fix(cli): correct mcp secrets sync apply behavior and thread cobra ctx (#1814)

## summary

three issues in `mcp secrets sync`:

- `SyncSecretsMcp` and `applySecretToCluster` passed `context.TODO()` to
every clientset Get/Create/Update call. ctrl-c during a slow apply
(remote cluster, hung api-server connection) silently fell through to
whatever the kubernetes client default did rather than honoring
cancellation. fix: thread `cmd.Context()` from the cobra `RunE` through
`SyncSecretsMcp` and `applySecretToCluster`. matches the existing kagent
cli convention used by `InstallCmd`, `UninstallCmd`, `InvokeCmd`,
`DashboardCmd`, and `DeployCmd`, which all take `ctx` as the first
argument and are wired from `cmd.Context()` at the top level in
`cmd/kagent/main.go`.
- the Get error path was treated as "secret does not exist" without
inspecting the error, so RBAC forbidden, network errors, and
ctx-cancellation all surfaced as confusing `"failed to create secret"`
messages instead of the real cause. fix: branch on
`apierrors.IsNotFound(err)` so only true-NotFound triggers Create; any
other Get error returns a wrapped message immediately.
- the update path discarded the Get result, so the Secret being sent to
Update had no `metadata.resourceVersion`. kubernetes Update requires
`resourceVersion` and rejects optimistic-concurrency-violating writes,
so updates against a populated cluster would fail with a validation
error. fix: capture the live object from Get and copy its
`resourceVersion` onto the secret built from `.env` before calling
Update.

the second and third items were flagged by copilot on the initial
revision of this PR; addressed in the follow-up commit `cf8b5efd`.

## ai model disclosure

used claude code (claude opus 4.7) to triage the `context.TODO()` call
sites and draft the diff. self-reviewed against
`go/core/cli/internal/cli/agent/deploy.go` to confirm the `apierrors`
import alias and the ctx-as-first-arg pattern, and against
`cmd/kagent/main.go` to confirm `cmd.Context()` is the established
wiring point. verified locally via:

```bash
go vet ./core/cli/...
./bin/golangci-lint run ./core/cli/internal/cli/mcp/...   # 0 issues
go build ./core/cli/...
go test -race -count=1 ./core/cli/internal/cli/mcp/...    # ok
```

---------

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>

Author: SarthakB11

go/core/cli/internal/cli/mcp/root.go

@@ -393,8 +393,8 @@ Examples:
   kagent mcp secrets sync production --dry-run
 `,
 		Args: cobra.ExactArgs(1),
-		RunE: func(_ *cobra.Command, args []string) error {
-			return SyncSecretsMcp(cfg, args[0])
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return SyncSecretsMcp(cmd.Context(), cfg, args[0])
 		},
 	}
 

go/core/cli/internal/cli/mcp/secrets.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/kagent-dev/kagent/go/core/cli/internal/mcp/manifests"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
@@ -22,7 +23,7 @@ type SecretsCfg struct {
 	ProjectDir string
 }
 
-func SyncSecretsMcp(cfg *SecretsCfg, environment string) error {
+func SyncSecretsMcp(ctx context.Context, cfg *SecretsCfg, environment string) error {
 	// Determine project root
 	projectRoot := cfg.ProjectDir
 	if projectRoot == "" {
@@ -109,10 +110,10 @@ func SyncSecretsMcp(cfg *SecretsCfg, environment string) error {
 	}
 
 	// Apply to cluster
-	return applySecretToCluster(secret)
+	return applySecretToCluster(ctx, secret)
 }
 
-func applySecretToCluster(secret *corev1.Secret) error {
+func applySecretToCluster(ctx context.Context, secret *corev1.Secret) error {
 	// Get kubeconfig
 	cfg, err := config.GetConfig()
 	if err != nil {
@@ -125,18 +126,25 @@ func applySecretToCluster(secret *corev1.Secret) error {
 		return fmt.Errorf("failed to create kubernetes clientset: %w", err)
 	}
 
-	// Check if secret exists
-	_, err = clientset.CoreV1().Secrets(secret.Namespace).Get(context.TODO(), secret.Name, metav1.GetOptions{})
-	if err != nil {
-		// Create if it doesn't exist
-		_, err = clientset.CoreV1().Secrets(secret.Namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	// Check if secret exists. Branch on IsNotFound so RBAC, network, or
+	// context-cancellation failures from Get aren't silently treated as
+	// "secret does not exist" and don't fall through to a Create that masks
+	// the real error.
+	existing, err := clientset.CoreV1().Secrets(secret.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
+	switch {
+	case apierrors.IsNotFound(err):
+		_, err = clientset.CoreV1().Secrets(secret.Namespace).Create(ctx, secret, metav1.CreateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to create secret: %w", err)
 		}
 		fmt.Printf("✅ Secret '%s' created in namespace '%s'.\n", secret.Name, secret.Namespace)
-	} else {
-		// Update if it exists
-		_, err = clientset.CoreV1().Secrets(secret.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
+	case err != nil:
+		return fmt.Errorf("failed to get secret: %w", err)
+	default:
+		// Update requires the live resourceVersion from the existing object;
+		// the Secret we built from .env has none.
+		secret.ResourceVersion = existing.ResourceVersion
+		_, err = clientset.CoreV1().Secrets(secret.Namespace).Update(ctx, secret, metav1.UpdateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to update secret: %w", err)
 		}