Skip to content

release: v0.5.1 - security hardening (DEBT-024)#82

Merged
fvadicamo merged 21 commits into
mainfrom
develop
Jul 12, 2026
Merged

release: v0.5.1 - security hardening (DEBT-024)#82
fvadicamo merged 21 commits into
mainfrom
develop

Conversation

@fvadicamo

Copy link
Copy Markdown
Contributor

What

v0.5.1 release: security hardening. Promotes develop to main.

Details

The remaining open Dependabot alert (torch, low) has no patched release; tracked in DEBT-024 resolution notes.

Testing

After merge

Tag v0.5.1 on the merge commit. No back-merge needed: the only main-side commit (esbuild bump #77) was reconciled into develop by PR #81.

🤖 Generated with Claude Code

fvadicamo and others added 18 commits July 11, 2026 12:20
Tracks the 2026-05-06 post-v0.5.0 sweep of Dependabot and code-scanning
alerts (14 dependency alerts, 13 code-scanning warnings at the time).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
62 open Dependabot alerts (1 critical litellm auth bypass, 15 high) vs
14 at the original 2026-05-06 sweep. Priority raised to high; approach
and acceptance criteria updated to the grouped-by-package view.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Targeted uv lock upgrade closing 61 of 62 open Dependabot alerts:
litellm 1.91.2 (critical auth bypass), pyjwt 2.13.0, starlette 1.3.1
(fastapi 0.139.0), transformers 5.3.0, urllib3 2.7.0, cryptography
49.0.0, Mako 1.3.12, python-multipart 0.0.32, soupsieve 2.8.4,
aiohttp 3.14.1, pypdf 6.14.2, idna 3.18, onnx 1.22.0,
pydantic-settings 2.14.2, python-dotenv 1.2.2, Pygments 2.20.0.
torch (low) has no patched release yet and stays open.

Full unit suite green (636 passed) with a clean env.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Closes the 12 actions/missing-workflow-permissions code-scanning
alerts. contents: read at workflow level; detect-changes additionally
gets pull-requests: read for dorny/paths-filter on PR events.
Changelog entry for the DEBT-024 sweep included.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Hardens POST /admin/login against py/cookie-injection (code-scanning
alert #1): tokens must match the urlsafe-base64 charset of generated
API keys before key-store lookup, so header-unsafe characters can
never reach the Set-Cookie value. The flow was already safe in
practice (only key-store-validated admin tokens were echoed into the
cookie), this makes the bound explicit and testable.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
PR #80 review feedback:
- Gemini (comment 3564172639, medium): strip surrounding whitespace
  from pasted tokens before format validation and key-store lookup;
  new test covers the pasted-with-whitespace case.
- CodeRabbit (review 4677816114, nitpick): the malformed-token test
  now asserts lookup_by_token is never called, matching its name.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mentator

starlette-prometheus 0.10 (latest, unmaintained) is incompatible with
starlette >= 1.0: get_path_template does route.path on _IncludedRouter,
which no longer has that attribute, so every request through the
middleware failed with AttributeError (500). Caught by the integration
job on PR #80; unit tests do not exercise the app-level middleware.

prometheus-fastapi-instrumentator 8.0.2 declares starlette >=1.0,<2.0.
Metric names change (http_* families with templated handler labels);
nothing in-repo referenced the old starlette_* names. ARCH-014 and
CONTEXT.md updated, mypy override for the old package dropped.

Verified on the local Docker stack: /metrics 200 with per-handler
metrics, authenticated admin request 200 through the full middleware
chain.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- DEBT-024 security sweep: uv.lock re-lock closes 61/62 open Dependabot alerts (litellm critical auth bypass, pyjwt, starlette, transformers RCE, aiohttp x21, pypdf x9)
- Minimal permissions blocks on all GitHub workflows (12 code-scanning alerts)
- Admin login hardening: token charset guard + whitespace strip (py/cookie-injection)
- /metrics migrated to prometheus-fastapi-instrumentator (starlette 1.x compatibility)

Reviews: 2/2 addressed (Gemini 1, CodeRabbit 1)
Tests: 638 unit passed, integration + NFR gates green
Refs: DEBT-024
…ectory with 9 updates

Updates the requirements on [alembic](https://github.com/sqlalchemy/alembic), [pyyaml](https://github.com/yaml/pyyaml), [testcontainers](https://github.com/testcontainers/testcontainers-python), [pytest](https://github.com/pytest-dev/pytest), [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio), [pytest-cov](https://github.com/pytest-dev/pytest-cov), [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [import-linter](https://github.com/seddonym/import-linter) to permit the latest version.

Updates `alembic` to 1.18.5
- [Release notes](https://github.com/sqlalchemy/alembic/releases)
- [Changelog](https://github.com/sqlalchemy/alembic/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/alembic/commits)

Updates `pyyaml` to 6.0.3
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES)
- [Commits](yaml/pyyaml@6.0...6.0.3)

Updates `testcontainers` to 4.14.2
- [Release notes](https://github.com/testcontainers/testcontainers-python/releases)
- [Changelog](https://github.com/testcontainers/testcontainers-python/blob/main/CHANGELOG.md)
- [Commits](testcontainers/testcontainers-python@testcontainers-v4.8.0...testcontainers-v4.14.2)

Updates `pytest` to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `pytest-asyncio` to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v0.24.0...v1.4.0)

Updates `pytest-cov` to 7.1.0
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v5.0.0...v7.1.0)

Updates `ruff` to 0.15.21
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.0...0.15.21)

Updates `mypy` to 2.2.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.13.0...v2.2.0)

Updates `import-linter` to 2.13
- [Changelog](https://github.com/seddonym/import-linter/blob/main/docs/release_notes.md)
- [Commits](seddonym/import-linter@v2.7...v2.13)

---
updated-dependencies:
- dependency-name: alembic
  dependency-version: 1.18.4
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: import-linter
  dependency-version: '2.11'
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: pytest
  dependency-version: 9.1.0
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: pyyaml
  dependency-version: 6.0.3
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: ruff
  dependency-version: 0.15.17
  dependency-type: direct:development
  dependency-group: development-dependencies
- dependency-name: testcontainers
  dependency-version: 4.14.2
  dependency-type: direct:development
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…ment-dependencies-9b5c4575c9

chore(deps-dev): Bump the development-dependencies group across 1 directory with 9 updates
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…lop/actions/checkout-7

chore(deps): Bump actions/checkout from 6 to 7
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 3 to 4.
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@v3...v4)

---
updated-dependencies:
- dependency-name: dorny/paths-filter
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…lop/dorny/paths-filter-4

chore(deps): Bump dorny/paths-filter from 3 to 4
Reconcile the esbuild security bump (PR #77) that Dependabot recreated
against main (default branch) instead of develop.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Bump version 0.5.0 -> 0.5.1 across 8 components
- Promote CHANGELOG entry from [Unreleased] to [0.5.1] - 2026-07-12
- Refresh uv.lock for the version change
- BACKLOG: DEBT-024 completed (resolution notes), new DEBT-025
  (isolate unit tests from local .env)
- Reconcile esbuild 0.28 bump from main (PR #77 landed on the
  default branch)

Prepares the develop -> main release PR for v0.5.1
(security hardening: DEBT-024 sweep).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Version bump 0.5.0 -> 0.5.1 across 8 components
- CHANGELOG promoted to [0.5.1] - 2026-07-12
- BACKLOG: DEBT-024 completed, DEBT-025 added
- esbuild 0.28 bump reconciled from main

Tests: 638 unit passed, lint green, widget build green
Refs: DEBT-024
@fvadicamo fvadicamo added dependencies Dependency updates security Security hardening and vulnerability fixes labels Jul 12, 2026
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@fvadicamo, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 41 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5cce32b5-1919-485e-8cb8-9f660a0dc0f3

📥 Commits

Reviewing files that changed from the base of the PR and between c8696af and ca25717.

⛔ Files ignored due to path filters (5)
  • .s2s/BACKLOG.md is excluded by !.s2s/**
  • .s2s/CONTEXT.md is excluded by !.s2s/**
  • .s2s/architecture.md is excluded by !.s2s/**
  • .s2s/validation-scenarios.md is excluded by !.s2s/**
  • uv.lock is excluded by !**/*.lock, !**/*.lock
📒 Files selected for processing (18)
  • .github/workflows/ci-unit.yml
  • .github/workflows/integration.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/shell-scripts.yml
  • CHANGELOG.md
  • pyproject.toml
  • vektra-admin/pyproject.toml
  • vektra-admin/src/vektra_admin/ui.py
  • vektra-admin/tests/test_ui.py
  • vektra-analytics/pyproject.toml
  • vektra-app/pyproject.toml
  • vektra-app/src/vektra_app/main.py
  • vektra-core/pyproject.toml
  • vektra-index/pyproject.toml
  • vektra-ingest/pyproject.toml
  • vektra-learn/pyproject.toml
  • vektra-shared/pyproject.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch develop

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added documentation Improvements or additions to documentation component:shared vektra-shared component component:core vektra-core component component:ingest vektra-ingest component component:index vektra-index component component:admin vektra-admin component labels Jul 12, 2026
@github-actions github-actions Bot added the ci CI/CD and toolchain changes label Jul 12, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the project to version 0.5.1, focusing on security hardening and dependency updates. Key changes include replacing the unmaintained starlette-prometheus package with prometheus-fastapi-instrumentator for serving metrics, and hardening the admin login endpoint to prevent cookie injection by validating tokens against a urlsafe-base64 regex. The reviewer suggested extending the Prometheus instrumentator configuration to exclude health checks and documentation endpoints, which prevents internal polling traffic from polluting latency metrics.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread vektra-app/src/vektra_app/main.py
Tracks the Gemini suggestion on PR #82 (exclude health/docs endpoints
from request metrics) as deferred low-priority debt.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
fvadicamo and others added 2 commits July 12, 2026 01:23
PR #83 review feedback (Gemini): sequential item order and correct
excluded_handlers regex semantics (re.match, anchoring, dot escaping).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
docs(backlog): track PR #82 review suggestion as DEBT-026
@fvadicamo fvadicamo merged commit 702f743 into main Jul 12, 2026
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD and toolchain changes component:admin vektra-admin component component:core vektra-core component component:index vektra-index component component:ingest vektra-ingest component component:shared vektra-shared component dependencies Dependency updates documentation Improvements or additions to documentation security Security hardening and vulnerability fixes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant