Problem
Scion Ops Kubernetes rounds exposed several upstream Scion issues:
- file secrets restored through Hub can arrive base64-encoded, but the Kubernetes runtime was mounting the encoded bytes directly
- workspace sync can fail when a mounted home/config file already exists in the agent image
- Gemini CLI starts were using --prompt-interactive, which can leave a Kubernetes agent in an interactive TUI instead of completing a non-interactive task
- shallow clone/fetch of branches with slash names did not always create origin/ for checkout
- unknown git fetch/clone failures were reported as possible token failures even when the output did not indicate auth
Desired outcome
Kubernetes broker agents should start non-interactively with auth-file credentials, fetch branch names reliably, and report git failures accurately enough for operators to debug.
Verification
- go test ./pkg/runtime ./pkg/harness ./cmd/sciontool/commands
- deploy the dev Scion binary into the scion-ops kind Hub
- start and monitor a Kubernetes scion-ops MCP round through final review
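
An added example, not Scion's own code, of the last item under Problem: report a token failure only when the git output actually indicates auth, and keep everything else as unknown. The function name, the category strings and the marker list are assumptions made for this sketch; the sample outputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// authMarkers are lowercased substrings git prints on credential failures.
// The list is an assumption for this example, not Scion's own list.
var authMarkers = []string{
	"authentication failed",
	"could not read username",
	"could not read password",
	"terminal prompts disabled",
	"permission denied (publickey)",
	"returned error: 401",
	"returned error: 403",
}

// ClassifyGitFailure (hypothetical helper) returns "auth" only when the output
// carries an auth marker, "ref" for a missing remote branch, else "unknown".
func ClassifyGitFailure(output string) string {
	out := strings.ToLower(output)
	for _, m := range authMarkers {
		if strings.Contains(out, m) {
			return "auth"
		}
	}
	if strings.Contains(out, "couldn't find remote ref") ||
		(strings.Contains(out, "remote branch") && strings.Contains(out, "not found")) {
		return "ref"
	}
	return "unknown"
}

func main() {
	// Constructed sample outputs, one per category.
	samples := []string{
		"fatal: Authentication failed for 'https://example.invalid/repo.git/'",
		"fatal: couldn't find remote ref feature/login",
		"fatal: unable to access 'https://example.invalid/repo.git/': Could not resolve host: example.invalid",
	}
	for _, s := range samples {
		fmt.Printf("%-8s %s\n", ClassifyGitFailure(s), s)
	}
}
```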