Merge branch 'main' into fix/bedrock-thinking-tool-use

Author: EItanya

.editorconfig

@@ -0,0 +1,19 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[{Makefile,*.go,go.*}]
+indent_style = tab
+indent_size = 4
+tab_width = 4
+
+[*.py]
+indent_size = 4
+tab_width = 4

helm/kagent/values.yaml

@@ -556,6 +556,7 @@ querydoc:
       memory: 512Mi
   openai:
     apiKey: ""
+    # secretRef: ""  # Name of existing Secret containing OPENAI_API_KEY. Takes precedence over apiKey.
 
 # ==============================================================================
 # OAUTH2-PROXY CONFIGURATION (Optional)

helm/tools/querydoc/templates/deployment.yaml

@@ -14,7 +14,7 @@ spec:
     metadata:
       annotations:
         checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        {{- if .Values.openai.apiKey }}
+        {{- if and .Values.openai.apiKey (not .Values.openai.secretRef) }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- end }}
       labels:
@@ -46,9 +46,9 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "querydoc.fullname" . }}
-            {{- if .Values.openai.apiKey }}
+            {{- if or .Values.openai.apiKey .Values.openai.secretRef }}
             - secretRef:
-                name: {{ include "querydoc.fullname" . }}
+                name: {{ .Values.openai.secretRef | default (include "querydoc.fullname" .) | quote }}
             {{- end }}
           ports:
             - name: http

helm/tools/querydoc/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.openai.apiKey }}
+{{- if and .Values.openai.apiKey (not .Values.openai.secretRef) }}
 apiVersion: v1
 kind: Secret
 metadata:

helm/tools/querydoc/tests/deployment_test.yaml

@@ -2,6 +2,7 @@ suite: test querydoc deployment
 templates:
   - deployment.yaml
   - configmap.yaml
+  - secret.yaml
 tests:
   - it: should render deployment with default values
     template: deployment.yaml
@@ -163,3 +164,57 @@ tests:
             value: AI
             effect: NoSchedule
             operator: Equal
+
+  - it: should not include secretRef by default
+    template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].envFrom
+          value:
+            - configMapRef:
+                name: RELEASE-NAME-querydoc
+      - notExists:
+          path: spec.template.metadata.annotations.checksum/secret
+
+  - it: should reference chart-owned Secret when only openai.apiKey is set
+    template: deployment.yaml
+    set:
+      openai:
+        apiKey: foo
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].envFrom
+          content:
+            secretRef:
+              name: RELEASE-NAME-querydoc
+      - exists:
+          path: spec.template.metadata.annotations.checksum/secret
+
+  - it: should reference external Secret when openai.secretRef is set
+    template: deployment.yaml
+    set:
+      openai:
+        secretRef: my-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].envFrom
+          content:
+            secretRef:
+              name: my-secret
+      - notExists:
+          path: spec.template.metadata.annotations.checksum/secret
+
+  - it: secretRef should win over apiKey when both are set
+    template: deployment.yaml
+    set:
+      openai:
+        apiKey: foo
+        secretRef: my-secret
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].envFrom
+          content:
+            secretRef:
+              name: my-secret
+      - notExists:
+          path: spec.template.metadata.annotations.checksum/secret

helm/tools/querydoc/tests/secret_test.yaml

@@ -0,0 +1,41 @@
+suite: test querydoc secret
+templates:
+  - secret.yaml
+tests:
+  - it: should not render a Secret with default values
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render a Secret when openai.apiKey is set
+    set:
+      openai:
+        apiKey: foo
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Secret
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-querydoc
+      - equal:
+          path: data.OPENAI_API_KEY
+          value: Zm9v # `foo` base64 encoded
+
+  - it: should not render a Secret when openai.secretRef is set
+    set:
+      openai:
+        secretRef: my-secret
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not render a Secret when both apiKey and secretRef are set (secretRef wins)
+    set:
+      openai:
+        apiKey: foo
+        secretRef: my-secret
+    asserts:
+      - hasDocuments:
+          count: 0

helm/tools/querydoc/values.yaml

@@ -52,6 +52,7 @@ config:
 # Secret configuration
 openai:
   apiKey: ""
+  # secretRef: ""  # Name of existing Secret containing OPENAI_API_KEY. Takes precedence over apiKey.
 
 # OTEL configuration
 otel:

python/packages/kagent-adk/src/kagent/adk/_session_service.py

@@ -46,8 +46,14 @@ async def create_session(
             request_data["source"] = state.get("source", "")
 
         # Make API call to create session
+        # Pass user_id as a query param so the controller's auth middleware
+        # (UnsecureAuthenticator) reads it consistently — matching the user_id
+        # used by get_session, list_sessions, delete_session, and append_event.
+        # Without this, unsecure-mode requests fall back to "admin@kagent.dev"
+        # while all lookups use the A2A-derived user_id, causing SessionNotFoundError.
         response = await self.client.post(
             "/api/sessions",
+            params={"user_id": user_id},
             json=request_data,
         )
         response.raise_for_status()

python/packages/kagent-adk/tests/unittests/test_session_service.py

@@ -66,6 +66,37 @@ def _factory(response_json: dict | None, status_code: int = 200) -> KAgentSessio
     return _factory
 
 
+@pytest.mark.asyncio
+async def test_create_session_passes_user_id_as_query_param():
+    """create_session must include user_id as a query param on POST /api/sessions.
+
+    Regression test for the SessionNotFoundError caused by a user_id mismatch:
+    the controller's UnsecureAuthenticator resolves identity from the query param
+    (or X-User-Id header), not the JSON body.  Without the query param the
+    controller falls back to "admin@kagent.dev" for the session create, while
+    every subsequent GET uses the A2A-derived user_id — guaranteeing a 404.
+    Fixes: https://github.com/kagent-dev/kagent/issues/1882
+    """
+    mock_response = MagicMock(spec=httpx.Response)
+    mock_response.status_code = 201
+    mock_response.json.return_value = {"data": {"id": "sess-1", "user_id": "A2A_USER_ctx123"}}
+    mock_response.raise_for_status = MagicMock()
+
+    client = MagicMock(spec=httpx.AsyncClient)
+    client.post = AsyncMock(return_value=mock_response)
+
+    svc = KAgentSessionService(client)
+    await svc.create_session(app_name="my-agent", user_id="A2A_USER_ctx123", session_id="ctx123")
+
+    client.post.assert_called_once()
+    call_kwargs = client.post.call_args.kwargs
+    assert call_kwargs.get("params", {}).get("user_id") == "A2A_USER_ctx123", (
+        f"Expected params['user_id']='A2A_USER_ctx123', got params={call_kwargs.get('params')!r}. "
+        "Without this query param the controller's UnsecureAuthenticator falls back "
+        "to 'admin@kagent.dev', causing a SessionNotFoundError on subsequent lookups."
+    )
+
+
 @pytest.mark.asyncio
 async def test_get_session_returns_none_on_404(mock_client):
     """A 404 response returns None without raising."""