feat(api-server): sync user account in OneCLI on login (#98)

* feat(api-server): sync user account in OneCLI on first authentication

Calls POST /api/auth/sync on OneCLI (v0.0.8+) to ensure the user
account exists. Uses an RxJS saga with distinct() dedup so the sync
only fires once per user per server lifetime, without blocking requests.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* chore: bump onecli to v0.0.8

Required for the /api/auth/sync endpoint used by the new user sync saga.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* fix: e2e cluster install timeout and OneCLI sync method

- Add --no-restart flag to cluster:install, used in e2e to skip
  unnecessary pod restarts that caused a deadlock (OneCLI waiting
  for Keycloak while both are restarting)
- Add --wait to helm upgrade so readiness is guaranteed without restarts
- Only restart locally-built image deployments (not OneCLI/Keycloak)
- Fix syncUser to use GET instead of POST (OneCLI returns 405 on POST)

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* fix(e2e): remove restrictive resource overrides causing OOM on startup

Delete values-test.yaml — its 512Mi limits for OneCLI and Keycloak
were too tight during startup (Keycloak sits at 454Mi at idle alone,
Next.js in OneCLI spikes during boot). Default requests total ~1.66 GiB
which fits comfortably in the 3 GiB test VM.

Keep --set domain=localtest.me --set port=5555 since test helpers
hardcode those values.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* ci(e2e): maximize CI disk space and dump cluster diagnostics on failure

- Port maximize-build-space action from kagenti-adk to free CI disk
  space for the Lima VM image and k3s state (removes dotnet/android/
  haskell/codeql tooling)
- Add diagnostics dump (nodes, pods, events, describe, logs) on
  api-server:test failure to make CI debugging possible
- Bump helm install timeout to 15m

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* ci(e2e): re-checkout after maximize-build-space

The action mounts an LVM volume at $GITHUB_WORKSPACE which wipes the
initial checkout. Re-checkout after to restore the repo contents.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* fix(onecli): remove wait-for-keycloak init container

It created a deadlock with helm --wait: the init container polled
/realms/humr, but the humr realm is created by the keycloak-provision
post-install hook, which runs AFTER --wait completes.

OneCLI doesn't need Keycloak at boot — JWKS fetching is lazy, and by
the time a user authenticates, the full stack is up.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* fix(e2e): restore wait-for-keycloak, drop helm --wait

OneCLI's gateway fetches JWKS from /realms/humr at startup and crashes
with "missing field keys" if the realm doesn't exist. So the
wait-for-keycloak init container is actually necessary.

The humr realm is imported by the keycloak-provision post-install
hook. With helm --wait, hooks only run AFTER resources become Ready,
creating a deadlock. Removing --wait lets the hook run immediately
after resources are submitted, so the realm exists by the time
OneCLI's init container polls for it.

Replace --wait with an explicit kubectl wait on deployments after
the install, so we still guarantee readiness before tests run.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

* fix(test): share auth token across vitest globalSetup → workers

The global authenticated client used module-level `_token` set by
`setToken()` in globalSetup. But globalSetup runs in a separate
process from test workers — module state can't cross that boundary,
so `_token` was undefined in tests, and authenticated requests
silently went out without a Bearer header. The 401 response then
failed JSON parsing in tRPC's batch link as "Unable to transform
response from server".

Use vitest's `provide()`/`inject()` API to share the token across
the process boundary instead.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

---------

Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

Author: jezekra1

.github/actions/maximize-build-space/action.yml

@@ -0,0 +1,221 @@
+# Modified version of https://github.com/easimon/maximize-build-space
+name: 'Maximize build disk space'
+description: 'Maximize the available disk space for your build job'
+branding:
+  icon: 'crop'
+  color: 'orange'
+inputs:
+  root-reserve-mb:
+    description: 'Space to be left free on the root filesystem, in Megabytes.'
+    required: false
+    default: '1024'
+  temp-reserve-mb:
+    description: 'Space to be left free on the temp filesystem (/mnt), in Megabytes.'
+    required: false
+    default: '100'
+
+  swap-size-mb:
+    description: 'Swap space to create, in Megabytes.'
+    required: false
+    default: '4096'
+  overprovision-lvm:
+    description: |
+      Create the LVM disk images as sparse files, making the space required for the LVM image files *appear* unused on the
+      hosting volumes until actually allocated. Use with care, this can lead to surprising out-of-disk-space situations.
+      You should prefer adjusting root-reserve-mb/temp-reserve-mb over using this option.
+    required: false
+    default: 'false'
+  build-mount-path:
+    description: 'Absolute path to the mount point where the build space will be available, defaults to $GITHUB_WORKSPACE if unset.'
+    required: false
+  build-mount-path-ownership:
+    description: 'Ownership of the mount point path, defaults to standard "runner" user and group.'
+    required: false
+    default: 'runner:runner'
+  pv-loop-path:
+    description: 'Absolute file path for the LVM image created on the root filesystem, the default is usually fine.'
+    required: false
+    default: '/pv.img'
+  tmp-pv-loop-path:
+    description: 'Absolute file path for the LVM image created on the temp filesystem, the default is usually fine. Must reside on /mnt'
+    required: false
+    default: '/mnt/tmp-pv.img'
+
+  remove-dotnet:
+    description: 'Removes .NET runtime and libraries. (frees ~17 GB)'
+    required: false
+    default: 'false'
+  remove-android:
+    description: 'Removes Android SDKs and Tools. (frees ~11 GB)'
+    required: false
+    default: 'false'
+  remove-haskell:
+    description: 'Removes GHC (Haskell) artifacts. (frees ~2.7 GB)'
+    required: false
+    default: 'false'
+  remove-codeql:
+    description: 'Removes CodeQL Action Bundles. (frees ~5.4 GB)'
+    required: false
+    default: 'false'
+  remove-docker-images:
+    description: 'Removes cached Docker images. (frees ~3 GB)'
+    required: false
+    default: 'false'
+runs:
+  using: "composite"
+  steps:
+    - name: Disk space report before modification
+      shell: bash
+      run: |
+        echo "Memory and swap:"
+        sudo free -h
+        echo
+        sudo swapon --show
+        echo
+
+        echo "Available storage:"
+        sudo df -h
+        echo
+
+    - name: Maximize build disk space
+      shell: bash
+      run: |
+          set -euo pipefail
+
+          BUILD_MOUNT_PATH="${{ inputs.build-mount-path }}"
+          if [[ -z "${BUILD_MOUNT_PATH}" ]]; then
+            BUILD_MOUNT_PATH="${GITHUB_WORKSPACE}"
+          fi
+
+          echo "Arguments:"
+          echo
+          echo "  Root reserve:      ${{ inputs.root-reserve-mb }} MiB"
+          echo "  Temp reserve:      ${{ inputs.temp-reserve-mb }} MiB"
+          echo "  Swap space:        ${{ inputs.swap-size-mb }} MiB"
+          echo "  Overprovision LVM: ${{ inputs.overprovision-lvm }}"
+          echo "  Mount path:        ${BUILD_MOUNT_PATH}"
+          echo "  Root PV loop path: ${{ inputs.pv-loop-path }}"
+          echo "  Temp PV loop path: ${{ inputs.tmp-pv-loop-path }}"
+
+          echo -n "  Removing:     "
+          if [[ ${{ inputs.remove-dotnet }} == 'true' ]]; then
+            echo -n "dotnet "
+          fi
+          if [[ ${{ inputs.remove-android }} == 'true' ]]; then
+            echo -n "android "
+          fi
+          if [[ ${{ inputs.remove-haskell }} == 'true' ]]; then
+            echo -n "haskell "
+          fi
+          if [[ ${{ inputs.remove-codeql }} == 'true' ]]; then
+            echo -n "codeql "
+          fi
+          if [[ ${{ inputs.remove-docker-images }} == 'true' ]]; then
+            echo -n "docker "
+          fi
+          echo
+
+          # store owner of $GITHUB_WORKSPACE in case the action deletes it
+          WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")"
+
+          # ensure mount path exists before the action
+          sudo mkdir -p "${BUILD_MOUNT_PATH}"
+          sudo find "${BUILD_MOUNT_PATH}" -maxdepth 0 ! -empty -exec echo 'WARNING: directory [{}] is not empty, data loss might occur. Content:' \; -exec ls -al "{}" \;
+
+          echo "Removing unwanted software... "
+          if [[ ${{ inputs.remove-dotnet }} == 'true' ]]; then
+            sudo rm -rf /usr/share/dotnet
+          fi
+          if [[ ${{ inputs.remove-android }} == 'true' ]]; then
+            sudo rm -rf /usr/local/lib/android
+          fi
+          if [[ ${{ inputs.remove-haskell }} == 'true' ]]; then
+            sudo rm -rf /opt/ghc
+          fi
+          if [[ ${{ inputs.remove-codeql }} == 'true' ]]; then
+            sudo rm -rf /opt/hostedtoolcache/CodeQL
+          fi
+          if [[ ${{ inputs.remove-docker-images }} == 'true' ]]; then
+            sudo docker image prune --all --force
+          fi
+          echo "... done"
+
+          VG_NAME=buildvg
+
+          # github runners have an active swap file in /mnt/swapfile
+          # we want to reuse the temp disk, so first unmount swap and clean the temp disk
+          echo "Unmounting and removing swap file."
+          sudo swapoff -a
+          sudo rm -f /mnt/swapfile
+
+          echo "Creating LVM Volume."
+          echo "  Creating LVM PV on root fs."
+          # create loop pv image on root fs
+          ROOT_RESERVE_KB=$(expr ${{ inputs.root-reserve-mb }} \* 1024)
+          ROOT_FREE_KB=$(df --block-size=1024 --output=avail / | tail -1)
+          ROOT_LVM_SIZE_KB=$(expr $ROOT_FREE_KB - $ROOT_RESERVE_KB)
+          ROOT_LVM_SIZE_BYTES=$(expr $ROOT_LVM_SIZE_KB \* 1024)
+          sudo touch "${{ inputs.pv-loop-path }}" && sudo fallocate -z -l "${ROOT_LVM_SIZE_BYTES}" "${{ inputs.pv-loop-path }}"
+          export ROOT_LOOP_DEV=$(sudo losetup --find --show "${{ inputs.pv-loop-path }}")
+          sudo pvcreate -f "${ROOT_LOOP_DEV}"
+
+
+
+          # create volume group from these pvs
+          # create pv on temp disk if it is on a different filesystem than root
+          TMP_LOOP_DEV=""
+          
+          if mountpoint -q /mnt; then
+            echo "  /mnt is a mountpoint. Creating LVM PV on temp fs."
+            TMP_RESERVE_KB=$(expr ${{ inputs.temp-reserve-mb }} \* 1024)
+            TMP_FREE_KB=$(df --block-size=1024 --output=avail /mnt | tail -1)
+            TMP_LVM_SIZE_KB=$(expr $TMP_FREE_KB - $TMP_RESERVE_KB)
+            TMP_LVM_SIZE_BYTES=$(expr $TMP_LVM_SIZE_KB \* 1024)
+            sudo touch "${{ inputs.tmp-pv-loop-path }}" && sudo fallocate -z -l "${TMP_LVM_SIZE_BYTES}" "${{ inputs.tmp-pv-loop-path }}"
+            export TMP_LOOP_DEV=$(sudo losetup --find --show "${{ inputs.tmp-pv-loop-path }}")
+            sudo pvcreate -f "${TMP_LOOP_DEV}"
+          else
+            echo "  /mnt is NOT a mountpoint. Skipping LVM PV on temp fs."
+          fi
+
+          # create volume group from these pvs
+          if [[ -n "${TMP_LOOP_DEV}" ]]; then
+            sudo vgcreate "${VG_NAME}" "${TMP_LOOP_DEV}" "${ROOT_LOOP_DEV}"
+          else
+            sudo vgcreate "${VG_NAME}" "${ROOT_LOOP_DEV}"
+          fi
+
+          echo "Recreating swap"
+          # create and activate swap
+          sudo lvcreate -L "${{ inputs.swap-size-mb }}M" -n swap "${VG_NAME}"
+          sudo mkswap "/dev/mapper/${VG_NAME}-swap"
+          sudo swapon "/dev/mapper/${VG_NAME}-swap"
+
+          echo "Creating build volume"
+          # create and mount build volume
+          sudo lvcreate -l 100%FREE -n buildlv "${VG_NAME}"
+          if [[ ${{ inputs.overprovision-lvm }} == 'true' ]]; then
+            sudo mkfs.ext4 -m0 "/dev/mapper/${VG_NAME}-buildlv"
+          else
+            sudo mkfs.ext4 -Enodiscard -m0 "/dev/mapper/${VG_NAME}-buildlv"
+          fi
+          sudo mount "/dev/mapper/${VG_NAME}-buildlv" "${BUILD_MOUNT_PATH}"
+          sudo chown -R "${{ inputs.build-mount-path-ownership }}" "${BUILD_MOUNT_PATH}"
+
+          # if build mount path is a parent of $GITHUB_WORKSPACE, and has been deleted, recreate it
+          if [[ ! -d "${GITHUB_WORKSPACE}" ]]; then
+            sudo mkdir -p "${GITHUB_WORKSPACE}"
+            sudo chown -R "${WORKSPACE_OWNER}" "${GITHUB_WORKSPACE}"
+          fi
+
+    - name: Disk space report after modification
+      shell: bash
+      run: |
+        echo "Memory and swap:"
+        sudo free -h
+        echo
+        sudo swapon --show
+        echo
+
+        echo "Available storage:"
+        sudo df -h

.github/workflows/e2e.yml

@@ -25,6 +25,22 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
+      # Initial checkout required to resolve the local maximize-build-space action.
+      - uses: actions/checkout@v4
+
+      - name: Maximize build disk space
+        uses: ./.github/actions/maximize-build-space
+        with:
+          root-reserve-mb: 15360
+          temp-reserve-mb: 2048
+          swap-size-mb: 1024
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+          remove-codeql: 'true'
+
+      # Re-checkout — maximize-build-space mounts an LVM volume at $GITHUB_WORKSPACE,
+      # replacing the earlier checkout contents.
       - uses: actions/checkout@v4
 
       - name: Enable KVM + install QEMU

deploy/helm/humr/templates/onecli/app.yaml

@@ -79,6 +79,10 @@ spec:
           image: {{ .Values.controller.caCertInitImage | default "busybox:stable" }}
           command: ["sh", "-c"]
           args:
+            # Wait for the humr realm — OneCLI gateway fetches JWKS at startup and
+            # crashes if the realm doesn't exist yet. The realm is imported by the
+            # keycloak-provision post-install hook; helm install must be invoked
+            # without --wait so that hook runs before OneCLI tries to start.
             - |
               until wget -qO- http://{{ include "humr.keycloak.fullname" . }}:{{ .Values.keycloak.port }}/realms/{{ .Values.keycloak.realm }} >/dev/null 2>&1; do
                 echo "Waiting for Keycloak..."

deploy/helm/humr/values-test.yaml

@@ -40,7 +40,7 @@ postgres:
 # -- OneCLI (credential proxy — gateway + web run in a single container)
 onecli:
   # Single Docker image containing both Rust gateway and Node.js web app
-  image: ghcr.io/kagenti/onecli:0.0.7
+  image: ghcr.io/kagenti/onecli:0.0.8
   replicas: 1
 
   # -- Database connection (empty host = use shared local postgres)
@@ -153,7 +153,7 @@ keycloak:
 
   # -- Test user bootstrapped via realm import.
   # DISABLED by default — production deployments must not ship a known credential.
-  # Local dev (values-local.yaml) and e2e tests (values-test.yaml) enable it.
+  # Local dev and e2e tests (via values-local.yaml) enable it.
   testUser:
     enabled: false
     username: ""