Merge branch 'main' into konflux-google-lightspeed-agent

Author: IlonaShishov

.env.example

@@ -35,25 +35,18 @@ AGENT_REQUIRED_SCOPE=agent:insights
 # Red Hat Lightspeed MCP Server Configuration
 # -----------------------------------------------------------------------------
 # The MCP server provides tools to access Red Hat Insights APIs.
-# It runs as a sidecar container and authenticates with console.redhat.com
-# using Lightspeed service account credentials.
+# It runs as a sidecar container. The agent forwards the caller's JWT token
+# to the MCP server, which uses it to authenticate with console.redhat.com
+# on behalf of the calling user.
 #
-# To obtain Lightspeed credentials:
-#   1. Go to console.redhat.com
-#   2. Navigate to Settings -> Integrations -> Red Hat Lightspeed
-#   3. Create a service account
-#   4. Copy the Client ID and Client Secret
-#
-# These credentials allow the MCP server to access:
+# The MCP server can access:
 #   - Advisor (recommendations)
 #   - Inventory (registered systems)
 #   - Vulnerability (CVE data)
 #   - Remediations (playbooks)
 #   - Patch (system updates)
 #   - Image Builder (custom images)
 #
-LIGHTSPEED_CLIENT_ID=your_lightspeed_client_id
-LIGHTSPEED_CLIENT_SECRET=your_lightspeed_client_secret
 
 # MCP server transport mode:
 #   - stdio: Agent spawns MCP server as subprocess (development)

.github/workflows/ci.yml

@@ -0,0 +1,71 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/centos/centos:stream9
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Python
+        run: dnf install -y python3.12 python3.12-pip python3.12-devel
+
+      - name: Install dependencies
+        run: python3.12 -m pip install -e ".[agent,dev]"
+
+      - name: Run ruff
+        run: python3.12 -m ruff check src/ tests/
+
+      - name: Run mypy
+        run: python3.12 -m mypy src/lightspeed_agent/ --ignore-missing-imports
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/centos/centos:stream9
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Python
+        run: dnf install -y python3.12 python3.12-pip python3.12-devel
+
+      - name: Install dependencies
+        run: python3.12 -m pip install -e ".[agent,dev]"
+
+      - name: Run tests
+        run: python3.12 -m pytest tests/ -v
+
+  build:
+    name: Build container image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: podman build -t lightspeed-agent:ci -f Containerfile .
+
+  ci-gate:
+    name: CI Gate
+    if: always()
+    needs: [lint, test, build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all jobs passed
+        run: |
+          if [[ "${{ needs.lint.result }}" != "success" || "${{ needs.test.result }}" != "success" || "${{ needs.build.result }}" != "success" ]]; then
+            echo "One or more CI jobs failed or were cancelled."
+            echo "  lint:  ${{ needs.lint.result }}"
+            echo "  test:  ${{ needs.test.result }}"
+            echo "  build: ${{ needs.build.result }}"
+            exit 1
+          fi
+          echo "All CI jobs passed."

Makefile

@@ -1,7 +1,7 @@
 # Red Hat Lightspeed Agent for Google Cloud - Makefile
 # Common development and deployment commands
 
-.PHONY: help build run stop logs logs-mcp clean test lint dev check-env
+.PHONY: help build build-agent build-marketplace run stop logs logs-mcp clean test lint dev check-env
 
 # Default target
 help:
@@ -13,7 +13,9 @@ help:
 	@echo "  make lint         - Run linter and type checker"
 	@echo ""
 	@echo "Container (Podman):"
-	@echo "  make build        - Build container image"
+	@echo "  make build             - Build all container images (agent + marketplace handler)"
+	@echo "  make build-agent       - Build agent container image only"
+	@echo "  make build-marketplace - Build marketplace handler container image only"
 	@echo "  make run          - Start the pod with all services"
 	@echo "  make stop         - Stop and remove the pod"
 	@echo "  make logs         - View agent container logs"
@@ -27,8 +29,6 @@ help:
 	@echo ""
 	@echo "Required Environment Variables:"
 	@echo "  GOOGLE_API_KEY           - Google AI Studio API key"
-	@echo "  LIGHTSPEED_CLIENT_ID     - Red Hat Insights service account ID"
-	@echo "  LIGHTSPEED_CLIENT_SECRET - Red Hat Insights service account secret"
 	@echo ""
 
 # =============================================================================
@@ -54,13 +54,20 @@ lint:
 # =============================================================================
 
 IMAGE_NAME ?= localhost/lightspeed-agent
+MARKETPLACE_IMAGE_NAME ?= localhost/marketplace-handler
 IMAGE_TAG ?= latest
 POD_NAME = lightspeed-agent-pod
 
-build:
-	@echo "Building container image..."
+build: build-agent build-marketplace
+
+build-agent:
+	@echo "Building agent container image..."
 	podman build -t $(IMAGE_NAME):$(IMAGE_TAG) -f Containerfile .
 
+build-marketplace:
+	@echo "Building marketplace handler container image..."
+	podman build -t $(MARKETPLACE_IMAGE_NAME):$(IMAGE_TAG) -f Containerfile.marketplace-handler .
+
 run: check-env build
 	@echo "Starting pod..."
 	@if podman pod exists $(POD_NAME); then \
@@ -87,6 +94,10 @@ stop:
 	podman pod rm $(POD_NAME) 2>/dev/null || true
 	@echo "Pod stopped and removed."
 
+cve-scan:
+	@echo "Scanning for CVEs with trivy"
+	podman run --rm -v $$(pwd):/app:Z aquasec/trivy fs --file-patterns pip:requirements-.*\.txt /app
+
 logs:
 	@echo "Showing agent logs..."
 	podman logs -f $(POD_NAME)-lightspeed-agent
@@ -119,18 +130,6 @@ check-env:
 	else \
 		echo "  ✓ GOOGLE_API_KEY is set (or using Vertex AI)"; \
 	fi; \
-	if [ -z "$$LIGHTSPEED_CLIENT_ID" ]; then \
-		echo "  ✗ LIGHTSPEED_CLIENT_ID is not set"; \
-		missing=1; \
-	else \
-		echo "  ✓ LIGHTSPEED_CLIENT_ID is set"; \
-	fi; \
-	if [ -z "$$LIGHTSPEED_CLIENT_SECRET" ]; then \
-		echo "  ✗ LIGHTSPEED_CLIENT_SECRET is not set"; \
-		missing=1; \
-	else \
-		echo "  ✓ LIGHTSPEED_CLIENT_SECRET is set"; \
-	fi; \
 	if [ $$missing -eq 1 ]; then \
 		echo ""; \
 		echo "Missing required environment variables!"; \
@@ -146,8 +145,9 @@ check-env:
 # =============================================================================
 
 clean: stop
-	@echo "Removing container image..."
+	@echo "Removing container images..."
 	podman rmi $(IMAGE_NAME):$(IMAGE_TAG) 2>/dev/null || true
+	podman rmi $(MARKETPLACE_IMAGE_NAME):$(IMAGE_TAG) 2>/dev/null || true
 	@echo "Removing dangling images..."
 	podman image prune -f
 	@echo "Cleanup complete."

README.md

@@ -183,13 +183,9 @@ See [Container Deployment](#container-deployment) for full details.
 
 #### Option 3: Development without MCP (Limited)
 
-If MCP credentials are not configured, the agent will start without tools (limited functionality):
+If the MCP server is not running, the agent will start without tools (limited functionality):
 
 ```bash
-# Unset MCP credentials to skip MCP connection
-unset LIGHTSPEED_CLIENT_ID
-unset LIGHTSPEED_CLIENT_SECRET
-
 # Run agent (will work but without Insights API access)
 adk web agents
 ```
@@ -203,30 +199,11 @@ See `.env.example` for all available configuration options.
 | Variable | Description |
 |----------|-------------|
 | `GOOGLE_API_KEY` | Google AI Studio API key |
-| `LIGHTSPEED_CLIENT_ID` | Red Hat Insights service account ID |
-| `LIGHTSPEED_CLIENT_SECRET` | Red Hat Insights service account secret |
 | `RED_HAT_SSO_CLIENT_ID` | OAuth client ID for Red Hat SSO |
 | `RED_HAT_SSO_CLIENT_SECRET` | OAuth client secret for Red Hat SSO |
 
 ### Obtaining Credentials
 
-#### Lightspeed Service Account (for MCP Server)
-
-The MCP server uses Lightspeed service account credentials to authenticate with console.redhat.com APIs. To obtain these:
-
-1. Go to [console.redhat.com](https://console.redhat.com)
-2. Navigate to **Settings** → **Integrations** → **Red Hat Lightspeed**
-3. Create a new service account
-4. Copy the **Client ID** and **Client Secret**
-
-These credentials allow the MCP server to access:
-- Advisor (system recommendations)
-- Inventory (registered systems)
-- Vulnerability (CVE information)
-- Remediations (playbook management)
-- Patch (system updates)
-- Image Builder (custom RHEL images)
-
 #### Red Hat SSO OAuth Credentials
 
 For user authentication via OAuth 2.0:
@@ -320,7 +297,6 @@ The system is deployed as **three separate pods**:
 
 - Podman 4.0+
 - Access to Red Hat container registry (for RHEL-based images)
-- Red Hat Insights Lightspeed service account credentials
 - Google API key or Vertex AI access
 
 ### Build the Container Images
@@ -362,8 +338,6 @@ podman build -t localhost/a2a-inspector:latest /tmp/a2a-inspector
 
    **API Credentials:**
    - `GOOGLE_API_KEY`: Your Google AI Studio API key
-   - `LIGHTSPEED_CLIENT_ID`: Red Hat Insights service account ID
-   - `LIGHTSPEED_CLIENT_SECRET`: Red Hat Insights service account secret
    - `RED_HAT_SSO_CLIENT_ID`: OAuth client ID for Red Hat SSO
    - `RED_HAT_SSO_CLIENT_SECRET`: OAuth client secret for Red Hat SSO
 
@@ -455,14 +429,14 @@ for i in {1..70}; do
   code=$(curl -s -o /tmp/resp.json -w "%{http_code}" \
     -X POST http://localhost:8000/ \
     -H "Content-Type: application/json" \
-    -d '{"jsonrpc":"2.0","method":"message/send","id":"'$i'","params":{"message":{"role":"user","parts":[{"type":"text","text":"test"}]}}}')
+    -d '{"jsonrpc":"2.0","method":"message/send","id":"'$i'","params":{"message":{"messageId":"'$i'","role":"user","parts":[{"type":"text","text":"test"}]}}}')
   echo "$i -> $code"
 done
 
 # Inspect 429 details and headers
 curl -i -X POST http://localhost:8000/ \
   -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","method":"message/send","id":"x","params":{"message":{"role":"user","parts":[{"type":"text","text":"test"}]}}}'
+  -d '{"jsonrpc":"2.0","method":"message/send","id":"x","params":{"message":{"messageId":"x","role":"user","parts":[{"type":"text","text":"test"}]}}}'
 
 # Inspect Redis rate-limit keys
 podman exec -it lightspeed-redis-redis redis-cli KEYS "lightspeed:ratelimit:*"
@@ -548,6 +522,7 @@ curl -X POST http://localhost:8000/ \
     "method": "message/send",
     "params": {
       "message": {
+        "messageId": "1",
         "role": "user",
         "parts": [{"type": "text", "text": "Show my systems"}]
       }
@@ -860,12 +835,12 @@ This separation ensures:
 The MCP server runs as a sidecar container and provides tools for the agent to interact with Red Hat Insights APIs:
 
 1. **Agent receives a request** (e.g., "Show me my system vulnerabilities")
-2. **Agent calls MCP tools** via HTTP to the MCP server (localhost:8081), passing credentials in headers
-3. **MCP server authenticates** with console.redhat.com using the credentials from headers
+2. **Agent calls MCP tools** via HTTP to the MCP server (localhost:8081), forwarding the caller's JWT token in the Authorization header
+3. **MCP server authenticates** with console.redhat.com using the forwarded JWT token
 4. **MCP server calls Insights APIs** and returns results to the agent
 5. **Agent formats the response** and returns it to the user
 
-The Lightspeed credentials (`LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET`) are configured on the **agent** container, which passes them to the MCP server via HTTP headers on each request. The MCP server itself does not need credentials configured.
+The agent forwards the caller's JWT token to the MCP server via the `Authorization: Bearer` header on each request. The MCP server itself does not need credentials configured.
 
 ### Persistent Storage
 

cloudbuild.yaml

@@ -82,7 +82,7 @@ steps:
       - '--set-env-vars'
       - 'GOOGLE_GENAI_USE_VERTEXAI=TRUE,GOOGLE_CLOUD_PROJECT=${PROJECT_ID},GOOGLE_CLOUD_LOCATION=${_REGION},AGENT_HOST=0.0.0.0,AGENT_PORT=8000,LOG_FORMAT=json'
       - '--set-secrets'
-      - 'LIGHTSPEED_CLIENT_ID=lightspeed-client-id:latest,LIGHTSPEED_CLIENT_SECRET=lightspeed-client-secret:latest,RED_HAT_SSO_CLIENT_ID=redhat-sso-client-id:latest,RED_HAT_SSO_CLIENT_SECRET=redhat-sso-client-secret:latest,DATABASE_URL=database-url:latest,REDIS_URL=redis-url:latest'
+      - 'RED_HAT_SSO_CLIENT_ID=redhat-sso-client-id:latest,RED_HAT_SSO_CLIENT_SECRET=redhat-sso-client-secret:latest,DATABASE_URL=database-url:latest,REDIS_URL=redis-url:latest'
       - '--service-account'
       - 'lightspeed-agent@${PROJECT_ID}.iam.gserviceaccount.com'
       - '--allow-unauthenticated'

deploy/cloudrun/README.md

@@ -62,7 +62,7 @@ The deployment consists of **two separate Cloud Run services** plus **Cloud Memo
 2. **Deploy Marketplace Handler first** - Must be running to receive provisioning events
 3. **Deploy Agent after provisioning** - Can be deployed when customers are ready to use the agent
 
-The MCP server runs as a sidecar in the Agent service. The agent forwards the caller's JWT token to the MCP server, which uses it to authenticate with console.redhat.com on behalf of the user. Alternatively, if Lightspeed service account credentials are configured, the agent sends those instead (see [MCP Authentication](#mcp-authentication)).
+The MCP server runs as a sidecar in the Agent service. The agent forwards the caller's JWT token to the MCP server, which uses it to authenticate with console.redhat.com on behalf of the user (see [MCP Authentication](#mcp-authentication)).
 
 ## Service Accounts
 
@@ -551,30 +551,20 @@ When the agent needs to access Insights data (e.g., system vulnerabilities, reco
 
 ### MCP Authentication
 
-The agent supports two modes for authenticating with the MCP server, determined
-by whether Lightspeed credentials are configured:
-
-| Mode | When | Headers sent to MCP |
-|------|------|---------------------|
-| **JWT pass-through** (default) | `LIGHTSPEED_CLIENT_ID/SECRET` not set | `Authorization: Bearer <caller's token>` |
-| **Lightspeed credentials** | `LIGHTSPEED_CLIENT_ID/SECRET` set | `lightspeed-client-id` + `lightspeed-client-secret` |
-
-**JWT pass-through** is the recommended mode. The caller's Red Hat SSO token
-is forwarded to the MCP server, which uses it to call console.redhat.com APIs
-on behalf of the user.
+The agent forwards the caller's JWT token to the MCP server via the
+`Authorization: Bearer` header. The MCP server uses this token to call
+console.redhat.com APIs on behalf of the user.
 
 ### Credential Flow
 
-**Mode A: JWT pass-through (default)**
-
 ```
 Client                     Agent                   MCP Server        console.redhat.com
   │                          │                         │                     │
   │  POST / (A2A)            │                         │                     │
   │  Authorization: Bearer T │                         │                     │
   ├─────────────────────────►│                         │                     │
   │                          │  MCP tool call          │                     │
-  │                          │  Authorization: Bearer T|                     │
+  │                          │  Authorization: Bearer T│                     │
   │                          ├────────────────────────►│                     │
   │                          │                         │  API Request + T    │
   │                          │                         ├────────────────────►│
@@ -586,24 +576,6 @@ Client                     Agent                   MCP Server        console.red
   │◄─────────────────────────┤                         │                     │
 ```
 
-**Mode B: Lightspeed credentials (optional)**
-
-```
-Secret Manager                    MCP Server              console.redhat.com
-     │                               │                           │
-     │  LIGHTSPEED_CLIENT_ID         │                           │
-     │  LIGHTSPEED_CLIENT_SECRET     │                           │
-     ├──────────────────────────────►│                           │
-     │                               │   OAuth2 Token Request    │
-     │                               ├──────────────────────────►│
-     │                               │   Access Token            │
-     │                               │◄──────────────────────────┤
-     │                               │   API Request + Token     │
-     │                               ├──────────────────────────►│
-     │                               │   API Response            │
-     │                               │◄──────────────────────────┤
-```
-
 ## Authentication
 
 The agent uses **Red Hat SSO** (Keycloak) for authentication via **token
@@ -635,7 +607,7 @@ Bearer token that is active and carries the `agent:insights` scope.
      │                 ├───────────────────►│                   │                     │
      │                 │                    │                   │                     │
      │                 │ 5. MCP tool call   │                   │                     │
-     │                 │  + Bearer token (or Lightspeed creds)  │                     │
+     │                 │  + Bearer token    │                   │                     │
      │                 ├───────────────────────────────────────►│                     │
      │                 │                    │                   │ 6. Insights API     │
      │                 │                    │                   │    (using token)    │
@@ -650,7 +622,7 @@ Bearer token that is active and carries the `agent:insights` scope.
 
 **Credential sets:**
 - **Red Hat SSO credentials** (`RED_HAT_SSO_CLIENT_ID/SECRET`): Used by the agent as Resource Server credentials for token introspection (step 4)
-- **MCP authentication** (step 5): By default the caller's Bearer token is forwarded. If `LIGHTSPEED_CLIENT_ID/SECRET` are configured, those are sent instead (see [MCP Authentication](#mcp-authentication))
+- **MCP authentication** (step 5): The caller's Bearer token is forwarded to the MCP server (see [MCP Authentication](#mcp-authentication))
 
 ### Configuration