fix(runner): wire CP-fetched OIDC token into get_bot_token() for backend API calls #1217

Merged
markturansky merged 2 commits into alpha from fix/runner-cp-token-bot-token
Apr 5, 2026

@markturansky markturansky commented Apr 5, 2026

Summary

  • After fetching from the CP token endpoint, _fetch_token_from_cp() now calls set_bot_token(token) to store the OIDC token in a module-level cache in utils.py
  • get_bot_token() checks that cache first, so auth.py credential fetches to the backend API use the OIDC token instead of an empty string
  • Adds a regression test that verifies get_bot_token() is empty before a CP fetch and returns the token after — confirmed to fail without the fix

Root cause

The CP-fetched OIDC token was stored only in AmbientGRPCClient._token (gRPC channel auth). auth.py's get_bot_token() had no access to it, so credential token fetches went out unauthenticated → HTTP 401 on every session run.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added caching for bot tokens fetched from the control plane for improved performance.
    • Updated token sourcing priority to prefer control-plane tokens over other sources.
  • Tests

    • Added integration tests for token fetching and caching mechanisms.

Ambient Code Bot and others added 2 commits April 5, 2026 13:34
…end API credential calls

After fetching from the CP token endpoint, store the token via set_bot_token()
in utils.py so that get_bot_token() returns it. This ensures auth.py uses the
OIDC token (not an empty string) when fetching per-credential tokens from the
backend API, fixing HTTP 401 on credential refresh.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…hed token

Verifies that get_bot_token() returns empty before any CP fetch and returns
the OIDC token after a successful fetch — the exact condition that caused
HTTP 401 on backend API credential calls when set_bot_token() was missing.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

coderabbitai bot commented Apr 5, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b0ed2b8 and 1d2faab.

📒 Files selected for processing (3)
  • components/runners/ambient-runner/ambient_runner/_grpc_client.py
  • components/runners/ambient-runner/ambient_runner/platform/utils.py
  • components/runners/ambient-runner/tests/test_grpc_client.py

Walkthrough

Introduces a token caching mechanism where tokens fetched from CP are stored in-process and prioritized during token resolution. The gRPC client calls set_bot_token() after successful CP token fetch, and get_bot_token() now checks the cache first before falling back to file mount and environment variable.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Token Cache Infrastructure | ambient_runner/platform/utils.py | Added in-process token cache (_cp_fetched_token) and public set_bot_token() setter. Updated get_bot_token() to prioritize cached CP token over file mount and environment variable. |
| Token Fetch Integration | ambient_runner/_grpc_client.py | Integrated token caching by calling set_bot_token() after successful CP token fetch in _fetch_token_from_cp(). |
| Integration Tests | tests/test_grpc_client.py | Added TestSetBotTokenIntegration class with tests verifying end-to-end token caching between CP fetch and get_bot_token() retrieval. |

Sequence Diagram(s)

sequenceDiagram
    participant Client as gRPC Client
    participant CP as Control Plane
    participant Utils as Token Utils
    participant Cache as Token Cache

    Client->>CP: Fetch token from /token endpoint
    CP-->>Client: Return token response
    Client->>Utils: Call set_bot_token(token)
    Utils->>Cache: Store token in _cp_fetched_token
    Client->>Utils: Call get_bot_token()
    Utils->>Cache: Check cached CP token
    Cache-->>Utils: Return cached token
    Utils-->>Client: Return prioritized token
🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | Title follows Conventional Commits format with 'fix' type and 'runner' scope, and clearly describes the main change: wiring CP-fetched OIDC token into get_bot_token(). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Performance And Algorithmic Complexity | ✅ Passed | Cache implementation introduces no performance regressions; set_bot_token() called once at startup, get_bot_token() performs O(1) lookups with short-circuit evaluation, never called inside loops. |
| Security And Secret Handling | ✅ Passed | Token handling uses secure in-process caching without plaintext logging, hardcoding, or insecure storage of secrets. |
| Kubernetes Resource Safety | ✅ Passed | Pull request modifies only Python application code in token fetching and authentication utilities; no Kubernetes resource definitions present. |


@markturansky markturansky merged commit 06f7626 into alpha Apr 5, 2026
44 checks passed
@markturansky markturansky deleted the fix/runner-cp-token-bot-token branch April 5, 2026 17:42
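
An added sketch, not the project's code, of the resolution order this PR describes: `get_bot_token()` prefers the cached CP token, then a file mount, then an environment variable. The mount path, the variable name, the lock and the `exp` check that skips an expired cached token are assumptions that go beyond what the page shows.

```python
import base64
import json
import os
import threading
import time
from pathlib import Path

# Hypothetical locations: the page names neither the mount path nor the variable.
TOKEN_FILE = Path("/run/secrets/example-bot-token")
TOKEN_ENV = "EXAMPLE_BOT_TOKEN"

_lock = threading.Lock()
_cp_fetched_token = ""  # in-process cache, named as in the PR walkthrough


def _jwt_expired(token, now=None, skew=30):
    """True if the token has an `exp` claim that has passed (no signature check)."""
    try:
        payload = token.split(".")[1]
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        return float(json.loads(raw)["exp"]) <= (now or time.time()) + skew
    except (IndexError, KeyError, TypeError, ValueError):
        return False  # opaque or exp-less token: cannot judge, treat as usable


def set_bot_token(token):
    """Called by the fetch path after a successful CP token response."""
    global _cp_fetched_token
    with _lock:
        _cp_fetched_token = token or ""


def get_bot_token(now=None):
    """Resolve in the order the PR describes: cache, file mount, environment."""
    with _lock:
        cached = _cp_fetched_token
    if cached and not _jwt_expired(cached, now):
        return cached  # assumption: an expired cached token must not shadow fallbacks
    try:
        from_file = TOKEN_FILE.read_text().strip()
    except OSError:
        from_file = ""
    return from_file or os.environ.get(TOKEN_ENV, "").strip()


def make_constructed_jwt(exp):
    """Unsigned sample token for the demo (constructed, not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'runner', 'exp': exp})}.sig"
```

With nothing cached and no fallback present, `get_bot_token()` returns an empty string, which is the state the PR's root-cause section ties to the HTTP 401 responses.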