) string {
 	parsed, err := url.Parse(gerritURL)
 	if err != nil {
@@ -241,7 +243,13 @@ func parseGitcookies(gerritURL, content string) string {
 		fields := strings.Split(line, "\t")
 		if len(fields) >= 7 {
 			cookieHost := strings.TrimPrefix(fields[0], ".")
-			if cookieHost == host || strings.HasSuffix(host, "."+cookieHost) {
+			subdomainFlag := strings.ToUpper(strings.TrimSpace(fields[1]))
+
+			if cookieHost == host {
+				return fields[5] + "=" + fields[6]
+			}
+			// Only allow subdomain matching when the flag is TRUE
+			if subdomainFlag == "TRUE" && strings.HasSuffix(host, "."+cookieHost) {
 				return fields[5] + "=" + fields[6]
 			}
 		}

components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py

@@ -12,6 +12,7 @@
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Dict
+from urllib.parse import urlparse
 
 from ambient_runner.platform.context import RunnerContext
 from ambient_runner.platform.utils import get_bot_token
@@ -358,6 +359,18 @@ def check_mcp_authentication(server_name: str) -> tuple[bool | None, str | None]
             session_id = os.getenv("SESSION_ID", "")
 
             if base and project and session_id:
+                # Reject non-cluster URLs to prevent token exfiltration
+                parsed_base = urlparse(base)
+                if parsed_base.hostname and not (
+                    parsed_base.hostname.endswith(".svc.cluster.local")
+                    or parsed_base.hostname == "localhost"
+                    or parsed_base.hostname == "127.0.0.1"
+                ):
+                    logger.error(
+                        f"Refusing to send credentials to external host: {parsed_base.hostname}"
+                    )
+                    return False, "Gerrit not configured - connect on Integrations page"
+
                 url = f"{base}/projects/{project.strip()}/agentic-sessions/{session_id}/credentials/gerrit"
                 req = _urllib_request.Request(url, method="GET")
                 bot = (os.getenv("BOT_TOKEN") or "").strip()

components/runners/ambient-runner/ambient_runner/platform/auth.py

@@ -423,6 +423,8 @@ async def populate_runtime_credentials(context: RunnerContext) -> None:
     # config from a previous refresh is cleaned up when all instances are removed.
     if isinstance(gerrit_instances, Exception):
         logger.warning(f"Failed to fetch Gerrit credentials: {gerrit_instances}")
+        if isinstance(gerrit_instances, PermissionError):
+            auth_failures.append(str(gerrit_instances))
     else:
         try:
             from ambient_runner.bridges.claude.mcp import generate_gerrit_config

specs/001-gerrit-integration/contracts/frontend-types.ts

@@ -56,7 +56,7 @@ export interface GerritTestResponse {
   error?: string
 }
 
-export interface GerritInstancesListResponse {
+export interface GerritInstancesResponse {
   instances: GerritInstanceStatus[]
 }
 

specs/001-gerrit-integration/contracts/gerrit-api.yaml

@@ -117,7 +117,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/GerritInstancesListResponse'
+                $ref: '#/components/schemas/GerritInstancesResponse'
 
   /api/projects/{projectName}/agentic-sessions/{sessionName}/credentials/gerrit:
     get:
@@ -177,6 +177,8 @@ components:
           type: string
           enum: [http_basic, git_cookies]
           description: Authentication method
+      discriminator:
+        propertyName: authMethod
       oneOf:
         - properties:
             authMethod:
@@ -207,6 +209,8 @@ components:
           type: string
           enum: [http_basic, git_cookies]
           description: Authentication method
+      discriminator:
+        propertyName: authMethod
       oneOf:
         - properties:
             authMethod:
@@ -260,7 +264,7 @@ components:
           type: string
           description: Error message if validation failed
 
-    GerritInstancesListResponse:
+    GerritInstancesResponse:
       type: object
       properties:
         instances:

specs/001-gerrit-integration/spec.md

@@ -122,7 +122,7 @@ A platform user who contributes to multiple Gerrit-hosted projects (e.g., OpenSt
 - The open-source Gerrit MCP server from `gerrit.googlesource.com/gerrit-mcp-server` is suitable for bundling into the platform's runner environment.
 - Two authentication methods are supported: HTTP credentials (username + HTTP password/access token) and gitcookies file content. Both are widely used across Gerrit deployments.
 - The Gerrit MCP server will be run in STDIO mode within the runner pod, consistent with how other MCP servers (e.g., mcp-atlassian, google-workspace) are launched.
-- The platform's existing generic MCP server credential storage pattern (`mcp-server-credentials` secret with `serverName:userID` keying) can be extended to support Gerrit.
+- Gerrit credentials are stored in per-user Kubernetes Secrets named `gerrit-credentials-{userID}` with `instanceName` keys, providing user isolation and avoiding unbounded Secret growth.
 - Users are responsible for obtaining their own credentials: either generating an HTTP password from their Gerrit instance's Settings page, or obtaining their gitcookies file content.
 
 ## Dependencies