fix: protect sophia governor recent events #6514

Merged: Scottcjn merged 1 commit into Scottcjn:main from sirakinb:codex/protect-sophia-governor-recent on May 28, 2026
Conversation

@sirakinb
Contributor

Fixes #6513.

Summary

  • require the existing Sophia governor admin key before returning /sophia/governor/recent
  • keep limit validation behind the auth check so unauthenticated callers cannot enumerate endpoint behavior
  • add Flask regression tests for missing, wrong, and valid admin keys

Testing

  • ./.venv/bin/python -m pytest -q tests/test_sophia_governor_recent_auth.py
  • PYTHONPYCACHEPREFIX=/private/tmp/rustchain-pycache python3 -m py_compile node/sophia_governor.py tests/test_sophia_governor_recent_auth.py
  • git diff --check

@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related tests Test suite changes size/M PR: 51-200 lines and removed BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related tests Test suite changes labels May 28, 2026
Contributor

@eliasx45 eliasx45 left a comment

Reviewed the focused Sophia governor auth change at e0d3c4f510123c530ba5747307e3d868ff56dbea.

I did not find a blocker in the changed files. The new guard in node/sophia_governor.py runs before limit parsing, so unauthenticated callers get the same 401 for both normal and malformed limit requests, which matches the issue's goal of not exposing recent-event behavior. The new tests cover missing key, wrong key, valid admin key, and the auth-before-limit ordering.

Verification performed locally:

  • .\.venv\Scripts\python.exe -m pytest tests/test_sophia_governor_recent_auth.py -q -> 3 passed
  • .\.venv\Scripts\python.exe -m py_compile node/sophia_governor.py tests/test_sophia_governor_recent_auth.py -> passed
  • git diff --check origin/main...HEAD -> clean
  • Read Scottcjn/Rustchain#6513 and confirmed this PR gates /sophia/governor/recent with the existing RC_ADMIN_KEY / X-Admin-Key / X-API-Key helper used by the review/retry routes.

One merge note: GitHub's full pytest job is currently red during collection on node/gpu_render_endpoints.py:240 (SyntaxError: expected 'except' or 'finally' block). I confirmed the same syntax error exists when compiling that file from both origin/main and this PR head, so it is outside this two-file PR's diff. The focused regression for this PR is green locally.
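
The auth-before-validation ordering discussed in the PR description and the review above, modelled without Flask as an added example (this is not the project's code). `RC_ADMIN_KEY`, `X-Admin-Key` and `X-API-Key` come from the thread; the function names, the sample events, the default and maximum `limit`, the error bodies, and the fail-closed and constant-time comparison choices are assumptions. `recent_validate_first` is a hypothetical weak ordering shown only for contrast.

```python
import hmac

# Constructed sample data; the real event store is not shown on this page.
EVENTS = [{"id": i, "summary": f"event {i}"} for i in range(1, 6)]
MAX_LIMIT = 100  # assumed upper bound for ?limit=

def is_admin(headers, env):
    """True only when RC_ADMIN_KEY is configured and a supplied header matches it."""
    expected = env.get("RC_ADMIN_KEY", "")
    supplied = headers.get("X-Admin-Key") or headers.get("X-API-Key") or ""
    if not expected:
        return False  # fail closed when no admin key is configured (assumption)
    # Constant-time comparison so response timing does not reveal key prefixes.
    return hmac.compare_digest(supplied.encode(), expected.encode())

def parse_limit(query):
    """Return an int in 1..MAX_LIMIT, or None when the value is malformed."""
    try:
        limit = int(query.get("limit", "20"))
    except (TypeError, ValueError):
        return None
    return limit if 1 <= limit <= MAX_LIMIT else None

def recent_validate_first(headers, query, env):
    """Weak ordering: input errors surface before the caller is authenticated."""
    limit = parse_limit(query)
    if limit is None:
        return 400, {"error": "invalid limit"}
    if not is_admin(headers, env):
        return 401, {"error": "unauthorized"}
    return 200, {"events": EVENTS[:limit]}

def recent_auth_first(headers, query, env):
    """Ordering described in the PR: the auth guard runs before limit parsing."""
    if not is_admin(headers, env):
        return 401, {"error": "unauthorized"}
    limit = parse_limit(query)
    if limit is None:
        return 400, {"error": "invalid limit"}
    return 200, {"events": EVENTS[:limit]}

def unauth_statuses(handler, env):
    """Distinct status codes an unauthenticated caller sees across limit values."""
    probes = ({"limit": "5"}, {"limit": "abc"}, {"limit": "-1"})
    return {handler({}, q, env)[0] for q in probes}
```

With the guard first, `unauth_statuses` collapses to a single 401, so a caller without the key learns nothing about how `limit` is validated.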

@eliasx45
Contributor

Disclosure update for my review above: I am claiming RustChain ONBOARD review bounty #2782 for this review. RTC wallet: RTC9aa45a5fc499eeefff084f197ed15002e2a2309f.

@Scottcjn Scottcjn merged commit bbba41d into Scottcjn:main May 28, 2026
11 of 12 checks passed
Labels

size/M PR: 51-200 lines

Development

Successfully merging this pull request may close these issues.

Sophia governor recent endpoint exposes event summaries without authentication

4 participants