fix(helm): update image names to openktree- prefix#9
Merged
charlie83Gs merged 1 commit intomainfrom Mar 23, 2026
Merged
Conversation
Update all template defaultNames from kt- to openktree- to match the GHCR image naming. Set default imageRegistry to ghcr.io/openktree/knowledge-tree. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Mar 27, 2026
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Apr 5, 2026
Critical: - #1: Validate schema names with strict ^[a-z0-9_]+$ regex before DDL - #2: Escape ILIKE special chars (%, _, \) in graph_nodes search - #3: Replace cached Graph ORM instances with frozen GraphInfo dataclass to prevent DetachedInstanceError High: - #4: Reuse system session factories for default graph (no duplicate pools) via default_graph_session_factory/default_write_session_factory params - #5: Add 23 unit tests — GraphInfo, GraphSessions, GraphSessionResolver, slug/schema validation, CreateGraphRequest, role validation - #6: Scope sync watermarks by graph_slug — SyncEngine now passes graph_slug to _get_watermark/_set_watermark, composite PK on (table_name, graph_slug) Medium: - #7: Replace N+1 member count queries with batch GROUP BY - #8: Replace catch { // ignore } with console.error in frontend - #9: Engine pool disposal on GraphSessionResolver.invalidate() - #10: Run Alembic migrations during graph provisioning - #11: (node_count in list deferred — requires cross-schema queries) Low: - #13: Replace "Cycle Role" button with role dropdown - #14: require_writer/require_graph_admin kept for future endpoints Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Apr 5, 2026
Critical: - #1: Remove dead quote_ident call — regex is the sole injection guard - #2: Add ^[a-z0-9_]+$ validation for ALEMBIC_SCHEMA in both env.py files High: - #3: Derive kt_db_root from kt_db package location instead of fragile parents[5] - #4: Document MCP omits default_write_session_factory intentionally (read-only) - #5: GraphContext now uses GraphInfo (frozen dataclass) instead of ORM Graph Medium: - #6: Replace user._token_graph_slugs monkey-patching with request.state - #7: Fix remaining catch { // ignore } in graphs/page.tsx - #9: Document MCP graph access check limitation, planned for follow-up Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Apr 5, 2026
Critical: - #1: Validate schema_name in GraphRepository.create() (data layer guard) - #2: Enforce graph:{slug} scopes in MCP _get_graph_factory via get_access_token() — tokens without matching scope are denied - #3: Disallow hyphens in slugs to prevent schema name collisions (my_graph and my-graph can no longer coexist) High: - #4: Add asyncio.Lock to GraphSessionResolver.resolve/resolve_by_slug with double-check pattern to prevent duplicate engine pool creation - #5: Evict from cache on graph deletion (invalidate in delete_graph) Medium: - #8: Last-admin protection — prevent removing or demoting the last admin - #9: Defense-in-depth schema_name validation in _make_session_factory Low: - Validate stored graph slug still exists in GraphProvider (reset to default) - Update tests and frontend for no-hyphens slug policy Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Apr 5, 2026
Critical: - #1: Control-plane migrations (zzai, zzaj) now skip when ALEMBIC_SCHEMA is non-public — prevents duplicating graphs/ graph_members/api_tokens tables in per-graph schemas High: - #3: Replace global asyncio.Lock with per-graph locks via _locks dict + lightweight _meta_lock for dict insertion only - #7: Default graph now enforces min_role for write operations (PUT /graphs/default requires admin) Medium: - #9: Validate storage_mode=database requires connection key at creation time (422 instead of confusing ValueError at resolve) - #12: Fix SyncWatermark docstring (defaults to "default", not NULL) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs
added a commit
that referenced
this pull request
Apr 8, 2026
PR4 review (#192) flagged five substantive correctness gaps. All addressed; full test suite still green (kt-graph 95 / kt-hatchet 40). ## Correctness fixes 1. **`_match_or_create_node` no longer over-reports `created` and no longer trusts the remote `node_uuid`** (review #1). - The local uuid is now derived from `key_to_uuid(make_node_key(...))` so it never collides with the existing unique index on `write_nodes.node_uuid` when the same concept already exists locally under a different historical id. - The insert uses `RETURNING node_uuid` to distinguish a real insert from an ON CONFLICT no-op. On no-op the bridge re-SELECTs the existing local row's `node_uuid` and reports `created=False` so `ImportResult.nodes_matched` increments correctly. 2. **`_load_linked_nodes` array-overlap query now has integration coverage** (review #2). New test file `tests/integration/test_public_bridge_db.py` spins up a real write-db schema and exercises the full SQL surface that the unit tests can't: - The `write_nodes.fact_ids && ARRAY[...]` overlap operator — including the concept/entity type filter (perspective rows must NOT match) and an empty-input short-circuit. - `_load_linked_facts` / `_load_linked_fact_sources` provenance joins. - `_upsert_raw_source` returning the correct local id on both insert and ON CONFLICT branches. - `_match_or_create_node` reuse-vs-create branches without Qdrant. - `_upsert_fact_source` idempotency under re-imports. 3. **`_upsert_raw_source` now returns the local id, not the remote one** (review #3). Both call sites updated: - `import_cached_source` records `result.raw_source_id = local_raw_id` so PR5's workflow code attaches downstream rows to the right id. - `contribute_source_and_facts` discards the return — fact_source rows there are keyed on `content_hash`, not the source id. 4. **`make_worker_engine` now refuses to wire a bridge for a non-default graph that's missing its Qdrant collection prefix** (review #4). Empty prefix would silently dedup against the default graph's collection — exactly the cross-contamination this whole subsystem exists to prevent. Fail loud at construction rather than discover it in production. 5. **`_upsert_fact_source` now uses a deterministic UUID5** keyed on `(local_fact_id, raw_source_content_hash)` instead of a fresh `uuid.uuid4()` (review #8). Re-imports of the same source into the same target graph become true no-ops without needing a schema-level unique constraint. PR5's workflow should still avoid re-imports, this is defence in depth. ## Smaller things - **lifespan.py**: extracted `_resolve_default_graph_id()` helper — the duplicated try/except block in `worker_lifespan()` and `build_worker_state()` collapses to one call (review #5). - **test_public_bridge.py**: comment on the staleness assertion now reflects the actual fixture date (`2023-01-01`, not `2026-01-01`) (review #6). - **CLAUDE.md**: noted the one-way `kt-hatchet → kt-graph` workspace dep added in PR4 so future contributors don't reverse it (review #9). ## Test plan - [x] kt-graph: 95 passed (13 unit + 9 new integration on `test_public_bridge_db.py`, plus the existing 73) - [x] kt-hatchet: 40 passed - [ ] CI all green
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rename all Helm template defaultName values from kt- prefix to openktree- prefix to match GHCR image names. Set global.imageRegistry default to ghcr.io/openktree/knowledge-tree. Update Chart.yaml home URL to https://github.com/openktree/knowledge-tree.