fix(runtime): implement issue #1493 runtime_state_query permission, masking, rate limit and audit#1504
Merged
fix(runtime): implement issue #1493 runtime_state_query permission, masking, rate limit and audit#1504
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Implements the missing production-grade behaviors for FlowNet runtime state queries (Issue #1493): namespace ACL enforcement, permission-based value masking, sliding-window rate limiting, and consistent audit recording. Adds focused unit tests for the new behaviors and adjusts the dev CLI test runner to redirect coverage artifacts into the repo-managed .sage/ directory.
Changes:
- Implemented reveal-permission “soft downgrade” (masked results instead of hard rejection) plus unified redaction placeholder and success-path auditing.
- Enforced namespace ACL deny path and per-principal sliding-window rate limiting with audit records.
- Added a dedicated test suite covering masking, permission downgrade, namespace denial, rate limiting, include-values behavior, and pagination normalization; redirected coverage output via
COVERAGE_FILE.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/sage/runtime/flownet/client/node_runtime.py | Adds redaction placeholder, reveal permission soft-downgrade, rate limit + ACL enforcement, and consistent auditing for runtime state queries. |
| src/tests/test_flownet_runtime_state_query.py | Introduces focused tests validating masking, auditing, ACL denial, rate limiting, and pagination normalization. |
| src/sage/tools/cli/commands/dev.py | Redirects pytest-cov output to .sage/.coverage to avoid repository-root artifacts and ensures .sage/ exists. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
What Changed
Validation
platform linux -- Python 3.11.15, pytest-9.0.3, pluggy-1.6.0 -- /home/moonlife/miniconda/envs/sage/bin/python3
cachedir: .pytest_cache
rootdir: /home/moonlife/hust/SAGE
configfile: pytest.ini
plugins: anyio-4.13.0, asyncio-1.3.0, mock-3.15.1, cov-7.1.0
asyncio: mode=Mode.STRICT, debug=False, asyncio_default_fixture_loop_scope=None, asyncio_default_test_loop_scope=function
collecting ... collected 6 items
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_masks_value_and_writes_success_audit PASSED [ 16%]
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_reveal_permission_denied_downgrades_to_redacted PASSED [ 33%]
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_namespace_forbidden_is_audited PASSED [ 50%]
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_rate_limited_is_audited PASSED [ 66%]
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_include_values_false_hides_value_field PASSED [ 83%]
src/tests/test_flownet_runtime_state_query.py::test_query_runtime_state_limit_and_cursor_are_normalized PASSED [100%]
============================== 6 passed in 0.47s ===============================
Related