Queen of San Diego — Tech Blog

Under the hood at queenofsandiego.com

```html

Diagnosing and Remediating a Distributed Agent Orchestrator: JADA Daemon Health Assessment and OAuth Token Lifecycle Management

During a routine infrastructure health check of the JADA agent orchestrator running on AWS Lightsail instance 34.239.233.28, we discovered a critical OAuth token degradation affecting downstream Google Sheets sync operations, alongside expected but noteworthy Claude API turn-limit behavior in complex agentic workflows. This post details the diagnostic methodology, root cause analysis, and remediation strategy for production daemon orchestration.

Objective and Scope

The JADA agent daemon is a long-running orchestrator that:

  • Polls a task progress dashboard at regular intervals
  • Executes multi-turn Claude API agentic sessions (max 30 turns per session)
  • Delegates automation tasks: content generation, analytics queries, infrastructure management
  • Syncs completion states back to tracking systems
  • Manages subordinate sync processes (port sheet syncing, GA reporting, etc.)

This assessment aimed to verify service health, validate active task processing, identify error patterns, and flag degraded external integrations.

Diagnostic Approach: Multi-Layer Validation

Because the SSH private key (jada-key) was not available in the local ~/.ssh directory, we employed AWS Lightsail's temporary credential API as the access vector:

# Retrieve temporary SSH access credentials from Lightsail API
# (No key material stored locally; credentials generated on-demand)
aws lightsail get-instance-access-details \
  --instance-name jada-agent \
  --region us-east-1

# Extract certificate and temporary key, validate OpenSSH format
# Connect via SSH using cert + private key pairing
ssh -i /tmp/jada-temp-key ubuntu@34.239.233.28

This approach follows the principle of ephemeral credential rotation: credentials are generated per-session, time-limited, and automatically revoked. No persistent SSH keys are stored on developer machines, reducing attack surface for long-lived secrets.

Service Health: Active and Stable

The jada-agent.service systemd unit was confirmed running and healthy:

  • Uptime: 3 days (since May 10, 2026)
  • Host uptime: 11 days — instance is stable
  • Load average: 0.00 (essentially idle between tasks)
  • CPU utilization: ~0.65% average across 2-hour window — normal for a 60-second polling loop
  • Memory footprint: 144MB / 914MB (15.8% utilization)
  • Disk usage: 6.2GB / 39GB (17%) — ample headroom for logs and task state
  • AWS status checks: 0 failures in last 2 hours

No CPU spikes, no memory leaks, no disk pressure. The daemon's core orchestration function is operating nominally.

Task Processing Activity and Turn-Limit Behavior

Session logs for May 13, 2026 (UTC) revealed three distinct agent sessions:

Session Time (UTC) Outcome Exit Code
1 00:00 Hit max turns (30) 1
2 00:02 Completed successfully 0
3 00:05 Hit max turns (30) 1

Key observation: Sessions 1 and 3 exited with code 1 because they reached the 30-turn limit imposed by the Claude API integration in /Users/cb/Documents/repos/tools/auth_ga.py and related orchestration scripts. This is not a crash or a service failure—it is expected behavior when tasks are sufficiently complex to consume all allocated turns.

Session 2, which completed successfully (exit code 0), processed two meaningful tasks:

  • Resolved blockers on the e-signature link integration
  • Generated automation for crew page builder
  • Created a "needs-you" task (delegating to human review) for downstream action

The daemon correctly continued polling after sessions 1 and 3 exited. No tasks remained queued post-session-3, so the daemon entered idle polling mode (expected behavior between task arrival).

Critical Issue: Google OAuth Token Degradation in Port Sheet Sync

The port_sheet_sync.py subprocess has been failing every 30 minutes with:

[port-sheet] token error: HTTP Error 400: Bad Request

This indicates the Google OAuth token stored for port sheet synchronization is either:

  • Expired (OAuth tokens have finite lifespans; refresh tokens may have been revoked)
  • Revoked (user revoked access in Google Account settings)
  • Invalid scope (token lacks required Google Sheets API scopes)

Port sheet syncs have not run successfully since at least afternoon UTC on May 13. This is a data integrity issue: any changes to the port sheet tracking database are not being reflected in Google Sheets, and vice versa.

Root cause: OAuth token lifecycle management for service accounts and long-running daemons requires periodic re-authorization, especially if the token is stored in plaintext or if the refresh token grant expires (Google's default is 6 months of