fix: MCP-first Jira auth and diagnose Ambient env var accessibility #104
Merged: bobbravo2 merged 15 commits into ambient-code:main from angaduom:fix-jira-auth-detection on Apr 10, 2026

Changes from 1 commit. Commits (15):
d238e1a fix: MCP-first Jira auth + diagnose Ambient env var accessibility (vmrh21)
16eaf6c feat: add --automerge flag to cve.fix (vmrh21)
effc57b feat: add post-fix CVE re-scan to verify fix actually works (Step 10.5) (vmrh21)
9f94c2f fix: check for Dependabot/Renovate PRs when detecting existing fixes (vmrh21)
5e46a41 fix: make Step 10.5 CRITICAL and use binary scan for Go CVE verification (vmrh21)
4cdb7b5 fix: enforce all steps are mandatory, mark Step 4.5 as CRITICAL (vmrh21)
5d0e621 fix: sync fork branches with upstream before creating fix branch (vmrh21)
ca57c02 feat: add /onboard command for self-service component onboarding (vmrh21)
c5a3928 fix: don't stop on bash env var check, always attempt Jira API call (vmrh21)
6158357 fix: use targeted ToolSearch to find mcp-atlassian Jira tool (vmrh21)
4d5269b fix: read available-deferred-tools list directly, skip keyword ToolSe… (vmrh21)
bf9ca46 fix: always use select: syntax for Jira MCP, never generic keyword se… (vmrh21)
7a88384 docs: add /onboard to README and startup prompt (vmrh21)
1b8f24f fix: address all CodeRabbit comments on PR 104 (vmrh21)
af906eb fix: apply base64 | tr -d newline fix to all auth lines (matches PR 106) (vmrh21)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -54,13 +54,45 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md | |
|
|
||
| 2. **Verify Jira Access** | ||
|
|
||
| Secrets may be injected by the Ambient session, a secrets manager, or an MCP server — do NOT rely solely on bash env var checks. Instead, attempt a lightweight test API call and let the response determine whether credentials are available. | ||
| **ALWAYS check for a Jira MCP server first** before attempting any curl/env var approach. | ||
|
|
||
| **2.1: Check for Jira MCP server (do this first, every time)** | ||
|
|
||
| Look at the available tools in the current session. If any tool matching `mcp__jira*`, | ||
| `mcp__atlassian*`, or any Jira-related MCP tool is present: | ||
| - Use the MCP tool directly for all Jira queries in Step 3 | ||
| - Skip the curl/auth setup entirely | ||
| - Print: "✅ Using Jira MCP server — no credentials required" | ||
|
|
||
| **Do NOT assume MCP is unavailable just because the user has not mentioned it.** | ||
| Always proactively check the available tool list before falling back to curl. | ||
|
|
||
| **2.2: Fallback — curl with credentials (only if no MCP found)** | ||
|
|
||
| If no Jira MCP server is available, first check whether the credentials are accessible | ||
| to the bash shell — Ambient custom env vars are sometimes available to Claude but not | ||
| automatically exported to bash subprocesses: | ||
|
|
||
| ```bash | ||
| # Diagnose accessibility before attempting auth | ||
| TOKEN_SET=$([ -n "${JIRA_API_TOKEN}" ] && echo "yes" || echo "no") | ||
| EMAIL_SET=$([ -n "${JIRA_EMAIL}" ] && echo "yes" || echo "no") | ||
| echo "JIRA_API_TOKEN accessible to bash: $TOKEN_SET" | ||
| echo "JIRA_EMAIL accessible to bash: $EMAIL_SET" | ||
| ``` | ||
|
|
||
| - If either is **"no"** → the Ambient custom env vars are not being passed to bash | ||
| subprocesses. Ask the user to export them explicitly in the session: | ||
| ```bash | ||
| export JIRA_API_TOKEN="your-token-here" | ||
| export JIRA_EMAIL="[email protected]" | ||
| ``` | ||
| - If both are **"yes"** → proceed with the auth test call: | ||
|
|
||
| ```bash | ||
| JIRA_BASE_URL="https://redhat.atlassian.net" | ||
| AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64) | ||
|
|
||
| # Retry once on network failure (curl exit code 000 = timeout/no response) | ||
| for ATTEMPT in 1 2; do | ||
| TEST_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X GET \ | ||
| --connect-timeout 10 --max-time 15 \ | ||
|
|
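Review bot: In step 2.2, `AUTH=$(echo -n "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64)` can emit a wrapped value. GNU base64 breaks its output at 76 columns, so any email and token pair longer than 57 bytes puts a newline inside the Authorization header and the test call fails for a reason unrelated to the credentials. Suggest `printf '%s' "${JIRA_EMAIL}:${JIRA_API_TOKEN}" | base64 | tr -d '\n'`, which also avoids the non-portable `echo -n`. Two smaller points on the same hunk: the retry comment calls 000 a curl exit code, but it is the `%{http_code}` value curl writes when no HTTP response arrived, and the loop should say so. Step 2.1 accepts "any Jira-related MCP tool" by name pattern and then routes every Jira query through it, so it would be tighter to name the expected MCP server than to trust whatever matches `mcp__jira*`. The yes/no diagnostic is good in that it never echoes the secret values; the export instructions that follow should steer the user toward session secrets and away from pasting the token into the conversation.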
@@ -74,29 +106,22 @@ Report: artifacts/cve-fixer/find/cve-issues-20260226-145018.md | |
| ``` | ||
|
|
||
| - **HTTP 200** → credentials valid, proceed | ||
| - **HTTP 401** → credentials missing or invalid. Note: `/rest/api/3/myself` returns 401 for all authentication failures — there is no separate 403 for this endpoint. Only now inform the user: | ||
| - Check if `JIRA_API_TOKEN` and `JIRA_EMAIL` are configured as Ambient session secrets | ||
| - If not, generate a token at https://id.atlassian.com/manage-profile/security/api-tokens and export: | ||
|
|
||
| ```bash | ||
| export JIRA_API_TOKEN="your-token-here" | ||
| export JIRA_EMAIL="[email protected]" | ||
| ``` | ||
| - **HTTP 000 after retry** → persistent network issue — inform user and stop | ||
|
|
||
| **Do NOT pre-check env vars with `[ -z "$JIRA_API_TOKEN" ]` and stop.** The variables may be available to the API call even if not visible to the shell check (e.g. Ambient secrets injection). | ||
| - **HTTP 401** → token is invalid or expired. Generate a new token at | ||
| https://id.atlassian.com/manage-profile/security/api-tokens and export it | ||
| - **HTTP 000 after retry** → network issue — inform user and stop | ||
|
|
||
| 3. **Query Jira for CVE Issues** | ||
|
|
||
| a. Set up variables (AUTH already set from Step 2): | ||
| a. Set up variables: | ||
|
|
||
| ```bash | ||
| COMPONENT_NAME="[from step 1]" | ||
| JIRA_BASE_URL="https://redhat.atlassian.net" | ||
| # AUTH already constructed in Step 2 — reuse it | ||
| # If using MCP (Step 2.1): pass JQL directly to MCP tool — no AUTH needed | ||
| # If using curl (Step 2.2): AUTH already constructed in Step 2 — reuse it | ||
| ``` | ||
|
|
||
| b. Construct JQL query and execute API call: | ||
| b. Construct JQL query and execute via MCP or curl: | ||
|
|
||
| ```bash | ||
| # Normalize component name with case-insensitive lookup against mapping file | ||
|
|
||
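Review bot: The shorter HTTP 401 bullet ("token is invalid or expired") attributes every 401 to the token, while the longer 401 line in this same hunk states that `/rest/api/3/myself` returns 401 for all authentication failures, so a wrong or unset `JIRA_EMAIL` ends up here as well. Suggest wording it as "email or token missing, invalid or expired" and keeping the pointer to Ambient session secrets, so the user checks both values before generating a new token. Also worth reconciling: the line "Do NOT pre-check env vars with `[ -z "$JIRA_API_TOKEN" ]` and stop" and the step 2.2 diagnostic that asks the user to export when either variable reads "no" give opposite instructions; only one of them should survive in the final text. In step 3a, the comment that AUTH is reused from Step 2 holds only on the curl path, so the curl call in 3b should be guarded against an empty `AUTH` when Step 2.1 selected MCP.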