chore: Address code review feedback

jwm4 · jwm4 · commit 47b790c3848f · 2025-11-26T15:09:19.000-05:00
Addresses Claude Code Review feedback items:

1. Delete deprecated setup-vertex-ai.sh script
   - Script was replaced by Makefile automation
   - Prevents confusion and risk of modifying tracked files

2. Replace hardcoded sleeps with kubectl wait
   - Use 'kubectl wait --for=condition=ready' for pods
   - More reliable than fixed timeouts
   - Reduced final sleep from 2s to 1s

3. Update SECURITY_DEV_MODE.md to reflect allow-list implementation
   - Code uses allow-list (ambient-code, default, vteam-dev)
   - Documentation was describing old deny-list approach
   - Now accurately documents current security posture

4. Add ShellCheck directive for intentional set +e
   - Documents why we continue on errors (collect all test results)

5. Document sys.path.insert in wrapper.py
   - Explains why runner-shell path manipulation is necessary
   - Clarifies dependency on RunnerShell framework

All changes improve code quality, documentation accuracy, and reliability.
diff --git a/Makefile b/Makefile
@@ -521,17 +521,18 @@ _auto-port-forward: ## Internal: Auto-start port forwarding on macOS with Podman
 		echo ""; \
 		echo "$(COLOR_BLUE)▶$(COLOR_RESET) Starting port forwarding in background..."; \
 		echo "  Waiting for services to be ready..."; \
-		sleep 3; \
+		kubectl wait --for=condition=ready pod -l app=backend -n $(NAMESPACE) --timeout=60s 2>/dev/null || true; \
+		kubectl wait --for=condition=ready pod -l app=frontend -n $(NAMESPACE) --timeout=60s 2>/dev/null || true; \
 		mkdir -p /tmp/ambient-code; \
 		kubectl port-forward -n $(NAMESPACE) svc/backend-service 8080:8080 > /tmp/ambient-code/port-forward-backend.log 2>&1 & \
 		echo $$! > /tmp/ambient-code/port-forward-backend.pid; \
 		kubectl port-forward -n $(NAMESPACE) svc/frontend-service 3000:3000 > /tmp/ambient-code/port-forward-frontend.log 2>&1 & \
 		echo $$! > /tmp/ambient-code/port-forward-frontend.pid; \
-		sleep 2; \
+		sleep 1; \
 		if ps -p $$(cat /tmp/ambient-code/port-forward-backend.pid 2>/dev/null) > /dev/null 2>&1 && \
 		   ps -p $$(cat /tmp/ambient-code/port-forward-frontend.pid 2>/dev/null) > /dev/null 2>&1; then \
 			echo "$(COLOR_GREEN)✓$(COLOR_RESET) Port forwarding started"; \
-			echo "  $(COLOR_BOLD)Wait ~30s for pods to be ready, then access:$(COLOR_RESET)"; \
+			echo "  $(COLOR_BOLD)Access at:$(COLOR_RESET)"; \
 			echo "    Frontend: $(COLOR_BLUE)http://localhost:3000$(COLOR_RESET)"; \
 			echo "    Backend:  $(COLOR_BLUE)http://localhost:8080$(COLOR_RESET)"; \
 		else \
diff --git a/components/runners/claude-code-runner/wrapper.py b/components/runners/claude-code-runner/wrapper.py
@@ -20,6 +20,8 @@
 os.umask(0o022)
 
 # Add runner-shell to Python path
+# Required: runner-shell is installed in /app/runner-shell and contains the core RunnerShell framework
+# that this wrapper depends on. Must be imported before runner_shell module below.
 sys.path.insert(0, '/app/runner-shell')
 
 from runner_shell.core.shell import RunnerShell
diff --git a/docs/SECURITY_DEV_MODE.md b/docs/SECURITY_DEV_MODE.md
@@ -62,23 +62,26 @@ func isLocalDevEnvironment() bool {
 
 ## Identified Risks
 
-### 🔴 **HIGH RISK: Weak Namespace Check**
+### 🟢 **MITIGATED: Allow-List Namespace Validation**
 
-**Current:** Only rejects if namespace contains "prod"
+**Current:** Uses allow-list of specific namespaces (ambient-code, default, vteam-dev)
 
-**Risk Scenarios:**
+**Protection:**
 ```bash
-# Would PASS (incorrectly enable dev mode):
-NAMESPACE=staging DISABLE_AUTH=true ENVIRONMENT=local  # ❌ Dangerous
-NAMESPACE=qa-env DISABLE_AUTH=true ENVIRONMENT=local   # ❌ Dangerous
-NAMESPACE=demo DISABLE_AUTH=true ENVIRONMENT=local     # ❌ Dangerous
-NAMESPACE=customer-abc DISABLE_AUTH=true ENVIRONMENT=local # ❌ Dangerous
+# Would PASS (correctly enable dev mode):
+NAMESPACE=ambient-code DISABLE_AUTH=true ENVIRONMENT=local  # ✅ Allowed
+NAMESPACE=default DISABLE_AUTH=true ENVIRONMENT=local       # ✅ Allowed
+NAMESPACE=vteam-dev DISABLE_AUTH=true ENVIRONMENT=local     # ✅ Allowed
 
 # Would FAIL (correctly reject):
-NAMESPACE=production DISABLE_AUTH=true ENVIRONMENT=local # ✅ Good
-NAMESPACE=prod-east DISABLE_AUTH=true ENVIRONMENT=local  # ✅ Good
+NAMESPACE=staging DISABLE_AUTH=true ENVIRONMENT=local       # ❌ Rejected
+NAMESPACE=qa-env DISABLE_AUTH=true ENVIRONMENT=local        # ❌ Rejected
+NAMESPACE=production DISABLE_AUTH=true ENVIRONMENT=local    # ❌ Rejected
+NAMESPACE=customer-abc DISABLE_AUTH=true ENVIRONMENT=local  # ❌ Rejected
 ```
 
+**Implementation:** See `components/backend/handlers/middleware.go:315-327`
+
 ### 🟡 **MEDIUM RISK: No Cluster Type Detection**
 
 Dev mode could activate on real Kubernetes clusters if someone:
diff --git a/scripts/setup-vertex-ai.sh b/scripts/setup-vertex-ai.sh
diff --git a/tests/local-dev-test.sh b/tests/local-dev-test.sh
@@ -11,6 +11,7 @@
 #
 
 # Don't exit on error - we want to collect all test results
+# shellcheck disable=SC2103  # Intentional: continue on errors to collect all test results
 set +e
 
 # Colors for output

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`#`
`12`	`12`
`13`	`13`	`# Don't exit on error - we want to collect all test results`
	`14`	`+# shellcheck disable=SC2103 # Intentional: continue on errors to collect all test results`
`14`	`15`	`set +e`
`15`	`16`
`16`	`17`	`# Colors for output`