promote: dev → staging (WAF UA fix) #152

Merged: mabry1985 merged 1 commit into staging from dev on Apr 23, 2026
@mabry1985 mabry1985 commented Apr 23, 2026

Summary

Promotes #151 (OpenAI SDK User-Agent override for Cloudflare WAF) from dev to staging.

Test plan

  • Fix verified end-to-end against live gateway (hot-patched container returned pong, outbound UA = protoAgent/0.1)
  • CI green on staging after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores

  • Version bumped to 0.2.1
  • Documentation deployment workflow now automatically synchronizes repository homepage settings with the published Pages URL, keeping project metadata accurate and discoverable
  • Client library configuration improved with enhanced request handling capabilities for better service compatibility

* chore: release v0.2.0

First tagged release. Contents of community-improvements project:

M1 — Security Hardening (A2A bearer auth, audit redaction, origin verification)
M2 — Memory On By Default (session persistence + load-on-start)
M3 — Skill Loop (skill-v1 emission + SQLite FTS5 index + curator)

Plus: .gitignore cleanup for .automaker-lock + .worktrees, docs coverage of
security layer, skill-loop architecture, and new env vars.

Manual bump because prepare-release.yml requires GH_PAT secret (not configured).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: release v0.2.1

Bug fixes from v0.2.0 smoke testing:
- Agent card now advertises bearer scheme when A2A_AUTH_TOKEN is set
- Session memory persistence actually fires (moved from unreachable on_session_end to after_agent)
- Test suite collects cleanly in fresh Docker env
- MemoryMiddleware activates standalone (without knowledge_store)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(ci): update repo homepage after docs deploy (#149)

Writes the deployed GitHub Pages URL back to the repo's `homepage`
field so it renders in the About sidebar on the repo page.

Co-authored-by: Automaker <automaker@localhost>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(llm): override OpenAI SDK User-Agent to bypass Cloudflare WAF

Cloudflare's managed WAF on the proto-labs.ai zone returns 403 "Your
request was blocked" for any request whose User-Agent starts with
`OpenAI/Python` or `AsyncOpenAI/Python` — which is exactly what
langchain_openai.ChatOpenAI sends by default via the bundled OpenAI
SDK. /v1/models succeeded (different SDK path / UA) while
/v1/chat/completions failed, making the break look like a key/ACL
issue when it was a header signature match.

Reproduction (before fix):
  curl -H 'User-Agent: OpenAI/Python 1.54.0' -H 'Authorization: Bearer <key>' \
    https://api.proto-labs.ai/v1/chat/completions -d '{...}'
  -> HTTP 403 "Your request was blocked."

The same call with User-Agent: curl/*, python-httpx/*, or any
non-OpenAI string returns 200. `tools/lg_tools.py:226` already sets a
protoAgent UA for outbound HTTP fetches — reuse that identifier here
so every egress presents a consistent, allowlisted UA.

Alternative fixes considered:
- A Cloudflare Custom WAF Skip rule on the hostname: cleaner at the
  edge but requires a zone-scoped token and couples agent operability
  to infra config.
- Stripping the UA header at cloudflared: not possible; WAF fires
  before the tunnel sees the request.

The in-client override is the most portable fix: self-hosters on a
different edge keep working, operators behind Cloudflare stop getting
403s.

---------

Co-authored-by: Automaker <automaker@localhost>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Ava <ava@protolabs.ai>
mabry1985 merged commit 2cb089b into staging on Apr 23, 2026
1 check was pending
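
The commit message above describes an edge block that was first read as a key/ACL failure. The following triage step is an added example, not code from this PR or the protoAgent project: it separates the two cases from recorded probe results. It assumes the origin reports auth failures as a JSON object with an `error` key; the probe records, including the `python-httpx/0.27.0` UA, are constructed sample data.

```python
import json

EDGE_BLOCK_TEXT = "Your request was blocked"  # block text quoted in the commit message

def classify_failure(status, body):
    """Label one failed response: 'edge_block', 'origin_auth' or 'other'."""
    if status not in (401, 403):
        return "other"
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    # Assumption: the origin reports auth failures as a JSON object with an "error" key.
    if isinstance(parsed, dict) and "error" in parsed:
        return "origin_auth"
    if status == 403 and EDGE_BLOCK_TEXT in body:
        return "edge_block"
    return "other"

def triage(probes):
    """Summarise probes that were all sent with the same API key."""
    labelled = [(p, classify_failure(p["status"], p["body"]))
                for p in probes if p["status"] >= 400]
    blocked = sorted({p["user_agent"] for p, kind in labelled if kind == "edge_block"})
    kinds = {kind for _, kind in labelled}
    if blocked:
        verdict = "edge_block"
    elif "origin_auth" in kinds:
        verdict = "credential_or_acl"
    else:
        verdict = "inconclusive"
    return {
        "verdict": verdict,
        "blocked_user_agents": blocked,
        # A 2xx with the same key elsewhere argues against a bad key.
        "key_accepted_elsewhere": any(200 <= p["status"] < 300 for p in probes),
    }

# Constructed sample data mirroring the symptoms described in the commit message.
WAF_CASE = [
    {"path": "/v1/models", "user_agent": "python-httpx/0.27.0", "status": 200, "body": '{"data": []}'},
    {"path": "/v1/chat/completions", "user_agent": "OpenAI/Python 1.54.0", "status": 403, "body": "Your request was blocked."},
    {"path": "/v1/chat/completions", "user_agent": "protoAgent/0.1", "status": 200, "body": '{"choices": []}'},
]
BAD_KEY_CASE = [
    {"path": "/v1/chat/completions", "user_agent": "protoAgent/0.1", "status": 401, "body": '{"error": {"message": "invalid key"}}'},
]

if __name__ == "__main__":
    print(triage(WAF_CASE))
    print(triage(BAD_KEY_CASE))
```
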
coderabbitai Bot commented Apr 23, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 305756e and b4434b1.

📒 Files selected for processing (3)
  • .github/workflows/docs.yml
  • graph/llm.py
  • pyproject.toml

Walkthrough

These changes include a version bump to 0.2.1, addition of a custom User-Agent header configuration for OpenAI client initialization, and a workflow enhancement to automatically update the repository homepage URL after Pages deployment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Configuration: `.github/workflows/docs.yml` | Added `administration: write` permission and a post-deployment step to update repository homepage via GitHub API using the Pages deployment URL. |
| OpenAI Client Configuration: `graph/llm.py` | Modified `create_llm` to configure `ChatOpenAI` with custom User-Agent header via `default_headers`. |
| Project Metadata: `pyproject.toml` | Updated project version from 0.1.0 to 0.2.1. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes
