Skip to content

fix: address Phase 4 code review findings#8

Merged
prosdev merged 2 commits intomainfrom
fix/phase-4-review-findings
Mar 14, 2026
Merged

fix: address Phase 4 code review findings#8
prosdev merged 2 commits intomainfrom
fix/phase-4-review-findings

Conversation

@prosdev
Copy link
Contributor

@prosdev prosdev commented Mar 14, 2026

Summary

Fixes all findings from the 3-agent parallel code review (security, logic, quality) run against Phase 4.

  • Ownership leak on delete (security + logic WARNING) — Added ownership check on RunManager path in delete_run. Previously, any authenticated user could confirm another user's run was active (409 vs 404).
  • Admin bypass inconsistency (logic MEDIUM) — Stream and status DB fallback paths now use owner_filter(auth) instead of auth.owner_id, matching cancel/delete/list behavior.
  • Duplicated _owner_filter (quality WARNING) — Consolidated into shared owner_filter() in auth/deps.py. Both route modules now import from one place.
  • Duplicated _run_list_item (quality WARNING) — Consolidated into run_to_list_item() in schemas/runs.py.
  • Non-deterministic test (quality WARNING) — test_delete_active_run_rejected now uses DB-inserted run instead of racing against fast execution.
  • Merged validate exception blocks (quality SUGGESTION) — Two identical except GraphBuildError blocks collapsed into one try.
  • Missing test coverage (quality SUGGESTION) — Added test_delete_live_run_in_manager_rejected verifying different owner gets 404 (not 409) on RunManager path.
  • CLAUDE.md rule — Added "Code review before PR" to non-negotiables.

Code review results

All 3 reviewers ran on this fix branch before PR:

Agent Verdict Notes
security-reviewer APPROVE Original leak confirmed fixed, no new issues
logic-reviewer APPROVE 1 pre-existing timing edge case (not a regression)
quality-reviewer REQUEST CHANGES _owner_filter duplication, missing RunManager delete test

Second round addressed quality findings — owner_filter consolidated, RunManager delete test added.

Test plan

  • 241 unit tests passing (1 new: test_delete_live_run_in_manager_rejected)
  • Lint clean (ruff check)
  • Typecheck clean (tsc --noEmit)

🤖 Generated with Claude Code

prosdev and others added 2 commits March 14, 2026 14:13
@prosdev @claude
fix: address code review findings for Phase 4
0b7174d 
- Add ownership check on delete endpoint's RunManager path
  (prevents cross-tenant run state leak)
- Fix stream/status DB fallback to use _owner_filter(auth)
  for admin bypass consistency
- Consolidate _run_list_item into shared run_to_list_item helper
  in schemas/runs.py (was duplicated in graphs.py and runs.py)
- Merge duplicate validate exception blocks
- Fix non-deterministic test_delete_active_run_rejected to use
  DB-inserted run instead of racing against fast execution

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@prosdev @claude
fix: consolidate owner_filter and add review-before-PR rule
5da6d82 
- Move _owner_filter to shared owner_filter() in auth/deps.py,
  remove duplicates from graphs.py and runs.py
- Add test_delete_live_run_in_manager_rejected verifying ownership
  check on RunManager path (different owner gets 404, not 409)
- Add code-review-before-PR rule to CLAUDE.md non-negotiables

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@prosdev prosdev merged commit b761032 into main Mar 14, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@prosdev