fix: transport, session, and resource hardening consistency for RC2 - h-batch-2 #3106

Merged: crivetimihai merged 7 commits into main from h-batch-2 on Feb 22, 2026
@crivetimihai
Member

Summary

This PR completes RC2 hardening updates for transport auth, session ownership, resource visibility scoping, and roots authorization consistency.

Hardening Items Completed

  • C-14: WebSocket bearer auth is now header-only (Authorization); query-token auth is no longer accepted.
  • C-04: Message ingress (/message, /servers/{id}/message) now enforces owner/admin authorization.
  • C-11: RPC initialize now uses atomic session-owner claim semantics to prevent concurrent ownership races.
  • C-28: Resource SSE events are scoped per subscriber visibility (public/team/private + owner/team context).
  • C-29: resources/subscribe now enforces visibility before persisting subscriptions; deny paths return consistent permission errors.
  • C-07: Roots listing is consistently admin-gated across REST and JSON-RPC (list_roots, roots/list).

Additional Hardening/Consistency

  • Session ingress now distinguishes:
    • missing session (404)
    • owner metadata unavailable/unverifiable (403, fail-closed)
  • Defensive guard added for team-based resource access checks when DB context is unavailable.
  • RC2 changelog updated with migration/breaking-change notes.
  • Docstring/lint coverage alignment updates included.
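
An added illustration of the C-04/C-11 behaviour described above (not code from this PR or the project): a first-writer-wins owner claim done as one atomic check-and-set, and a fail-closed ingress check that separates a missing session (404) from unverifiable owner metadata (403). The class and function names, the in-memory store standing in for the ownership backend, and the 200 success status are assumptions.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

MISSING, UNVERIFIABLE, OWNED = "missing", "unverifiable", "owned"


class SessionOwnerStore:
    """Hypothetical in-memory stand-in for a session ownership backend."""
    def __init__(self):
        self._lock = threading.Lock()
        self._sessions, self._owners = set(), {}
        self.backend_up = True  # set False to simulate a backend outage

    def create_session(self, sid):
        with self._lock:
            self._sessions.add(sid)

    def claim_owner(self, sid, user):
        """Set the owner only if none exists; return the effective owner or None."""
        with self._lock:  # check-and-set happens inside one critical section
            if not self.backend_up or sid not in self._sessions:
                return None  # caller must not assume it won the claim
            return self._owners.setdefault(sid, user)

    def lookup(self, sid):
        if not self.backend_up:
            return UNVERIFIABLE, None
        with self._lock:
            if sid not in self._sessions:
                return MISSING, None
            owner = self._owners.get(sid)
        return (OWNED, owner) if owner else (UNVERIFIABLE, None)


def authorize_message(store, sid, user, is_admin=False):
    """Return the HTTP status for message ingress (200 is an assumed success code)."""
    state, owner = store.lookup(sid)
    if state == MISSING:
        return 404
    if state == UNVERIFIABLE:
        return 403  # fail closed: unknown ownership is never treated as open
    return 200 if (is_admin or user == owner) else 403


def race_claims(store, sid, users):
    """Run concurrent initialize-style claims; return the set of owners observed."""
    with ThreadPoolExecutor(max_workers=len(users)) as pool:
        return set(pool.map(lambda u: store.claim_owner(sid, u), users))
```

Every concurrent claimant gets the same effective owner back, so a caller can compare it with its own identity instead of assuming its write won.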

Align websocket token handling, session ownership checks, resource visibility enforcement, and roots permission consistency for C-04 C-07 C-11 C-14 C-28 C-29.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Document C-04 C-07 C-11 C-14 C-28 C-29 behavior changes and breaking-change migration guidance under 1.0.0-RC2.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Add missing Args/Returns/Raises docstrings for helper methods and nested search/session owner helpers to satisfy flake8 DAR rules and interrogate coverage.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Use atomic owner claim for initialize, distinguish missing session from unverifiable owner metadata on message ingress, add defensive team-access guard, and extend regression coverage.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

@crivetimihai changed the title from "fix: transport, session, and resource hardening consistency for RC2" to "fix: transport, session, and resource hardening consistency for RC2 - h-batch-2" on Feb 22, 2026

Return unverifiable state when Redis ownership backend is unavailable and extend backend coverage for owner claim/session existence behavior.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Add backend-specific session owner claim/existence tests and helper-path regressions to reach 100% diff coverage for new hardening code.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

@crivetimihai self-assigned this on Feb 22, 2026
@crivetimihai added the labels "security" (Improves security) and "revisit" (Revisit this PR at a later date to address further issues, or if problems arise.) on Feb 22, 2026
@crivetimihai added this to the Release 1.0.0-GA milestone on Feb 22, 2026
@crivetimihai merged commit 9e7ee4f into main on Feb 22, 2026
54 checks passed
@crivetimihai deleted the h-batch-2 branch on February 22, 2026 18:30
vishu-bh pushed a commit that referenced this pull request Feb 24, 2026
… h-batch-2 (#3106)

* fix: session and resource access hardening and behavior consistency

Align websocket token handling, session ownership checks, resource visibility enforcement, and roots permission consistency for C-04 C-07 C-11 C-14 C-28 C-29.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* docs: rc2 changelog hardening and migration clarity

Document C-04 C-07 C-11 C-14 C-28 C-29 behavior changes and breaking-change migration guidance under 1.0.0-RC2.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: docstring lint compliance and coverage consistency

Add missing Args/Returns/Raises docstrings for helper methods and nested search/session owner helpers to satisfy flake8 DAR rules and interrogate coverage.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: session ownership claim hardening and auth semantics

Use atomic owner claim for initialize, distinguish missing session from unverifiable owner metadata on message ingress, add defensive team-access guard, and extend regression coverage.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Update pylint

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: distributed owner-claim fail-closed semantics

Return unverifiable state when Redis ownership backend is unavailable and extend backend coverage for owner claim/session existence behavior.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test: expand hardening regression and diff coverage

Add backend-specific session owner claim/existence tests and helper-path regressions to reach 100% diff coverage for new hardening code.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>