airbyte-internal-ops 0.1.10__py3-none-any.whl → 0.2.0__py3-none-any.whl

airbyte_ops_mcp/live_tests/cdk_secrets.py

@@ -0,0 +1,90 @@
+# Copyright (c) 2025 Airbyte, Inc., all rights reserved.
+"""Fetch connector test secrets using the PyAirbyte secrets API.
+
+This module uses the PyAirbyte GoogleGSMSecretManager to retrieve
+integration test secrets from Google Secret Manager for connectors.
+
+Usage:
+    from airbyte_ops_mcp.live_tests.cdk_secrets import get_first_config_from_secrets
+
+    # Fetch the first config for a connector
+    config = get_first_config_from_secrets("source-github")
+    if config:
+        # Use the config dict
+        ...
+
+Note: Requires GCP credentials with access to the integration testing project.
+The credentials can be provided via:
+- GOOGLE_APPLICATION_CREDENTIALS environment variable
+- GCP_GSM_CREDENTIALS environment variable (JSON string)
+- Application Default Credentials
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+
+from airbyte.secrets import GoogleGSMSecretManager
+
+logger = logging.getLogger(__name__)
+
+# Default GCP project for integration test secrets
+DEFAULT_GSM_PROJECT = "dataline-integration-testing"
+
+
+def get_first_config_from_secrets(
+    connector_name: str,
+    project: str = DEFAULT_GSM_PROJECT,
+) -> dict | None:
+    """Fetch the first integration test config for a connector from GSM.
+
+    This function uses the PyAirbyte GoogleGSMSecretManager to fetch secrets
+    labeled with the connector name and returns the first one as a parsed dict.
+
+    Args:
+        connector_name: The connector name (e.g., 'source-github').
+        project: The GCP project ID containing the secrets.
+
+    Returns:
+        The parsed config dict, or None if no secrets are found or fetching fails.
+    """
+    # Get credentials from environment
+    credentials_json: str | None = None
+    credentials_path: str | None = None
+
+    if "GCP_GSM_CREDENTIALS" in os.environ:
+        credentials_json = os.environ["GCP_GSM_CREDENTIALS"]
+    elif "GOOGLE_APPLICATION_CREDENTIALS" in os.environ:
+        credentials_path = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
+
+    # If no explicit credentials, GoogleGSMSecretManager will try ADC
+    try:
+        gsm = GoogleGSMSecretManager(
+            project=project,
+            credentials_json=credentials_json,
+            credentials_path=credentials_path,
+        )
+    except Exception as e:
+        logger.warning(f"Failed to initialize GSM client: {e}")
+        return None
+
+    logger.info(f"Fetching integration test config for {connector_name} from GSM")
+
+    try:
+        # fetch_connector_secret returns the first secret matching the connector label
+        secret_handle = gsm.fetch_connector_secret(connector_name)
+        # parse_json() calls get_value() internally and parses the result
+        config = secret_handle.parse_json()
+        logger.info(f"Successfully fetched config for {connector_name}")
+        return dict(config) if config else None
+
+    except StopIteration:
+        logger.warning(f"No secrets found for connector {connector_name}")
+        return None
+    except Exception as e:
+        # Log the exception type but not the message (may contain sensitive info)
+        logger.warning(
+            f"Failed to fetch config for {connector_name}: {type(e).__name__}"
+        )
+        return None

airbyte_ops_mcp/live_tests/ci_output.py

@@ -142,6 +142,35 @@ def _format_delta(delta: int) -> str:
     return "0"
 
 
+def _get_github_run_url() -> str | None:
+    """Get the URL to the current GitHub Actions workflow run.
+
+    Returns:
+        The workflow run URL, or None if not running in GitHub Actions.
+    """
+    server_url = os.getenv("GITHUB_SERVER_URL")
+    repository = os.getenv("GITHUB_REPOSITORY")
+    run_id = os.getenv("GITHUB_RUN_ID")
+
+    if not all([server_url, repository, run_id]):
+        return None
+
+    return f"{server_url}/{repository}/actions/runs/{run_id}"
+
+
+def _get_github_artifacts_url() -> str | None:
+    """Get the URL to the artifacts section of the current workflow run.
+
+    Returns:
+        The artifacts section URL, or None if not running in GitHub Actions.
+    """
+    run_url = _get_github_run_url()
+    if not run_url:
+        return None
+
+    return f"{run_url}#artifacts"
+
+
 def generate_regression_report(
     target_image: str,
     control_image: str,
@@ -190,6 +219,9 @@ def generate_regression_report(
         target_image.rsplit(":", 1)[0] if ":" in target_image else target_image
     )
 
+    run_url = _get_github_run_url()
+    artifacts_url = _get_github_artifacts_url()
+
     lines: list[str] = [
         "# Regression Test Report",
         "",
@@ -200,12 +232,23 @@ def generate_regression_report(
         f"- **Control Version:** `{control_version}`",
         f"- **Target Version:** `{target_version}`",
         f"- **Command:** `{command.upper()}`",
-        f"- **Artifacts:** `{artifact_name}`",
-        "",
-        "## Summary",
-        "",
     ]
 
+    if run_url:
+        lines.append(f"- **Workflow Run:** [View Execution]({run_url})")
+    if artifacts_url:
+        lines.append(f"- **Artifacts:** [Download `{artifact_name}`]({artifacts_url})")
+    else:
+        lines.append(f"- **Artifacts:** `{artifact_name}`")
+
+    lines.extend(
+        [
+            "",
+            "## Summary",
+            "",
+        ]
+    )
+
     if regression_detected:
         if target_result["success"] and not control_result["success"]:
             lines.append("**Result:** Target succeeded, control failed (improvement)")
@@ -341,9 +384,16 @@ def get_report_summary(report_path: Path) -> str:
         f"regression-test-artifacts-{run_id}" if run_id else "regression-test-artifacts"
     )
 
+    artifacts_url = _get_github_artifacts_url()
+    artifact_link = (
+        f"[`{artifact_name}`]({artifacts_url})"
+        if artifacts_url
+        else f"`{artifact_name}`"
+    )
+
     return f"""## Regression Test Report
 
-Full report available in the **Regression Test Report** check or in artifact `{artifact_name}`.
+Full report available in the **Regression Test Report** check or in artifact {artifact_link}.
 
 See the Checks tab for the complete report with message counts and execution details.
 """

airbyte_ops_mcp/live_tests/connector_runner.py

@@ -168,6 +168,9 @@ class ConnectorRunner:
 
         with tempfile.TemporaryDirectory() as temp_dir:
             temp_path = Path(temp_dir)
+            # Make temp directory world-readable so non-root container users can access it
+            # Many connector images run as non-root users (e.g., 'airbyte' user)
+            temp_path.chmod(0o755)
             self._prepare_data_directory(temp_path)
 
             docker_cmd = self._build_docker_command(temp_path)

airbyte_ops_mcp/mcp/_http_headers.py

@@ -0,0 +1,198 @@
+# Copyright (c) 2025 Airbyte, Inc., all rights reserved.
+"""HTTP header extraction for Airbyte Cloud credentials.
+
+This module provides internal helper functions for extracting Airbyte Cloud
+authentication credentials from HTTP headers when running as an MCP HTTP server.
+This enables per-request credential passing from upstream services like coral-agents.
+
+The resolution order for credentials is:
+1. HTTP headers (when running as MCP HTTP server)
+2. Environment variables (fallback)
+
+Note: This module is prefixed with "_" to indicate it is internal helper logic
+for the MCP module and should not be imported directly by external code.
+"""
+
+from __future__ import annotations
+
+from airbyte.cloud.auth import (
+    resolve_cloud_api_url,
+    resolve_cloud_client_id,
+    resolve_cloud_client_secret,
+    resolve_cloud_workspace_id,
+)
+from airbyte.secrets.base import SecretString
+from fastmcp.server.dependencies import get_http_headers
+
+from airbyte_ops_mcp.constants import (
+    HEADER_AIRBYTE_CLOUD_API_URL,
+    HEADER_AIRBYTE_CLOUD_CLIENT_ID,
+    HEADER_AIRBYTE_CLOUD_CLIENT_SECRET,
+    HEADER_AIRBYTE_CLOUD_WORKSPACE_ID,
+)
+
+
+def _get_header_value(headers: dict[str, str], header_name: str) -> str | None:
+    """Get a header value from a headers dict, case-insensitively.
+
+    Args:
+        headers: Dictionary of HTTP headers.
+        header_name: The header name to look for (case-insensitive).
+
+    Returns:
+        The header value if found, None otherwise.
+    """
+    header_name_lower = header_name.lower()
+    for key, value in headers.items():
+        if key.lower() == header_name_lower:
+            return value
+    return None
+
+
+def get_client_id_from_headers() -> SecretString | None:
+    """Extract client ID from HTTP headers.
+
+    Returns:
+        The client ID as a SecretString, or None if not found or not in HTTP context.
+    """
+    headers = get_http_headers()
+    if not headers:
+        return None
+
+    value = _get_header_value(headers, HEADER_AIRBYTE_CLOUD_CLIENT_ID)
+    if value:
+        return SecretString(value)
+    return None
+
+
+def get_client_secret_from_headers() -> SecretString | None:
+    """Extract client secret from HTTP headers.
+
+    Returns:
+        The client secret as a SecretString, or None if not found or not in HTTP context.
+    """
+    headers = get_http_headers()
+    if not headers:
+        return None
+
+    value = _get_header_value(headers, HEADER_AIRBYTE_CLOUD_CLIENT_SECRET)
+    if value:
+        return SecretString(value)
+    return None
+
+
+def get_workspace_id_from_headers() -> str | None:
+    """Extract workspace ID from HTTP headers.
+
+    Returns:
+        The workspace ID, or None if not found or not in HTTP context.
+    """
+    headers = get_http_headers()
+    if not headers:
+        return None
+
+    return _get_header_value(headers, HEADER_AIRBYTE_CLOUD_WORKSPACE_ID)
+
+
+def get_api_url_from_headers() -> str | None:
+    """Extract API URL from HTTP headers.
+
+    Returns:
+        The API URL, or None if not found or not in HTTP context.
+    """
+    headers = get_http_headers()
+    if not headers:
+        return None
+
+    return _get_header_value(headers, HEADER_AIRBYTE_CLOUD_API_URL)
+
+
+def resolve_client_id() -> SecretString:
+    """Resolve client ID from HTTP headers or environment variables.
+
+    Resolution order:
+    1. HTTP header X-Airbyte-Cloud-Client-Id
+    2. Environment variable AIRBYTE_CLOUD_CLIENT_ID (via PyAirbyte)
+
+    Returns:
+        The resolved client ID as a SecretString.
+
+    Raises:
+        PyAirbyteSecretNotFoundError: If no client ID can be resolved.
+    """
+    header_value = get_client_id_from_headers()
+    if header_value:
+        return header_value
+
+    return resolve_cloud_client_id()
+
+
+def resolve_client_secret() -> SecretString:
+    """Resolve client secret from HTTP headers or environment variables.
+
+    Resolution order:
+    1. HTTP header X-Airbyte-Cloud-Client-Secret
+    2. Environment variable AIRBYTE_CLOUD_CLIENT_SECRET (via PyAirbyte)
+
+    Returns:
+        The resolved client secret as a SecretString.
+
+    Raises:
+        PyAirbyteSecretNotFoundError: If no client secret can be resolved.
+    """
+    header_value = get_client_secret_from_headers()
+    if header_value:
+        return header_value
+
+    return resolve_cloud_client_secret()
+
+
+def resolve_workspace_id(workspace_id: str | None = None) -> str:
+    """Resolve workspace ID from multiple sources.
+
+    Resolution order:
+    1. Explicit workspace_id parameter (if provided)
+    2. HTTP header X-Airbyte-Cloud-Workspace-Id
+    3. Environment variable AIRBYTE_CLOUD_WORKSPACE_ID (via PyAirbyte)
+
+    Args:
+        workspace_id: Optional explicit workspace ID.
+
+    Returns:
+        The resolved workspace ID.
+
+    Raises:
+        PyAirbyteSecretNotFoundError: If no workspace ID can be resolved.
+    """
+    if workspace_id is not None:
+        return workspace_id
+
+    header_value = get_workspace_id_from_headers()
+    if header_value:
+        return header_value
+
+    return resolve_cloud_workspace_id()
+
+
+def resolve_api_url(api_url: str | None = None) -> str:
+    """Resolve API URL from multiple sources.
+
+    Resolution order:
+    1. Explicit api_url parameter (if provided)
+    2. HTTP header X-Airbyte-Cloud-Api-Url
+    3. Environment variable / default (via PyAirbyte)
+
+    Args:
+        api_url: Optional explicit API URL.
+
+    Returns:
+        The resolved API URL.
+    """
+    if api_url is not None:
+        return api_url
+
+    header_value = get_api_url_from_headers()
+    if header_value:
+        return header_value
+
+    return resolve_cloud_api_url()

airbyte_ops_mcp/mcp/cloud_connector_versions.py

@@ -15,10 +15,6 @@ from typing import Annotated, Literal
 
 from airbyte import constants
 from airbyte.cloud import CloudWorkspace
-from airbyte.cloud.auth import (
-    resolve_cloud_client_id,
-    resolve_cloud_client_secret,
-)
 from airbyte.exceptions import PyAirbyteInputError
 from fastmcp import FastMCP
 from pydantic import Field
@@ -26,19 +22,26 @@ from pydantic import Field
 from airbyte_ops_mcp.cloud_admin import api_client
 from airbyte_ops_mcp.cloud_admin.auth import (
     CloudAuthError,
-    get_admin_user_email,
-    require_internal_admin,
+    require_internal_admin_flag_only,
 )
 from airbyte_ops_mcp.cloud_admin.models import (
     ConnectorVersionInfo,
     VersionOverrideOperationResult,
 )
+from airbyte_ops_mcp.mcp._http_headers import (
+    resolve_client_id,
+    resolve_client_secret,
+)
 from airbyte_ops_mcp.mcp._mcp_utils import mcp_tool, register_mcp_tools
 
 
 def _get_workspace(workspace_id: str) -> CloudWorkspace:
     """Get a CloudWorkspace instance for the specified workspace.
 
+    Credentials are resolved in priority order:
+    1. HTTP headers (X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret)
+    2. Environment variables (AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET)
+
     Args:
         workspace_id: The Airbyte Cloud workspace ID (required).
 
@@ -46,19 +49,21 @@ def _get_workspace(workspace_id: str) -> CloudWorkspace:
         CloudWorkspace instance configured for the specified workspace.
 
     Raises:
-        CloudAuthError: If required environment variables are not set.
+        CloudAuthError: If credentials cannot be resolved from headers or env vars.
     """
     try:
         return CloudWorkspace(
             workspace_id=workspace_id,
-            client_id=resolve_cloud_client_id(),
-            client_secret=resolve_cloud_client_secret(),
+            client_id=resolve_client_id(),
+            client_secret=resolve_client_secret(),
             api_root=constants.CLOUD_API_ROOT,  # Used for workspace operations
         )
     except Exception as e:
         raise CloudAuthError(
-            f"Failed to initialize CloudWorkspace. Ensure AIRBYTE_CLIENT_ID "
-            f"and AIRBYTE_CLIENT_SECRET are set. Error: {e}"
+            f"Failed to initialize CloudWorkspace. Ensure credentials are provided "
+            f"via HTTP headers (X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret) "
+            f"or environment variables (AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET). "
+            f"Error: {e}"
         ) from e
 
 
@@ -85,8 +90,9 @@ def get_cloud_connector_version(
     Returns version details including the current version string and whether
     an override (pin) is applied.
 
-    The `AIRBYTE_CLIENT_ID`, `AIRBYTE_CLIENT_SECRET`, and `AIRBYTE_API_ROOT`
-    environment variables will be used to authenticate with the Airbyte Cloud API.
+    Authentication credentials are resolved in priority order:
+    1. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
+    2. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
     """
     try:
         workspace = _get_workspace(workspace_id)
@@ -163,11 +169,47 @@ def set_cloud_connector_version_override(
             default=None,
         ),
     ],
+    admin_user_email: Annotated[
+        str | None,
+        Field(
+            description="Email of the admin user authorizing this operation. "
+            "Must be an @airbyte.io email address. Required for authorization.",
+            default=None,
+        ),
+    ],
+    issue_url: Annotated[
+        str | None,
+        Field(
+            description="URL to the GitHub issue providing context for this operation. "
+            "Must be a valid GitHub URL (https://github.com/...). Required for authorization.",
+            default=None,
+        ),
+    ],
+    approval_comment_url: Annotated[
+        str | None,
+        Field(
+            description="URL to a GitHub comment where the admin has explicitly "
+            "requested or authorized this deployment. Must be a valid GitHub comment URL. "
+            "Required for authorization.",
+            default=None,
+        ),
+    ],
+    ai_agent_session_url: Annotated[
+        str | None,
+        Field(
+            description="URL to the AI agent session driving this operation, if applicable. "
+            "Provides additional auditability for AI-driven operations.",
+            default=None,
+        ),
+    ],
 ) -> VersionOverrideOperationResult:
     """Set or clear a version override for a deployed connector.
 
-    **Admin-only operation** - Requires AIRBYTE_INTERNAL_ADMIN_FLAG=airbyte.io
-    and AIRBYTE_INTERNAL_ADMIN_USER environment variables.
+    **Admin-only operation** - Requires:
+    - AIRBYTE_INTERNAL_ADMIN_FLAG=airbyte.io environment variable
+    - admin_user_email parameter (must be @airbyte.io email)
+    - issue_url parameter (GitHub issue URL for context)
+    - approval_comment_url parameter (GitHub comment URL with approval)
 
     You must specify EXACTLY ONE of `version` OR `unset=True`, but not both.
     When setting a version, `override_reason` is required.
@@ -177,13 +219,13 @@ def set_cloud_connector_version_override(
     - Production versions: Require strong justification mentioning customer/support/investigation
     - Release candidates (-rc): Any admin can pin/unpin RC versions
 
-    The `AIRBYTE_CLIENT_ID`, `AIRBYTE_CLIENT_SECRET`, and `AIRBYTE_API_ROOT`
-    environment variables will be used to authenticate with the Airbyte Cloud API.
+    Authentication credentials are resolved in priority order:
+    1. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
+    2. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
     """
-    # Validate admin access
+    # Validate admin access (check env var flag)
     try:
-        require_internal_admin()
-        user_email = get_admin_user_email()
+        require_internal_admin_flag_only()
     except CloudAuthError as e:
         return VersionOverrideOperationResult(
             success=False,
@@ -192,6 +234,60 @@ def set_cloud_connector_version_override(
             connector_type=actor_type,
         )
 
+    # Validate new authorization parameters
+    validation_errors: list[str] = []
+
+    if not admin_user_email:
+        validation_errors.append("admin_user_email is required for authorization")
+    elif "@airbyte.io" not in admin_user_email:
+        validation_errors.append(
+            f"admin_user_email must be an @airbyte.io email address, got: {admin_user_email}"
+        )
+
+    if not issue_url:
+        validation_errors.append(
+            "issue_url is required for authorization (GitHub issue URL)"
+        )
+    elif not issue_url.startswith("https://github.com/"):
+        validation_errors.append(
+            f"issue_url must be a valid GitHub URL (https://github.com/...), got: {issue_url}"
+        )
+
+    if not approval_comment_url:
+        validation_errors.append(
+            "approval_comment_url is required for authorization (GitHub comment URL)"
+        )
+    elif not approval_comment_url.startswith("https://github.com/"):
+        validation_errors.append(
+            f"approval_comment_url must be a valid GitHub URL, got: {approval_comment_url}"
+        )
+    elif (
+        "#issuecomment-" not in approval_comment_url
+        and "#discussion_r" not in approval_comment_url
+    ):
+        validation_errors.append(
+            "approval_comment_url must be a GitHub comment URL "
+            "(containing #issuecomment- or #discussion_r)"
+        )
+
+    if validation_errors:
+        return VersionOverrideOperationResult(
+            success=False,
+            message="Authorization validation failed: " + "; ".join(validation_errors),
+            connector_id=actor_id,
+            connector_type=actor_type,
+        )
+
+    # Build enhanced override reason with audit fields (only for 'set' operations)
+    enhanced_override_reason = override_reason
+    if not unset and override_reason:
+        audit_parts = [override_reason]
+        audit_parts.append(f"Issue: {issue_url}")
+        audit_parts.append(f"Approval: {approval_comment_url}")
+        if ai_agent_session_url:
+            audit_parts.append(f"AI Session: {ai_agent_session_url}")
+        enhanced_override_reason = " | ".join(audit_parts)
+
     # Get workspace and current version info
     try:
         workspace = _get_workspace(workspace_id)
@@ -233,9 +329,9 @@ def set_cloud_connector_version_override(
             workspace_id=workspace_id,
             version=version,
             unset=unset,
-            override_reason=override_reason,
+            override_reason=enhanced_override_reason,
             override_reason_reference_url=override_reason_reference_url,
-            user_email=user_email,
+            user_email=admin_user_email,
         )
 
         # Get updated version info after the operation

airbyte_ops_mcp/mcp/github.py

@@ -7,7 +7,6 @@ Docker image availability, and other related operations.
 
 from __future__ import annotations
 
-import os
 import re
 from typing import Annotated
 
@@ -15,9 +14,9 @@ import requests
 from fastmcp import FastMCP
 from pydantic import BaseModel, Field
 
+from airbyte_ops_mcp.github_actions import GITHUB_API_BASE, resolve_github_token
 from airbyte_ops_mcp.mcp._mcp_utils import mcp_tool, register_mcp_tools
 
-GITHUB_API_BASE = "https://api.github.com"
 DOCKERHUB_API_BASE = "https://hub.docker.com/v2"
 
 
@@ -37,24 +36,6 @@ class WorkflowRunStatus(BaseModel):
     jobs_url: str
 
 
-def _get_github_token() -> str:
-    """Get GitHub token from environment.
-
-    Returns:
-        GitHub token string.
-
-    Raises:
-        ValueError: If GITHUB_TOKEN environment variable is not set.
-    """
-    token = os.getenv("GITHUB_TOKEN")
-    if not token:
-        raise ValueError(
-            "GITHUB_TOKEN environment variable is required. "
-            "Please set it to a GitHub personal access token."
-        )
-    return token
-
-
 def _parse_workflow_url(url: str) -> tuple[str, str, int]:
     """Parse a GitHub Actions workflow run URL into components.
 
@@ -162,7 +143,7 @@ def check_workflow_status(
         )
 
     # Guard: Check for required token
-    token = _get_github_token()
+    token = resolve_github_token()
 
     # Get workflow run details
     run_data = _get_workflow_run(owner, repo, run_id, token)