fix(backend): inherit parent userContext in child sessions (#988)

Gkrumbach07 · Ambient Code Bot · claude · web-flow · commit 6b21778b48bf · 2026-03-23T11:43:55.000-05:00
## Summary - When a runner service account creates a child session, the child now inherits the **parent session's `userContext`** instead of getting the service account identity - The runner API client automatically sets `parentSessionId` to the current session name - Fixes credential resolution (GitHub, Jira, etc.) for child sessions ## Problem Child sessions created by a runner pod had `userContext.userId` set to the service account identity (e.g., `system-serviceaccount-ns-ambient-session-session-123`). When the backend tried to resolve GitHub credentials for the child, it looked up credentials for the service account — which has none — returning 404. ## Changes **`components/backend/handlers/sessions.go`** - When `parentSessionId` is provided, fetch the parent session CR and copy its `spec.userContext` to the child - Falls back to existing identity resolution if no parent or parent lookup fails **`components/runners/ambient-runner/ambient_runner/tools/backend_api.py`** - `create_session()` now automatically sets `parentSessionId` from `AGENTIC_SESSION_NAME` env var ## Test plan - [ ] Create a session that spawns child sessions — verify child sessions have the parent's userId - [ ] Verify child sessions can resolve GitHub credentials - [ ] Verify sessions created directly (no parent) still work as before - [ ] Verify parent lookup failure (e.g., deleted parent) gracefully falls back 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Ambient Code Bot <bot@ambient-code.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/components/backend/handlers/sessions.go b/components/backend/handlers/sessions.go
@@ -826,45 +826,71 @@ func CreateSession(c *gin.Context) {
 	}
 
 	// Add userContext from authenticated caller identity.
-	// Prefer forwarded headers (OAuth proxy); fall back to SelfSubjectReview
+	// When a parent session is specified, inherit the parent's userContext so that
+	// child sessions created by a runner service account retain the original user's
+	// identity (and therefore their credentials, e.g. GitHub tokens).
+	// Otherwise, prefer forwarded headers (OAuth proxy); fall back to SelfSubjectReview
 	// for headless/API callers that authenticate directly with a bearer token.
 	{
-		uidVal, _ := c.Get("userID")
-		uid, _ := uidVal.(string)
-		uid = strings.TrimSpace(uid)
-
-		if uid == "" {
-			if resolved, err := resolveTokenIdentity(c.Request.Context(), reqK8s); err == nil {
-				uid = strings.ReplaceAll(resolved, ":", "-")
-				log.Printf("Resolved token identity via SelfSubjectReview: %s", uid)
+		var parentUserContext map[string]interface{}
+
+		// If this is a child session, fetch the parent's userContext
+		if req.ParentSessionID != "" {
+			gvr := GetAgenticSessionV1Alpha1Resource()
+			parentObj, err := k8sDyn.Resource(gvr).Namespace(project).Get(context.TODO(), req.ParentSessionID, v1.GetOptions{})
+			if err != nil {
+				log.Printf("Warning: could not fetch parent session %s/%s to inherit userContext: %v", project, req.ParentSessionID, err)
 			} else {
-				log.Printf("Could not resolve token identity: %v", err)
+				uc, found, _ := unstructured.NestedMap(parentObj.Object, "spec", "userContext")
+				if found && len(uc) > 0 {
+					parentUserContext = uc
+					log.Printf("Inheriting userContext from parent session %s (userId=%v)", req.ParentSessionID, uc["userId"])
+				}
 			}
 		}
 
-		if uid != "" {
-			displayName := ""
-			if v, ok := c.Get("userName"); ok {
-				if s, ok2 := v.(string); ok2 {
-					displayName = s
+		if parentUserContext != nil {
+			// Use the parent's userContext directly
+			session["spec"].(map[string]interface{})["userContext"] = parentUserContext
+		} else {
+			// No parent — resolve from the caller's identity
+			uidVal, _ := c.Get("userID")
+			uid, _ := uidVal.(string)
+			uid = strings.TrimSpace(uid)
+
+			if uid == "" {
+				if resolved, err := resolveTokenIdentity(c.Request.Context(), reqK8s); err == nil {
+					uid = strings.ReplaceAll(resolved, ":", "-")
+					log.Printf("Resolved token identity via SelfSubjectReview: %s", uid)
+				} else {
+					log.Printf("Could not resolve token identity: %v", err)
 				}
 			}
-			groups := []string{}
-			if v, ok := c.Get("userGroups"); ok {
-				if gg, ok2 := v.([]string); ok2 {
-					groups = gg
+
+			if uid != "" {
+				displayName := ""
+				if v, ok := c.Get("userName"); ok {
+					if s, ok2 := v.(string); ok2 {
+						displayName = s
+					}
+				}
+				groups := []string{}
+				if v, ok := c.Get("userGroups"); ok {
+					if gg, ok2 := v.([]string); ok2 {
+						groups = gg
+					}
+				}
+				if displayName == "" && req.UserContext != nil {
+					displayName = req.UserContext.DisplayName
+				}
+				if len(groups) == 0 && req.UserContext != nil {
+					groups = req.UserContext.Groups
+				}
+				session["spec"].(map[string]interface{})["userContext"] = map[string]interface{}{
+					"userId":      uid,
+					"displayName": displayName,
+					"groups":      groups,
 				}
-			}
-			if displayName == "" && req.UserContext != nil {
-				displayName = req.UserContext.DisplayName
-			}
-			if len(groups) == 0 && req.UserContext != nil {
-				groups = req.UserContext.Groups
-			}
-			session["spec"].(map[string]interface{})["userContext"] = map[string]interface{}{
-				"userId":      uid,
-				"displayName": displayName,
-				"groups":      groups,
 			}
 		}
 	}
diff --git a/components/manifests/base/core/operator-deployment.yaml b/components/manifests/base/core/operator-deployment.yaml
@@ -141,10 +141,10 @@ spec:
         resources:
           requests:
             cpu: 50m
-            memory: 64Mi
+            memory: 128Mi
           limits:
             cpu: 200m
-            memory: 256Mi
+            memory: 512Mi
         livenessProbe:
           httpGet:
             path: /healthz
diff --git a/components/manifests/overlays/production/route.yaml b/components/manifests/overlays/production/route.yaml
@@ -4,6 +4,9 @@ metadata:
   name: frontend-route
   labels:
     app: frontend
+  annotations:
+    haproxy.router.openshift.io/balance: roundrobin
+    haproxy.router.openshift.io/disable_cookies: "true"
 spec:
   to:
     kind: Service
diff --git a/components/runners/ambient-runner/ambient_runner/tools/backend_api.py b/components/runners/ambient-runner/ambient_runner/tools/backend_api.py
@@ -132,6 +132,9 @@ def create_session(
     ) -> Dict[str, Any]:
         """Create a new agentic session.
 
+        Automatically sets the current session as the parent so the child
+        inherits the parent's userContext (and therefore credentials).
+
         Args:
             session_name: Unique name for the session (must be DNS-compatible)
             initial_prompt: Optional initial prompt to send to the agent
@@ -148,6 +151,11 @@ def create_session(
             "sessionName": session_name,
         }
 
+        # Set parent session ID so the child inherits the parent's userContext
+        parent_session = os.getenv("AGENTIC_SESSION_NAME", "").strip()
+        if parent_session:
+            payload["parentSessionId"] = parent_session
+
         if initial_prompt:
             payload["initialPrompt"] = initial_prompt
         if display_name:
