This repository was archived by the owner on May 26, 2026. It is now read-only.
chore(kora): KR-SLOWAPI-DEP-FIX — move slowapi to runtime deps #128
Merged
rafe-walker merged 1 commit into May 23, 2026
Closes BOTH task NousResearch#265 (slowapi misplacement) AND task NousResearch#269 (test_web_server_mcp_clients failures — same root cause, traced in PR #125's Part B investigation).

Problem
=======
`kora_cli/listeners/webhooks.py` imports `slowapi` unconditionally for the public webhook rate-limiter. The import chain

    kora_cli/web_server.py → kora_cli/listeners/__init__ → kora_cli/listeners/webhooks → slowapi

runs on any process that touches web_server. With slowapi sitting under the `[web]` optional-deps extra, base-install environments (CI / fresh dev / `uv sync --extra dev` only) hit ModuleNotFoundError at import time — collapsing 13 mcp_clients tests (failures) + 5 more (collection errors) on a single missing package, NOT on stale assertions.

Fix
===
* pyproject.toml: remove `slowapi>=0.1.9` from [project.optional-dependencies].web
* pyproject.toml: add `slowapi==0.1.9` to [project].dependencies, next to the aiosmtplib pin that established this discipline in PR #124. Inline comment cites task NousResearch#265 + PR #125 so the next contributor inheriting this code sees the rationale.
* Version pin is exact-equals (==0.1.9) per the security policy in the dependencies block header (2026-05-12 Mini Shai-Hulud response). Resolved via `uv pip compile` against the existing constraint graph — same version slowapi was already shipping.
* uv.lock regenerated via `uv lock`. slowapi promoted from extras-only into the root dep set; limits transitive (5.8.0) pulled in alongside (slowapi's only required runtime dep).

Verification
============
Base-install path (`uv sync --frozen --extra dev`, NO --extra web):
* tests/kora_cli/test_web_server_mcp_clients.py: 19/19 pass (was 13 fail + 5 err; matches what PR #125's investigation predicted when --extra web was installed)
* Full admin-panel regression: 271/271 across 23 suites
* No regression elsewhere

Refs
====
* Task NousResearch#265 — slowapi misplacement (closed by this PR)
* Task NousResearch#269 — test_web_server_mcp_clients failures (closed: same root cause as NousResearch#265 per PR #125 investigation)
* PR #124 — aiosmtplib runtime-promotion (same discipline)
* PR #125 — KR-FRONTEND-CLEANUP Part B (root-cause investigation)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes BOTH task NousResearch#265 (slowapi misplacement) AND task NousResearch#269 (`test_web_server_mcp_clients` failures — same root cause, traced in PR #125's Part B investigation).

Problem
`kora_cli/listeners/webhooks.py` imports `slowapi` unconditionally for the public webhook rate-limiter. The import chain runs on any process that touches `web_server`. With `slowapi` sitting under the `[web]` optional-deps extra, base-install environments (CI / fresh dev / `uv sync --extra dev` only) hit `ModuleNotFoundError` at import time — collapsing 13 mcp_clients tests (failures) + 5 more (collection errors) on a single missing package, NOT on stale assertions.

Fix
- `pyproject.toml`: remove `slowapi>=0.1.9` from `[project.optional-dependencies].web`.
- `pyproject.toml`: add `slowapi==0.1.9` to `[project].dependencies`, next to the `aiosmtplib` pin that established this discipline in PR #124. Inline comment cites task NousResearch/hermes-agent#265 + PR #125 so the next contributor inheriting this code sees the rationale.
- Version pin is exact-equals (`==0.1.9`) per the security policy in the dependencies block header (2026-05-12 Mini Shai-Hulud response). Resolved via `uv pip compile` against the existing constraint graph — same version `slowapi` was already shipping under `[web]`.
- `uv.lock` regenerated via `uv lock`. `slowapi` promoted from extras-only into the root dep set; `limits` transitive (5.8.0) pulled in alongside (slowapi's only required runtime dep).

Test plan
Base-install path (`uv sync --frozen --extra dev`, no `--extra web`):
- `tests/kora_cli/test_web_server_mcp_clients.py`: 19/19 pass (was 13 fail + 5 err; matches what PR #125's investigation predicted when `--extra web` was installed)

Refs
- `test_web_server_mcp_clients` failures (closed: same root cause as NousResearch/hermes-agent#265 per PR #125 investigation)
- `aiosmtplib` runtime-promotion (same discipline)

🤖 Generated with Claude Code