fix: address CodeRabbit review feedback

- Sort Gerrit instances by name for deterministic API responses
- Register missing /version route in backend
- Encode instanceName in frontend proxy routes to prevent path injection
- Clean up stale Gerrit config when instance list is empty
- Add debug logging to bare except blocks in MCP credential checks
- Update integrations-panel tests for 5th integration (Gerrit)
- Fix markdown heading spacing (MD022)
- Clarify K8s Secrets encryption-at-rest requires cluster config
- Align contract types with implementation (required fields)
- Fix instanceName char range in spec (2-63, not 1-63)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sbauza

components/backend/handlers/integrations_status.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"log"
 	"net/http"
+	"sort"
 
 	"github.com/gin-gonic/gin"
 )
@@ -141,6 +142,10 @@ func getGerritStatusForUser(ctx context.Context, userID string) gin.H {
 		return gin.H{"instances": []gin.H{}}
 	}
 
+	sort.Slice(instances, func(i, j int) bool {
+		return instances[i].InstanceName < instances[j].InstanceName
+	})
+
 	result := make([]gin.H, 0, len(instances))
 	for _, creds := range instances {
 		result = append(result, gin.H{

components/backend/routes.go

@@ -12,6 +12,7 @@ func registerRoutes(r *gin.Engine) {
 	api := r.Group("/api")
 	{
 		// Public endpoints (no auth required)
+		api.GET("/version", handlers.GetVersion)
 		api.GET("/workflows/ootb", handlers.ListOOTBWorkflows)
 		// Global runner-types endpoint (no workspace overrides — for admin pages)
 		api.GET("/runner-types", handlers.GetRunnerTypesGlobal)

components/frontend/src/app/api/auth/gerrit/[instanceName]/disconnect/route.ts

@@ -6,9 +6,10 @@ export async function DELETE(
   { params }: { params: Promise<{ instanceName: string }> }
 ) {
   const { instanceName } = await params
+  const safeInstanceName = encodeURIComponent(instanceName)
   const headers = await buildForwardHeadersAsync(request)
 
-  const resp = await fetch(`${BACKEND_URL}/auth/gerrit/${instanceName}/disconnect`, {
+  const resp = await fetch(`${BACKEND_URL}/auth/gerrit/${safeInstanceName}/disconnect`, {
     method: 'DELETE',
     headers,
   })

components/frontend/src/app/api/auth/gerrit/[instanceName]/status/route.ts

@@ -6,9 +6,10 @@ export async function GET(
   { params }: { params: Promise<{ instanceName: string }> }
 ) {
   const { instanceName } = await params
+  const safeInstanceName = encodeURIComponent(instanceName)
   const headers = await buildForwardHeadersAsync(request)
 
-  const resp = await fetch(`${BACKEND_URL}/auth/gerrit/${instanceName}/status`, {
+  const resp = await fetch(`${BACKEND_URL}/auth/gerrit/${safeInstanceName}/status`, {
     method: 'GET',
     headers,
   })

components/frontend/src/app/projects/[name]/sessions/[sessionName]/components/settings/__tests__/integrations-panel.test.tsx

@@ -7,6 +7,7 @@ type IntegrationsData = {
   gitlab: { connected: boolean };
   jira: { connected: boolean };
   google: { connected: boolean };
+  gerrit: { instances: Array<{ connected: boolean; instanceName: string }> };
 } | null;
 
 const mockUseIntegrationsStatus = vi.fn((): { data: IntegrationsData; isPending: boolean } => ({
@@ -36,13 +37,14 @@ describe('IntegrationsPanel', () => {
     expect(skeletons.length).toBeGreaterThan(0);
   });
 
-  it('renders integration cards (GitHub, GitLab, Google Workspace, Jira)', () => {
+  it('renders integration cards (GitHub, GitLab, Google Workspace, Jira, Gerrit)', () => {
     mockUseIntegrationsStatus.mockReturnValue({
       data: {
         github: { active: null },
         gitlab: { connected: false },
         jira: { connected: false },
         google: { connected: false },
+        gerrit: { instances: [] },
       },
       isPending: false,
     });
@@ -51,6 +53,7 @@ describe('IntegrationsPanel', () => {
     expect(screen.getByText('GitLab')).toBeDefined();
     expect(screen.getByText('Google Workspace')).toBeDefined();
     expect(screen.getByText('Jira')).toBeDefined();
+    expect(screen.getByText('Gerrit')).toBeDefined();
   });
 
   it('shows connected status for configured integrations', () => {
@@ -60,11 +63,12 @@ describe('IntegrationsPanel', () => {
         gitlab: { connected: true },
         jira: { connected: true },
         google: { connected: false },
+        gerrit: { instances: [] },
       },
       isPending: false,
     });
     render(<IntegrationsPanel />);
-    // 3 out of 4 configured: badge should show 3/4
-    expect(screen.getByText('3/4')).toBeDefined();
+    // 3 out of 5 configured: badge should show 3/5
+    expect(screen.getByText('3/5')).toBeDefined();
   });
 });

components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py

@@ -39,10 +39,13 @@ def generate_gerrit_config(instances: list[dict]) -> None:
 
     Sets GERRIT_CONFIG_PATH env var to point to the generated config.
     """
+    config_dir = Path("/tmp/gerrit-mcp")
+    if config_dir.exists():
+        import shutil
+        shutil.rmtree(config_dir)
     if not instances:
+        os.environ.pop("GERRIT_CONFIG_PATH", None)
         return
-
-    config_dir = Path("/tmp/gerrit-mcp")
     config_dir.mkdir(parents=True, exist_ok=True)
 
     gerrit_hosts = []
@@ -323,10 +326,10 @@ def check_mcp_authentication(server_name: str) -> tuple[bool | None, str | None]
                                 True,
                                 "Jira credentials available (not yet loaded in session)",
                             )
-                except Exception:
-                    pass
-        except Exception:
-            pass
+                except Exception as e:
+                    logger.debug(f"Jira credential probe failed: {e}")
+        except Exception as e:
+            logger.debug(f"Jira credential check setup failed: {e}")
 
         return False, "Jira not configured - connect on Integrations page"
 

docs/internal/integrations/README.md

@@ -63,6 +63,7 @@ Documentation for integrating the Ambient Code Platform with external services.
 - **Instance URL** - Support for self-hosted
 
 ### Gerrit
+
 - **HTTP Basic** - Username + HTTP password
 - **Gitcookies** - Cookie-based authentication
 - **Multi-instance** - Connect multiple Gerrit servers
@@ -92,6 +93,7 @@ All integrations are configured per-project via:
 - [GitLab API Endpoints](../api/gitlab-endpoints.md) - API reference
 
 ### Gerrit
+
 - [Gerrit Integration](gerrit-integration.md) - Setup and usage guide
 
 ### Google Workspace

docs/internal/integrations/gerrit-integration.md

@@ -207,7 +207,7 @@ Both instances will be available to the MCP server during AgenticSessions.
 
 - Credentials are stored in a Kubernetes Secret named `gerrit-credentials`
 - Each credential entry uses a compound key: `instanceName.userID`
-- Secrets are encrypted at rest (standard Kubernetes Secret encryption)
+- Stored in Kubernetes Secrets (encrypted at rest when cluster-level encryption is configured)
 - Credentials are never logged in plaintext
 - Credentials are not exposed in API responses after storage
 

specs/001-gerrit-integration/contracts/frontend-types.ts

@@ -26,9 +26,9 @@ export interface GerritConnectResponse {
 export interface GerritInstanceStatus {
   connected: boolean
   instanceName: string
-  url?: string
-  authMethod?: GerritAuthMethod
-  updatedAt?: string
+  url: string
+  authMethod: GerritAuthMethod
+  updatedAt: string
 }
 
 export interface GerritTestResponse {

specs/001-gerrit-integration/data-model.md

@@ -23,7 +23,7 @@ Represents a user's connection to a single Gerrit instance.
 
 **Validation rules**:
 - `url` must be a valid HTTPS URL (HTTP allowed for local development only)
-- `instanceName` must match `^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$` (lowercase, alphanumeric with hyphens, 1-63 chars)
+- `instanceName` must match `^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$` (lowercase, alphanumeric with hyphens, 2-63 chars)
 - When `authMethod` is `http_basic`: both `username` and `httpToken` must be non-empty
 - When `authMethod` is `git_cookies`: `gitcookiesContent` must be non-empty and contain at least one cookie line for the target host