Address Copilot PR review feedback across 11 files

- Fix job status vocabulary: standardize on succeeded/failed/cancelled
  across backend SSE stream, frontend page, and API schemas
- Fix jobs page using wrong field name (type → job_type) to match API
- Add SSE auth support: get_current_user now accepts token via query
  param for EventSource which cannot set Authorization headers
- Fix workspace status vocabulary: add creating to filter, remove unused
  starting/stopping, sync creating phase from CRD
- Return HTTP 500 when workspace CRD creation fails instead of 201
- Fix NodePort default range (31299 → 31209) to match Kind config
- Make workspace access_url configurable via WORKSPACE_ACCESS_BASE_URL
- Add datashader/geopandas auto-detection to SDK visualization module
- Pin workspace Dockerfile base image to python-3.11 (was :latest)
- Add security comments to Dockerfile and RBAC noting production needs
- Fix conftest.py default DB credentials (gacwr → openuba)
- Log warnings on operator handler import failures instead of silently
  swallowing errors
- Fix port-forward.sh comment claiming setsid when not used
- Only emit SSE status events when status actually changes

Author: Jovonni

core/api_routers/jobs.py

@@ -198,6 +198,7 @@ async def stream_job_metrics(
 
     async def event_generator():
         last_count = 0
+        last_status = job.status
         while True:
             if await request.is_disconnected():
                 break
@@ -220,20 +221,22 @@ async def event_generator():
                     }
                 last_count = current_count
 
-            # also send job status updates
+            # send job status updates only when something changed
             job_now = repo.get_by_id(job_id)
             if job_now:
-                yield {
-                    "event": "status",
-                    "data": json.dumps({
-                        "status": job_now.status,
-                        "progress": job_now.progress,
-                        "epoch_current": job_now.epoch_current,
-                        "epoch_total": job_now.epoch_total,
-                        "loss": job_now.loss,
-                    })
-                }
-                if job_now.status in ("completed", "failed", "cancelled"):
+                if job_now.status != last_status or current_count > last_count:
+                    yield {
+                        "event": "status",
+                        "data": json.dumps({
+                            "status": job_now.status,
+                            "progress": job_now.progress,
+                            "epoch_current": job_now.epoch_current,
+                            "epoch_total": job_now.epoch_total,
+                            "loss": job_now.loss,
+                        })
+                    }
+                    last_status = job_now.status
+                if job_now.status in ("succeeded", "failed", "cancelled"):
                     yield {"event": "done", "data": json.dumps({"status": job_now.status})}
                     break
 

core/api_routers/workspaces.py

@@ -102,13 +102,21 @@ async def launch_workspace(
     repo = WorkspaceRepository(db)
     _create_workspace_crd(workspace, repo, workspace_token=workspace_token)
 
+    # re-read workspace to reflect any status changes from CRD creation
+    workspace = repo.get_by_id(workspace.id)
+    if workspace.status == "failed":
+        raise HTTPException(
+            status_code=500,
+            detail=workspace.error_message or "failed to create workspace CRD"
+        )
+
     logger.info(f"workspace launched: {workspace.id}")
     return workspace
 
 
 @router.get("/workspaces", response_model=List[WorkspaceResponse])
 async def list_workspaces(
-    status: Optional[str] = Query(None, pattern="^(pending|starting|running|stopping|stopped|failed)$"),
+    status: Optional[str] = Query(None, pattern="^(pending|creating|running|stopped|failed)$"),
     limit: int = Query(100, ge=1, le=1000),
     offset: int = Query(0, ge=0),
     db: Session = Depends(get_db),
@@ -188,6 +196,8 @@ def _sync_workspace_crd_status(workspace, repo: WorkspaceRepository):
                 access_url=cr_status.get("access_url", workspace.access_url),
                 node_port=cr_status.get("node_port", workspace.node_port),
             )
+        elif cr_phase == "creating" and workspace.status == "pending":
+            workspace = repo.update(workspace.id, status="creating")
         elif cr_phase == "failed" and workspace.status != "failed":
             workspace = repo.update(
                 workspace.id,

core/auth.py

@@ -7,7 +7,7 @@
 import logging
 from typing import Optional
 from datetime import datetime, timedelta
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException, Request, status
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from jose import JWTError, jwt
 from passlib.context import CryptContext
@@ -54,24 +54,33 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -
 
 
 async def get_current_user(
-    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
 ) -> dict:
     '''
     get current user from jwt token
     validates that the user still exists in the database (handles stale tokens
     after database resets)
+    supports token via Authorization header or query param (for SSE/EventSource)
     '''
     credentials_exception = HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
         detail="could not validate credentials",
         headers={"WWW-Authenticate": "Bearer"},
     )
 
-    if credentials is None:
+    # try bearer token from header first, fall back to query param
+    # query param is needed for SSE (EventSource can't set headers)
+    token = None
+    if credentials:
+        token = credentials.credentials
+    else:
+        token = request.query_params.get("token")
+
+    if not token:
         raise credentials_exception
 
     try:
-        token = credentials.credentials
         payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
         username: str = payload.get("sub")
         if username is None:

core/operator/main.py

@@ -3,24 +3,25 @@
 import yaml
 import os
 import json
+import logging
 
 # import workspace handler to register its kopf handlers
 try:
     import workspace_handler  # noqa: F401
 except ImportError:
     try:
         import core.operator.workspace_handler  # noqa: F401
-    except ImportError:
-        pass
+    except ImportError as e:
+        logging.getLogger(__name__).warning(f"workspace handler not available: {e}")
 
 # import pipeline handler to register its kopf handlers
 try:
     import pipeline_handler  # noqa: F401
 except ImportError:
     try:
         import core.operator.pipeline_handler  # noqa: F401
-    except ImportError:
-        pass
+    except ImportError as e:
+        logging.getLogger(__name__).warning(f"pipeline handler not available: {e}")
 
 # Setup K8s client
 if os.getenv("KUBERNETES_SERVICE_HOST"):

core/services/workspace_service.py

@@ -37,7 +37,7 @@
 
 # nodeport range for workspaces
 NODE_PORT_START = int(os.getenv("WORKSPACE_NODE_PORT_START", "31200"))
-NODE_PORT_END = int(os.getenv("WORKSPACE_NODE_PORT_END", "31299"))
+NODE_PORT_END = int(os.getenv("WORKSPACE_NODE_PORT_END", "31209"))
 
 
 class WorkspaceService:
@@ -78,7 +78,8 @@ def launch_workspace(
 
         # set allocated nodeport and access_url
         # access_url is set now so the frontend can start probing immediately
-        access_url = f"http://localhost:{node_port}"
+        base_url = os.getenv("WORKSPACE_ACCESS_BASE_URL", "http://localhost")
+        access_url = f"{base_url}:{node_port}"
         workspace = self.repo.update(
             workspace.id,
             node_port=node_port,

core/tests/e2e/conftest.py

@@ -24,7 +24,7 @@
 E2E_BACKEND_PORT = int(os.getenv("E2E_BACKEND_PORT", "8000"))
 E2E_DATABASE_URL = os.getenv(
     "E2E_DATABASE_URL",
-    "postgresql://gacwr:gacwr@localhost:5432/openuba"
+    "postgresql://openuba:openuba@localhost:5432/openuba"
 )
 
 

docker/workspace/Dockerfile

@@ -1,4 +1,4 @@
-FROM jupyter/scipy-notebook:latest
+FROM jupyter/scipy-notebook:python-3.11
 
 USER root
 
@@ -36,6 +36,9 @@ RUN pip install --no-cache-dir \
 
 # configure JupyterLab for iframe embedding (token-less, XSRF-disabled, CSP-allowed)
 # this allows the OpenUBA frontend to embed JupyterLab seamlessly in an iframe
+# SECURITY: this is for local development only. For production, use per-workspace
+# tokens (via OPENUBA_TOKEN / K8s Secret), restrict allow_origin to the frontend
+# origin, and keep XSRF enabled.
 # NOTE: we append to the base image config AND write a user-level config to ensure
 # our settings take effect regardless of base image entrypoint behavior
 RUN cat >> /etc/jupyter/jupyter_server_config.py << 'JCONF'

interface/app/jobs/page.tsx

@@ -10,9 +10,9 @@ const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8000'
 const statusColors: Record<string, string> = {
   pending: 'bg-yellow-500/20 text-yellow-400',
   running: 'bg-blue-500/20 text-blue-400',
-  completed: 'bg-green-500/20 text-green-400',
+  succeeded: 'bg-green-500/20 text-green-400',
   failed: 'bg-red-500/20 text-red-400',
-  stopped: 'bg-gray-500/20 text-gray-400',
+  cancelled: 'bg-gray-500/20 text-gray-400',
 }
 
 const typeColors: Record<string, string> = {
@@ -23,7 +23,7 @@ const typeColors: Record<string, string> = {
 
 interface Job {
   id: string
-  type: string
+  job_type: string
   model?: string
   model_id?: string
   status: string
@@ -97,8 +97,8 @@ export default function JobsPage() {
               {jobs.map((job) => (
                 <tr key={job.id} className="hover:bg-muted/20 transition-colors">
                   <td className="px-4 py-3">
-                    <span className={`inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium ${typeColors[job.type] || 'bg-gray-500/20 text-gray-400'}`}>
-                      {job.type}
+                    <span className={`inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium ${typeColors[job.job_type] || 'bg-gray-500/20 text-gray-400'}`}>
+                      {job.job_type}
                     </span>
                   </td>
                   <td className="px-4 py-3 font-mono text-xs">
@@ -114,15 +114,15 @@ export default function JobsPage() {
                       <div className="h-1.5 w-20 rounded-full bg-muted/40 overflow-hidden">
                         <div
                           className={`h-full rounded-full transition-all ${
-                            job.status === 'completed' ? 'bg-green-500' :
+                            job.status === 'succeeded' ? 'bg-green-500' :
                             job.status === 'failed' ? 'bg-red-500' :
                             'bg-blue-500'
                           }`}
-                          style={{ width: `${job.progress ?? (job.status === 'completed' ? 100 : 0)}%` }}
+                          style={{ width: `${job.progress ?? (job.status === 'succeeded' ? 100 : 0)}%` }}
                         />
                       </div>
                       <span className="text-xs text-muted-foreground tabular-nums">
-                        {job.progress ?? (job.status === 'completed' ? 100 : 0)}%
+                        {job.progress ?? (job.status === 'succeeded' ? 100 : 0)}%
                       </span>
                     </div>
                   </td>

k8s/operator-rbac.yaml

@@ -8,6 +8,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: openuba-operator-role
+  # NOTE: ClusterRole is required because CRDs (openuba.io/*) are cluster-scoped.
+  # The operator only manages resources in the openuba namespace (enforced in code).
+  # For multi-tenant production, consider namespace-scoped Roles for core resources.
 rules:
   # Framework: knowing which other operators are running (i.e. peering).
   - apiGroups: [kopf.dev]

scripts/port-forward.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # scripts/port-forward.sh
-# Starts kubectl port-forwards as a persistent background process group.
-# Survives parent shell/make exit via setsid.
+# Starts kubectl port-forwards as background processes.
+# Lives as long as this script is running (killed when parent exits).
 
 pkill -f "kubectl.*port-forward.*openuba" 2>/dev/null || true
 sleep 1