fix(ci,api-server): fix control-plane build context and migration parameter mismatch

[markturansky]

Summary

• Control-plane Docker build: Changed build context from ./components/ambient-control-plane to ./components in both CI workflows. The Dockerfile copies sibling directories (ambient-api-server/, ambient-sdk/go-sdk/), which requires the broader context.
• Agent schema expansion migration: Replaced tx.AutoMigrate(&Agent{}) with explicit ALTER TABLE ADD COLUMN IF NOT EXISTS statements. AutoMigrate with PreferSimpleProtocol: true causes pq: got 2 parameters but the statement requires 1 when scanning *int32/*float64 column types.
• Role seed migrations: Replaced GORM FirstOrCreate with raw INSERT ... ON CONFLICT (name) DO NOTHING in both roles/migration.go and credentials/migration.go to avoid GORM primary key inference causing parameter count errors.

Test plan

• go vet ./... passes
• go build ./... passes
• All integration tests pass locally (AMBIENT_ENV=integration_testing go test -p 1 ./... — 12/12 packages ok)
• CI Docker builds for ambient-control-plane succeed on both amd64 and arm64
• CI API Server integration tests pass

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Streamlined Docker build configuration for component deployments to improve build efficiency across deployment pipelines.
  • Extended agent data infrastructure to enable additional configuration and operational capabilities for enhanced resource management and environment control.

[coderabbitai]

📝 Walkthrough

Walkthrough

Two GitHub Actions workflows update Docker build contexts for the ambient-control-plane component from ./components/ambient-control-plane to ./components. Concurrently, three database migration files refactor GORM-based upserts and deletes to explicit raw SQL statements for schema modifications and data operations.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/components-build-deploy.yml, .github/workflows/prod-release-deploy.yaml	Updated Docker build context from ./components/ambient-control-plane to ./components for the ambient-control-plane component matrix entry, affecting build context provided to Docker during both standard and release builds.
Database Migrations components/ambient-api-server/plugins/agents/migration.go, components/ambient-api-server/plugins/credentials/migration.go, components/ambient-api-server/plugins/roles/migration.go	Replaced GORM ORM calls with raw SQL statements. Agents migration now uses explicit ALTER TABLE ... ADD COLUMN IF NOT EXISTS with typed columns and index creation. Credentials and roles migrations replaced FirstOrCreate and Delete flows with INSERT ... ON CONFLICT (name) DO NOTHING and direct SQL delete statements, removing intermediate struct definitions.

🚥 Pre-merge checks | ✅ 8

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title follows Conventional Commits format with type 'fix', scope 'ci,api-server', and accurately summarizes the main changes: Docker build context fixes and migration parameter corrections across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	Migration code uses fixed-size loops over constant collections with no N+1 patterns. Role seeding improved from per-item GORM queries to batch INSERT...ON CONFLICT operation.
Security And Secret Handling	✅ Passed	Migration files use parameterized queries, hardcoded DDL literals, and identifier concatenation from fixed lists. No hardcoded secrets, sensitive logging, authorization issues, or Kubernetes Secret handling vulnerabilities detected.
Kubernetes Resource Safety	✅ Passed	PR modifies only CI/CD workflows and database migrations; no Kubernetes manifests in components/manifests/base/ are changed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/migration-automigrate-parameter-mismatch

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/migration-automigrate-parameter-mismatch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	ede64d9
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69e8d727caefa6000828d169

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/components-build-deploy.yml:
- Line 62: The workflow’s path filters for the component image list (see the
ambient-control-plane entry with name "ambient-control-plane" and context
"./components") are missing the SDK path; update the workflow triggers under
on.push.paths and on.pull_request.paths to include "components/ambient-sdk/**"
so changes inside components/ambient-sdk will trigger rebuilds of the
ambient-control-plane image.

In `@components/ambient-api-server/plugins/agents/migration.go`:
- Around line 48-60: The migration builds the SQL statements in the stmts slice
and currently creates owner_user_id as nullable, which conflicts with the
model's gorm:"not null"; update the corresponding statement in stmts to add "NOT
NULL" and a sensible DEFAULT (e.g., empty string) to avoid migration failures,
and likewise change the llm_model, llm_temperature and llm_max_tokens column
statements to include NOT NULL with appropriate DEFAULT values (e.g., '' for
llm_model, 0.0 for llm_temperature, 0 for llm_max_tokens) so the SQL schema
matches the non-pointer model fields; adjust the ALTER TABLE statements that
reference owner_user_id, llm_model, llm_temperature and llm_max_tokens in the
stmts slice accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0110428a-3f55-4c60-9d42-599605b5a5f6

📥 Commits

Reviewing files that changed from the base of the PR and between 36dc70a and ede64d9.

📒 Files selected for processing (5)

• .github/workflows/components-build-deploy.yml
• .github/workflows/prod-release-deploy.yaml
• components/ambient-api-server/plugins/agents/migration.go
• components/ambient-api-server/plugins/credentials/migration.go
• components/ambient-api-server/plugins/roles/migration.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Dockerfile inputs for ambient-control-plane ==="
rg -n '^\s*COPY\s+(ambient-api-server/|ambient-sdk/go-sdk/)' components/ambient-control-plane/Dockerfile

echo
echo "=== Current workflow path filters ==="
rg -n "components/ambient-(api-server|control-plane|sdk)/\*\*" .github/workflows/components-build-deploy.yml

Repository: ambient-code/platform

Length of output: 439

---

Add components/ambient-sdk/** to workflow path filters

The Dockerfile for ambient-control-plane copies from ambient-sdk/go-sdk/ (lines 7–8 of the Dockerfile), but the workflow's on.push.paths and on.pull_request.paths do not include components/ambient-sdk/**. Changes to the SDK will not trigger a rebuild of this image.

Add to both push and pull_request path filters

     paths:
       - '.github/workflows/components-build-deploy.yml'
       - 'components/ambient-api-server/**'
+      - 'components/ambient-sdk/**'
       - 'components/ambient-control-plane/**'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml at line 62, The workflow’s
path filters for the component image list (see the ambient-control-plane entry
with name "ambient-control-plane" and context "./components") are missing the
SDK path; update the workflow triggers under on.push.paths and
on.pull_request.paths to include "components/ambient-sdk/**" so changes inside
components/ambient-sdk will trigger rebuilds of the ambient-control-plane image.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Model field nullability (non-pointer primitives expected non-null DB values):"
rg -n 'OwnerUserId|LlmModel|LlmTemperature|LlmMaxTokens' components/ambient-api-server/plugins/agents/model.go

echo
echo "Migration SQL currently defining these columns:"
rg -n 'owner_user_id|llm_model|llm_temperature|llm_max_tokens' components/ambient-api-server/plugins/agents/migration.go

Repository: ambient-code/platform

Length of output: 1082

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking for follow-up migrations after migration.go ==="
fd -e go migration | head -20

echo
echo "=== Checking if other fields have gorm NOT NULL constraints we missed ==="
rg -n 'gorm:"' components/ambient-api-server/plugins/agents/model.go | grep -E 'LlmModel|LlmTemperature|LlmMaxTokens|OwnerUserId'

echo
echo "=== Looking for any ALTER TABLE that adds NOT NULL to these columns ==="
rg -n 'ALTER TABLE agents' components/ambient-api-server/plugins/agents/ | grep -E 'owner_user_id|llm_model|llm_temperature|llm_max_tokens.*NOT NULL'

Repository: ambient-code/platform

Length of output: 1300

---

Add NOT NULL constraint to owner_user_id column in migration.

Line 50 creates owner_user_id as nullable, but the model at line 12 declares it as gorm:"not null". This violates the model contract and risks scan failures.

Migration fix

 			stmts := []string{
 				`ALTER TABLE agents ADD COLUMN IF NOT EXISTS parent_agent_id TEXT`,
-				`ALTER TABLE agents ADD COLUMN IF NOT EXISTS owner_user_id TEXT`,
+				`ALTER TABLE agents ADD COLUMN IF NOT EXISTS owner_user_id TEXT NOT NULL DEFAULT ''`,
 				`ALTER TABLE agents ADD COLUMN IF NOT EXISTS display_name TEXT`,

Consider applying similar constraints to llm_model, llm_temperature, and llm_max_tokens (lines 55–57), since they are non-pointer primitives. Code-level defaults exist, but nullable columns create unnecessary null-check risk.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	stmts := []string{
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS parent_agent_id TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS owner_user_id TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS display_name TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS description TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS repo_url TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS workflow_id TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_model TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_temperature DOUBLE PRECISION`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_max_tokens INTEGER`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS bot_account_name TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS resource_overrides TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS environment_variables TEXT`,
	stmts := []string{
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS parent_agent_id TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS owner_user_id TEXT NOT NULL DEFAULT ''`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS display_name TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS description TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS repo_url TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS workflow_id TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_model TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_temperature DOUBLE PRECISION`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS llm_max_tokens INTEGER`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS bot_account_name TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS resource_overrides TEXT`,
	`ALTER TABLE agents ADD COLUMN IF NOT EXISTS environment_variables TEXT`,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/ambient-api-server/plugins/agents/migration.go` around lines 48 -
60, The migration builds the SQL statements in the stmts slice and currently
creates owner_user_id as nullable, which conflicts with the model's gorm:"not
null"; update the corresponding statement in stmts to add "NOT NULL" and a
sensible DEFAULT (e.g., empty string) to avoid migration failures, and likewise
change the llm_model, llm_temperature and llm_max_tokens column statements to
include NOT NULL with appropriate DEFAULT values (e.g., '' for llm_model, 0.0
for llm_temperature, 0 for llm_max_tokens) so the SQL schema matches the
non-pointer model fields; adjust the ALTER TABLE statements that reference
owner_user_id, llm_model, llm_temperature and llm_max_tokens in the stmts slice
accordingly.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-04-22 14:20 UTC · Rule: default
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-04-22 14:21 UTC · at ede64d95e34f07aeeb0fef77c6d861d6523ce316 · squash

This pull request spent 12 seconds in the queue, including 1 second running CI.

Required conditions to merge