Queen of San Diego — Tech Blog

Under the hood at queenofsandiego.com

```html

Diagnosing and Remediating the JADA Agent Daemon: OAuth Token Expiration, Turn Limits, and Multi-Site Orchestration

Over the past development session, we performed a comprehensive health audit of the JADA orchestrator daemon running on our Lightsail instance (34.239.233.28), identified a critical OAuth token failure in the port sheet sync pipeline, and validated the daemon's task handling under the current Claude API turn constraints. This post documents the diagnostic approach, findings, and remediation path.

What Was Done

  • Established SSH access to the Lightsail instance via temporary credentials from the Lightsail API (since the persistent private key was not stored locally)
  • Collected full daemon health metrics: service status, uptime, CPU/memory/disk utilization, and CloudWatch status checks
  • Parsed daemon logs to identify session completion patterns, error conditions, and task queue state
  • Isolated a critical OAuth token failure in the port_sheet_sync.py script affecting Google Sheets sync every 30 minutes
  • Documented the recurring "max turns (30)" exit code 1 pattern and its relationship to task complexity
  • Verified that the daemon gracefully handles turn-limit exits and resumes on the next polling cycle

Technical Details: Daemon Health Assessment

Service Status and Uptime

The jada-agent.service systemd unit is active and running since May 10, 2026—a healthy 3-day uptime with no unexpected restarts. The instance itself has been up for 11 days, indicating stable infrastructure. Load average measures 0.00 between polling cycles, confirming the daemon operates in an idle state until tasks arrive from the progress dashboard queue.

Resource Utilization

CPU baseline: ~0.65% average during the 60-second polling loop, with no observed spikes. This is expected behavior for a lightweight orchestrator that blocks on queue reads. Memory consumption sits at 144MB of 914MB available—well within acceptable bounds. Disk usage is 6.2GB of 39GB (17%), leaving ample headroom for logs and artifacts. All AWS Lightsail status checks have passed in the last 2 hours with zero failures.

Session Activity Breakdown (UTC, May 13)

  • Session 1 (00:00): Exited with code 1 after hitting the 30-turn Claude API limit. No errors logged beyond the turn ceiling.
  • Session 2 (00:02): Completed successfully. Processed blockers on the e-signature and crew page generator code. Created a needs-you task in the progress dashboard for manual review.
  • Session 3 (00:05): Hit the 30-turn limit again, exited code 1. After this run, daemon polling found no new tasks and entered idle state (normal behavior).

Session 4 and beyond remained quiet, with the daemon polling the task queue every 60 seconds and finding nothing new. This is the expected steady state.

Critical Finding: Port Sheet Sync OAuth Token Failure

The port_sheet_sync.py script, which maintains synchronization between our internal port availability tracking system and a shared Google Sheet, has been failing every 30-minute sync cycle since at least May 13 afternoon (UTC). The error appears consistent in the daemon logs:

[port-sheet] token error: HTTP Error 400: Bad Request

This indicates that the stored Google OAuth token for the service account or user account backing the sheet sync has either expired or been revoked. The script attempts to refresh the token using the stored credentials but receives a 400 Bad Request from the Google OAuth 2.0 endpoint—a strong signal that the refresh token itself is invalid or has been manually revoked.

Root Cause Analysis

During the session, we verified that the GA4 authentication flow (in auth_ga.py) successfully reuses an existing client_id and client_secret stored in the secrets directory. However, the port_sheet_sync.py script uses a different OAuth flow, likely with its own service account credentials or user-level refresh token. That token has reached end-of-life or been explicitly revoked, preventing any new sheet synchronization.

Impact

Port sheet data (vessel availability, crew scheduling, booking windows) is no longer updating in Google Sheets. Any downstream automation or manual reports relying on that sheet are reading stale data. The daemon continues to run and handle other tasks normally; this is a localized credential failure, not a systemic issue.

Secondary Pattern: Claude API Turn Limits and Task Complexity

Two of today's three agent sessions exited with code 1 after consuming all 30 available turns in a single invocation. This is not a crash or error in the traditional sense—the daemon logs it as an error for visibility, but gracefully exits and resumes polling on the next cycle.

Why This Happens

The Claude API conversation limit of 30 turns is a safeguard against runaway costs and infinite loops. Complex tasks that require extensive back-and-forth reasoning, code generation, testing, and refinement can legitimately exceed this ceiling. Session 2, which completed successfully, was likely a more straightforward task (processing specific code blockers) that fit within the turn budget.

Current Behavior

When a session hits the turn limit, the daemon:

  • Receives a max_turns_exceeded signal from the Claude API
  • Logs the exit with code 1 and a clear "Reached max turns (30)" message
  • Commits partial progress (any artifacts, files, or state written during the session)
  • Returns to idle polling; any incomplete task remains in the queue for the next session

This is resilient by design: incomplete work doesn't disappear; it waits for the next invocation.

Infrastructure: Lightsail Instance and CloudWatch Integration

Instance Details

The daemon runs on a Lightsail instance at 34.239.233.28 with the key pair named jada-key. SSH access was verified via the Lightsail API's temporary credential endpoint (since the persistent private key was not stored in ~/.ssh/). This demonstrates a gap in key management that should be addressed: the persistent private key should be stored securely in the repo's secrets directory with appropriate file permissions (600).

Metrics and Monitoring

We pulled CPU utilization, network traffic, and status check metrics directly from the Lightsail API for the past 2 hours. All metrics indicate a healthy, stable instance. The daemon's systemd service logs are accessible via SSH and show clear records of every session, including exit codes, turn counts, and any error messages.

Multi-Site Development Context

During this session, we also deployed updates across three separate site repositories:

  • /Users/cb/Documents/repos/sites/86from.com/: New SEO content page and index.html refinements deployed to S3 bucket and CloudFront invalidated
  • /Users/cb/Documents/repos/sites/sailjada.com/: Extensive index.html edits (booking widget JavaScript corrections) deployed to staging, with CloudFront cache invalidated
  • /Users/cb/Documents/repos/sites/queenofsandiego.