Chiguyong
|
cb278bb5f0
|
fix(enterprise): ce-debug batch — PERF-1 PII filter + DEPLOY-1/2/4/5 + SCIM RFC 7643/7644
Test / backend-test (pull_request) Waiting to run
Details
Test / frontend-unit (pull_request) Waiting to run
Details
Test / api-e2e (pull_request) Waiting to run
Details
Test / frontend-e2e (pull_request) Waiting to run
Details
修复 ce-code-review 发现的全部 P1/P2 residual findings:
P1:
- PERF-1: PII 脱敏接入 gateway chat()/chat_stream() 生产路径
(env AGENTKIT_PII_FILTER_ENABLED=true 启用,fail-closed)
- API-1/2/5/6/7/9/11/13 + STAND-1 + SEC-3: SCIM router 全面重写
- API-1: totalResults 用 SELECT COUNT(*) 返回全量总数
- API-2: 异常处理器转 RFC 7644 错误格式(scope 到 /scim/v2)
- API-5: create_user 写 user_idp_links(idp_name='scim')
- API-6: POST /Users 返回 Location 头
- API-7: PATCH userName UNIQUE 冲突 → 409
- API-9: 不支持的 filter → 400 invalidFilter
- API-11: displayName=None
- API-13: filter 大小写不敏感
- STAND-1: dict[str, Any] → dict[str, object]
- SEC-3: active true→false 写审计(延后到事务提交后避免 SQLite 锁竞争)
- API-4: _sso_issue_token_pair 用 secrets.token_urlsafe(32) 生成真实 refresh_token
(移除 __pending_sso__ 占位符 + 后续 UPDATE 的非原子两步写入)
- API-8: _sso_issue_token_pair 增加 provider_type/provider_name 参数
- API-10: deprovision_user/change_user_role 加 response_model
- DEPLOY-1: install.sh + docs 用 instance 标签选择器替代硬编码 fullname
- DEPLOY-2: 11 处 Redis 客户端构造显式传入 REDIS_PASSWORD env var
P2:
- DEPLOY-4: 移除 agentkit deployment 中死 env POSTGRES_PASSWORD
(应用通过 DATABASE_URL Slot 3 内嵌密码连接,不读此 env)
- DEPLOY-5: OTel token 格式改为 Authorization=Bearer <token>
(符合 OTEL_EXPORTER_OTLP_HEADERS key=value 规范)
测试:
- ruff check + format 全部通过
- pytest tests/unit/test_scim_router.py 9 passed
- pytest tests/unit/test_llm_gateway.py + test_handoff.py + test_event_queue_integration.py 70 passed, 5 skipped
- helm lint + helm template 验证 POSTGRES_PASSWORD env 已移除
|
2026-07-06 11:41:06 +08:00 |
Chiguyong
|
3cf29f4633
|
fix(enterprise): ce-code-review P1 fixes — SSO is_active + span leak + Helm chart integration
Stage 5c applied safe P1/P2/P3 fixes from multi-agent code review:
- SEC-1 (P1, security): SSO 登录绕过 is_active 检查 — _sso_issue_token_pair
入口加显式校验,与本地 login(auth.py:377)一致。已停用用户无法再通过
IDP 回调拿 JWT,封堵 R1b deprovisioning 绕过。
- PERF-2/3 (P2, reliability): gateway chat() span 泄漏 + 异常未记录 — try 块
扩展到覆盖整个 span 生命周期(含 cache 设置),新增 except 分支调用
record_exception + set_status(ERROR),失败调用在 trace 中不再显示为成功。
- API-3 (P1, test isolation): SCIM router 使用 import-time 捕获的
DEFAULT_AUTH_DB_PATH — 改为 resolve_auth_db_path() 在调用时读取 env var,
让测试 monkeypatch.setenv 可见。
- MAINT-1 (P3, dead code): 删除 BitableRepository.delete_view(被
delete_view_if_not_last 取代,无生产调用方,仅 docs 残留引用)。
- PERF-4/5 (P3, performance): pii_filter._record_pii_metrics 的 from import
提升至模块顶部 + except: pass 改为 logger.debug 记录失败原因。
- DEPLOY-3 (P1, chart integration): ConfigMap 不可达 — deployment.yaml
args 增加 --config /etc/agentkit/agentkit.yaml,让应用能加载 chart 渲染
的非密配置。
- DEPLOY-6/7 (P3, doc/chart consistency): values.yaml 注释残留旧 slot 名
redisPgPasswords → redisPassword;slot 计数 10 → 11(5 处 chart + 3 处
deployment docs 同步修正)。
Verification:
- ruff check + format clean (7 modified .py files)
- pytest tests/unit/{auth,bitable} + test_{pii_filter,oidc_provider,
saml_provider,scim_router,auth_audit,telemetry,prompt_cache_layers}.py
→ 336 passed, 145 skipped
- helm lint + helm template 验证 secret key 一致性
Residual findings (deferred to follow-up):
- PERF-1: PII filter 未接入 gateway 生产路径(manual, 需配置接入决策)
- API-1/2/4/5: SCIM RFC 7644 合规性(totalResults/error format/Location
header/SSO 预配联动)— manual, 需设计决策
- DEPLOY-1/2/4: Helm chart ↔ app 集成断裂(部署名引用/Redis 鉴权/PG 密码双源)
— manual, 需 app+chart 联动修改
|
2026-07-06 08:36:59 +08:00 |