remove unnecessary/unrelated changes, keep only langfuse changes

Signed-off-by: sallyom <[email protected]>

Author: sallyom

components/backend/handlers/sessions.go

@@ -770,14 +770,10 @@ func MintSessionGitHubToken(c *gin.Context) {
 	tr := &authnv1.TokenReview{Spec: authnv1.TokenReviewSpec{Token: token}}
 	rv, err := K8sClient.AuthenticationV1().TokenReviews().Create(c.Request.Context(), tr, v1.CreateOptions{})
 	if err != nil {
-		log.Printf("GitHub token mint: TokenReview API call failed for session %s/%s (token len=%d): %v",
-			project, sessionName, len(token), err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "token review failed"})
 		return
 	}
 	if rv.Status.Error != "" || !rv.Status.Authenticated {
-		log.Printf("GitHub token mint: TokenReview authentication failed for session %s/%s: authenticated=%v, error=%q",
-			project, sessionName, rv.Status.Authenticated, rv.Status.Error)
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthenticated"})
 		return
 	}

components/backend/server/server.go

@@ -10,8 +10,6 @@ import (
 
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
-	authnv1 "k8s.io/api/authentication/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // RouterFunc is a function that can register routes on a Gin router
@@ -65,11 +63,9 @@ func Run(registerRoutes RouterFunc) error {
 	return nil
 }
 
-// forwardedIdentityMiddleware populates Gin context from common OAuth proxy headers.
-// Fallback: if OAuth headers are not present, performs TokenReview on Authorization Bearer token.
+// forwardedIdentityMiddleware populates Gin context from common OAuth proxy headers
 func forwardedIdentityMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// Try OAuth proxy headers first (production with oauth-proxy)
 		if v := c.GetHeader("X-Forwarded-User"); v != "" {
 			c.Set("userID", v)
 		}
@@ -87,74 +83,6 @@ func forwardedIdentityMiddleware() gin.HandlerFunc {
 		if v := c.GetHeader("X-Forwarded-Groups"); v != "" {
 			c.Set("userGroups", strings.Split(v, ","))
 		}
-
-		// Fallback: if no OAuth headers, try TokenReview on Authorization token
-		// This enables development/testing without oauth-proxy and service account auth
-		if c.GetString("userID") == "" {
-			if auth := c.GetHeader("Authorization"); auth != "" {
-				parts := strings.SplitN(auth, " ", 2)
-				if len(parts) == 2 && strings.EqualFold(parts[0], "Bearer") {
-					token := strings.TrimSpace(parts[1])
-					if token != "" {
-						// Check if K8sClient is initialized
-						if K8sClient == nil {
-							log.Printf("Warning: K8sClient not initialized, cannot perform TokenReview")
-							c.Next()
-							return
-						}
-
-						// Perform TokenReview on every request (no caching)
-						// Rationale:
-						// - Security: Validates token hasn't been revoked or expired
-						// - Simplicity: Avoids complex cache invalidation logic
-						// - Performance: TokenReview is lightweight (~5-10ms) and runs only in fallback path
-						//   (production uses oauth-proxy with X-Forwarded-* headers, bypassing this code)
-						// - Short-lived tokens: ServiceAccount tokens can be rotated frequently
-						// If TokenReview becomes a bottleneck, consider adding TTL-based cache with 1-minute expiry
-						tr := &authnv1.TokenReview{Spec: authnv1.TokenReviewSpec{Token: token}}
-						rv, err := K8sClient.AuthenticationV1().TokenReviews().Create(c.Request.Context(), tr, v1.CreateOptions{})
-						if err != nil {
-							// Log TokenReview API error with context for debugging
-							log.Printf("TokenReview API call failed (token len=%d): %v", len(token), err)
-						} else if !rv.Status.Authenticated {
-							// Log authentication failure with reason
-							log.Printf("TokenReview authentication failed: authenticated=false, error=%q, audiences=%v",
-								rv.Status.Error, rv.Status.Audiences)
-						} else if rv.Status.Error != "" {
-							// Log authentication error from Kubernetes
-							log.Printf("TokenReview returned error: %q (authenticated=%v)", rv.Status.Error, rv.Status.Authenticated)
-						}
-						if err == nil && rv.Status.Authenticated && rv.Status.Error == "" {
-							username := strings.TrimSpace(rv.Status.User.Username)
-							if username != "" {
-								// Parse username: "system:serviceaccount:namespace:sa-name" or regular username
-								if strings.HasPrefix(username, "system:serviceaccount:") {
-									// ServiceAccount: extract namespace and SA name
-									parts := strings.Split(username, ":")
-									if len(parts) >= 4 {
-										namespace := parts[2]
-										saName := parts[3]
-										// Use namespace/sa-name as userID for uniqueness
-										c.Set("userID", fmt.Sprintf("%s/%s", namespace, saName))
-										c.Set("userName", saName)
-									}
-								} else {
-									// Regular user from OAuth/OIDC
-									c.Set("userID", username)
-									c.Set("userName", username)
-								}
-
-								// Extract groups if available
-								if len(rv.Status.User.Groups) > 0 {
-									c.Set("userGroups", rv.Status.User.Groups)
-								}
-							}
-						}
-					}
-				}
-			}
-		}
-
 		// Also expose access token if present
 		auth := c.GetHeader("Authorization")
 		if auth != "" {

components/manifests/overlays/e2e/operator-config.yaml

@@ -11,6 +11,3 @@ data:
   CLOUD_ML_REGION: ""
   ANTHROPIC_VERTEX_PROJECT_ID: ""
   GOOGLE_APPLICATION_CREDENTIALS: ""
-
-  # Note: Langfuse observability configuration is stored in the 'ambient-admin-langfuse-secret'
-  # Secret (platform-admin managed). For e2e testing, Langfuse is typically disabled.

components/manifests/overlays/local-dev/operator-config-crc.yaml

@@ -11,14 +11,3 @@ data:
   CLOUD_ML_REGION: ""
   ANTHROPIC_VERTEX_PROJECT_ID: ""
   GOOGLE_APPLICATION_CREDENTIALS: ""
-
-  # Note: Langfuse observability configuration is stored in the 'ambient-admin-langfuse-secret'
-  # Secret (platform-admin managed). All LANGFUSE_* config is in one place.
-  # For local dev, Langfuse is typically disabled. To enable, create the secret with:
-  #
-  # kubectl create secret generic ambient-admin-langfuse-secret \
-  #   --from-literal=LANGFUSE_PUBLIC_KEY=pk-lf-... \
-  #   --from-literal=LANGFUSE_SECRET_KEY=sk-lf-... \
-  #   --from-literal=LANGFUSE_HOST=http://langfuse-web.langfuse.svc.cluster.local:3000 \
-  #   --from-literal=LANGFUSE_ENABLED=true \
-  #   -n ambient-code

components/manifests/overlays/production/operator-config-openshift.yaml

@@ -11,14 +11,3 @@ data:
   CLOUD_ML_REGION: "global"
   ANTHROPIC_VERTEX_PROJECT_ID: "ambient-code-platform"
   GOOGLE_APPLICATION_CREDENTIALS: "/app/vertex/ambient-code-key.json"
-
-  # Note: Langfuse observability configuration (LANGFUSE_ENABLED, LANGFUSE_HOST,
-  # LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY) is stored in the 'ambient-admin-langfuse-secret'
-  # Secret (platform-admin managed). All LANGFUSE_* config is in one place.
-  #
-  # Create the secret with: kubectl create secret generic ambient-admin-langfuse-secret \
-  #   --from-literal=LANGFUSE_PUBLIC_KEY=pk-lf-... \
-  #   --from-literal=LANGFUSE_SECRET_KEY=sk-lf-... \
-  #   --from-literal=LANGFUSE_HOST=http://langfuse-web.langfuse.svc.cluster.local:3000 \
-  #   --from-literal=LANGFUSE_ENABLED=true \
-  #   -n ambient-code