feat(server+migrate): round-1 feedback followups#248
Merged
Conversation
Polish items deferred out of PRs #246/#247 during review. auth.py: SyncTokenValidator + AsyncTokenValidator Protocols replace the Callable[...] alias (TokenValidator = SyncTokenValidator | AsyncTokenValidator). Fixes mypy narrowing for async validators. constant_time_token_match uses TypeVar so return preserves value type. auth.py: validator_from_token_map helper — takes a raw-token to Principal map, returns a SyncTokenValidator that hashes at construction. Plaintext tokens NOT retained in the closure. migrate/v3_to_v4.py: --apply refuses on dirty git tree, --allow-dirty overrides. Fails safe when git unavailable or not-a-repo so CI sandboxes aren't blocked. migrate/v3_to_v4.py: REPORT_SCHEMA_VERSION=1 module constant; top-level schema_version key in JSON output. Stable wire contract for CI scripts/editors. +10 tests (2008 -> 2055). mypy clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Polish items deferred out of PRs #246 / #247 during expert review.
TokenValidatoras Protocol unionSyncTokenValidator+AsyncTokenValidatorProtocols (their Union isTokenValidator). Fixes mypy narrowing for async validators in downstream code.constant_time_token_matchgets a TypeVar so it preserves the value type.validator_from_token_maphelper{raw_token: Principal}dict, returns aSyncTokenValidatorthat hashes at construction and does constant-time compare on every call. Plaintext tokens are NOT retained in the closure. Shrinks the auth example's load-bearing lines.--applydirty-tree guardmigrate --applyrefuses to run whengit status --porcelainshows uncommitted changes;--allow-dirtyoverrides. Fails safe when git isn't available or the path isn't in a repo (CI sandboxes, scratch envs). Prevents post-migrationgit diffmixing seller work with codemod rewrites.REPORT_SCHEMA_VERSION = 1module constant; top-levelschema_versionkey in JSON output. CI scripts / editors parsing the migrate output now have a stable wire contract.Tested
--applyrefuses on dirty tree /--allow-dirtyoverrides / proceeds when not in a git repo.2055 passed, 22 skippedlocally (2008 → 2055).ruff,mypyclean across 677 source files.Test plan
SyncTokenValidator | AsyncTokenValidatorProtocol union the right shape, vs. a single@overload-decorated callable? The union exports both protocols explicitly so advanced users can type their code with the specific branch they use.--allow-dirtyescape hatch have the right name? Alternative:--force.Related
AccountAwareToolContext+ multi-tenant contract doc.With this merged, round-1 of salesagent feedback is fully closed. Round-2 (A2A durable-persistence hooks) is Phase 2 / future work.
🤖 Generated with Claude Code