fix(sdk): select deployed cross-read by per-request envelope, not process IsLambda#140
Merged
Merged
Conversation
…cess IsLambda
DependencyDB.Result gated the cross-read plane on the process-global
runtime.IsLambda(). That is wrong altitude: whether a read is "deployed"
is a PER-REQUEST property (did this invoke arrive through the deployed
Lambda envelope?), not a per-process one.
The local deploy-sim module-runtime serves DEPLOYED invokes over HTTP via
the dev lambda-invoke shim, which is mounted ONLY when !runtime.IsLambda()
— and it MUST run with IsLambda==false: setting AWS_LAMBDA_FUNCTION_NAME
would make module.Start() call the real lambda.Start(), which stops the
HTTP server the shim needs. So on the local shim the envelope-arrival
signals (auth.PayloadTrusted + the injected Dependencies manifest) are all
present, yet the IsLambda gate took the dev-tunnel PROXY branch and failed
with ErrDependencyUnauthorized ("MS_INTERNAL_SECRET unset") instead of
resultDeployed. Real Lambda worked (IsLambda true); only the shim was
blocked — which blocked the scenario-3 (all-deployed) E2E on the local
stack entirely.
Gate on auth.PayloadTrusted(ctx) instead: it is set by
runtime.NewLambdaHandler for BOTH the real Lambda entrypoint AND the dev
shim, unconditionally per invoke, and never for a dev-tunnel HTTP request.
The result() seam keeps its injected bool (renamed inLambda -> deployed)
so the three planes stay explicitly testable.
Behavior preserved exactly: dev-tunnel requests (no envelope) still take
the read-exposed proxy; resultDeployed keeps its manifest-absent hard-error
rollout gate; an all-deps-degraded deployed invoke (manifest nil but
PayloadTrusted true) routes to resultDeployed and fail-closes to the
typed sentinel, NOT the proxy error. Real-Lambda behavior is unchanged.
Unblocks the scenario-3 local E2E on the deploy-sim shim.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The local deploy-sim module-runtime serves DEPLOYED invokes over HTTP with
runtime.IsLambda() == false— settingAWS_LAMBDA_FUNCTION_NAMEwould makemodule.Start()call the reallambda.Start()and hijack the process, killing the HTTP server the shim needs to serve. So theIsLambda-gated deployedDependencyDBbranch never fires locally, blocking the scenario-3 (all-deployed) E2E — even though the shim already injects the dependency manifest per-request.Fix
Gate on the PER-REQUEST envelope signal instead:
auth.PayloadTrusted(ctx)— the deployed-envelope / payload-trust mark set byruntime.NewLambdaHandlerfor BOTH real Lambda (module.goStart->lambda.Start) AND the dev lambda-invoke shim (lambda_shim.go), unconditionally per invoke, and never for a dev-tunnel HTTP request.Used ALONE —
runtime.IsLambdais removed entirely, not OR'd. Investigation showedPayloadTrustedis the single discriminator correct in all four cases — critically case 4 (all-degraded deployed invoke, manifest nil) stays on the deployed branch ->errDevPlaneOnlyfail-closed, whereas keying on manifest-presence would wrongly divert it to the proxy error.Behavior preserved exactly:
MS_INTERNAL_SECRETpath preserved.resultDeployedmanifest-absent rollout hard-error ("dev-plane only", no typed sentinel) preserved.Verification
gofmt -lclean on all 3 changed files.go build ./...OK.go vet ./internal/core/clean.go test ./internal/core/ ./auth/ ./internal/runtime/all green.go test ./internal/core -run TestDependencyDB -vpasses, including the new pinTestDependencyDB_Result_DeployedFiresInLocalShimNotOnlyRealLambda(3 subtests).false && auth.PayloadTrusted) makes subtest (a) dev-sim-shim FAIL with "dependency read unauthorized ... MS_INTERNAL_SECRET is unset" (wantErrNotExposed) — i.e. the pin fails before the fix and passes after; the dev-tunnel-proxy subtest (b) passes both before and after, confirming scenario 1/2 is preserved. Restored the tree clean after the experiment (git status --porcelainempty).internal/refcacheTestSlowPath_SingleflightCoalescestiming flake is unrelated — this diff touches onlyinternal/core/dependency_db*.go.Relationship
Follow-up to #139 decision-18 PR2; enables the local all-deployed E2E.
🤖 Generated with Claude Code