build(deps): Bump anthropics/claude-code-action from 1.0.69 to 1.0.83#9

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/anthropics/claude-code-action-1.0.83

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 1, 2026

Bumps anthropics/claude-code-action from 1.0.69 to 1.0.83.

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.83

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.83

v1.0.82

Full Changelog: anthropics/claude-code-action@v1...v1.0.82

v1.0.81

Full Changelog: anthropics/claude-code-action@v1...v1.0.81

v1.0.80

Full Changelog: anthropics/claude-code-action@v1...v1.0.80

v1.0.79

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

... (truncated)

Commits
  • bee87b3 chore: bump Claude Code to 2.1.89 and Agent SDK to 0.2.89
  • 32156b1 Add subprocess isolation setup and git credential helper (#1132)
  • 7225f04 chore: bump Claude Code to 2.1.88 and Agent SDK to 0.2.88
  • 88c168b chore: bump Claude Code to 2.1.87 and Agent SDK to 0.2.87
  • e7b588b chore: bump Claude Code to 2.1.86 and Agent SDK to 0.2.86
  • 094bd24 chore: bump Claude Code to 2.1.85 and Agent SDK to 0.2.85
  • 3ac52d0 chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84
  • 0ee1bee chore: bump Claude Code to 2.1.83 and Agent SDK to 0.2.83
  • ff9acae Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)
  • 6062f37 chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.69 to 1.0.83.
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@1fc90f3...bee87b3)

---
updated-dependencies:
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.83
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
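The v1.0.77 release note quoted above describes the mitigation in terms of policy: children spawned by the agent (Bash tool, hooks, MCP stdio servers) lose Anthropic, cloud, OIDC and OTEL credentials while the parent keeps them, GITHUB_TOKEN / GH_TOKEN survive, and CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 / "0" switches it on and off. The sketch below is an added example of that policy in Python; it is not code from anthropics/claude-code-action or from Claude Code. The flag name, the two kept names and ANTHROPIC_API_KEY come from the note; every other variable name, and treating an unset flag as "off", are assumptions made here.

```python
"""Subprocess environment scrubbing, modelled on the v1.0.77 release note.

Added example; this is not code from anthropics/claude-code-action or from
Claude Code. The release note names only the categories that are scrubbed
(Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and
runtime tokens, OTEL auth headers), the two names that are kept (GITHUB_TOKEN,
GH_TOKEN) and ANTHROPIC_API_KEY, so every other variable name below is an
assumption.
"""
from __future__ import annotations

import subprocess
from typing import Mapping

SCRUB_VAR = "CLAUDE_CODE_SUBPROCESS_ENV_SCRUB"  # "1" = scrub, "0" = opt out (from the note)

# Assumed credential names, grouped by the categories the release note lists.
SCRUBBED_EXACT = frozenset({
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "GOOGLE_APPLICATION_CREDENTIALS", "AZURE_CLIENT_SECRET",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_URL",
    "ACTIONS_RUNTIME_TOKEN",
    "OTEL_EXPORTER_OTLP_HEADERS",
})
SCRUBBED_PREFIXES = ("ANTHROPIC_",)  # covers ANTHROPIC_API_KEY and sibling auth variables
KEPT = frozenset({"GITHUB_TOKEN", "GH_TOKEN"})  # wrapper scripts may still call the GitHub API


def scrub_enabled(env: Mapping[str, str]) -> bool:
    """Scrubbing is active only when the flag is "1"; unset is treated as off (assumption)."""
    return env.get(SCRUB_VAR) == "1"


def is_credential(name: str) -> bool:
    if name in KEPT:
        return False
    return name in SCRUBBED_EXACT or name.startswith(SCRUBBED_PREFIXES)


def scrubbed_env(parent_env: Mapping[str, str]) -> dict[str, str]:
    """Return the environment handed to a child process.

    The parent's own mapping is never mutated: it still needs the API key for
    its own calls; only children (Bash tool, hooks, MCP stdio servers) lose it.
    """
    if not scrub_enabled(parent_env):
        return dict(parent_env)
    return {k: v for k, v in parent_env.items() if not is_credential(k)}


def run_tool(cmd: list[str], parent_env: Mapping[str, str]) -> subprocess.CompletedProcess:
    """Spawn a child with the scrubbed environment instead of inheriting os.environ."""
    return subprocess.run(cmd, env=scrubbed_env(parent_env),
                          capture_output=True, text=True, check=False)


# Constructed sample environment; the values are placeholders, not real secrets.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/runner",
    "ANTHROPIC_API_KEY": "sk-ant-PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "PLACEHOLDER",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "PLACEHOLDER",
    "OTEL_EXPORTER_OTLP_HEADERS": "Authorization=Bearer PLACEHOLDER",
    "GITHUB_TOKEN": "ghs_PLACEHOLDER",
    SCRUB_VAR: "1",
}

if __name__ == "__main__":
    print("child sees:", sorted(scrubbed_env(SAMPLE_ENV)))
    # The shell expansion the note describes now yields the empty string in the child.
    child = run_tool(["sh", "-c", 'printf "%s" "${ANTHROPIC_API_KEY:-}"'], SAMPLE_ENV)
    print("ANTHROPIC_API_KEY in child:", repr(child.stdout))
```

The point of splitting `scrubbed_env` from `run_tool` is that the allowlist and the flag check can be unit-tested without spawning anything, which is also where a workflow that breaks after the upgrade would look first: if a step needs one of these variables, the note's remedy is to re-inject it explicitly for that subprocess rather than to disable scrubbing globally.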
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) Apr 1, 2026

dependabot Bot commented on behalf of github Apr 8, 2026

Superseded by #12.

@dependabot dependabot Bot closed this Apr 8, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/anthropics/claude-code-action-1.0.83 branch April 8, 2026 04:33
justin-layerv added a commit that referenced this pull request Apr 11, 2026
Brings the Python SDK into parity with every improvement made to
qurl-typescript and qurl-mcp during the recent review and seam-audit
rounds. Cross-references the qurl-service OpenAPI spec
(qurl/api/openapi.yaml) and the Go handler code.

### Critical — real bug

* parse_error detail fallback. RFC 7807 leaves `detail` optional and
  the qurl Error schema only requires type/title/status/code.
  Previously the parser used `err.get("detail", "")`, producing
  "Forbidden (403): " when the API omitted detail. Now falls back
  `detail -> message -> title -> HTTP {status}`. QURLError also
  defaults detail to title in its constructor so Exception.args is
  never empty-string padded.

### RFC 7807 structured fields

* QURLError now carries `type` and `instance` (the problem-type URI
  and occurrence URI). Both are optional per the spec; the SDK was
  silently dropping them before.
* parse_error extracts both from the envelope.

### Backward compatibility

* Legacy `{error: {code, message}}` envelope supported in the
  fallback chain. If the API ever regresses to the pre-RFC-7807
  shape, the SDK degrades gracefully instead of showing empty detail.

### Type narrowing

* QURLStatus clarified as resource-only ("active" | "revoked" | str).
* New TokenStatus for AccessToken ("active" | "consumed" | "expired"
  | "revoked" | str) — per QurlSummary.status in the spec, tokens
  have a wider enum than resources.
* AccessToken.status now uses TokenStatus.
* New QuotaPlan ("free" | "growth" | "enterprise" | str); Quota.plan
  uses it. Uses the (Literal | str) pattern so the API can add new
  plans without a breaking SDK change.

### Spec-derived input validation

New validate_create_input / validate_update_input / validate_mint_input
helpers in _utils.py enforcing the constraints documented on each
request schema in openapi.yaml:

  - target_url: maxLength 2048
  - label: maxLength 500 (on create + mint_link)
  - description: maxLength 500 (on update)
  - custom_domain: maxLength 253 (on create)
  - max_sessions: 0-1000 integer (on create + mint_link)
  - tags: max 10, each 1-50 chars, regex ^[a-zA-Z0-9][a-zA-Z0-9 _-]*$

batch_create runs validate_create_input on every item and attributes
errors by index (`items[N]: ...`) so bulk mistakes fail fast.

### Mutual-exclusion pre-flight checks

* update: rejects both extend_by + expires_at
* update: rejects empty input (at least one field required)
* mint_link: rejects both expires_in + expires_at
  Extend() inherits the update() checks via delegation.

### delete() r_ prefix enforcement

Per the OpenAPI spec DELETE /v1/qurls/:id description: "Requires a
resource ID (r_ prefix). To revoke a single token, use DELETE
/v1/resources/:id/qurls/:qurl_id". New require_resource_id_prefix
helper raises ValueError client-side for q_ IDs with a clear message
pointing at the token-scoped endpoint.

### batch_create HTTP 400 passthrough

The API returns a populated BatchCreateOutput body on HTTP 400 (all
items rejected) — see qurl/internal/api/handlers/server.go:1126.
Added `allow_statuses` to _raw_request and _request, and batch_create
whitelists 400 so the per-item errors are surfaced instead of being
swallowed by the generic raise-on-error path. Non-400 errors (401,
403, 429, 5xx) still raise the appropriate QURLError subclass.
Matches the qurl-typescript and qurl-mcp implementations.

### create() parameter cleanup

Dropped the spurious `expires_at` kwarg from both sync and async
create(). CreateQurlRequest in openapi.yaml has only `expires_in` —
the previous signature let callers pass a field the API doesn't
accept.

### Dual-prefix documentation

get/update/extend/mint_link docstrings now document that both r_
(resource) and q_ (QURL display) IDs are accepted; the API resolves
q_ IDs to the parent resource automatically. delete() stays narrow
(r_ only) matching its client-side enforcement.

### parse_create_output: normalize empty qurl_id to None

Empty-string qurl_id from a response (mock or legacy shape) is now
normalized to None so callers can use `if result.qurl_id:` as a
presence check instead of having "" be silently truthy-false.

### _serialize_value: stop stripping None from nested dicts

Previously the dict branch filtered out None values, which would
silently drop explicit nulls callers send to clear nested fields
(e.g. `{"access_policy": {"ai_agent_policy": null}}`). Top-level
None-stripping still happens in build_body since that serves the
"drop unset kwargs" case. Nested None is now preserved; dataclass
fields still skip None (dataclasses distinguish unset vs explicit).

### Misc

* build_list_params type annotation tightened — the `int | None`
  arm was misordered in the old union.
* test_update_with_tags corrected to use spec-compliant tags
  (previous test used `team:engineering` with a colon that the
  ^[a-zA-Z0-9][a-zA-Z0-9 _-]*$ regex rejects).
* test_batch_create_empty_raises regex updated for the new error
  message ("requires at least 1 item").
* test_create_sends_correct_body now covers one_time_use,
  max_sessions, and session_duration alongside label (reviewer #9
  gap note).

### Tests (74 -> 101)

Twenty-seven new tests covering:
  - Create rejection: target_url > 2048, label > 500,
    custom_domain > 253, max_sessions > 1000, max_sessions < 0
  - Create boundaries: max_sessions 0 and 1000 both accepted
  - Update rejection: description > 500, > 10 tags, tag > 50 chars,
    tag regex pattern mismatch, empty input, mutual-exclusion
  - Update success: empty tags array clears all tags
  - mint_link rejection: label > 500, max_sessions > 1000,
    mutual-exclusion
  - delete q_ prefix rejection
  - batch_create per-item validation with index attribution
  - batch_create missing target_url surfaces index
  - Async batch_create empty/>100 (reviewer #7 symmetry gap)
  - batch_create HTTP 400 passthrough with per-item errors
  - batch_create still raises on 401 (passthrough is surgical)
  - Error type/instance surfacing
  - Error detail fallback when RFC 7807 detail missing
  - Legacy error.message fallback
  - parse_create_output empty qurl_id normalization

BREAKING CHANGE: `active_qurls_percent` on `Quota.usage` is now
`float | None` instead of `float` with a `0.0` default; callers
doing arithmetic must None-check. Also `create()` no longer accepts
an `expires_at` kwarg — that field wasn't in `CreateQurlRequest`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
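The commit message above spells out three client-side rules precisely enough to implement: the CreateQurlRequest limits and tag regex, the r_ prefix rule for delete(), and the RFC 7807 detail fallback chain with the legacy envelope. The following is an added Python example written for this page, not the qurl-python SDK's own code. The limits, the regex, the prefixes, the fallback order and the error-message wording follow the commit message; the function bodies, the sample error bodies and any helper name the commit does not mention are constructed here.

```python
"""Client-side checks described in the commit message above.

Added example, not the qurl-python SDK's own code. The length limits, the tag
regex, the r_/q_ prefix rule and the detail fallback chain are taken from the
commit message; function bodies and the sample error bodies are constructed.
"""
from __future__ import annotations

import re
from typing import Any, Mapping, Optional

# Keep in lockstep with the tags schema in openapi.yaml.
TAG_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9 _-]*$")


class QURLError(Exception):
    """RFC 7807 problem as an exception; .detail is never empty (falls back to title)."""

    def __init__(self, status: int, code: str, title: str, detail: Optional[str] = None,
                 type: Optional[str] = None, instance: Optional[str] = None):
        # `type` shadows the builtin on purpose, for RFC 7807 field-name parity.
        self.status, self.code, self.title = status, code, title
        self.detail = detail or title
        self.type, self.instance = type, instance
        super().__init__(f"{title} ({status}): {self.detail}")


def parse_error(status: int, body: Mapping[str, Any]) -> QURLError:
    """Fallback chain detail -> message -> title -> "HTTP {status}".

    The legacy {"error": {"code", "message"}} envelope is consulted before
    giving up, so a regression to the pre-RFC-7807 shape still yields detail.
    """
    legacy = body.get("error") if isinstance(body.get("error"), Mapping) else {}
    title = body.get("title") or f"HTTP {status}"
    detail = body.get("detail") or body.get("message") or legacy.get("message") or title
    code = body.get("code") or legacy.get("code") or "unknown"
    return QURLError(status, code, title, detail, body.get("type"), body.get("instance"))


def validate_tags(tags: list[str]) -> None:
    """At most 10 tags, each 1-50 characters matching TAG_RE."""
    if len(tags) > 10:
        raise ValueError("tags: at most 10 tags")
    for i, tag in enumerate(tags):
        if not 1 <= len(tag) <= 50:
            raise ValueError(f"tags[{i}]: must be 1-50 characters")
        if not TAG_RE.match(tag):
            raise ValueError(f"tags[{i}]: must match {TAG_RE.pattern}")


def validate_create_input(item: Mapping[str, Any]) -> None:
    """Constraints the commit lists for CreateQurlRequest."""
    url = item.get("target_url")
    if not url:
        raise ValueError("target_url: required")
    if len(url) > 2048:
        raise ValueError("target_url: maxLength 2048")
    if len(item.get("label", "")) > 500:
        raise ValueError("label: maxLength 500")
    if len(item.get("custom_domain", "")) > 253:
        raise ValueError("custom_domain: maxLength 253")
    sessions = item.get("max_sessions")
    if sessions is not None and (not isinstance(sessions, int) or not 0 <= sessions <= 1000):
        raise ValueError("max_sessions: integer 0-1000")
    if "tags" in item:
        validate_tags(item["tags"])


def validate_batch(items: list[Mapping[str, Any]]) -> None:
    """Attribute the first failing item by index, as batch_create does."""
    if not items:
        raise ValueError("batch_create requires at least 1 item")
    for i, item in enumerate(items):
        try:
            validate_create_input(item)
        except ValueError as exc:
            raise ValueError(f"items[{i}]: {exc}") from None


def require_resource_id_prefix(qurl_id: str) -> str:
    """delete() takes resource IDs only; q_ callers are pointed at the token endpoint."""
    if not qurl_id.startswith("r_"):
        raise ValueError(
            f"{qurl_id!r}: delete() requires a resource ID (r_ prefix); "
            "to revoke a single token use DELETE /v1/resources/:id/qurls/:qurl_id")
    return qurl_id
```

Two design points from the commit are visible here: the error constructor defaults `detail` to `title`, so `.detail` is never the empty string and callers should test `.code` / `.status` / `.type` rather than `.detail` to learn whether the server omitted a field; and the batch path re-raises with an `items[N]:` prefix so a bulk mistake names the offending entry instead of the whole request.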
justin-layerv added a commit that referenced this pull request Apr 11, 2026
Ten items from the latest PR review. Reviewer marked #1 as blocking
and #8 + #10 as strongly recommended; the rest picked up on the
"don't be lazy" directive.

1. batch_create 400 shape guard (reviewer's blocking item).
   _utils.py gains _validate_batch_create_shape() which verifies that
   a passthrough 400 body has the expected BatchCreateOutput envelope
   (succeeded/failed are ints, results is a list, each entry carries
   a boolean success discriminant). If the API ever returns 400 with
   a different body (plain error envelope, proxy error, malformed
   JSON), batch_create now raises a QURLError with status=0 and
   code="unexpected_response" instead of silently returning
   (succeeded=0, failed=0, results=[]). Defense in depth matches the
   qurl-typescript fix. Wired into both client.py and async_client.py.

2. QURLError docstring now documents that .detail is guaranteed
   non-empty at the instance level. The constructor falls back to
   title when the API omits detail per RFC 7807, so consumers shouldn't
   inspect .detail to detect "was it absent?" — use .code / .status /
   .type instead.

3. QURLError docstring now explains why .type shadows Python's
   built-in. Intentional for RFC 7807 field-name parity and
   consistency with qurl-typescript/qurl-mcp; the shadowing only
   matters inside QURLError method definitions, not external code.

4. target_url scheme check in validate_create_input. Reviewer's
   observation that the length check didn't catch the most common
   mistake (forgetting http(s)://). New _ALLOWED_URL_SCHEMES tuple
   with a startswith() guard; the server still owns SSRF validation.

5. Sync/async parity comment added to client.py's module docstring
   (async_client.py already had one). Calls out the contract so a
   future change can't silently update one client without the other.

6. Tag regex comment expanded with a note about keeping it in lockstep
   with the openapi.yaml schema, and why.

7. Quota.plan empty-string default now documented — it only exists so
   the dataclass can be instantiated with no arguments for tests/
   bootstrap paths; the real /v1/quota endpoint always returns a
   populated plan.

Tests (108 -> 116):
- test_get_response_parses_nested_ai_agent_policy (reviewer gap #8)
  — mocks a GET response with a fully-populated ai_agent_policy inside
  a token's access_policy and asserts the deserialization round-trip.
- test_list_serializes_datetime_filter_params_as_isoformat (reviewer
  gap #9) — passes an actual datetime to client.list(created_after=)
  and asserts the URL-encoded ISO 8601 output.
- test_async_delete_rejects_q_prefix_client_side (reviewer gap #10)
  — async symmetry for the existing sync delete() q_ prefix test.
- test_create_rejects_target_url_without_scheme — the new URL scheme
  check catches bare "example.com".
- test_create_rejects_target_url_with_unsupported_scheme — rejects
  ftp:// etc.
- test_create_accepts_http_and_https_schemes — both valid schemes
  pass.
- test_batch_create_rejects_unexpected_400_body_shape — defense-in-depth
  for the new _validate_batch_create_shape.
- test_batch_create_rejects_400_body_with_non_boolean_success — the
  per-entry discriminant check.

Also updated three existing tests that depended on the pre-URL-check
create() accepting invalid URLs:
- test_422_raises_validation_error
- test_400_raises_validation_error
- test_batch_create_partial_failure

Each now uses a syntactically valid URL that passes client-side
validation; the mocked API response payload is unchanged, so the
tests still exercise the API error-parsing paths they intended to.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
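Item 1 of the commit message above is a response-hardening check: a 400 body is trusted as BatchCreateOutput only after its shape is verified, otherwise the client raises `QURLError(status=0, code="unexpected_response")` rather than returning an empty-looking success. Item 4 adds the `http(s)://` scheme guard. The block below is an added Python example, not the SDK's own code; the helper names `_validate_batch_create_shape` and `_ALLOWED_URL_SCHEMES` are taken from the commit message, the surrounding functions and the sample bodies are constructed here, and excluding `bool` from the int check is an assumption the commit does not state.

```python
"""Shape guard for the HTTP 400 passthrough and the target_url scheme check.

Added example, not the qurl-python SDK's own code. Helper names follow the
commit message; sample bodies are constructed.
"""
from __future__ import annotations

from typing import Any

_ALLOWED_URL_SCHEMES = ("http://", "https://")


class QURLError(Exception):
    def __init__(self, status: int, code: str, detail: str):
        self.status, self.code, self.detail = status, code, detail
        super().__init__(f"{code} ({status}): {detail}")


def check_target_url_scheme(target_url: str) -> None:
    """Catch the most common mistake, a bare host with no http(s)://.

    This is a usability check only; the server still owns SSRF validation.
    """
    if not target_url.lower().startswith(_ALLOWED_URL_SCHEMES):
        raise ValueError("target_url: must start with http:// or https://")


def _validate_batch_create_shape(body: Any) -> dict:
    """Accept a 400 body only if it is a BatchCreateOutput envelope.

    succeeded/failed must be ints (bool excluded here, an assumption), results
    a list whose entries each carry a boolean `success` discriminant. Anything
    else (plain problem envelope, proxy error page, non-JSON) raises with
    status=0 / code="unexpected_response" instead of reading as an empty batch.
    """
    def bad(why: str) -> QURLError:
        return QURLError(0, "unexpected_response", f"HTTP 400 body is not BatchCreateOutput: {why}")

    if not isinstance(body, dict):
        raise bad("not a JSON object")
    for key in ("succeeded", "failed"):
        value = body.get(key)
        if not isinstance(value, int) or isinstance(value, bool):
            raise bad(f"{key} is not an int")
    results = body.get("results")
    if not isinstance(results, list):
        raise bad("results is not a list")
    for i, entry in enumerate(results):
        if not isinstance(entry, dict) or not isinstance(entry.get("success"), bool):
            raise bad(f"results[{i}] lacks a boolean success")
    return body


def handle_batch_response(status: int, body: Any) -> dict:
    """batch_create whitelists 400 so per-item errors surface; other errors still raise."""
    if status == 200:
        return body
    if status == 400:
        return _validate_batch_create_shape(body)
    raise QURLError(status, "http_error", f"HTTP {status}")


# Constructed sample bodies.
ALL_REJECTED = {"succeeded": 0, "failed": 2, "results": [
    {"success": False, "error": "target_url: maxLength 2048"},
    {"success": False, "error": "label: maxLength 500"},
]}
PLAIN_PROBLEM = {"type": "about:blank", "title": "Bad Request", "status": 400, "code": "bad_request"}

if __name__ == "__main__":
    print("failed items:", handle_batch_response(400, ALL_REJECTED)["failed"])
    try:
        handle_batch_response(400, PLAIN_PROBLEM)
    except QURLError as exc:
        print("rejected non-batch 400:", exc)
```

Keeping the passthrough narrow matters: only status 400 is routed through the shape guard, so a 401, 403, 429 or 5xx still raises on its own path and cannot be mistaken for a batch result.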