airbyte-internal-ops 0.3.0__py3-none-any.whl → 0.3.1__py3-none-any.whl

{airbyte_internal_ops-0.3.0.dist-info → airbyte_internal_ops-0.3.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: airbyte-internal-ops
-Version: 0.3.0
+Version: 0.3.1
 Summary: MCP and API interfaces that let the agents do the admin work
 Author-email: Aaron Steers <aj@airbyte.io>
 Keywords: admin,airbyte,api,mcp

{airbyte_internal_ops-0.3.0.dist-info → airbyte_internal_ops-0.3.1.dist-info}/RECORD

@@ -1,7 +1,7 @@
 airbyte_ops_mcp/__init__.py,sha256=tuzdlMkfnWBnsri5KGHM2M_xuNnzFk2u_aR79mmN7Yg,772
 airbyte_ops_mcp/_annotations.py,sha256=MO-SBDnbykxxHDESG7d8rviZZ4WlZgJKv0a8eBqcEzQ,1757
 airbyte_ops_mcp/constants.py,sha256=khcv9W3WkApIyPygEGgE2noBIqLomjoOMLxFBU1ArjA,5308
-airbyte_ops_mcp/gcp_auth.py,sha256=5k-k145ZoYhHLjyDES8nrA8f8BBihRI0ykrdD1IcfOs,3599
+airbyte_ops_mcp/gcp_auth.py,sha256=i0cm1_xX4fj_31iKlfARpNvTaSr85iGTSw9KMf4f4MU,7206
 airbyte_ops_mcp/github_actions.py,sha256=wKnuIVmF4u1gMYNdSoryD_PUmvMz5SaHgOvbU0dsolA,9957
 airbyte_ops_mcp/github_api.py,sha256=uupbYKAkm7yLHK_1cDXYKl1bOYhUygZhG5IHspS7duE,8104
 airbyte_ops_mcp/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -363,11 +363,11 @@ airbyte_ops_mcp/cloud_admin/auth.py,sha256=qE2Aqe0qbZB755KscL65s54Jz78-F-X5a8fXK
 airbyte_ops_mcp/cloud_admin/connection_config.py,sha256=9opGQer-cGMJANmm-LFLMwvMCNu3nzxa2n2XHkZj9Fw,4899
 airbyte_ops_mcp/cloud_admin/models.py,sha256=YZ3FbEW-tZa50khKTTl4Bzvy_LsGyyQd6qcpXo62jls,2670
 airbyte_ops_mcp/connection_config_retriever/__init__.py,sha256=Xoi-YvARrNPhECdpwEDDkdwEpnvj8zuUlwULpf4iRrU,800
-airbyte_ops_mcp/connection_config_retriever/audit_logging.py,sha256=GjT4dVa0TtvGDmiBz9qwzcYCnSf9hTo7UM6l7ubUNE8,2846
+airbyte_ops_mcp/connection_config_retriever/audit_logging.py,sha256=QdOG9984NXeMaKeJnFUZ4oCOmqi37PBRG2NRBBjrZQQ,2753
 airbyte_ops_mcp/connection_config_retriever/retrieval.py,sha256=s6yeCyrboWkUd6KdaheEo87x-rLtQNTL8XeR8O9z2HI,12160
 airbyte_ops_mcp/connection_config_retriever/secrets_resolution.py,sha256=12g0lZzhCzAPl4Iv4eMW6d76mvXjIBGspOnNhywzks4,3644
 airbyte_ops_mcp/gcp_logs/__init__.py,sha256=IqkxclXJnD1U4L2at7aC9GYqPXnuLdYLgmkm3ZiIu6s,409
-airbyte_ops_mcp/gcp_logs/error_lookup.py,sha256=wtC2pXwUuJQcVyonIcduDyGxk8kjJ8Dj-Vyq9AdnYh4,12763
+airbyte_ops_mcp/gcp_logs/error_lookup.py,sha256=Ufl1FtNQJKP_yWndVT1Xku1mT-gxW_0atmNMCYMXvOo,12757
 airbyte_ops_mcp/mcp/__init__.py,sha256=QqkNkxzdXlg-W03urBAQ3zmtOKFPf35rXgO9ceUjpng,334
 airbyte_ops_mcp/mcp/_guidance.py,sha256=48tQSnDnxqXtyGJxxgjz0ZiI814o_7Fj7f6R8jpQ7so,2375
 airbyte_ops_mcp/mcp/_http_headers.py,sha256=9TAH2RYhFR3z2JugW4Q3WrrqJIdaCzAbyA1GhtQ_EMM,7278
@@ -380,7 +380,7 @@ airbyte_ops_mcp/mcp/github.py,sha256=h3M3VJrq09y_F9ueQVCq3bUbVBNFuTNKprHtGU_ttio
 airbyte_ops_mcp/mcp/github_repo_ops.py,sha256=PiERpt8abo20Gz4CfXhrDNlVM4o4FOt5sweZJND2a0s,5314
 airbyte_ops_mcp/mcp/metadata.py,sha256=fwGW97WknR5lfKcQnFtK6dU87aA6TmLj1NkKyqDAV9g,270
 airbyte_ops_mcp/mcp/prerelease.py,sha256=nc6VU03ADVHWM3OjGKxbS5XqY4VoyRyrZNU_fyAtaOI,10465
-airbyte_ops_mcp/mcp/prod_db_queries.py,sha256=FfGoq3aEj6ZUT4ysBIs1w7LzzwBeRXTaRvPGEx62RzI,25474
+airbyte_ops_mcp/mcp/prod_db_queries.py,sha256=DPzyHCT3yxj2kjkucefoVpsR71vscuJQ8tGgLs_lhv0,32068
 airbyte_ops_mcp/mcp/prompts.py,sha256=mJld9mdPECXYZffWXGSvNs4Xevx3rxqUGNlzGKVC2_s,1599
 airbyte_ops_mcp/mcp/registry.py,sha256=PW-VYUj42qx2pQ_apUkVaoUFq7VgB9zEU7-aGrkSCCw,290
 airbyte_ops_mcp/mcp/regression_tests.py,sha256=S1h-5S5gcZA4WEtIZyAQ836hd04tjSRRqMiYMx0S93g,16079
@@ -389,8 +389,8 @@ airbyte_ops_mcp/mcp/server_info.py,sha256=Yi4B1auW64QZGBDas5mro_vwTjvrP785TFNSBP
 airbyte_ops_mcp/prod_db_access/__init__.py,sha256=5pxouMPY1beyWlB0UwPnbaLTKTHqU6X82rbbgKY2vYU,1069
 airbyte_ops_mcp/prod_db_access/db_engine.py,sha256=VUqEWZtharJUR-Cri_pMwtGh1C4Neu4s195mbEXlm-w,9190
 airbyte_ops_mcp/prod_db_access/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-airbyte_ops_mcp/prod_db_access/queries.py,sha256=BBPAQEfcing4G0Q9PEmI8C_9kN26sZc65ZGXd9WuFSw,14257
-airbyte_ops_mcp/prod_db_access/sql.py,sha256=hTbPY4r_rrtJ34B5eVpwyuBMLotyuP--UTv0vl3ZwBw,19432
+airbyte_ops_mcp/prod_db_access/queries.py,sha256=TNxTY5Hf3ImHBX0_e_20-VbF3yzYm2mX3ykWzQXgpno,17754
+airbyte_ops_mcp/prod_db_access/sql.py,sha256=xB7SJGnBSlY-ZB7ku_9QfvNIEldGEmCn-jJcAdes_LY,30407
 airbyte_ops_mcp/registry/__init__.py,sha256=iEaPlt9GrnlaLbc__98TguNeZG8wuQu7S-_2QkhHcbA,858
 airbyte_ops_mcp/registry/models.py,sha256=B4L4TKr52wo0xs0CqvCBrpowqjShzVnZ5eTr2-EyhNs,2346
 airbyte_ops_mcp/registry/publish.py,sha256=VoPxsM2_0zJ829orzCRN-kjgcJtuBNyXgW4I9J680ro,12717
@@ -399,7 +399,7 @@ airbyte_ops_mcp/regression_tests/cdk_secrets.py,sha256=iRjqqBS96KZoswfgT7ju-pE_p
 airbyte_ops_mcp/regression_tests/ci_output.py,sha256=rrvCVKKShc1iVPMuQJDBqSbsiAHIDpX8SA9j0Uwl_Cg,12718
 airbyte_ops_mcp/regression_tests/config.py,sha256=dwWeY0tatdbwl9BqbhZ7EljoZDCtKmGO5fvOAIxeXmA,5873
 airbyte_ops_mcp/regression_tests/connection_fetcher.py,sha256=5wIiA0VvCFNEc-fr6Po18gZMX3E5fyPOGf2SuVOqv5U,12799
-airbyte_ops_mcp/regression_tests/connection_secret_retriever.py,sha256=_qd_nBLx6Xc6yVQHht716sFELX8SgIE5q3R3R708tfw,4879
+airbyte_ops_mcp/regression_tests/connection_secret_retriever.py,sha256=FhWNVWq7sON4nwUmVJv8BgXBOqg1YV4b5WuWyCzZ0LU,4695
 airbyte_ops_mcp/regression_tests/connector_runner.py,sha256=bappfBSq8dn3IyVAMS_XuzYEwWus23hkDCHLa2RFysI,9920
 airbyte_ops_mcp/regression_tests/evaluation_modes.py,sha256=lAL6pEDmy_XCC7_m4_NXjt_f6Z8CXeAhMkc0FU8bm_M,1364
 airbyte_ops_mcp/regression_tests/http_metrics.py,sha256=oTD7f2MnQOvx4plOxHop2bInQ0-whvuToSsrC7TIM-M,12469
@@ -414,7 +414,7 @@ airbyte_ops_mcp/regression_tests/regression/comparators.py,sha256=MJkLZEKHivgrG0
 airbyte_ops_mcp/regression_tests/validation/__init__.py,sha256=MBEwGOoNuqT4_oCahtoK62OKWIjUCfWa7vZTxNj_0Ek,1532
 airbyte_ops_mcp/regression_tests/validation/catalog_validators.py,sha256=jqqVAMOk0mtdPgwu4d0hA0ZEjtsNh5gapvGydRv3_qk,12553
 airbyte_ops_mcp/regression_tests/validation/record_validators.py,sha256=RjauAhKWNwxMBTu0eNS2hMFNQVs5CLbQU51kp6FOVDk,7432
-airbyte_internal_ops-0.3.0.dist-info/METADATA,sha256=Gx40HXaZtFle9mxFDJQNYMGccjrZ3d0xirHsaWcg04s,5679
-airbyte_internal_ops-0.3.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-airbyte_internal_ops-0.3.0.dist-info/entry_points.txt,sha256=WxP0l7bRFss4Cr5uQqVj9mTEKwnRKouNuphXQF0lotA,171
-airbyte_internal_ops-0.3.0.dist-info/RECORD,,
+airbyte_internal_ops-0.3.1.dist-info/METADATA,sha256=kx1iQ0YE42LjpsFpjJD7SECaYMHEjo36VjvSVf3BwHk,5679
+airbyte_internal_ops-0.3.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+airbyte_internal_ops-0.3.1.dist-info/entry_points.txt,sha256=WxP0l7bRFss4Cr5uQqVj9mTEKwnRKouNuphXQF0lotA,171
+airbyte_internal_ops-0.3.1.dist-info/RECORD,,

airbyte_ops_mcp/connection_config_retriever/audit_logging.py

@@ -11,9 +11,8 @@ import logging
 import subprocess
 from typing import TYPE_CHECKING, Any, Callable
 
-from google.cloud import logging as gcloud_logging
-
 from airbyte_ops_mcp.constants import GCP_PROJECT_NAME
+from airbyte_ops_mcp.gcp_auth import get_logging_client
 
 if TYPE_CHECKING:
     from airbyte_ops_mcp.connection_config_retriever.retrieval import (
@@ -23,21 +22,18 @@ if TYPE_CHECKING:
 LOGGER = logging.getLogger(__name__)
 
 # Lazy-initialized to avoid import-time GCP calls
-_logging_client: gcloud_logging.Client | None = None
 _airbyte_gcloud_logger: Any = None
 
 
 def _get_logger() -> Any:
     """Get the GCP Cloud Logger, initializing lazily on first use."""
-    global _logging_client, _airbyte_gcloud_logger
+    global _airbyte_gcloud_logger
 
     if _airbyte_gcloud_logger is not None:
         return _airbyte_gcloud_logger
 
-    _logging_client = gcloud_logging.Client(project=GCP_PROJECT_NAME)
-    _airbyte_gcloud_logger = _logging_client.logger(
-        "airbyte-cloud-connection-retriever"
-    )
+    logging_client = get_logging_client(GCP_PROJECT_NAME)
+    _airbyte_gcloud_logger = logging_client.logger("airbyte-cloud-connection-retriever")
     return _airbyte_gcloud_logger
 
 

airbyte_ops_mcp/gcp_auth.py

@@ -6,94 +6,187 @@ the airbyte-ops-mcp codebase. It supports both standard Application Default
 Credentials (ADC) and the GCP_PROD_DB_ACCESS_CREDENTIALS environment variable
 used internally at Airbyte.
 
+The preferred approach is to pass credentials directly to GCP client constructors
+rather than relying on file-based ADC discovery. This module provides helpers
+that construct credentials from JSON content in environment variables.
+
 Usage:
-    from airbyte_ops_mcp.gcp_auth import get_secret_manager_client
+    from airbyte_ops_mcp.gcp_auth import get_gcp_credentials, get_secret_manager_client
+
+    # Get credentials object to pass to any GCP client
+    credentials = get_gcp_credentials()
+    client = logging.Client(project="my-project", credentials=credentials)
 
-    # Get a properly authenticated Secret Manager client
+    # Or use the convenience helper for Secret Manager
     client = get_secret_manager_client()
 """
 
 from __future__ import annotations
 
+import json
 import logging
 import os
-import tempfile
-from pathlib import Path
+import sys
+import threading
 
+import google.auth
+from google.cloud import logging as gcp_logging
 from google.cloud import secretmanager
+from google.oauth2 import service_account
 
 from airbyte_ops_mcp.constants import ENV_GCP_PROD_DB_ACCESS_CREDENTIALS
 
 logger = logging.getLogger(__name__)
 
-# Environment variable name (internal to GCP libraries)
-ENV_GOOGLE_APPLICATION_CREDENTIALS = "GOOGLE_APPLICATION_CREDENTIALS"
 
-# Module-level cache for the credentials file path
-_credentials_file_path: str | None = None
+def _get_identity_from_service_account_info(info: dict) -> str | None:
+    """Extract service account identity from parsed JSON info.
+
+    Only accesses the 'client_email' key to avoid any risk of leaking
+    other credential material.
 
+    Args:
+        info: Parsed service account JSON as a dict.
 
-def ensure_adc_credentials() -> str | None:
-    """Ensure GCP Application Default Credentials are available.
+    Returns:
+        The client_email if present and a string, otherwise None.
+    """
+    client_email = info.get("client_email")
+    if isinstance(client_email, str):
+        return client_email
+    return None
 
-    If GOOGLE_APPLICATION_CREDENTIALS is not set but GCP_PROD_DB_ACCESS_CREDENTIALS is,
-    write the JSON credentials to a temp file and set GOOGLE_APPLICATION_CREDENTIALS
-    to point to that file. This provides a fallback for internal employees who use
-    GCP_PROD_DB_ACCESS_CREDENTIALS as their standard credential source.
 
-    Note: GOOGLE_APPLICATION_CREDENTIALS must be a file path, not JSON content.
-    The GCP_PROD_DB_ACCESS_CREDENTIALS env var contains the JSON content directly,
-    so we write it to a temp file first.
+def _get_identity_from_credentials(
+    credentials: google.auth.credentials.Credentials,
+) -> str | None:
+    """Extract identity from a credentials object using safe attribute access.
 
-    This function is idempotent and safe to call multiple times.
+    Only accesses known-safe attributes that don't trigger network calls
+    or token refresh.
+
+    Args:
+        credentials: A GCP credentials object.
 
     Returns:
-        The path to the credentials file if one was created, or None if
-        GOOGLE_APPLICATION_CREDENTIALS was already set.
+        The service account email if available, otherwise None.
     """
-    global _credentials_file_path
+    # Try service_account_email first (most common for service accounts)
+    identity = getattr(credentials, "service_account_email", None)
+    if isinstance(identity, str):
+        return identity
+
+    # Try signer_email as fallback (sometimes present on impersonated creds)
+    identity = getattr(credentials, "signer_email", None)
+    if isinstance(identity, str):
+        return identity
+
+    return None
+
 
-    # If GOOGLE_APPLICATION_CREDENTIALS is already set, nothing to do
-    if ENV_GOOGLE_APPLICATION_CREDENTIALS in os.environ:
-        return None
+# Default scopes for GCP services used by this module
+DEFAULT_GCP_SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]
 
-    # Check if we have the fallback credentials
-    gsm_creds = os.getenv(ENV_GCP_PROD_DB_ACCESS_CREDENTIALS)
-    if not gsm_creds:
-        return None
+# Module-level cache for credentials (thread-safe)
+_cached_credentials: google.auth.credentials.Credentials | None = None
+_credentials_lock = threading.Lock()
 
-    # Reuse the same file path if we've already written credentials and file still exists
-    if _credentials_file_path is not None and Path(_credentials_file_path).exists():
-        os.environ[ENV_GOOGLE_APPLICATION_CREDENTIALS] = _credentials_file_path
-        return _credentials_file_path
 
-    # Write credentials to a temp file
-    # Use a unique filename based on PID to avoid collisions between processes
-    creds_file = Path(tempfile.gettempdir()) / f"gcp_prod_db_creds_{os.getpid()}.json"
-    creds_file.write_text(gsm_creds)
+def get_gcp_credentials() -> google.auth.credentials.Credentials:
+    """Get GCP credentials, preferring direct JSON parsing over file-based ADC.
 
-    # Set restrictive permissions (owner read/write only)
-    creds_file.chmod(0o600)
+    This function resolves credentials in the following order:
+    1. GCP_PROD_DB_ACCESS_CREDENTIALS env var (JSON content) - parsed directly
+    2. Standard ADC discovery (workload identity, gcloud auth, GOOGLE_APPLICATION_CREDENTIALS)
 
-    _credentials_file_path = str(creds_file)
-    os.environ[ENV_GOOGLE_APPLICATION_CREDENTIALS] = _credentials_file_path
+    The credentials are cached after first resolution for efficiency.
+    Uses the cloud-platform scope which provides access to all GCP services.
 
-    logger.debug(
-        f"Wrote {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS} to {creds_file} and set "
-        f"{ENV_GOOGLE_APPLICATION_CREDENTIALS}"
-    )
+    Returns:
+        A Credentials object that can be passed to any GCP client constructor.
 
-    return _credentials_file_path
+    Raises:
+        google.auth.exceptions.DefaultCredentialsError: If no credentials can be found.
+    """
+    global _cached_credentials
+
+    # Return cached credentials if available (fast path without lock)
+    if _cached_credentials is not None:
+        return _cached_credentials
+
+    # Acquire lock for thread-safe credential initialization
+    with _credentials_lock:
+        # Double-check after acquiring lock (another thread may have initialized)
+        if _cached_credentials is not None:
+            return _cached_credentials
+
+        # Try GCP_PROD_DB_ACCESS_CREDENTIALS first (JSON content in env var)
+        creds_json = os.getenv(ENV_GCP_PROD_DB_ACCESS_CREDENTIALS)
+        if creds_json:
+            try:
+                creds_dict = json.loads(creds_json)
+                credentials = service_account.Credentials.from_service_account_info(
+                    creds_dict,
+                    scopes=DEFAULT_GCP_SCOPES,
+                )
+                # Extract identity safely (only after successful credential creation)
+                identity = _get_identity_from_service_account_info(creds_dict)
+                identity_str = f" (identity: {identity})" if identity else ""
+                print(
+                    f"GCP credentials loaded from {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS}{identity_str}",
+                    file=sys.stderr,
+                )
+                logger.debug(
+                    f"Loaded GCP credentials from {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS} env var"
+                )
+                _cached_credentials = credentials
+                return credentials
+            except (json.JSONDecodeError, ValueError) as e:
+                # Log only exception type to avoid any risk of leaking credential content
+                logger.warning(
+                    f"Failed to parse {ENV_GCP_PROD_DB_ACCESS_CREDENTIALS}: "
+                    f"{type(e).__name__}. Falling back to ADC discovery."
+                )
+
+        # Fall back to standard ADC discovery
+        credentials, project = google.auth.default(scopes=DEFAULT_GCP_SCOPES)
+        # Extract identity safely from ADC credentials
+        identity = _get_identity_from_credentials(credentials)
+        identity_str = f" (identity: {identity})" if identity else ""
+        project_str = f" (project: {project})" if project else ""
+        print(
+            f"GCP credentials loaded via ADC{project_str}{identity_str}",
+            file=sys.stderr,
+        )
+        logger.debug(f"Loaded GCP credentials via ADC discovery (project: {project})")
+        _cached_credentials = credentials
+        return credentials
 
 
 def get_secret_manager_client() -> secretmanager.SecretManagerServiceClient:
     """Get a Secret Manager client with proper credential handling.
 
-    This function ensures GCP credentials are available (supporting the
-    GCP_PROD_DB_ACCESS_CREDENTIALS fallback) before creating the client.
+    This function uses get_gcp_credentials() to resolve credentials and passes
+    them directly to the client constructor.
 
     Returns:
         A configured SecretManagerServiceClient instance.
     """
-    ensure_adc_credentials()
-    return secretmanager.SecretManagerServiceClient()
+    credentials = get_gcp_credentials()
+    return secretmanager.SecretManagerServiceClient(credentials=credentials)
+
+
+def get_logging_client(project: str) -> gcp_logging.Client:
+    """Get a Cloud Logging client with proper credential handling.
+
+    This function uses get_gcp_credentials() to resolve credentials and passes
+    them directly to the client constructor.
+
+    Args:
+        project: The GCP project ID to use for logging operations.
+
+    Returns:
+        A configured Cloud Logging Client instance.
+    """
+    credentials = get_gcp_credentials()
+    return gcp_logging.Client(project=project, credentials=credentials)

airbyte_ops_mcp/gcp_logs/error_lookup.py

@@ -24,10 +24,12 @@ from datetime import UTC, datetime, timedelta
 from enum import StrEnum
 from typing import Any
 
-from google.cloud import logging
+from google.cloud import logging as gcp_logging
 from google.cloud.logging_v2 import entries
 from pydantic import BaseModel, Field
 
+from airbyte_ops_mcp.gcp_auth import get_logging_client
+
 # Default GCP project for Airbyte Cloud
 DEFAULT_GCP_PROJECT = "prod-ab-cloud-proj"
 
@@ -291,14 +293,13 @@ def fetch_error_logs(
     specified error ID, then fetches related log entries (multi-line stack traces)
     from the same timestamp and resource.
     """
-    client_options = {"quota_project_id": project}
-    client = logging.Client(project=project, client_options=client_options)
+    client = get_logging_client(project)
 
     filter_str = _build_filter(error_id, lookback_days, min_severity_filter)
 
     entries_iterator = client.list_entries(
         filter_=filter_str,
-        order_by=logging.DESCENDING,
+        order_by=gcp_logging.DESCENDING,
     )
 
     initial_matches = list(entries_iterator)
@@ -356,7 +357,7 @@ def fetch_error_logs(
 
         related_entries = client.list_entries(
             filter_=related_filter,
-            order_by=logging.ASCENDING,
+            order_by=gcp_logging.ASCENDING,
         )
 
         for entry in related_entries:

airbyte_ops_mcp/mcp/prod_db_queries.py

@@ -8,6 +8,7 @@ airbyte_ops_mcp.prod_db_access.queries for use by AI agents.
 from __future__ import annotations
 
 from datetime import datetime
+from enum import StrEnum
 from typing import Annotated, Any
 
 import requests
@@ -25,11 +26,21 @@ from airbyte_ops_mcp.prod_db_access.queries import (
     query_dataplanes_list,
     query_failed_sync_attempts_for_connector,
     query_new_connector_releases,
-    query_sync_results_for_version,
+    query_recent_syncs_for_connector,
+    query_syncs_for_version_pinned_connector,
     query_workspace_info,
     query_workspaces_by_email_domain,
 )
 
+
+class StatusFilter(StrEnum):
+    """Filter for job status in sync queries."""
+
+    ALL = "all"
+    SUCCEEDED = "succeeded"
+    FAILED = "failed"
+
+
 # Cloud UI base URL for building connection URLs
 CLOUD_UI_BASE_URL = "https://cloud.airbyte.com"
 
@@ -293,7 +304,7 @@ def query_prod_actors_by_connector_version(
     read_only=True,
     idempotent=True,
 )
-def query_prod_connector_version_sync_results(
+def query_prod_recent_syncs_for_version_pinned_connector(
     connector_version_id: Annotated[
         str,
         Field(description="Connector version UUID to find sync results for"),
@@ -314,11 +325,16 @@ def query_prod_connector_version_sync_results(
         ),
     ] = False,
 ) -> list[dict[str, Any]]:
-    """List sync job results for actors pinned to a specific connector version.
+    """List sync job results for actors PINNED to a specific connector version.
 
-    Returns sync job results for connections using actors that are pinned
-    to the specified version. Useful for monitoring rollout health and
-    identifying issues with specific connector versions.
+    IMPORTANT: This tool ONLY returns results for actors that have been explicitly
+    pinned to the specified version via scoped_configuration. Most connections run
+    unpinned and will NOT appear in these results.
+
+    Use this tool when you want to monitor rollout health for actors that have been
+    explicitly pinned to a pre-release or specific version. For finding healthy
+    connections across ALL actors using a connector type (regardless of pinning),
+    use query_prod_recent_syncs_for_connector instead.
 
     The actor_id field is the actor ID (superset of source_id/destination_id).
 
@@ -327,7 +343,7 @@ def query_prod_connector_version_sync_results(
     pin_origin_type, pin_origin, workspace_id, workspace_name, organization_id,
     dataplane_group_id, dataplane_name
     """
-    return query_sync_results_for_version(
+    return query_syncs_for_version_pinned_connector(
         connector_version_id,
         days=days,
         limit=limit,
@@ -335,6 +351,163 @@ def query_prod_connector_version_sync_results(
     )
 
 
+@mcp_tool(
+    read_only=True,
+    idempotent=True,
+    open_world=True,
+)
+def query_prod_recent_syncs_for_connector(
+    source_definition_id: Annotated[
+        str | None,
+        Field(
+            description=(
+                "Source connector definition ID (UUID) to search for. "
+                "Provide this OR source_canonical_name OR destination_definition_id "
+                "OR destination_canonical_name (exactly one required). "
+                "Example: 'afa734e4-3571-11ec-991a-1e0031268139' for YouTube Analytics."
+            ),
+            default=None,
+        ),
+    ],
+    source_canonical_name: Annotated[
+        str | None,
+        Field(
+            description=(
+                "Canonical source connector name to search for. "
+                "Provide this OR source_definition_id OR destination_definition_id "
+                "OR destination_canonical_name (exactly one required). "
+                "Examples: 'source-youtube-analytics', 'YouTube Analytics'."
+            ),
+            default=None,
+        ),
+    ],
+    destination_definition_id: Annotated[
+        str | None,
+        Field(
+            description=(
+                "Destination connector definition ID (UUID) to search for. "
+                "Provide this OR destination_canonical_name OR source_definition_id "
+                "OR source_canonical_name (exactly one required). "
+                "Example: '94bd199c-2ff0-4aa2-b98e-17f0acb72610' for DuckDB."
+            ),
+            default=None,
+        ),
+    ],
+    destination_canonical_name: Annotated[
+        str | None,
+        Field(
+            description=(
+                "Canonical destination connector name to search for. "
+                "Provide this OR destination_definition_id OR source_definition_id "
+                "OR source_canonical_name (exactly one required). "
+                "Examples: 'destination-duckdb', 'DuckDB'."
+            ),
+            default=None,
+        ),
+    ],
+    status_filter: Annotated[
+        StatusFilter,
+        Field(
+            description=(
+                "Filter by job status: 'all' (default), 'succeeded', or 'failed'. "
+                "Use 'succeeded' to find healthy connections with recent successful syncs. "
+                "Use 'failed' to find connections with recent failures."
+            ),
+            default=StatusFilter.ALL,
+        ),
+    ],
+    organization_id: Annotated[
+        str | OrganizationAliasEnum | None,
+        Field(
+            description=(
+                "Optional organization ID (UUID) or alias to filter results. "
+                "If provided, only syncs from this organization will be returned. "
+                "Accepts '@airbyte-internal' as an alias for the Airbyte internal org."
+            ),
+            default=None,
+        ),
+    ],
+    lookback_days: Annotated[
+        int,
+        Field(description="Number of days to look back (default: 7)", default=7),
+    ],
+    limit: Annotated[
+        int,
+        Field(description="Maximum number of results (default: 100)", default=100),
+    ],
+) -> list[dict[str, Any]]:
+    """List recent sync jobs for ALL actors using a connector type.
+
+    This tool finds all actors with the given connector definition and returns their
+    recent sync jobs, regardless of whether they have explicit version pins. It filters
+    out deleted actors, deleted workspaces, and deprecated connections.
+
+    Use this tool to:
+    - Find healthy connections with recent successful syncs (status_filter='succeeded')
+    - Investigate connector issues across all users (status_filter='failed')
+    - Get an overview of all recent sync activity (status_filter='all')
+
+    Supports both SOURCE and DESTINATION connectors. Provide exactly one of:
+    source_definition_id, source_canonical_name, destination_definition_id,
+    or destination_canonical_name.
+
+    Key fields in results:
+    - job_status: 'succeeded', 'failed', 'cancelled', etc.
+    - connection_id, connection_name: The connection that ran the sync
+    - actor_id, actor_name: The source or destination actor
+    - pin_origin_type, pin_origin, pinned_version_id: Version pin context (NULL if not pinned)
+    """
+    # Validate that exactly one connector parameter is provided
+    provided_params = [
+        source_definition_id,
+        source_canonical_name,
+        destination_definition_id,
+        destination_canonical_name,
+    ]
+    num_provided = sum(p is not None for p in provided_params)
+    if num_provided != 1:
+        raise PyAirbyteInputError(
+            message=(
+                "Exactly one of source_definition_id, source_canonical_name, "
+                "destination_definition_id, or destination_canonical_name must be provided."
+            ),
+        )
+
+    # Determine if this is a destination connector
+    is_destination = (
+        destination_definition_id is not None or destination_canonical_name is not None
+    )
+
+    # Resolve canonical name to definition ID if needed
+    resolved_definition_id: str
+    if source_canonical_name:
+        resolved_definition_id = _resolve_canonical_name_to_definition_id(
+            canonical_name=source_canonical_name,
+        )
+    elif destination_canonical_name:
+        resolved_definition_id = _resolve_canonical_name_to_definition_id(
+            canonical_name=destination_canonical_name,
+        )
+    elif source_definition_id:
+        resolved_definition_id = source_definition_id
+    else:
+        # We've validated exactly one param is provided, so this must be set
+        assert destination_definition_id is not None
+        resolved_definition_id = destination_definition_id
+
+    # Resolve organization ID alias
+    resolved_organization_id = OrganizationAliasEnum.resolve(organization_id)
+
+    return query_recent_syncs_for_connector(
+        connector_definition_id=resolved_definition_id,
+        is_destination=is_destination,
+        status_filter=status_filter,
+        organization_id=resolved_organization_id,
+        days=lookback_days,
+        limit=limit,
+    )
+
+
 @mcp_tool(
     read_only=True,
     idempotent=True,

airbyte_ops_mcp/prod_db_access/queries.py

@@ -29,6 +29,12 @@ from airbyte_ops_mcp.prod_db_access.sql import (
     SELECT_FAILED_SYNC_ATTEMPTS_FOR_CONNECTOR,
     SELECT_NEW_CONNECTOR_RELEASES,
     SELECT_ORG_WORKSPACES,
+    SELECT_RECENT_FAILED_SYNCS_FOR_DESTINATION_CONNECTOR,
+    SELECT_RECENT_FAILED_SYNCS_FOR_SOURCE_CONNECTOR,
+    SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_DESTINATION_CONNECTOR,
+    SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_SOURCE_CONNECTOR,
+    SELECT_RECENT_SYNCS_FOR_DESTINATION_CONNECTOR,
+    SELECT_RECENT_SYNCS_FOR_SOURCE_CONNECTOR,
     SELECT_SUCCESSFUL_SYNCS_FOR_VERSION,
     SELECT_SYNC_RESULTS_FOR_VERSION,
     SELECT_WORKSPACE_INFO,
@@ -227,7 +233,7 @@ def query_actors_pinned_to_version(
     )
 
 
-def query_sync_results_for_version(
+def query_syncs_for_version_pinned_connector(
     connector_version_id: str,
     days: int = 7,
     limit: int = 100,
@@ -320,6 +326,81 @@ def query_failed_sync_attempts_for_connector(
     return results
 
 
+def query_recent_syncs_for_connector(
+    connector_definition_id: str,
+    is_destination: bool = False,
+    status_filter: str = "all",
+    organization_id: str | None = None,
+    days: int = 7,
+    limit: int = 100,
+    *,
+    gsm_client: secretmanager.SecretManagerServiceClient | None = None,
+) -> list[dict[str, Any]]:
+    """Query recent sync jobs for ALL actors using a connector definition.
+
+    Finds all actors with the given actor_definition_id and returns their sync jobs,
+    regardless of whether they have explicit version pins. Filters out deleted actors,
+    deleted workspaces, and deprecated connections.
+
+    This is useful for finding healthy connections with recent successful syncs,
+    or for investigating connector issues across all users.
+
+    Args:
+        connector_definition_id: Connector definition UUID to filter by
+        is_destination: If True, query destination connectors; if False, query sources
+        status_filter: Filter by job status - "all", "succeeded", or "failed"
+        organization_id: Optional organization UUID to filter results by (post-query filter)
+        days: Number of days to look back (default: 7)
+        limit: Maximum number of results (default: 100)
+        gsm_client: GCP Secret Manager client. If None, a new client will be instantiated.
+
+    Returns:
+        List of sync job records with workspace info and optional pin context
+    """
+    cutoff_date = datetime.now(timezone.utc) - timedelta(days=days)
+
+    # Select the appropriate query based on connector type and status filter
+    if is_destination:
+        if status_filter == "succeeded":
+            query = SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_DESTINATION_CONNECTOR
+            query_name = "SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_DESTINATION_CONNECTOR"
+        elif status_filter == "failed":
+            query = SELECT_RECENT_FAILED_SYNCS_FOR_DESTINATION_CONNECTOR
+            query_name = "SELECT_RECENT_FAILED_SYNCS_FOR_DESTINATION_CONNECTOR"
+        else:
+            query = SELECT_RECENT_SYNCS_FOR_DESTINATION_CONNECTOR
+            query_name = "SELECT_RECENT_SYNCS_FOR_DESTINATION_CONNECTOR"
+    else:
+        if status_filter == "succeeded":
+            query = SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_SOURCE_CONNECTOR
+            query_name = "SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_SOURCE_CONNECTOR"
+        elif status_filter == "failed":
+            query = SELECT_RECENT_FAILED_SYNCS_FOR_SOURCE_CONNECTOR
+            query_name = "SELECT_RECENT_FAILED_SYNCS_FOR_SOURCE_CONNECTOR"
+        else:
+            query = SELECT_RECENT_SYNCS_FOR_SOURCE_CONNECTOR
+            query_name = "SELECT_RECENT_SYNCS_FOR_SOURCE_CONNECTOR"
+
+    results = _run_sql_query(
+        query,
+        parameters={
+            "connector_definition_id": connector_definition_id,
+            "cutoff_date": cutoff_date,
+            "limit": limit,
+        },
+        query_name=query_name,
+        gsm_client=gsm_client,
+    )
+
+    # Post-query filter by organization_id if provided
+    if organization_id is not None:
+        results = [
+            r for r in results if str(r.get("organization_id")) == organization_id
+        ]
+
+    return results
+
+
 def query_dataplanes_list(
     *,
     gsm_client: secretmanager.SecretManagerServiceClient | None = None,

airbyte_ops_mcp/prod_db_access/sql.py

@@ -360,6 +360,305 @@ SELECT_SUCCESSFUL_SYNCS_FOR_VERSION = sqlalchemy.text(
     """
 )
 
+# Get recent sync results for ALL actors using a SOURCE connector definition.
+# Finds all actors with the given actor_definition_id and returns their sync attempts,
+# regardless of whether they have explicit version pins.
+# Query starts from jobs table to leverage indexed columns.
+# The LEFT JOIN to scoped_configuration provides pin context when available (pin_origin_type,
+# pin_origin, pinned_version_id will be NULL for unpinned actors).
+# Status filtering ('all', 'succeeded', 'failed') is handled at the application layer by
+# selecting among different SQL query constants; this query returns all statuses.
+SELECT_RECENT_SYNCS_FOR_SOURCE_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.source_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
+# Same as above but filtered to only successful syncs
+SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_SOURCE_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.source_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.status = 'succeeded'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
+# Same as above but filtered to only failed syncs
+SELECT_RECENT_FAILED_SYNCS_FOR_SOURCE_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.source_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.status = 'failed'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
+# Get recent sync results for ALL actors using a DESTINATION connector definition.
+SELECT_RECENT_SYNCS_FOR_DESTINATION_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.destination_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
+# Same as above but filtered to only successful syncs
+SELECT_RECENT_SUCCESSFUL_SYNCS_FOR_DESTINATION_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.destination_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.status = 'succeeded'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
+# Same as above but filtered to only failed syncs
+SELECT_RECENT_FAILED_SYNCS_FOR_DESTINATION_CONNECTOR = sqlalchemy.text(
+    """
+    SELECT
+         jobs.id AS job_id,
+         jobs.scope AS connection_id,
+         jobs.status AS job_status,
+         jobs.started_at AS job_started_at,
+         jobs.updated_at AS job_updated_at,
+         connection.name AS connection_name,
+         actor.id AS actor_id,
+         actor.name AS actor_name,
+         actor.actor_definition_id,
+         actor.tombstone AS actor_tombstone,
+         workspace.id AS workspace_id,
+         workspace.name AS workspace_name,
+         workspace.organization_id,
+         workspace.dataplane_group_id,
+         dataplane_group.name AS dataplane_name,
+         scoped_configuration.origin_type AS pin_origin_type,
+         scoped_configuration.origin AS pin_origin,
+         scoped_configuration.value AS pinned_version_id
+    FROM jobs
+    JOIN connection
+      ON jobs.scope = connection.id::text
+     AND connection.status != 'deprecated'
+    JOIN actor
+      ON connection.destination_id = actor.id
+     AND actor.actor_definition_id = :connector_definition_id
+     AND actor.tombstone = false
+    JOIN workspace
+      ON actor.workspace_id = workspace.id
+     AND workspace.tombstone = false
+    LEFT JOIN dataplane_group
+      ON workspace.dataplane_group_id = dataplane_group.id
+    LEFT JOIN scoped_configuration
+      ON scoped_configuration.scope_id = actor.id
+     AND scoped_configuration.key = 'connector_version'
+     AND scoped_configuration.scope_type = 'actor'
+    WHERE
+         jobs.config_type = 'sync'
+     AND jobs.status = 'failed'
+     AND jobs.updated_at >= :cutoff_date
+    ORDER BY
+         jobs.updated_at DESC
+    LIMIT :limit
+    """
+)
+
 # Get failed attempt results for ALL actors using a connector definition.
 # Finds all actors with the given actor_definition_id and returns their failed sync attempts,
 # regardless of whether they have explicit version pins.

airbyte_ops_mcp/regression_tests/connection_secret_retriever.py

@@ -39,7 +39,6 @@ from airbyte_ops_mcp.connection_config_retriever import (
     ConnectionObject,
     retrieve_objects,
 )
-from airbyte_ops_mcp.gcp_auth import ensure_adc_credentials
 
 if TYPE_CHECKING:
     from airbyte_ops_mcp.regression_tests.connection_fetcher import ConnectionData
@@ -85,9 +84,6 @@ def retrieve_unmasked_config(
     Returns:
         The unmasked source config dict, or None if retrieval fails.
     """
-    # Ensure GCP credentials are available (supports GCP_PROD_DB_ACCESS_CREDENTIALS fallback)
-    ensure_adc_credentials()
-
     # Only request the source config - that's all we need for secrets
     requested_objects = [ConnectionObject.SOURCE_CONFIG]