feat(ambient-ui): session log details tab (#1633)

## Summary

- **Logs tab**: Structured operational event viewer with filter chips,
error summary banner, live-tail auto-scroll, tool call/result visual
pairing, and a11y (semantic markup, aria-live, contrast fixes)
- **Operational event persistence**: Runner now pushes `tool_use`,
`tool_result`, `error`, and `lifecycle` events to the session messages
API via new `OperationalEventWriter` (previously only `user`/`assistant`
were persisted)
- **Auth simplification**: Removed oauth-proxy and none auth modes;
native-sso only via Keycloak OIDC
- **User menu**: Initials avatar + dropdown with sign-out in nav header
- **OOMKilled detection**: Control plane pod syncer now detects
OOMKilled/Error terminated containers
- **Runner OOM fix**: Pre-install `mcp-server-fetch` in Dockerfile
instead of downloading via `uvx` at runtime (eliminated 15GB memory
spike)
- **Smart polling**: Restored phase-aware polling — 1s transitioning, 3s
active, stopped for terminal sessions, 30s for projects
- **Dev experience**: `make dev COMPONENT=ambient-ui` handles
port-forwards, Keycloak hostname patching, `.env.local` generation
- **Test suite**: 23 files, 227 unit tests in 2.9s (vitest) + Playwright
e2e scaffold

## Runner changes (SDD-managed, warn mode)

The `.mcp.json` and `Dockerfile` changes fix a critical OOM issue: `uvx
mcp-server-fetch` was downloading and installing packages into a temp
venv at runtime, spiking memory to 15GB. Now pre-installed at build time
with a pinned version (`mcp-server-fetch==2025.4.7`).

## Test plan

- [x] `npx vitest run` — 227 tests pass
- [x] `npx tsc --noEmit` — zero type errors
- [x] Logs tab renders with filter chips, error banner, live tail
indicator
- [x] Runner pushes operational events visible in Logs tab (requires
rebuilt runner image)
- [x] SSO login flow works against Kind Keycloak
- [x] `make dev COMPONENT=ambient-ui` starts dev server with working
auth
- [x] Smart polling stops for terminal sessions
- [ ] Verify on staging with real agent sessions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Ambient UI added with SSO login, top-right user menu and sign-out,
session event log viewer (filters, live-tail, accessible announcements),
and a new /api/me endpoint.

* **Bug Fixes**
* Better pod crash detection (includes OOMKilled/Error) and increased
runner memory.

* **Developer Experience**
* Local dev improvements: new make targets and automatic port-forwards
for Ambient UI and Keycloak.

* **Tests**
  * Added unit and Playwright E2E tests and test coverage scripts.

* **Documentation**
  * Ambient UI development guide and architecture notes added.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: 3 people

Makefile

@@ -101,6 +101,10 @@ KIND_FWD_BACKEND_PORT ?= $(shell echo $$((12000 + $(KIND_PORT_OFFSET))))
 KIND_FWD_BACKEND_PORT := $(KIND_FWD_BACKEND_PORT)
 KIND_FWD_API_SERVER_PORT ?= $(shell echo $$((13000 + $(KIND_PORT_OFFSET))))
 KIND_FWD_API_SERVER_PORT := $(KIND_FWD_API_SERVER_PORT)
+KIND_FWD_AMBIENT_UI_PORT ?= $(shell echo $$((14000 + $(KIND_PORT_OFFSET))))
+KIND_FWD_AMBIENT_UI_PORT := $(KIND_FWD_AMBIENT_UI_PORT)
+KIND_FWD_KEYCLOAK_PORT ?= $(shell echo $$((18000 + $(KIND_PORT_OFFSET))))
+KIND_FWD_KEYCLOAK_PORT := $(KIND_FWD_KEYCLOAK_PORT)
 # Remote kind host — set to Tailscale IP/hostname of the Linux build machine.
 # When set, kubeconfig is rewritten so kubectl/port-forward work from Mac.
 KIND_HOST ?=
@@ -675,9 +679,9 @@ preflight: preflight-cluster ## Validate dev environment (cluster tools + option
 			p=$$(echo "$$piece" | sed 's/^[[:space:]]*//;s/[[:space:]]*$$//'); \
 			[ -z "$$p" ] && continue; \
 			case "$$p" in \
-				frontend) NEED_NODE=1 ;; \
+				frontend|ambient-ui) NEED_NODE=1 ;; \
 				backend) NEED_GO=1 ;; \
-				*) echo "$(COLOR_RED)✗$(COLOR_RESET) Unknown COMPONENT: $$p (use frontend, backend, or frontend,backend)"; FAILED=1 ;; \
+				*) echo "$(COLOR_RED)✗$(COLOR_RESET) Unknown COMPONENT: $$p (use frontend, backend, ambient-ui, or comma-separated)"; FAILED=1 ;; \
 			esac; \
 		done; \
 	fi; \
@@ -753,7 +757,30 @@ dev-env: check-kubectl check-local-context ## Generate components/frontend/.env.
 		echo "$(COLOR_GREEN)✓$(COLOR_RESET) Wrote $$ENV_FILE"; \
 	fi
 
-dev: ## Local dev: preflight, cluster, dev-env, port-forwards; COMPONENT=frontend|backend|frontend,backend for hot-reload
+dev-env-ambient-ui: check-kubectl ## Generate components/ambient-ui/.env.local from cluster state
+	@kubectl config use-context kind-$(KIND_CLUSTER_NAME) >/dev/null 2>&1 || true
+	@set -e; \
+	SESSION_SECRET=$$(printf '%s-ambient-ui' '$(KIND_CLUSTER_NAME)' | sha256sum | cut -c1-32); \
+	ENV_FILE="components/ambient-ui/.env.local"; \
+	{ \
+		echo "# Generated by make dev-env-ambient-ui — do not commit"; \
+		echo "API_SERVER_URL=http://localhost:$(KIND_FWD_API_SERVER_PORT)"; \
+		echo "NEXT_PUBLIC_PREVIEW_ALLOWED_HOSTS=localhost:*,127.0.0.1:*"; \
+		echo "SSO_ISSUER_URL=http://localhost:$(KIND_FWD_KEYCLOAK_PORT)/realms/ambient-code"; \
+		echo "SSO_CLIENT_ID=ambient-frontend"; \
+		echo "SSO_CLIENT_SECRET=dev-secret-do-not-use-in-prod"; \
+		echo "SSO_REDIRECT_URI=http://localhost:3001/api/auth/sso/callback"; \
+		echo "SESSION_SECRET=$$SESSION_SECRET"; \
+	} > "$$ENV_FILE.tmp"; \
+	if [ -f "$$ENV_FILE" ] && cmp -s "$$ENV_FILE.tmp" "$$ENV_FILE"; then \
+		rm -f "$$ENV_FILE.tmp"; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) $$ENV_FILE unchanged"; \
+	else \
+		mv "$$ENV_FILE.tmp" "$$ENV_FILE"; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) Wrote $$ENV_FILE"; \
+	fi
+
+dev: ## Local dev: preflight, cluster, dev-env, port-forwards; COMPONENT=frontend|backend|ambient-ui for hot-reload
 	@if [ -z "$(COMPONENT)" ]; then $(MAKE) --no-print-directory preflight-cluster; else $(MAKE) --no-print-directory preflight; fi
 	@set -e; \
 	if [ "$(CONTAINER_ENGINE)" = "podman" ]; then export KIND_EXPERIMENTAL_PROVIDER=podman; fi; \
@@ -781,10 +808,10 @@ dev: ## Local dev: preflight, cluster, dev-env, port-forwards; COMPONENT=fronten
 		kubectl config use-context kind-$(KIND_CLUSTER_NAME); \
 	fi; \
 	COMP="$(COMPONENT)"; \
-	HAS_FRONT=0; HAS_BACK=0; \
+	HAS_FRONT=0; HAS_BACK=0; HAS_AUI=0; \
 	for piece in $$(echo "$$COMP" | tr ',' ' '); do \
 		p=$$(echo "$$piece" | sed 's/^[[:space:]]*//;s/[[:space:]]*$$//'); \
-		case "$$p" in frontend) HAS_FRONT=1 ;; backend) HAS_BACK=1 ;; esac; \
+		case "$$p" in frontend) HAS_FRONT=1 ;; backend) HAS_BACK=1 ;; ambient-ui) HAS_AUI=1 ;; esac; \
 	done; \
 	DEV_LOCAL=0; \
 	if [ "$$HAS_FRONT" -eq 1 ] && [ "$$HAS_BACK" -eq 1 ]; then DEV_LOCAL=1; \
@@ -829,6 +856,33 @@ dev: ## Local dev: preflight, cluster, dev-env, port-forwards; COMPONENT=fronten
 		(cd components/frontend && npm run dev) & NPM_PID=$$!; \
 		trap 'kill $$GO_PID $$NPM_PID 2>/dev/null; cleanup' INT TERM; \
 		wait $$GO_PID $$NPM_PID; \
+	elif [ "$$HAS_AUI" -eq 1 ]; then \
+		echo "$(COLOR_BLUE)▶$(COLOR_RESET) ambient-ui dev: setting up API server + Keycloak..."; \
+		pkill -f "port-forward.*ambient-api-server-service" 2>/dev/null || true; \
+		pkill -f "port-forward.*keycloak-service" 2>/dev/null || true; \
+		WANT_KC="http://localhost:$(KIND_FWD_KEYCLOAK_PORT)"; \
+		CUR_KC=$$(kubectl get deployment keycloak -n $(NAMESPACE) -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="KC_HOSTNAME")].value}' 2>/dev/null); \
+		if [ "$$CUR_KC" != "$$WANT_KC" ]; then \
+			echo "$(COLOR_BLUE)▶$(COLOR_RESET) Patching Keycloak hostname: $$CUR_KC → $$WANT_KC"; \
+			kubectl set env deployment/keycloak -n $(NAMESPACE) KC_HOSTNAME="$$WANT_KC" >/dev/null 2>&1; \
+			kubectl rollout status deployment/keycloak -n $(NAMESPACE) --timeout=120s >/dev/null 2>&1 || true; \
+			echo "$(COLOR_GREEN)✓$(COLOR_RESET) Keycloak hostname patched"; \
+		else \
+			echo "$(COLOR_GREEN)✓$(COLOR_RESET) Keycloak hostname already correct"; \
+		fi; \
+		kubectl port-forward -n $(NAMESPACE) svc/ambient-api-server-service $(KIND_FWD_API_SERVER_PORT):8000 >/tmp/acp-dev-pf-api.log 2>&1 & PF_PIDS="$$PF_PIDS $$!"; \
+		kubectl port-forward -n $(NAMESPACE) svc/keycloak-service $(KIND_FWD_KEYCLOAK_PORT):8080 >/tmp/acp-dev-pf-keycloak.log 2>&1 & PF_PIDS="$$PF_PIDS $$!"; \
+		sleep 2; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) API server  → http://localhost:$(KIND_FWD_API_SERVER_PORT)"; \
+		echo "$(COLOR_GREEN)✓$(COLOR_RESET) Keycloak    → http://localhost:$(KIND_FWD_KEYCLOAK_PORT)"; \
+		$(MAKE) --no-print-directory dev-env-ambient-ui; \
+		echo ""; \
+		echo "$(COLOR_BOLD)Access:$(COLOR_RESET)"; \
+		echo "  Ambient UI: $(COLOR_BLUE)http://localhost:3001$(COLOR_RESET)"; \
+		echo "  API server: http://localhost:$(KIND_FWD_API_SERVER_PORT)"; \
+		echo "  Keycloak:   http://localhost:$(KIND_FWD_KEYCLOAK_PORT)"; \
+		echo ""; \
+		cd components/ambient-ui && npm run dev; \
 	fi
 
 ##@ Benchmarking
@@ -969,14 +1023,18 @@ kind-login: check-kubectl check-local-context ## Set kubectl context, port-forwa
 kind-port-forward: check-kubectl check-local-context ## Port-forward kind services (for remote Podman)
 	@echo "$(COLOR_BOLD)Port forwarding kind services ($(KIND_CLUSTER_NAME))$(COLOR_RESET)"
 	@echo ""
-	@echo "  Frontend: http://localhost:$(KIND_FWD_FRONTEND_PORT)"
-	@echo "  Backend:  http://localhost:$(KIND_FWD_BACKEND_PORT)"
+	@echo "  Frontend:   http://localhost:$(KIND_FWD_FRONTEND_PORT)"
+	@echo "  Backend:    http://localhost:$(KIND_FWD_BACKEND_PORT)"
+	@echo "  Ambient UI: http://localhost:$(KIND_FWD_AMBIENT_UI_PORT)"
+	@echo "  Keycloak:   http://localhost:$(KIND_FWD_KEYCLOAK_PORT)"
 	@echo ""
 	@echo "$(COLOR_YELLOW)Press Ctrl+C to stop$(COLOR_RESET)"
 	@echo ""
 	@trap 'echo ""; echo "$(COLOR_GREEN)✓$(COLOR_RESET) Port forwarding stopped"; exit 0' INT; \
 	(kubectl port-forward -n ambient-code svc/frontend-service $(KIND_FWD_FRONTEND_PORT):3000 >/dev/null 2>&1 &); \
 	(kubectl port-forward -n ambient-code svc/backend-service $(KIND_FWD_BACKEND_PORT):8080 >/dev/null 2>&1 &); \
+	(kubectl port-forward -n ambient-code svc/ambient-ui-service $(KIND_FWD_AMBIENT_UI_PORT):3000 >/dev/null 2>&1 &); \
+	(kubectl port-forward -n ambient-code svc/keycloak-service $(KIND_FWD_KEYCLOAK_PORT):8080 >/dev/null 2>&1 &); \
 	wait
 
 dev-bootstrap: check-kubectl check-local-context ## Bootstrap developer workspace with API key and integrations
@@ -1169,7 +1227,7 @@ kind-status: check-kind ## Show all kind clusters and their port assignments
 	@echo "  Cluster:  $(KIND_CLUSTER_NAME)"
 	@if [ -n "$(KIND_HOST)" ]; then echo "  Host:     $(KIND_HOST) (remote)"; else echo "  Host:     localhost"; fi
 	@echo "  NodePort: $(KIND_HTTP_PORT) (HTTP) / $(KIND_HTTPS_PORT) (HTTPS)"
-	@echo "  Forward:  $(KIND_FWD_FRONTEND_PORT) (frontend) / $(KIND_FWD_BACKEND_PORT) (backend)"
+	@echo "  Forward:  $(KIND_FWD_FRONTEND_PORT) (frontend) / $(KIND_FWD_BACKEND_PORT) (backend) / $(KIND_FWD_KEYCLOAK_PORT) (keycloak)"
 	@echo ""
 	@CLUSTERS=$$($(if $(filter podman,$(CONTAINER_ENGINE)),KIND_EXPERIMENTAL_PROVIDER=podman) kind get clusters 2>/dev/null); \
 	if [ -z "$$CLUSTERS" ]; then \

components/ambient-control-plane/internal/reconciler/kube_reconciler.go

@@ -515,7 +515,7 @@ func (r *SimpleKubeReconciler) ensurePod(ctx context.Context, namespace string,
 			"resources": map[string]interface{}{
 				"requests": map[string]interface{}{
 					"cpu":    "500m",
-					"memory": "512Mi",
+					"memory": "1Gi",
 				},
 				"limits": map[string]interface{}{
 					"cpu":    "2000m",

components/ambient-control-plane/internal/reconciler/pod_sync.go

@@ -188,6 +188,14 @@ func (s *PodStatusSyncer) hasContainerCrashLoop(pod *unstructured.Unstructured)
 				return true
 			}
 		}
+		name, _, _ := unstructured.NestedString(csMap, "name")
+		terminated, found, _ := unstructured.NestedMap(csMap, "state", "terminated")
+		if found && name == "ambient-code-runner" {
+			reason, _, _ := unstructured.NestedString(terminated, "reason")
+			if reason == "OOMKilled" || reason == "Error" {
+				return true
+			}
+		}
 	}
 
 	initStatuses, found, _ := unstructured.NestedSlice(pod.Object, "status", "initContainerStatuses")

components/ambient-ui/README.md

@@ -0,0 +1,45 @@
+# Ambient UI
+
+Operations console for the Ambient Code Platform. Next.js BFF with OIDC authentication (Keycloak), shadcn/ui components, and Red Hat design system.
+
+## Local Development
+
+Prerequisites: Kind cluster running (`make kind-up`).
+
+```bash
+make dev COMPONENT=ambient-ui
+```
+
+This single command:
+1. Sets kubectl context to the correct Kind cluster
+2. Port-forwards the API server and Keycloak
+3. Patches Keycloak's `KC_HOSTNAME` so OIDC redirects work locally
+4. Generates `.env.local` with correct SSO config
+5. Starts the Next.js dev server on `http://localhost:3001`
+
+Login with the Keycloak admin credentials (`admin` / `admin`) or any user configured in the `ambient-code` realm.
+
+### Other useful commands
+
+```bash
+make dev-env-ambient-ui     # Regenerate .env.local without starting the dev server
+make kind-reload-ambient-ui # Rebuild image and redeploy to Kind
+make kind-status            # Show cluster ports (including Keycloak)
+```
+
+## Testing
+
+```bash
+npm test              # Unit tests (vitest, ~3s)
+npm run test:watch    # Watch mode
+npm run test:coverage # With coverage
+
+# E2E (requires: npm install && npx playwright install chromium)
+npm run test:e2e
+```
+
+## Architecture
+
+- **BFF pattern**: Next.js server handles OIDC auth, proxies API calls with JWT injection. Browser never sees raw tokens.
+- **Port/Adapter**: Domain types in `src/domain/`, ports in `src/ports/`, SDK adapters in `src/adapters/`. Components consume ports, never SDK types.
+- **iron-session**: Per-user encrypted cookie sessions for connection context and auth state.

components/ambient-ui/e2e/auth.spec.ts

@@ -0,0 +1,24 @@
+import { test, expect } from '@playwright/test'
+
+test.describe('Authentication endpoints', () => {
+  test('GET /api/me returns unauthenticated when no session cookie', async ({
+    request,
+  }) => {
+    const response = await request.get('/api/me')
+
+    expect(response.status()).toBe(200)
+    const body = await response.json()
+    expect(body.authenticated).toBe(false)
+  })
+
+  test('GET /api/config returns config shape', async ({ request }) => {
+    const response = await request.get('/api/config')
+
+    expect(response.status()).toBe(200)
+    const body = await response.json()
+    expect(body).toHaveProperty('apiServerUrl')
+    expect(body).toHaveProperty('isCustomContext')
+    expect(typeof body.apiServerUrl).toBe('string')
+    expect(typeof body.isCustomContext).toBe('boolean')
+  })
+})

components/ambient-ui/e2e/healthz.spec.ts

@@ -0,0 +1,11 @@
+import { test, expect } from '@playwright/test'
+
+test.describe('Health check endpoint', () => {
+  test('GET /api/healthz returns 200 with status ok', async ({ request }) => {
+    const response = await request.get('/api/healthz')
+
+    expect(response.status()).toBe(200)
+    const body = await response.json()
+    expect(body).toEqual({ status: 'ok' })
+  })
+})

components/ambient-ui/e2e/proxy.spec.ts

@@ -0,0 +1,15 @@
+import { test, expect } from '@playwright/test'
+
+test.describe('BFF proxy endpoint', () => {
+  test('GET /api/ambient/v1/sessions without auth returns 401 or 502', async ({
+    request,
+  }) => {
+    const response = await request.get('/api/ambient/v1/sessions', {
+      failOnStatusCode: false,
+    })
+
+    // Without auth: 401 (no token). Without backend: 502 (upstream unreachable).
+    // 404/405 would indicate a broken route — reject those.
+    expect([401, 502]).toContain(response.status())
+  })
+})

components/ambient-ui/package-lock.json

@@ -9,7 +9,8 @@
     "lint": "eslint",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage"
+    "test:coverage": "vitest run --coverage",
+    "test:e2e": "npx playwright test"
   },
   "dependencies": {
     "@radix-ui/react-avatar": "^1.1.10",
@@ -42,6 +43,7 @@
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3",
+    "@playwright/test": "^1.52.0",
     "@tailwindcss/postcss": "^4",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",

components/ambient-ui/package.json

@@ -0,0 +1,22 @@
+import { defineConfig, devices } from '@playwright/test'
+
+export default defineConfig({
+  testDir: './e2e',
+  fullyParallel: true,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 1 : 0,
+  workers: process.env.CI ? 1 : undefined,
+  reporter: 'list',
+  use: {
+    baseURL: 'http://localhost:3001',
+    trace: 'on-first-retry',
+  },
+  projects: [
+    {
+      name: 'chromium',
+      use: { ...devices['Desktop Chrome'] },
+    },
+  ],
+  // Start the dev server before running: npm run dev
+  // webServer is omitted — tests expect an already-running server.
+})