chore(autorag+automl): improvements - S3 timeout error handling + FileExplorer UX (#7219)

* chore(autorag+automl): S3 timeout error handling improvements

Functional changes:
- Add 10s connect/TLS timeout to S3 HTTP client via custom transport
  so unreachable endpoints (air-gapped, misconfigured) fail fast
  instead of hanging until the OpenShift route 30s gateway timeout.
- Set RetryMaxAttempts=1 on the AWS config to avoid compounding
  the timeout on dead endpoints.
- Add isS3ConnectivityError() to classify net.Error timeouts,
  net.OpError, and net.DNSError as connectivity failures.
- Add s3ConnectivityErrorMessage() to return a user-facing 503
  message explaining the likely cause and remediation steps.
- Wire connectivity error detection into all S3 handlers
  (GetS3File, PostS3File, GetS3Files, GetS3FileSchema) so they
  return 503 with the actionable message instead of a generic 500.

Test coverage:
- isS3ConnectivityError: 9-case table-driven test covering timeout,
  OpError, DNSError, wrapped variants, nil, and non-connectivity
  errors (access denied).
- s3ConnectivityErrorMessage: asserts bucket name and key phrases
  appear in the message.
- Handler-level 503 tests: GetS3File, GetS3Files, PostS3File
  (on key resolution), and PostS3File (on upload) all return 503
  with the connectivity error message when the S3 endpoint is
  unreachable.
- s3ConnectTimeout constant: asserts the value is 10s.
- NewRealS3Client: verifies client construction succeeds with
  the new timeout-aware HTTP transport.

All changes are mirrored across both automl and autorag BFFs.

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: Add UI handling + tests

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: Add UI fix for view details (minor issue)

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: PR feedback

automl: Add TestGetS3FileSchemaHandler_ConnectivityError_Returns503 to
exercise the 503 branch when GetCSVSchema hits an unreachable S3
endpoint. Added GetCSVSchema override to connectivityErrorS3Client.

automl+autorag: Extract buildS3AWSConfig() from NewRealS3Client so
RetryMaxAttempts can be directly asserted in tests. The AWS SDK does
not expose RetryMaxAttempts on the constructed *s3.Client, so the
previous test could only verify client creation — not the config value.
The extracted function returns the raw aws.Config, enabling a real
assertion (cfg.RetryMaxAttempts == 1) without DNS or network
dependencies.

Rename TestNewRealS3Client_SetsRetryMaxAttemptsToOne to
TestNewRealS3Client_CreatesClientWithValidCredentials and switch
endpoint to a literal IP to remove DNS dependency.

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: PR feedback

Add net.ErrClosed sentinel check to isS3ConnectivityError() in both
automl and autorag BFFs. A closed keep-alive socket can surface as
net.ErrClosed without a *net.OpError wrapper, causing it to fall
through to a 500 instead of the intended 503. The new check catches
both direct and wrapped net.ErrClosed errors.

Includes unit tests for both direct and wrapped net.ErrClosed cases
in both packages.

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: PR feedback

Add per-call context deadlines (s3MetadataTimeout = 15s) on read-only
S3 handler operations to bound the response-header phase. net/http's
WriteTimeout sets a conn deadline but does NOT cancel r.Context(), so
if an S3 endpoint accepts the TCP connection but never sends response
headers, metadata calls could hang indefinitely. File-transfer handlers
(GetObject, UploadObject) are intentionally excluded because legitimate
large payloads can exceed any static timeout.

Handlers protected:
- autorag: GetS3FilesHandler (ListObjects)
- automl: GetS3FilesHandler (ListObjects), GetS3FileSchemaHandler (GetCSVSchema)

Tests added:
- Positive: verify ListObjects/GetCSVSchema receive a deadline-aware context
- Negative: verify GetObject does NOT get a handler-imposed deadline

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: Self PR review

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: PR feedback

- isS3ConnectivityError: add context.DeadlineExceeded as first check
  so metadata timeouts produce 503; narrow net.OpError to dial-only
- PostS3FileHandler: wrap resolveNonCollidingS3Key with s3MetadataTimeout
- client.go: remove dead HTTPClient from buildS3AWSConfig, consolidate
  s3ConnectTimeout dial/TLS settings into NewRealS3Client transport
- client_test.go: replace constant self-assertion test with transport
  inspection (TestNewRealS3Client_TransportHasConnectTimeout)
- s3_handler_test.go: add DeadlineExceeded and OpError{write} test
  cases, update upload mock from Op:"write" to Op:"dial", add
  TestPostS3FileHandler_SetsMetadataTimeoutForResolveKey
- autorag s3_handler.go: reorder declarations (constants/types first)
- FileExplorer.spec.tsx: scope dropdown assertions with within() and
  role-based queries instead of global screen.queryByText

All changes applied symmetrically to both automl and autorag packages.

Generated-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* chore: PR feedback

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: PR feedback

Generated-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>

* chore: make fmt

* chore: PR feedback

- Hide "View details" kebab action when file is already being viewed
- Add "Select file"/"Select folder" kebab action for unselected items
- Delegate onRemoveSelection to parent handler to clear filesToView
- Add table row kebab actions test suite (7 tests)
- Fix eye icon test that relied on redundant "View details" click

Generated-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: GAUNSD

packages/automl/bff/internal/api/s3_handler.go

@@ -7,11 +7,13 @@ import (
 	"io"
 	"mime"
 	"mime/multipart"
+	"net"
 	"net/http"
 	"path"
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/julienschmidt/httprouter"
@@ -24,6 +26,15 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
+// s3MetadataTimeout is the deadline for read-only S3 metadata operations
+// (ListObjects, HeadObject, GetCSVSchema, etc.) that should complete quickly.
+// This bounds the response-header phase: if the endpoint accepts the TCP
+// connection but never sends response headers, r.Context() alone won't cancel
+// the call because net/http's WriteTimeout sets a conn deadline, not a context
+// cancellation. File transfers (GetObject, UploadObject) are excluded because
+// legitimate large payloads can exceed any static timeout.
+const s3MetadataTimeout = 15 * time.Second
+
 // resolvedS3 holds a ready-to-use S3 client and the resolved bucket name.
 type resolvedS3 struct {
 	client s3int.S3ClientInterface
@@ -170,6 +181,42 @@ func (app *App) resolveS3Client(w http.ResponseWriter, r *http.Request, secretNa
 	return &resolvedS3{client: s3Client, bucket: bucket}, true
 }
 
+// isS3ConnectivityError checks whether an error is caused by a network-level
+// failure to reach the S3 endpoint (e.g. connection timeout, DNS failure,
+// connection refused, or a metadata timeout deadline). This lets handlers
+// return an actionable 503 instead of a generic 500 when the endpoint is
+// unreachable — common in air-gapped or misconfigured environments.
+func isS3ConnectivityError(err error) bool {
+	if errors.Is(err, context.DeadlineExceeded) {
+		return true
+	}
+	if errors.Is(err, net.ErrClosed) {
+		return true
+	}
+	var netErr net.Error
+	if errors.As(err, &netErr) && netErr.Timeout() {
+		return true
+	}
+	var opErr *net.OpError
+	if errors.As(err, &opErr) && opErr.Op == "dial" {
+		return true
+	}
+	var dnsErr *net.DNSError
+	return errors.As(err, &dnsErr)
+}
+
+// s3ConnectivityErrorMessage returns a user-facing message for S3 connectivity failures.
+func s3ConnectivityErrorMessage(bucket string) string {
+	return fmt.Sprintf(
+		"Unable to connect to the S3 storage endpoint for bucket '%s'. "+
+			"The endpoint may be unreachable from this cluster. "+
+			"If this is a disconnected or air-gapped environment, "+
+			"verify the S3 endpoint URL in the data connection secret "+
+			"points to a storage service accessible within the cluster network.",
+		bucket,
+	)
+}
+
 // GetS3FileHandler retrieves a file from S3 storage.
 // Query parameters:
 //   - secretName (optional): Kubernetes secret with S3 credentials.
@@ -218,6 +265,11 @@ func (app *App) GetS3FileHandler(w http.ResponseWriter, r *http.Request, _ httpr
 			return
 		}
 
+		if isS3ConnectivityError(err) {
+			app.serviceUnavailableResponseWithMessage(w, r, err, s3ConnectivityErrorMessage(s3.bucket))
+			return
+		}
+
 		app.serverErrorResponse(w, r, err)
 		return
 	}
@@ -279,16 +331,21 @@ func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, _ http
 		return
 	}
 
-	ctx := r.Context()
 	bucket := s3.bucket
-	resolvedKey, err := resolveNonCollidingS3Key(ctx, s3.client, bucket, key, app.effectivePostS3CollisionAttempts())
+	metadataCtx, metadataCancel := context.WithTimeout(r.Context(), s3MetadataTimeout)
+	defer metadataCancel()
+	resolvedKey, err := resolveNonCollidingS3Key(metadataCtx, s3.client, bucket, key, app.effectivePostS3CollisionAttempts())
 	if err != nil {
 		if errors.Is(err, ErrMaxCollisionsExceeded) {
 			app.conflictResponse(w, r,
 				fmt.Sprintf("unable to find unique filename after %d attempts; try a different base name",
 					app.effectivePostS3CollisionAttempts()))
 			return
 		}
+		if isS3ConnectivityError(err) {
+			app.serviceUnavailableResponseWithMessage(w, r, err, s3ConnectivityErrorMessage(bucket))
+			return
+		}
 		app.serverErrorResponse(w, r, fmt.Errorf("error resolving S3 key for upload: %w", err))
 		return
 	}
@@ -356,7 +413,7 @@ func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, _ http
 	}
 	limitedFile := http.MaxBytesReader(nil, filePart, maxFilePartBytes)
 	defer limitedFile.Close()
-	if err := s3.client.UploadObject(ctx, bucket, resolvedKey, limitedFile, contentType); err != nil {
+	if err := s3.client.UploadObject(r.Context(), bucket, resolvedKey, limitedFile, contentType); err != nil {
 		var maxBytesErr *http.MaxBytesError
 		if errors.As(err, &maxBytesErr) {
 			app.payloadTooLargeResponse(w, r, s3FilePartTooLargeMsg)
@@ -371,6 +428,10 @@ func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, _ http
 			app.forbiddenResponse(w, r, fmt.Sprintf("access denied uploading to S3 '%s/%s'", bucket, resolvedKey))
 			return
 		}
+		if isS3ConnectivityError(err) {
+			app.serviceUnavailableResponseWithMessage(w, r, err, s3ConnectivityErrorMessage(bucket))
+			return
+		}
 		app.serverErrorResponse(w, r, fmt.Errorf("error uploading file to S3: %w", err))
 		return
 	}
@@ -560,7 +621,9 @@ func (app *App) GetS3FileSchemaHandler(w http.ResponseWriter, r *http.Request, _
 		return
 	}
 
-	ctx := r.Context()
+	ctx, cancel := context.WithTimeout(r.Context(), s3MetadataTimeout)
+	defer cancel()
+
 	schemaResult, err := s3.client.GetCSVSchema(ctx, s3.bucket, key)
 	if err != nil {
 		var noSuchKey *types.NoSuchKey
@@ -595,6 +658,11 @@ func (app *App) GetS3FileSchemaHandler(w http.ResponseWriter, r *http.Request, _
 			return
 		}
 
+		if isS3ConnectivityError(err) {
+			app.serviceUnavailableResponseWithMessage(w, r, err, s3ConnectivityErrorMessage(s3.bucket))
+			return
+		}
+
 		app.serverErrorResponse(w, r, err)
 		return
 	}
@@ -637,7 +705,9 @@ func (app *App) GetS3FilesHandler(w http.ResponseWriter, r *http.Request, _ http
 		return
 	}
 
-	ctx := r.Context()
+	ctx, cancel := context.WithTimeout(r.Context(), s3MetadataTimeout)
+	defer cancel()
+
 	result, err := s3.client.ListObjects(ctx, s3.bucket, s3int.ListObjectsOptions{
 		Path:   params.path,
 		Search: params.search,
@@ -657,6 +727,11 @@ func (app *App) GetS3FilesHandler(w http.ResponseWriter, r *http.Request, _ http
 			return
 		}
 
+		if isS3ConnectivityError(err) {
+			app.serviceUnavailableResponseWithMessage(w, r, err, s3ConnectivityErrorMessage(s3.bucket))
+			return
+		}
+
 		app.serverErrorResponse(w, r, err)
 		return
 	}