v0.1.0 – Refactor: audit API, CI, pre-commit

@sdirishguy sdirishguy released this 24 Aug 02:32
· 8 commits to main since this release

### Highlights

  • New audit logging API (AuditEventType, AuditLogger.log_event)
  • Legacy audit API removed; compatibility shims are gone
  • CI hardened: least-privilege permissions, concurrency cancelation, pip caching, Python 3.12/3.13 matrix, optional pre-commit on CI
  • Pre-commit with Ruff (format + lint)
  • Login handler migrated to the new audit API
  • Tests: 53 passing, 21 intentionally skipped (follow-up planned)

Breaking Changes

Removed legacy audit API:

  • AuditEvent dataclass
  • event_action= kwargs
  • AuditEventType.AUTHENTICATION / AuditEventType.AUTHORIZATION aliases

Use the new API going forward:

Success example

```python
await audit_logger.log_event(
    AuditEventType.LOGIN,
    actor=user_id_or_name,
    context={"success": True, "ip": request.client.host},
)
```

Failure example

```python
await audit_logger.log_event(
    AuditEventType.LOGIN,
    actor=username,
    context={"success": False, "reason": "invalid_credentials"},
)
```

### Migration Guide (from legacy audit calls)

1. Search & remove legacy usage

  • AuditEvent( … )
  • event_action=...
  • AuditEventType.AUTHENTICATION / AuditEventType.AUTHORIZATION

2. Replace with

```python
await audit_logger.log_event(AuditEventType.LOGIN, actor=..., context={...})
```

…choose the appropriate AuditEventType for your operation (LOGIN, LOGOUT, ADAPTER_CREATE, TOOL_EXECUTE, HTTP_REQUEST, HTTP_RESPONSE, ERROR).

3. No more shims

  • All compatibility shims were deleted in this release; legacy construction will raise errors.
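
One way to carry out step 1 mechanically, as an added example that is not part of the project's code: a scanner built on Python's `ast` module that reports the three legacy constructs listed in the migration guide. The sample input is constructed, and the `event_type=` keyword in it is an assumption about how legacy calls looked.

```python
import ast

# Enum aliases removed in this release (from the migration guide above).
LEGACY_ALIASES = {"AUTHENTICATION", "AUTHORIZATION"}


class LegacyAuditFinder(ast.NodeVisitor):
    """Collects (line, kind, detail) for each legacy audit construct."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        # Matches both AuditEvent(...) and some_module.AuditEvent(...).
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name == "AuditEvent":
            self.findings.append((node.lineno, "AuditEvent", "legacy dataclass construction"))
        for kw in node.keywords:
            if kw.arg == "event_action":
                self.findings.append((kw.value.lineno, "event_action", "legacy keyword argument"))
        self.generic_visit(node)  # keep walking into arguments

    def visit_Attribute(self, node):
        if (isinstance(node.value, ast.Name) and node.value.id == "AuditEventType"
                and node.attr in LEGACY_ALIASES):
            self.findings.append((node.lineno, "alias", f"AuditEventType.{node.attr}"))
        self.generic_visit(node)


def find_legacy_audit_usage(source):
    """Return sorted findings for one module's source text."""
    finder = LegacyAuditFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample: one legacy construction next to a migrated call.
SAMPLE = '''\
async def login(request, username):
    event = AuditEvent(
        event_type=AuditEventType.AUTHENTICATION,
        event_action="login",
    )
    await audit_logger.log_event(
        AuditEventType.LOGIN,
        actor=username,
        context={"success": True, "ip": request.client.host},
    )
'''

if __name__ == "__main__":
    for line, kind, detail in find_legacy_audit_usage(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Because it walks the syntax tree rather than matching text, the scanner ignores mentions in comments and strings, and it leaves the migrated `log_event` call unflagged.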

CI & Developer Experience

  • GitHub Actions

    • Least-privilege permissions: contents: read
    • concurrency to cancel in-progress runs on new pushes
    • Pip caching with dependency keys
    • Matrix: Python 3.12 and 3.13 (fail-fast: false)
    • Env defaults:

      • ANYIO_BACKEND=asyncio
      • PYTHONDONTWRITEBYTECODE=1
      • PIP_DISABLE_PIP_VERSION_CHECK=1
  • Pre-commit

    • .pre-commit-config.yaml with ruff (lint) and ruff-format
    • Local setup:

```bash
pip install pre-commit
pre-commit install
# optional: run on all files once
pre-commit run --all-files
```

Test Status

  • 53 passing, 21 skipped
  • Skipped tests are intentionally deferred (env-dependent or legacy scenarios). A follow-up issue will track un-skipping or documenting them.

Changes (Summary)

Added

  • New audit logging API (AuditEventType, AuditLogger.log_event)
  • Hardened CI workflow (lint/type-check/tests, caching, concurrency, least-privilege)

Changed

  • Login flow migrated to the new audit API
  • Pre-commit hooks introduced (ruff + ruff-format)

Removed

  • Legacy audit API shims, AuditEvent dataclass, event_action kwargs
  • AuditEventType.AUTHENTICATION / AUTHORIZATION enum aliases

Operational Notes

  • Ensure JWT_SECRET is non-default in CI/prod.
  • Security headers (including HSTS) are sent by the app; use HTTPS in prod.
  • Consider protecting main with required checks (Ruff lint/format, Mypy, Pytest).

Next Steps (planned follow-ups)

  • RBAC enforcement on all protected routes (403 + audit AUTHZ events)
  • Audit coverage across adapters/tools (create/execute with request IDs in context)
  • CacheManager integration (L1 GET caching in REST adapter + hit/miss metrics)
  • Unskip tests or document remaining skips; make fixtures hermetic where feasible
  • Docs refresh (README, env vars, auth, CI badges, ADR for audit/authz)