@SL-Mar (Owner) commented Jan 26, 2026

Summary

This PR completes the production readiness checklist by converting the remaining blocking network calls in pipeline.py to async, adding comprehensive CLI integration tests, and documenting a known transitive dependency vulnerability.

Key Changes

  • Async Network Calls in pipeline.py: Converted requests.get() calls in _fetch_from_arxiv() and _fetch_from_crossref() methods to use aiohttp with proper async/await patterns, eliminating thread pool executors

  • CLI Integration Tests: Added 33 new CLI tests in tests/test_cli.py using Click's CliRunner covering:

    • All top-level commands (version, health, search, download, summarize, generate, validate, backtest, config-show)
    • Subcommand groups (auto, library, evolve)
    • Argument validation and help text
    • Error handling and graceful failure modes
    • Mock-based testing for external tool dependencies
  • CVE Documentation: Added Section 8 to PRODUCTION_READINESS_REVIEW.md documenting:

    • CVE-2026-0994 in protobuf (transitive dependency)
    • Risk assessment (Low severity for CLI tool context)
    • Monitoring instructions for patch availability
    • Remediation plan for when fix becomes available
    • Risk acceptance rationale

Implementation Details

  • Network calls now use aiohttp.ClientSession with 15-second timeouts
  • Response handling properly awaits async operations (await response.read(), await response.json())
  • CLI tests use environment fixtures to mock API keys and temporary directories
  • Tests validate both success and error paths without requiring actual network calls
  • Production readiness review updated to reflect completion of all 7 critical items

Testing

All new CLI tests pass with CliRunner and properly mock external dependencies. No breaking changes to existing functionality.

1. Convert pipeline.py to native async aiohttp
   - Replace requests.get() with aiohttp.ClientSession
   - Remove run_in_executor workaround
   - Now fully async for _fetch_from_arxiv and _fetch_from_crossref

2. Add comprehensive CLI tests (33 tests)
   - Test all major commands: search, download, validate, etc.
   - Test subcommand groups: auto, library, evolve
   - Test help text, argument validation, error handling
   - Uses Click CliRunner with mock API keys

3. Document protobuf CVE-2026-0994
   - Add detailed section explaining the vulnerability
   - Document why it's low risk for this CLI tool
   - Provide monitoring instructions for when fix is available
   - Include remediation plan

https://claude.ai/code/session_019XEBDoEmdKV4wzfvpk5QCy
@SL-Mar SL-Mar merged commit 16b166d into gamma Jan 26, 2026
4 of 14 checks passed
@SL-Mar SL-Mar deleted the claude/production-readiness-review-oS1HQ branch January 26, 2026 20:09