Skip to content

fix: remaining 2026-07-15 audit items (GIN tag search, XFF hardening, code-blob over-fetch, CoC)#9644

Merged
MarkusNeusinger merged 4 commits into
mainfrom
claude/remaining-audit-items-cvxn07
Jul 17, 2026
Merged

fix: remaining 2026-07-15 audit items (GIN tag search, XFF hardening, code-blob over-fetch, CoC)#9644
MarkusNeusinger merged 4 commits into
mainfrom
claude/remaining-audit-items-cvxn07

Conversation

@MarkusNeusinger

Copy link
Copy Markdown
Owner

Summary

  • Tag search finally uses the GIN indexSpecRepository.search_by_tags cast the JSONB tags column to text and ran LIKE, which ix_specs_tags can never serve (seq scan on every MCP tag search) and which let %/_ in tag values wildcard-match. On PostgreSQL it now emits per-category JSONB containment (tags @> '{"<category>": ["<tag>"]}' via type_coerce, keeping the left side a bare column so the index stays applicable); the SQLite test fallback escapes LIKE metacharacters via autoescape (audit 2026-07-15 Medium#17).
  • Hot listing paths stop dragging the full code corpus through the DB — MCP list_specs / search_specs_by_tags and /libraries/{id}/images all called get_all_with_code() (every code blob of ~3,240 impls per request). The MCP tools now resolve code presence with a lightweight id probe (ImplRepository.get_ids_with_code), the images endpoint fetches only its own library's code (get_by_library_with_code), and the now caller-less get_all_with_code() is removed (audit Medium#5, issue perf: database access optimizations (follow-ups from #7694) #7696).
  • Feedback rate limiting no longer trusts a client-controlled header entry/feedback keyed its per-IP limit and duplicate suppression on the first x-forwarded-for entry, so a caller could evade the limit or poison a victim's bucket (5 spoofed posts = victim locked out). _client_ip now prefers Cloudflare's cf-connecting-ip and otherwise takes the rightmost, infrastructure-appended XFF entry (audit Medium#20).
  • CODE_OF_CONDUCT.md (Contributor Covenant 2.1) added and linked from docs/contributing.md — closes the last repo-health gap after fix: resolve 2026-07-15 audit findings (retry-loop fail-closed, security, SEO, dark mode) #9642 shipped the PR template and .editorconfig (audit Medium#29).

Also done outside this diff (session action, user-authorized): reconciled the ~50 contradictory impl:* labels on issue #1010 down to the 32 that match the filesystem state (8 done, 7 failed, watchdog history kept) so babysit-pipeline reads true state.

Test plan

  • uv run ruff check . + ruff format --check . clean (148 files)
  • uv run --extra typecheck mypy api core clean
  • uv run --extra test pytest tests/unit tests/integration — 1650 passed
  • New tests: PG filters compile to specs.tags @> … (no CAST on the column), SQLite fallback matches literally with %/_ in tag values, get_ids_with_code excludes NULL-code impls, get_by_library_with_code scopes to one library, _client_ip trust-order matrix (cf-connecting-ip > rightmost XFF > client.host)
  • PostgreSQL query plan not verified against prod (no DB in sandbox); after deploy, EXPLAIN an MCP tag search should show a Bitmap Index Scan on ix_specs_tags

Checklist

  • CHANGELOG.md updated under [Unreleased] (Keep-a-Changelog categories, bold-titled bullets; PR ref to be appended)
  • Related documentation updated (docs/contributing.md links the new Code of Conduct)

🤖 Generated with Claude Code

https://claude.ai/code/session_015kWZJgpARSK68RtfeHMEsK


Generated by Claude Code

… code-blob over-fetch, CoC)

- SpecRepository.search_by_tags now uses JSONB containment (tags @> ...) on
  PostgreSQL so the ix_specs_tags GIN index serves the query instead of a
  cast-to-text LIKE seq scan; the SQLite test fallback escapes LIKE
  metacharacters (audit Medium#17)
- MCP list_specs / search_specs_by_tags resolve code presence via a
  lightweight id probe (get_ids_with_code) and /libraries/{id}/images
  fetches only its own library's code (get_by_library_with_code); the
  now-unused get_all_with_code() is removed (audit Medium#5, issue #7696)
- /feedback keys rate limiting and dup suppression on cf-connecting-ip or
  the rightmost x-forwarded-for entry instead of the client-controlled
  first entry (audit Medium#20)
- Add CODE_OF_CONDUCT.md (Contributor Covenant 2.1), linked from
  docs/contributing.md (audit Medium#29)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015kWZJgpARSK68RtfeHMEsK
Copilot AI review requested due to automatic review settings July 16, 2026 21:20
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015kWZJgpARSK68RtfeHMEsK
The #9644 entry insertion consumed the following block's "### Fixed"
header, misfiling the #9642 fixes under "### Added".

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015kWZJgpARSK68RtfeHMEsK

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses remaining 2026-07-15 audit items by (1) making spec tag search index-friendly and wildcard-safe, (2) removing unnecessary code-blob loading from hot listing paths, (3) hardening feedback rate-limiting IP resolution against spoofing, and (4) improving repo health documentation via a Code of Conduct.

Changes:

  • Reworked SpecRepository.search_by_tags to use PostgreSQL JSONB containment (GIN-servable) and a SQLite fallback that escapes LIKE metacharacters.
  • Eliminated “load all impl code” behavior in MCP tools and /libraries/{id}/images by introducing targeted queries (get_ids_with_code, get_by_library_with_code) and removing get_all_with_code().
  • Updated feedback rate limiting to prefer cf-connecting-ip, otherwise use the rightmost x-forwarded-for entry; added Code of Conduct + docs/changelog updates and unit tests for the new behaviors.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
core/database/repositories.py Adds dialect-aware tag filters; removes get_all_with_code; adds get_by_library_with_code and get_ids_with_code to avoid over-fetching code blobs.
api/mcp/server.py Switches MCP list/search to probe code presence via get_ids_with_code instead of loading code for every impl.
api/routers/libraries.py Updates /libraries/{id}/images to fetch only one library’s impls with code undeferred.
api/routers/feedback.py Hardens _client_ip resolution to reduce XFF spoofing impact on rate limiting / duplicate suppression.
tests/unit/core/database/test_repositories.py Adds tests for tag-search SQL shape (Postgres vs SQLite) and new impl repository queries.
tests/unit/api/mcp/test_tools.py Updates MCP tool tests for the new code-presence probing approach.
tests/unit/api/test_routers.py Updates libraries router tests to mock ImplRepository.get_by_library_with_code behavior.
tests/unit/api/test_feedback_router.py Adds unit tests for _client_ip trust-order logic.
docs/contributing.md Links contribution participation to the new Code of Conduct.
CODE_OF_CONDUCT.md Adds Contributor Covenant 2.1 Code of Conduct.
CHANGELOG.md Adds [Unreleased] entries covering tag search, code-blob over-fetch removal, feedback hardening, and CoC addition.

Copilot AI review requested due to automatic review settings July 16, 2026 21:24

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Comment thread api/routers/feedback.py
Comment thread CHANGELOG.md
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

…g sections

- _client_ip now takes the rightmost NON-EMPTY x-forwarded-for entry and
  falls back to request.client.host, so a malformed header ("1.2.3.4, ")
  can't key rate limiting on a shared empty-string bucket
- CHANGELOG [Unreleased] merged from per-PR blocks (4x Fixed, 4x Changed,
  3x Added) into unique Keep-a-Changelog sections, newest entries first

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015kWZJgpARSK68RtfeHMEsK
Copilot AI review requested due to automatic review settings July 16, 2026 21:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

@MarkusNeusinger
MarkusNeusinger merged commit a88ad9c into main Jul 17, 2026
10 checks passed
@MarkusNeusinger
MarkusNeusinger deleted the claude/remaining-audit-items-cvxn07 branch July 17, 2026 07:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants