Skip to content

fix: add auth_code guard to set_gateway_state stale cleanup#3792

Merged
crivetimihai merged 7 commits intoIBM:mainfrom
kimsehwan96:fix/set-gateway-state-authcode-guard
Mar 23, 2026
Merged

fix: add auth_code guard to set_gateway_state stale cleanup#3792
crivetimihai merged 7 commits intoIBM:mainfrom
kimsehwan96:fix/set-gateway-state-authcode-guard

Conversation

@kimsehwan96
Copy link
Copy Markdown
Contributor

@kimsehwan96 kimsehwan96 commented Mar 23, 2026
edited
Loading

🔗 Related Issue

Closes #3788

📝 Summary

When an auth_code gateway transitions from offline → online, set_gateway_state calls _initialize_gateway which connects without a valid OAuth token, receives empty results, and deletes all existing tools, resources, prompts, and their virtual server associations as "stale."

This PR mirrors the existing guard from _refresh_gateway_tools_resources_prompts (line 4558) into set_gateway_state, skipping stale cleanup when the response is empty for authorization_code gateways.

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check Command Status
Lint suite make lint pass
Unit tests make test pass
Coverage ≥ 80% make coverage

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes (optional)

What the guard protects:

  • DB DELETE queries (tools, resources, prompts, metrics, server_tool_association)
  • In-memory list reassignment (gateway.tools = [...] filtering)

What it does NOT change:

  • Non-auth_code gateways behave exactly as before
  • Auth_code gateways with partial results (some tools returned) still run normal stale cleanup
  • The guard only activates when ALL three (tools, resources, prompts) are empty AND the gateway is authorization_code type

kimsehwan96 and others added 6 commits March 23, 2026 14:58
@kimsehwan96 @crivetimihai
fix: prevent tool deletion on auth_code gateway reactivation
103ae80 
When an OAuth authorization_code gateway transitions from offline to
online, set_gateway_state re-initializes without a valid token, receives
empty results, and deletes all existing tools/resources/prompts as stale.

Add the same auth_code guard that _refresh_gateway_tools_resources_prompts
already has (PR IBM#2537): skip stale cleanup when the response is empty
for authorization_code gateways.

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
@kimsehwan96 @crivetimihai
test: align assert style with existing conventions
bdbfd6c 
Replace string-parsing assert with call_count check to match
the existing test patterns in test_gateway_service.py.

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
@kimsehwan96 @crivetimihai
fix: also guard in-memory list reassignment and improve test coverage
8832391 
Skip gateway.tools/resources/prompts list filtering when stale cleanup
is skipped, and verify all existing tools are preserved by id.

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
@kimsehwan96 @crivetimihai
style: align variable naming with existing convention
bc62d2e 
Rename _is_auth_code_gw to is_auth_code_gateway and
_skip_stale_cleanup to skip_stale_cleanup to match
_refresh_gateway_tools_resources_prompts naming.

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>
@crivetimihai
test: add negative and resource/prompt coverage for auth_code guard
d108f73 
Add two tests for set_gateway_state auth_code guard:
- Non-auth_code gateway with empty results still runs stale cleanup
- Auth_code guard preserves resources and prompts (not just tools)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
test: add partial-results coverage for auth_code guard
5da5e3d 
Verify that an authorization_code gateway returning partial results
(some tools) still runs stale cleanup, ensuring the guard only
activates when all three collections are empty.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the fix/set-gateway-state-authcode-guard branch from de86e0a to 5da5e3d Compare March 23, 2026 15:49
@crivetimihai
Copy link
Copy Markdown
Member

crivetimihai commented Mar 23, 2026

Rebased onto main (clean, no conflicts) and added three additional tests for full differential coverage:

  1. Negative test — non-auth_code gateway with empty results still runs stale cleanup (tools get removed)
  2. Resources/prompts preservation — auth_code guard preserves resources and prompts, not just tools
  3. Partial results — auth_code gateway returning partial results (some tools) still cleans stale items, confirming the guard only activates when all three collections are empty

All 272 tests pass (271 passed, 1 pre-existing skip).

The guard logic is correct and consistent with the existing pattern in _refresh_gateway_tools_resources_prompts. No security or performance concerns.

crivetimihai
crivetimihai previously approved these changes Mar 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@crivetimihai crivetimihai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — guard is correct, consistent with the existing pattern, and well-tested.

@crivetimihai
fix(sdist): include infra/s390x/Containerfile in MANIFEST.in
fe259e4 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai merged commit 6614650 into IBM:main Mar 23, 2026
39 of 54 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai crivetimihai left review comments

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG]: set_gateway_state deletes tools on offlin to online transition for OAuth authorization_code gateways

2 participants

@kimsehwan96 @crivetimihai