Sail JADA — Engineering Log

Technical work on sailjada.com and the JADA booking systems

```html

Diagnosing and Remediating the JADA Agent Daemon: OAuth Token Expiration and Turn Limit Patterns

During a routine health check of the JADA orchestrator daemon running on AWS Lightsail instance 34.239.233.28, we identified a critical authentication failure in the port sheet synchronization pipeline and confirmed expected behavior around Claude turn limits. This post details the diagnostic approach, findings, and remediation strategy.

What Was Done

We conducted a comprehensive health audit of the jada-agent.service daemon by:

  • Establishing SSH connectivity to the Lightsail instance using temporary credentials via the AWS Lightsail API (after discovering the private key was not stored locally)
  • Collecting systemd service status, daemon logs, and system metrics (CPU, memory, disk utilization)
  • Analyzing session activity logs for the past 24 hours to understand task execution patterns
  • Identifying and isolating the root cause of recurring port_sheet_sync failures
  • Documenting the behavior of max-turn exits and confirming they are not daemon crashes

Technical Details: Service Health Assessment

The jada-agent.service systemd unit on the Lightsail instance has been running continuously for 3 days with an uptime of 11 days total on the underlying instance. This indicates stable orchestration:

Service Status: Active and running
Last restart: May 10, 2026
Load average: 0.00 (idle between task pickups)
CPU utilization: ~0.65% (normal for polling loop)
Memory consumption: 144MB / 914MB allocated (15% usage)
Disk usage: 6.2GB / 39GB (17% capacity)
Status check failures: 0 in last 2 hours

The daemon operates as a polling orchestrator: it maintains a 60-second event loop, checks the progress dashboard for pending tasks, and executes Claude agent sessions to process them. With no active tasks between scheduled runs, the daemon correctly shows near-zero CPU and minimal memory footprint.

Session Activity Analysis: Understanding the 30-Turn Pattern

Over the past 24 hours (UTC), the daemon consumed 3 of its 5 available sessions:

  • Session 1 (00:00 UTC): Exited with code 1 after hitting max-turns limit (30 turns). This is expected behavior when task complexity exceeds the Claude API conversation window.
  • Session 2 (00:02 UTC): Completed successfully. Processed e-signature and crew page blockers, created a needs-you task and logged it to the progress dashboard.
  • Session 3 (00:05 UTC): Again hit max-turns at turn 30, exited with code 1. No new tasks were found after this point; the daemon returned to idle polling.

The exit code 1 for max-turns is not a crash condition. The daemon correctly logs it, remains active, and continues polling. However, if tasks frequently exceed the 30-turn window, this indicates either task scope is too broad or the turn limit should be increased. This pattern warrants monitoring but does not require immediate intervention.

Critical Issue: Broken Google OAuth Token in port_sheet_sync

The most significant finding is the persistent failure of the port_sheet_sync.py script. Every 30-minute sync attempt since at least May 13 afternoon (UTC) has failed with:

[port-sheet] token error: HTTP Error 400: Bad Request

This indicates the Google OAuth token stored for this synchronization task has expired or been revoked. The token is likely stored in a credentials file (referenced in the daemon configuration) and no longer valid for the Google Sheets or Google Analytics APIs that port_sheet_sync.py depends on.

Root cause: Google OAuth tokens have a limited lifetime (typically 1 hour for access tokens; refresh tokens can last longer). If the refresh token has expired or was revoked, the sync cannot renew the access token, resulting in HTTP 400 Bad Request errors.

Infrastructure and Architecture

The JADA daemon runs on a dedicated AWS Lightsail instance with the following configuration:

  • Instance: 34.239.233.28 (public IP)
  • Service unit: /etc/systemd/system/jada-agent.service
  • Daemon executable: Runs Claude agent loop with configurable turn limits and session allocation
  • Task source: Progress dashboard (consulted via polling in 60-second intervals)
  • Dependent scripts: port_sheet_sync.py (30-minute sync intervals), other service scripts
  • Credentials storage: Environment variables and local credential files (no public exposure)

The daemon uses AWS Systems Manager Session Manager as a backup connection method if SSH key-pair access is unavailable, demonstrating defense-in-depth for operational access.

Key Decisions and Diagnostics

Why we used Lightsail API for temporary SSH credentials: The jada-key private key was not stored in the standard ~/.ssh/ directory, suggesting it may be managed by AWS or stored in a secure vault. Rather than delay troubleshooting, we used the AWS Lightsail API to request temporary SSH access credentials (valid for a limited window), connected, performed diagnostics, and immediately revoked the temporary key. This approach is safer than searching for and exposing long-lived private keys.

Why OAuth token failure is critical: The port_sheet_sync.py script likely syncs analytics data or crew scheduling information to a shared Google Sheet. Data loss or sync lag directly impacts downstream reporting and coordination. This is a blocking issue that requires immediate re-authentication.

Why max-turns exits are logged as errors but not critical: The daemon treats turn limit exits as non-fatal. If tasks are legitimately large, the 30-turn window may be insufficient. However, session 2 completed successfully with fewer turns, suggesting turn consumption correlates with task complexity rather than a systematic issue.

What's Next

  • Re-authenticate Google OAuth for port_sheet_sync: Use the existing OAuth flow (likely a command-line re-auth script or dashboard link) to refresh the Google OAuth token. Verify the token is stored with correct permissions for the Sheets and Analytics APIs.
  • Monitor turn limit patterns: Log task complexity metrics (number of API calls, output token counts) alongside turn consumption to determine if the 30-turn limit is appropriate or if task scope should be split across multiple sessions.
  • Validate sync success: After re-authentication, confirm that at least two consecutive 30-minute sync cycles complete without the HTTP 400 error. Check the synced data for completeness and accuracy.
  • Document key management: Clarify where the jada-key private key is stored and how it should be accessed for future Lightsail operations to avoid reliance on temporary credential APIs.

The daemon is operationally healthy; the OAuth token issue is isolated and remediable without service restarts or architectural changes.

```