Greptile Summary

This PR adds a read-only Argo CD integration covering client auth (bearer token + session login), credential redaction, URL safety enforcement, source detection, and two investigation tools (ArgoCDApplicationStatusTool, ArgoCDApplicationDiffTool). The implementation is well-structured and security-hardened, but there is one logic defect that breaks a stated use case.

• P1 — list-mode evidence loss: _map_argocd_application_status reads data.get("application", {}) (singular), but list_applications() returns "applications" (plural). When ArgoCDApplicationStatusTool runs without an application_name, all fetched application data is silently dropped from evidence — the "Listing visible Argo CD applications" use case is broken end-to-end.

Confidence Score: 4/5

Safe to merge after fixing the list-mode evidence mapper; the P1 is isolated and doesn't affect the single-app status or diff paths.

One confirmed P1 logic defect: _map_argocd_application_status silently drops all application data in list-mode. All other findings are P2 style/quality suggestions. The rest of the integration — auth, redaction, URL validation, drift detection, and tests — is solid.

app/nodes/investigate/processing/post_process.py (lines 325–329) and app/tools/ArgoCDApplicationStatusTool/init.py (list-mode handling)

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant DS as detect_sources
    participant ST as ArgoCDStatusTool
    participant DT as ArgoCDDiffTool
    participant C as ArgoCDClient
    participant API as Argo CD API

    DS->>DS: Extract app_name / hint from alert
    DS-->>ST: sources[argocd] = {base_url, bearer_token, application_name, ...}

    ST->>C: make_argocd_client(base_url, token)
    alt application_name present
        C->>API: GET /api/v1/applications/{name}
        API-->>C: application payload
        C-->>ST: {application: {...}, recent_history: [...]}
        ST-->>post_process: _map_argocd_application_status → argocd_application, argocd_revision_history
    else application_name absent
        C->>API: GET /api/v1/applications
        API-->>C: {items: [...]}
        C-->>ST: {applications: [...], total: N}
        ST-->>post_process: ⚠️ _map_argocd_application_status drops applications list
    end

    DT->>C: make_argocd_client(base_url, token)
    C->>API: GET /api/v1/applications/{name}/server-side-diff
    API-->>C: {diffs: [...]}
    C-->>DT: {drift_detected: bool, diffs: [sanitized]}
    DT-->>post_process: _map_argocd_application_diff → argocd_drift_detected, argocd_diff

_{Reviews (1): Last reviewed commit: "feat(argocd): add read-only deployment i..." | Re-trigger Greptile}

Updated in b9e297f009f21cc112ff43d65167e8ff946f83bf and addressed the Greptile findings:

• preserved the Argo CD applications list in list-mode evidence mapping instead of dropping it;
• narrowed bearer-prefix stripping so it only applies to bearer tokens, not generic string fields;
• added/updated regression coverage for both cases.

Validation:

• uv run pytest -q tests/services/argocd/test_client.py tests/integrations/test_argocd_catalog_verify.py tests/nodes/plan_actions/test_detect_sources_argocd.py tests/tools/test_argocd_tools.py — passed
• make typecheck — passed
• make lint — passed
• make format-check — passed
• git diff --check — passed
• GitHub checks on the updated head are green: quality, Analyze (python), typecheck, test, and CodeQL passed.

Updated in 99ff09c55e5c2b3c70e205fccc6589d18ec78cbf and addressed the latest Argo CD review comments:

• tightened Argo CD source hints by removing the generic deploy/drift substring triggers and keeping Argo CD/GitOps-specific markers;
• clear cached username/password session tokens on 401, retry once with a fresh session, and keep retired tokens in the redaction set for surfaced errors;
• moved the HTTPS-or-loopback HTTP URL validation into a shared app.utils.url_validation helper used by both integration config and the service client;
• registered argocd_applications as investigated evidence so list-mode status calls count toward the evidence gate.

Validation run locally:

• uv run pytest -q tests/services/argocd/test_client.py tests/integrations/test_argocd_catalog_verify.py tests/nodes/plan_actions/test_detect_sources_argocd.py tests/tools/test_argocd_tools.py tests/nodes/root_cause_diagnosis/test_healthy_short_circuit.py -q → 205 passed
• make lint
• make format-check
• make typecheck
• git diff --check

Nice work. Demo video is missing though? Can you quickly add in the PR description

Follow-up self-review fix in dce3da0bc2d23e188e641d0031eeb951c6ee33b8:

• added argocd_diff to investigated evidence so diff-only Argo CD investigations count the same way status/list-mode investigations do;
• included Argo CD status/list/diff keys in evidence availability so diagnosis does not treat Argo CD-only evidence as missing;
• added regression coverage for the healthy short-circuit and evidence-availability paths.

Additional validation:

• uv run pytest -q tests/nodes/root_cause_diagnosis/test_evidence_checker.py tests/nodes/root_cause_diagnosis/test_healthy_short_circuit.py tests/tools/test_argocd_tools.py tests/services/argocd/test_client.py tests/integrations/test_argocd_catalog_verify.py tests/nodes/plan_actions/test_detect_sources_argocd.py -q → 232 passed
• make lint
• make format-check
• make typecheck
• git diff --check

Added the demo video to the PR description.

It shows the Argo CD setup/configuration, local verification, read-only status/list/diff paths, and secret/diff redaction behavior. Transparency note: the recording uses a live shell with automated input and a local Argo CD-compatible endpoint, so the real OpenSRE code path is exercised without exposing live credentials or Kubernetes Secrets.

setup and usage are documented clearly

missing as per Acceptance criteria

#320

Thanks for the catch. Addressed in the latest commit (250c02a).

Added docs/argocd.mdx and registered it in the docs navigation. The page now covers:

• setup via environment variables, persistent store, and ARGOCD_INSTANCES
• token vs username/password auth, including the no-dual-auth rule
• HTTPS/loopback HTTP behavior and TLS verification
• opensre integrations verify argocd
• investigation usage, supported alert hints, and the two Argo CD evidence tools
• read-only scope and secret/diff redaction behavior

I also updated the multi-instance integrations page to include ARGOCD_INSTANCES.

Local validation passed:

• python -m json.tool docs/docs.json
• git diff --check
• Mintlify local preview served /argocd successfully
• make lint
• make format-check
• make typecheck
• focused Argo CD/evidence pytest slice: 65 passed

Update: the first GitHub Actions run was cancelled before a hosted runner acquired the jobs. I re-pushed the same tree to trigger fresh checks; current head 250c02a is now green (quality, typecheck, test, Analyze (python), and CodeQL passed; Kubernetes/thorough jobs were skipped by workflow rules).

@MestreY0d4-Uninter you still need to add entry here https://github.com/Tracer-Cloud/opensre/blob/main/.env.example for the env vars you created and document it!!

and in your demo I dont understand the command you ran? could you pls run any of the scenario mentioned in the docs instead? and not some unit tests pls

and pls give a walk through whats happening in demo

Thanks for the follow-up notes. I addressed the remaining items in the latest head commit (70e8c32):

• added the Argo CD env vars to .env.example;
• made the documented opensre integrations verify argocd path work from the main CLI;
• kept the catalog key canonical as argocd only, while preserving Argo CD spelling variants only for alert/source hints;
• replaced the PR description demo with a real local kind-hosted Argo CD walkthrough instead of the earlier compatible-endpoint demo;
• verified read-only status/list/diff against that real Argo CD instance, including a live Deployment replica drift scenario where Argo CD reports OutOfSync and ArgoCDApplicationDiffTool returns drift_detected=true.

Validation after the follow-up changes:

• focused related pytest slice: 245 passed;
• make lint: passed;
• make format-check: passed;
• make typecheck: passed;
• git diff --check: passed;
• GitHub Actions on the current head are green (quality, typecheck, test, Analyze/CodeQL; Kubernetes/thorough jobs are skipped by the workflow).

The PR description now includes the updated demo video link and a walkthrough of what is happening in the demo. Credentials are hidden/redacted, and the video OCR/secret scan did not find raw passwords, bearer tokens, JWTs, GitHub tokens, AWS keys, or private keys.

@MestreY0d4-Uninter pls fix merge conflicts

Thanks @muddlebee, fixed.

I rebased the branch onto the latest main and force-pushed the refreshed PR head (8b0ebb67b39fa9babc96c36c9622a2d6450ca799). The merge-conflict blocker is resolved now: GitHub reports mergeStateStatus: CLEAN and the PR still has reviewDecision: APPROVED.

Validation:

• python -m json.tool docs/docs.json
• focused Argo CD/regression slice: 245 passed
• MoA-claim spot checks for Argo CD evidence/session/source-detection paths: 6 passed
• make lint
• make format-check
• make typecheck
• make test-cov: 4053 passed, 2 skipped, 1 xfailed
• GitHub checks are green: quality, typecheck, test, Analyze (python), CodeQL

I also re-checked the earlier review items against the current head; no remaining blocker found.

🎊 Achievement unlocked: PR Merged. @MestreY0d4-Uninter passed code review, survived CI, and shipped. Respect. 🤝

👋 Join us on Discord - OpenSRE : hang out, contribute, or hunt for features and issues. Everyone's welcome.

@MestreY0d4-Uninter nice work. and from next time lets try to keep the commits after rebase/resolve conflicts clean :) difficult to spot any errors or missing..