feat: adds ambient-sdk w/ python,go,typescript sdks#677
feat: adds ambient-sdk w/ python,go,typescript sdks#677jeremyeder merged 9 commits intoambient-code:mainfrom
Conversation
markturansky
force-pushed
the
feat/ambient-sdk3
branch
from
df7b1d3 to
fe6d570
Compare
This comment has been minimized.
This comment has been minimized.
Claude Code ReviewSummaryPR #677 adds a multi-language SDK ( Issues by Severity🚫 Blocker Issues1. Go SDK is missing its core HTTP client ( All five generated API files ( 2. Python SDK is missing its core HTTP client ( All generated API files call 3. Python SDK is missing
🔴 Critical Issues4. TypeScript
5. URL injection risk in all Go SDK ID path construction All // go-sdk/client/session_api.go:37
a.client.do(ctx, http.MethodGet, "/sessions/"+id, ...)If 6. Generator tests are absent
🟡 Major Issues7.
8.
9. No SDK CI pipeline None of the existing GitHub Actions workflows build, lint, or test the SDK components. The 10. The README documents 🔵 Minor Issues11. Python # python-sdk/ambient_platform/_session_api.py:47
def list_all(self, size: int = 100, **kwargs: Any) -> Iterator[Session]:
12. Python
13. Python return {k: v for k, v in self._params.items() if v}This silently drops 14. TypeScript errorData = await resp.json() as APIError; // ts-sdk/src/base.ts:97and return resp.json() as Promise<T>; // base.ts:118These are unchecked casts. While unavoidable at the HTTP boundary, the error path silently accepts malformed server responses. Consider adding a 15. The production manifest comment move ( Positive Highlights
Recommendations
🤖 Generated with Claude Code 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
Claude Code ReviewSummaryPR #677 introduces a multi-language SDK generator and generated Go, Python, and TypeScript client libraries for the Ambient Platform public API. The overall architecture is sound — OpenAPI-spec-driven generation, consistent builder patterns, good security defaults for token handling, and proper pagination iterators across all three languages. However, there are critical bugs that prevent the Go SDK from compiling, a functional routing bug in the TypeScript SDK, and a public API typo in the Python SDK. Issues by Severity🚫 Blocker Issues1. Go SDK does not compile —
// client.go:147 — COMPILE ERROR: types.ErrorResponse undefined
var apiErr types.ErrorResponseThe README.md documents this type as: type ErrorResponse struct { Error string; Details string }...but this struct was never generated into the 2. Go SDK does not compile —
// client.go:151-158 — COMPILE ERROR: unknown fields Message, Details
return &types.APIError{
StatusCode: resp.StatusCode,
Message: apiErr.Error, // field does not exist
Details: apiErr.Details, // field does not exist
}Both blockers are in the same generated file and stem from the 🔴 Critical Issues3. TypeScript SDK hits wrong API paths — missing The Go and Python SDKs prepend the base path before every request: // client.go
url := c.baseURL + "/api/ambient-api-server/v1" + path# client.py
url = urljoin(self._base_url + "/", f"api/ambient-api-server/v1{path}")The TypeScript // base.ts
const url = `${config.baseUrl}${path}`;
// session_api.ts calls: ambientFetch(config, 'POST', '/sessions', ...)
// Result: http://localhost:8080/sessions ← WRONG
// Expected: http://localhost:8080/api/ambient-api-server/v1/sessionsTypeScript users with Fix: add the prefix in 4. Developer's local filesystem path in every generated file header All generated files include: This leaks the original developer's home directory path to every SDK consumer. Remove the 🟡 Major Issues5. Python
def project_settingss(self) -> ProjectSettingsAPI: # double-sThis is a generator bug: the template naively appends 6.
func sanitizeLogURL(rawURL string) string {
tokenPattern := regexp.MustCompile(`([Bb]earer\s+)[a-zA-Z0-9\-_~.+/=]+`)
return tokenPattern.ReplaceAllString(rawURL, "${1}[REDACTED]")
}This function applies a Bearer-token redaction regex to URL strings. Tokens appear in 7. CLAUDE.md contains development scaffolding — coordinator server at
This is active-development scaffolding that should not be committed to the repository. External contributors and CI pipelines should not see (or attempt to reach) a local development server. Remove or replace with standard contribution guidelines before merge. 8. README.md shows incorrect Go module path
go get github.com/ambient/platform-sdkThe actual module path (from This will mislead users attempting to install the SDK. Also, the README still lists Python and TypeScript SDKs as "Phase 3" / "future" checkboxes, but both are already implemented in this PR. 🔵 Minor Issues9. Python
import re # never referenced in client.pyDead import from the generator template. Remove it. 10.
11. Hand-rolled
12. TypeScript
params.set('size', String(Math.min(opts.size, 65500)));
13.
Positive Highlights
RecommendationsPrioritized action items before merge:
🤖 Generated with Claude Code 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
Claude Code ReviewSummaryThis PR introduces a new Issues by Severity🚫 Blocker Issues1. Python test suite references non-existent API accessors — tests will fail
The tests appear to have been written for a broader OpenAPI spec that includes more resources than are currently in the generated output. Either the tests need to be pruned to match the current generated code, or the spec needs to be expanded to generate the missing resources. 2. Python SDK public API typo:
def project_settingss(self) -> ProjectSettingsAPI: # ← typo: extra 's'This is a public method name bug in a generated SDK. The generator template ( 3. Token validation missing in generated Python client, contradicting tests
These tests will fail because no token validation exists in the generated client. The CLAUDE.md for this component also states: "Tokens are validated on client construction". The token validation needs to be added to the generator template. 🔴 Critical Issues4. Developer's local filesystem paths leaked in all generated file headers Every generated file (Go, Python, TypeScript) contains: This leaks the developer's username ( 5. Developer cluster URL and username in committed README
This exposes a specific developer's production OpenShift cluster hostname. Replace with a placeholder like 6. Go SDK token stored as plain string, not The 🟡 Major Issues7. Generator:
files := []string{
specPath,
filepath.Join(specDir, "openapi.sessions.yaml"),
filepath.Join(specDir, "openapi.projects.yaml"),
// ...
}If a new resource is added (e.g., 8. Go SDK:
func (c *Client) do(ctx context.Context, method, path string, ...) error {
url := c.baseURL + "/api/ambient-api-server/v1" + path // shadows "url" packageThe 9. README.md module paths do not match actual module
go get github.com/ambient/platform-sdk // ← wrong
import "github.com/ambient/platform-sdk/client" // ← wrongThe actual Go module is 10.
11. No CI coverage for the new SDK component No CI workflow is added or modified to run 12. Default port inconsistency between SDKs
🔵 Minor Issues13. Custom The 20-line hand-rolled 14. TypeScript SDK lacks URL validation present in Go and Python SDKs Go and Python SDKs reject 15. Ignored error in Go example
reposJSON, _ := json.Marshal(...) // error silently discardedExample code is often copy-pasted. Unhandled errors in examples encourage bad practices. 16. "Development Status :: 5 - Production/Stable",The SDK is new and the smoke test currently returns 404 (per 17. Generator template path resolution is fragile
18.
These appear to be AI agent coordination instructions from an active development session and were likely not intended to be committed as permanent documentation. They should be removed before the SDK is public-facing. Positive Highlights
RecommendationsPriority order:
🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
markturansky
force-pushed
the
feat/ambient-sdk3
branch
from
acaaa17 to
21be30f
Compare
Claude Code ReviewSummaryPR #677 introduces a new Issues by Severity🚫 Blocker Issues1. Developer machine path embedded in generated Python files
The Go SDK correctly uses a relative path ( 2. Python SDK is duplicated — generator bug Files exist at BOTH
The generator writes to 3. Test suite in # test_client.py:149-178 — all of these fail with AttributeError
def test_agents_accessor(self):
assert self.client.agents is not None # AmbientClient has no .agents
def test_tasks_accessor(self):
assert self.client.tasks is not None # AmbientClient has no .tasks
def test_skills_accessor(self):
assert self.client.skills is not None # AmbientClient has no .skillsThe generated 4. Token validation tests will fail —
5.
assert client._base_path == "/api/ambient-api-server/v1"No 🔴 Critical Issues6.
def project_settingss(self) -> ProjectSettingsAPI: # typo: double 's'Should be 7. Go client stores token as plain
type Client struct {
token string // plain string, no SecureToken wrapperThe component's own 8. Generator uses deprecated
"title": strings.Title,Deprecated since Go 1.18. 🟡 Major Issues9. README Go module path is wrong
10. README directory structure doesn't match reality
11.
This is development-time multi-agent tooling with a localhost server reference that won't exist in any environment. The 12.
13. Python accessors are methods, not properties — inconsistent with test expectations Tests call 14. No CI integration for the SDK The 🔵 Minor Issues15. Empty 16. Non-idiomatic HTTP body construction in Go client
17. TypeScript client lacks URL/token format validation — Go and Python validate URLs (reject 18. Tests assert on private attributes — 19. Python Positive Highlights
RecommendationsPriority 1 — must fix before merge:
Priority 2 — should fix before merge: Priority 3 — follow-up PR: 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
Claude Code ReviewSummaryThis PR introduces a substantial new Overall the approach is solid, but there are several issues ranging from test/implementation drift (tests reference APIs that don't exist yet) to a leaked absolute local path in committed files, a method name typo, and silent parameter drops in the Go client. Issues by Severity⛔ Blocker Issues1. Test suite references resources that don't exist in generated SDK
Action: Reconcile the test file with the current generated output OR regenerate the SDK from the complete OpenAPI spec. 🔴 Critical Issues2. Absolute local developer path leaked in generated file header
This exposes a contributor's home directory in committed, public-facing SDK code. The Go SDK correctly uses a relative path. Fix the Python generator template ( 3.
4. Go
5. Python
🟡 Major Issues6.
7. CLAUDE.md commits localhost coordinator server protocol
8. Stale duplicate Python files at The PR includes 9. Go/TypeScript validation inconsistency on
10. Python Go SDK falls back to 11. No Go unit tests Python and TypeScript both ship unit test suites. The Go SDK has only examples. Unit tests for client construction, URL validation, error parsing, and :blue_circle: Minor Issues12. Inefficient body encoding in Go
13. 14. 15. No SDK integration in root Makefile or CI pipeline — SDKs won't be validated in PR checks without explicit CI steps. Positive Highlights
RecommendationsPriority order before merge:
🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
…nerator docs Key changes: - Add generated Python SDK with full CRUD client for all 4 resources - Regenerate Go and TypeScript SDKs with relative spec paths and corrected default URL (8080) - Update generator.md with TypeScript support, CI integration, and security documentation - Update production kustomization overlay
markturansky
force-pushed
the
feat/ambient-sdk3
branch
from
21be30f to
cca1084
Compare
|
Rebased. All feedback addressed to date. |
Claude Code ReviewSummaryThis PR introduces a new components/ambient-sdk/ component: a Go-based SDK generator driven by OpenAPI spec, and generated Go, Python, and TypeScript SDKs with CRUD and action support for sessions, projects, project settings, and users. The architecture (generator to spec to SDKs) is sound and the documentation is excellent. However, several blockers prevent the generated code from passing its own test suite, and there are structural bugs in the generator. Issues by SeverityBlocker Issues1. Generated Python client.py fails its own test suite test_client.py tests features NOT implemented in the generated client.py. Pytest would fail:
The template http_client.py.tmpl is the source of truth and also lacks these validations. Fix the template then regenerate. 2. Missing @Property decorator on Python accessor methods http_client.py.tmpl line 155 generates plain methods. Tests access them as properties (client.sessions not client.sessions()). Without @Property, client.sessions returns a bound method, not a SessionAPI. The test self.client.sessions is api will fail because each attribute access creates a distinct bound-method object in Python. 3. Generator pluralization bug: project_settingss double-s generator/model.go lines 208-209 appends 'es' when a name ends in 's'. ProjectSettings snake_cases to project_settings (ends in 's'), yielding project_settingses via the template. The committed generated code shows project_settingss (simple +s), meaning the committed output was built from a different generator version. Either way both are wrong API names. The generator needs an exceptions map for already-plural words. Critical Issues4. Template/generated code divergence The committed generated files were not produced by the templates in this PR:
Run make generate-sdk and commit freshly generated output before merging. 5. TypeScript SDK excluded from Makefile Makefile lines 11-21 only generate Go and Python. The TS SDK is hand-managed with no regeneration path. If the OpenAPI spec changes, the TS SDK will silently drift. Major Issues6. _base_path should be a named attribute -- tests expect client._base_path == /api/ambient-api-server/v1 on line 81 of test_client.py. Extract as a class constant in the template. 7. pluralize() fragile for irregular plurals -- model.go:206-215 uses simplistic suffix-replacement. Any future resource ending in 's' produces wrong accessor names. Consider github.com/gertd/go-pluralize or an explicit exceptions map. 8. toGoName() can panic on empty rune slice (model.go:54) -- a leading underscore in an OpenAPI field name produces an empty part after splitting, causing runes[0] to panic. Add: if len(runes) == 0 { continue } 9. Silent schema parsing failures in parser.go -- bare ok checks with silent continue (~lines 195, 214, 284) swallow schema errors. Convert to log.Printf WARN or return explicit errors. 10. Token validation documented but not implemented -- authentication.md specifies sha256~ prefix, JWT dot-structure, GitHub ghp_/gho_/ghu_/ghs_ prefixes, 20-char minimum. None is implemented in any http_client.*.tmpl template. Add validation to all three language templates. Minor Issues
Positive Highlights
Recommendations (priority order before merge)
Generated with Claude Code 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
Claude Code ReviewSummaryPR 677 introduces a new components/ambient-sdk component: a code generator (Go) that reads an OpenAPI spec and emits client libraries in Go, Python, and TypeScript. The security fundamentals are strong (dual-layer token redaction in Go, input validation, no K8s dependencies in the SDK) but there are several gaps between the template/generated code, inconsistent documentation, a leaked internal environment variable name, and a missing TypeScript flag in the Makefile that should be addressed before merge. Issues by SeverityBlocker Issues1. Generated client.go is out of sync with the generator template generator/templates/go/http_client.go.tmpl includes OrderBy and Fields query parameter handling in doWithQuery() (template lines 195-199), but go-sdk/client/client.go (generated 2026-02-24) is missing both parameters entirely. Running make generate-sdk would produce a different file than what is committed. Either regenerate after template finalization, or lock the template to match the committed output before merging. 2. Makefile generate-sdk target is missing --ts-out The generator binary accepts a -ts-out flag (confirmed in generator/main.go) and the TypeScript SDK exists in ts-sdk/, but the Makefile only passes -go-out and -python-out. Additionally, verify-sdk only compiles Go and does a Python import check -- it never runs npm run build or tsc for TypeScript. After the first API spec update, the TypeScript SDK will silently diverge. Critical Issues3. ANTHROPIC_VERTEX_PROJECT_ID leaks an internal implementation concept into a public SDK go-sdk/client/client.go:99 and the generator template both fall back to ANTHROPIC_VERTEX_PROJECT_ID as an alias for AMBIENT_PROJECT, and this internal env var name appears directly in the error message returned to SDK users. The same pattern appears in go-sdk/examples/main.go:32. External users have no context for what ANTHROPIC_VERTEX_PROJECT_ID means. Remove this fallback or restrict it to strictly internal usage. 4. README.md is severely stale and contradicts the actual implementation
This README will immediately mislead first-time SDK users. Major Issues5. CLAUDE.md references SecureToken type that does not exist in generated code components/ambient-sdk/CLAUDE.md states that SecureToken wraps tokens and implements slog.LogValuer, and that sanitizeLogAttrs provides defense-in-depth log sanitization. Neither SecureToken nor sanitizeLogAttrs appear in go-sdk/client/client.go -- the token is stored as a plain string and only sanitizeLogURL() is present. CLAUDE.md describes aspirational security architecture that was not implemented. Update CLAUDE.md to match the actual implementation, or implement the described types. 6. Production kustomization change lacks PR description context components/manifests/overlays/production/kustomization.yaml has a +1/-1 change with no mention in the PR description. Production manifest changes should always be explicitly described to support rollback decisions and audit trails. 7. SDK ships with a known-broken end-to-end smoke test CLAUDE.md documents: It currently returns 404 because the API server has not been migrated to serve /api/ambient-api-server/v1/sessions yet. This should be captured as a follow-up issue so it does not silently persist. 8. io.NopCloser(strings.NewReader(string(body))) is unnecessarily verbose go-sdk/client/client.go:117 converts []byte body to string, wraps in strings.NewReader, then wraps in io.NopCloser. More idiomatic: pass bytes.NewReader(body) directly to http.NewRequestWithContext. Since this is in the generator template, fixing it propagates to all generated clients. Minor Issues9. sanitizeLogURL() will never match tokens in practice The function is called with the bare URL -- tokens are passed in headers, not query strings. The regex is correct but will never trigger on a URL. 10. go.sum files are empty -- verify go mod tidy was run Both go-sdk/go.sum (0 lines) and examples/go.sum (0 lines) are committed empty. For the examples module which depends on go-sdk via a replace directive, confirm go mod tidy was run and the replace directive is in examples/go.mod. 11. test.sh relationship to pytest-based tests is undocumented python-sdk/test.sh (231 lines) coexists with pytest-based unit tests in python-sdk/tests/ with no documentation of when to run which or which is required for CI. 12. docs/architecture.md references ../working.md as a coordination protocol This appears to be a session-level coordination artifact, not a committed project file. Linking it from architecture docs that external contributors will read is confusing. Positive Highlights
RecommendationsBefore merge (in priority order):
Follow-up issues to file:
🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
Claude Code ReviewSummaryThis PR introduces a significant new component: a multi-language SDK generator plus generated Go, Python, and TypeScript client libraries for the Ambient Platform public API. The overall architecture is clean — a Go-based code generator reads OpenAPI specs and produces idiomatic clients in all three languages. Token security is handled well across the board, and the builder patterns are ergonomic. However, there are two failing tests and one compile error in the Go examples that need to be fixed before merge. Issues by Severity🚫 Blocker Issues1. Python test The actual error raised by 2. Python test typo causes assert self.client.project_settingss is not None # double 's'The property is 3. Go examples won't compile —
Fix: either add 🔴 Critical Issues4.
5. Validation inconsistency across SDKs — project name charset
Go checks length but not the character set that Python enforces. TypeScript validates nothing beyond non-empty. Users switching SDKs will hit surprising failures. 🟡 Major Issues6. TypeScript client has no URL validation Go and Python reject 7.
8. Hardcoded resource and action lists in parser Resources ( 9. Frozen dataclasses block 🔵 Minor Issues10. Go 11. 12. 13. Positive Highlights
RecommendationsPriority order before merge:
Review by Claude Code (claude-sonnet-4-6) 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
…nd bug fixes Key changes: - Replace deprecated strings.Title with safe rune-based title function in generator - Replace custom itoa() with strconv.Itoa() in Go SDK - Add input validation to TS SDK (token length, placeholder, project length, URL scheme) - Fix URL construction in Python SDK (urljoin → string concat) - Allow underscores in project names across SDKs - Remove Interactive field from session - Fix struct field alignment and trailing whitespace in Go SDK - Simplify Python test suite
Claude Code ReviewSummaryPR #677 introduces a code-generated multi-language SDK (Go, Python, TypeScript) for the Ambient Platform's public REST API. The design is solid — clean builder pattern, good token security posture, and proper API/query layer separation. However, there are a few issues ranging from a committed binary (blocker) to a nil-dereference bug and a failing test that should be addressed before merge. Issues by Severity🚫 Blocker Issues1. Compiled binary committed to git — The PR includes a 5.3MB ELF x86-64 executable committed directly into the repository (
Fix: Add 🔴 Critical Issues2. Nil pointer dereference in all Every resource's // go-sdk/client/session_api.go:95
func (a *SessionAPI) ListAll(ctx context.Context, opts *types.ListOptions) *Iterator[types.Session] {
return NewIterator(func(page int) (*types.SessionList, error) {
o := *opts // ⚠️ PANIC if opts is nil
o.Page = page
return a.List(ctx, &o)
})
}A caller using Fix: Guard against nil opts: var o types.ListOptions
if opts \!= nil {
o = *opts
}
o.Page = page3. Failing test —
def test_project_settingss_accessor(self):
assert self.client.project_settingss is not None # double 's' — AttributeErrorThe correct attribute is Fix: Rename to 🟡 Major Issues4. Generator hardcodes spec source path, ignoring the
// Uses -spec flag for parsing, but overrides it with a hardcoded path for the generated comment
relativeSpecPath := "../../ambient-api-server/openapi/openapi.yaml"
header := GeneratedHeader{
SpecPath: relativeSpecPath, // always this, regardless of -spec
...
}The Fix: Derive 5. Generated timestamps cause unnecessary churn in version control Every generated file includes: Re-running the generator with an unchanged spec will modify every generated file's timestamp, creating meaningless diffs and making Fix: Remove the 6. Inconsistent URL validation across SDKs — TS SDK missing placeholder domain check Go and Python SDKs both reject placeholder domains: // Go
if strings.Contains(rawURL, "example.com") || strings.Contains(rawURL, "placeholder") { ... }# Python
if "example.com" in self._base_url or "placeholder" in self._base_url: ...The TypeScript Fix: Add placeholder domain validation to the TS 7. Python
def _request(
self,
method: str,
path: str,
*,
json: Optional[dict[str, Any]] = None, # shadows the 'import json' module
...
) -> Any:Within Fix: Rename the parameter (e.g., 🔵 Minor Issues8. Production kustomization change included in SDK PR
9.
10. Python PEP 8: missing blank lines before property definitions
11.
Positive Highlights
Recommendations
🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
…o, harden test inputs
Claude Code ReviewSummaryThis PR introduces a substantial new component: a code generator and three SDK implementations (Go, Python, TypeScript) for the Ambient Platform public API. The overall design is solid — consistent builder patterns, input validation across all three SDKs, and a clean OpenAPI-driven generator. The SDK is correctly scoped as an external client library with no Kubernetes dependencies, matching its stated intent. Key facts: 14,763 lines added across 88 files. Only 1 line deleted (the kustomization.yaml change). Issues by SeverityBlocker IssuesNone. This is additive — it does not touch existing platform components and failing SDKs will not break the running system. Critical Issues1. Nil pointer dereference in Go SDK ListAll File: components/ambient-sdk/go-sdk/client/session_api.go:93-99 The opts parameter is a pointer with no nil guard. Callers passing nil will get a runtime panic inside the iterator's first Next() call (not at construction), making it hard to debug. The same pattern applies to all other resource ListAll methods generated from the template. Concrete example: o := *opts panics if opts is nil. Fix: Add a nil check before the copy: if opts == nil { opts = &types.ListOptions{} } 2. TypeScript SDK allows example.com as baseURL; test validates this behavior File: components/ambient-sdk/ts-sdk/tests/client.test.ts:41-48 The test 'strips trailing slashes from baseUrl' uses https://api.example.com/// and expects the client to be created successfully. The Go SDK (validateURL) and Python SDK (_validate_config) both reject URLs containing example.com. The TypeScript AmbientClient constructor has no equivalent guard. This inconsistency is a correctness issue — the test accidentally documents it as expected behavior. Major Issues3. Parameter name json shadows the standard library import in Python client File: components/ambient-sdk/python-sdk/ambient_platform/client.py:105-113 The _request method has a parameter named json which shadows the json module imported at the top of the file. While httpx handles JSON serialization internally (so the shadowed module is not invoked inside _request), mypy strict mode should catch this and the naming creates unnecessary confusion. A name like body or json_body avoids the collision. The fix belongs in http_client.py.tmpl. 4. Page size cap is inconsistent across SDKs
The magic number 65500 is undocumented and only enforced in two of three SDKs. The Go SDK silently allows unbounded page sizes. Either document why this cap exists and enforce it consistently, or remove it if the API server enforces its own limit. 5. Generator computeSpecHash has a hardcoded file list File: components/ambient-sdk/generator/main.go:357-364 The function hardcodes exactly four OpenAPI sub-spec filenames. When new OpenAPI resource files are added, the hash will not include them, causing generated files to appear up-to-date when they are stale. The file list should be derived from the resourceFiles map in parser.go or auto-detected by globbing openapi.*.yaml. 6. Token format validation described in CLAUDE.md is not implemented File: components/ambient-sdk/CLAUDE.md:92 The CLAUDE.md states token format validation covers OpenShift sha256~, JWT (3 dot-separated base64 parts), and GitHub ghp_/gho_/ghu_/ghs_ prefixes. All three SDKs only check len(token) >= 20 and reject literal placeholder strings. Either implement the format validation (catches misconfiguration early) or remove the claim from CLAUDE.md to avoid misleading future contributors. 7. PEP 8 violation in generated Python — missing blank lines before @Property File: components/ambient-sdk/python-sdk/ambient_platform/client.py:171-173 PEP 8 requires two blank lines between method definitions at class level. There is no blank line between exit and the first @Property. Since client.py is generated, the fix belongs in http_client.py.tmpl. Minor Issues8. Three identical template data structs File: components/ambient-sdk/generator/main.go:82-98 goTemplateData, pythonTemplateData, and tsTemplateData are structurally identical. A single templateData struct would simplify the generator and reduce future drift. 9. resourceFiles map iteration order is non-deterministic File: components/ambient-sdk/generator/parser.go:40-54 Go maps randomize iteration order. Resources are sorted by name afterward so the final output is deterministic, but error messages during the resource loop may appear in arbitrary order. Cosmetic, but worth noting. 10. ListOptions.to_params silently drops explicitly-set falsy values File: components/ambient-sdk/python-sdk/ambient_platform/_base.py:106 The comprehension {k: v for k, v in self._params.items() if v} will silently omit page=0 because 0 is falsy. The default initializes page=1 so this is unlikely in practice, but if v is not None would be more correct semantics. 11. Broken kustomization.yaml target indentation (pre-existing, touched by PR) File: components/manifests/overlays/production/kustomization.yaml:38-44 The target: block immediately after the commented-out postgresql-json-patch.yaml path appears intended for that patch but is parsed as the target for unleash-init-db-patch.yaml. Since this file was touched in this PR it is worth confirming whether this matches the intended behavior. 12. Go SDK generator writes partial output on template error File: components/ambient-sdk/generator/main.go:343-351 If tmpl.Execute(f, data) fails midway through, a partially-written file remains on disk. Writing to a bytes.Buffer first and then flushing to disk atomically would prevent confusing half-generated files. Low risk for a developer tool. Positive Highlights
RecommendationsPrioritized action items:
Generated with Claude Code 🔍 View AI decision process (logs available for 90 days) 📋 View memory system files loaded (click to expand)What Amber Loaded for Code ReviewAmber automatically loaded these repository standards from the memory system:
Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines. |
3 participants
Based on new ambient-api-server: