refactor: enhance encryption handling and error reporting in agent re…#143
Merged
Summary
This PR fixes several production-environment issues in the AI agent service: encryption key misconfiguration, repo tools unavailability in production containers, and silent swallowing of agent errors.
Changes
Fix encryption key propagation (`deploy/docker-compose.prod.yml`, `scripts/install.sh`)
- `ENCRYPTION_KEY` to the ai-agent service in the production docker-compose — without it, the service couldn't decrypt LLM API keys stored encrypted by the API service.

Fix repo tools injection in production (`docker_workspace.py`)
- `/app` is bind-mounted from the host into the agent container, so sibling sandbox containers could share it via a volume mount. In production, `/app` is baked into the image and the host path detection fails.
- `_copy_repo_tools_to_container()` which uses Docker's `put_archive` API to inject `repo_tools.py` and the required `__init__.py` files directly into the running sandbox container at `/tmp/paca_tools` when no bind-mount is detected.
- `OH_EXTRA_PYTHON_PATH` is now always set — to `/app` (dev) or `/tmp/paca_tools` (prod).
- `/mcp`) volume sharing, which is no longer needed.

Improve error reporting (`executor.py`)
- `_wait_for_done_or_stop` now returns `(stopped, errored)` instead of a single bool.
- `ERROR` or `STUCK` status now correctly set the conversation to `"failed"` and emit `agent.conversation.failed`, instead of being reported as finished.
- `_get_conversation_error_detail()` to extract and log the `ConversationErrorEvent` detail for observability.
- `visualizer=_QuietVisualizer` → `visualizer=_QuietVisualizer()` (was passing the class, not an instance).

Improve decryption failure handling (`agent_repository.py`)
- `""` instead of the raw ciphertext. Forwarding ciphertext to the LLM provider produced misleading "token expired / incorrect key" errors; an empty key surfaces a clear "missing API key" error instead.
- `ENCRYPTION_KEY` is unset, pointing to the fix.
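
The `put_archive` injection described under "Fix repo tools injection in production", as an added example that is not the PR's own code: it builds the tar stream in memory with fixed ownership and modes, rejects member paths that would escape the target directory, and returns the path the description gives for `OH_EXTRA_PYTHON_PATH` in production. The function names, the `SAMPLE_FILES` layout and the use of `/tmp` as the existing parent directory are assumptions.

```python
import io
import tarfile

DEST_PARENT = "/tmp"      # must already exist inside the sandbox container
DEST_DIR = "paca_tools"   # extracted as /tmp/paca_tools, the path named in the PR

# Constructed sample input; the real package layout is not shown on this page.
SAMPLE_FILES = {
    "__init__.py": b"",
    "tools/__init__.py": b"",
    "tools/repo_tools.py": b"def list_files():\n    return []\n",
}


def build_tools_archive(files):
    """Pack {relative_path: bytes} into an in-memory tar rooted at DEST_DIR."""
    dirs = {DEST_DIR}
    for rel in files:
        parts = rel.split("/")
        # Refuse absolute paths, empty segments and traversal so every member
        # stays under DEST_DIR when the daemon extracts the archive.
        if "" in parts or "." in parts or ".." in parts:
            raise ValueError(f"unsafe archive member: {rel!r}")
        dirs.update("/".join([DEST_DIR, *parts[:i]]) for i in range(1, len(parts)))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(dirs):  # parents sort before their children
            info = tarfile.TarInfo(name)
            info.type, info.mode = tarfile.DIRTYPE, 0o755
            tar.addfile(info)
        for rel, content in sorted(files.items()):
            info = tarfile.TarInfo(f"{DEST_DIR}/{rel}")
            # Regular files only, fixed mode, TarInfo's default uid/gid of 0:
            # no host ownership, symlinks or executable bits reach the sandbox.
            info.size, info.mode = len(content), 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def copy_tools_to_container(container, files):
    """Inject files into a running container; return the PYTHONPATH entry."""
    # docker-py's Container.put_archive(path, data) extracts a tar stream into
    # an existing directory and returns True on success.
    if not container.put_archive(DEST_PARENT, build_tools_archive(files)):
        raise RuntimeError("put_archive reported failure")
    return f"{DEST_PARENT}/{DEST_DIR}"
```

`container` is any object with docker-py's `Container.put_archive` signature, for example the result of `docker.from_env().containers.get(...)`.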