Fix: remove duplicate dev-read rate-limit wrappers to unbreak main CI#9065
Conversation
A merge race left main red. The 2026-07-03 Developer API auth refactor moved read rate-limiting into the dependency chain (get_auth_with_X_read -> check_api_key_rate_limit) and added a guard test forbidding the old with_rate_limit(get_uid_with_X_read, "dev:X_read") route wrappers. BasedHardware#8923 predated that refactor, added exactly those wrappers plus a test requiring them, and merged (its selective CI never ran the new guard test). The two tests are contradictory, so every full-suite CI run fails. Revert the 5 now-duplicate wrappers on the developer read routes back to the bare Depends(get_uid_with_X_read) deps (rate-limiting is preserved by the dependency chain) and delete the superseded test_dev_read_rate_limits.py. TestRouterWiring is green again.
83d1a9a to
15e7c6b
Compare
|
Flagging since this affects main CI: the full backend unit suite is currently red on main because #8923's dev-read rate-limit wrappers and the 2026-07-03 auth-refactor's duplicate-wrapper guard test contradict each other (developer.py cannot satisfy both). This PR resolves it by dropping the now-duplicate wrappers (the dependency chain already rate-limits via check_api_key_rate_limit) and removing the superseded test, and it is green. Any PR touching a full-suite-trigger file will keep failing until this lands. Happy to adjust if a different resolution is preferred. |
Omi PR #9065 — ReviewPR: Fix: remove duplicate dev-read rate-limit wrappers to unbreak main CI SummaryThis PR removes 5 The rate-limiting claim is technically sound: each However, the PR is built on a premise that is now factually wrong, and the PR is effectively superseded. Why this should not be approved/merged as-is
Verification performed
Risk assessment
RecommendationDo not approve or merge as-is. This needs a human maintainer to decide which resolution is No urgent alert. No agent-behavior documentation changes. |
kodjima33
left a comment
There was a problem hiding this comment.
Correct: read rate-limiting now lives in the get_auth_with_*_read dependency chain (verified check_api_key_rate_limit on main), so these wrappers were double-limiting; removal + obsolete-test deletion unbreaks main CI. conf 5/5.
What
Removes the duplicate Developer API read rate-limit wrappers in
developer.pyand deletes the supersededtest_dev_read_rate_limits.py, so the backend unit suite is green on main again.Why (a merge race broke main)
The 2026-07-03 Developer API auth refactor moved read rate-limiting into the dependency chain (
dependencies.pyget_auth_with_*_readcallscheck_api_key_rate_limit) and added a guard test,TestRouterWiring.test_developer_read_routes_do_not_add_duplicate_uid_wrappers, that forbids the oldwith_rate_limit(get_uid_with_X_read, "dev:X_read")route wrappers.#8713's PR (#8923) predated that refactor. It added exactly those wrappers plus its own test requiring them, and merged because its selective CI never ran the new guard test. Main now has two contradictory tests, so
developer.pycannot satisfy both and any PR touching a full-suite file goes red.Details
Depends(get_uid_with_X_read)deps.check_api_key_rate_limitviaget_auth_with_X_read, so the wrappers were true duplicates. The intent of Harden Developer API read endpoints against abuse #8713 is still delivered by the dependency chain.test_dev_read_rate_limits.py, which is fully superseded (it required the wrappers and forbade the bare deps, both now inverted).with_rate_limitimport (still used forconversations:from-segments).Test
TestRouterWiring(all 22 tests) passes locally, including the previously-failingtest_developer_read_routes_do_not_add_duplicate_uid_wrappersand the*_has_rate_limitsassertions confirming the read routes are still rate-limited.