Skip to content

chore: finish proposal_id hardening + document MCP initTimeout#264

Merged
warren618 merged 1 commit into
mainfrom
chore/finish-codex-batch-cleanup
Jun 18, 2026
Merged

chore: finish proposal_id hardening + document MCP initTimeout#264
warren618 merged 1 commit into
mainfrom
chore/finish-codex-batch-cleanup

Conversation

@warren618

Copy link
Copy Markdown
Collaborator

Finishes work the 2026-06-18 self-merged batch left half-applied (found while auditing that batch).

What & why

  • proposal_id hardening (consistency fix). [security] fix(live): contain mandate proposal identifiers #256 tightened mandate/commit.py to enforce the strict ^mp_[0-9a-f]{32}$ proposal-id format, but the relay/preview parsers in api_server.py and cli/_legacy.py were left on the loose mp_[0-9a-zA-Z]+. This aligns them so the relay and the commit gate agree on the format. (Not exploitable on its own — the loose regex already excludes path separators and commit.py backstops — but it was an inconsistent half-change.)
  • Document MCP initTimeout. The key shipped in fix(live): extend Robinhood OAuth init timeout #263 (schema + mcp.py + CLI) but was undocumented; add the README config-table row and wire its base-default passthrough in config/loader.py.
  • Test marker. Add the registered pytest.mark.unit marker to test_mandate_commit_security.py (used by 13 other test files; the merged copy was missing it).

Test plan

  • pytest tests/test_api_live_runtime.py tests/test_cli_live.py tests/test_mandate_commit_security.py tests/test_consent_commit.py tests/test_mcp_oauth_schema.py → 125 passed
  • git grep mp_\[0-9a-zA-Z\]\+ → no loose proposal-id regex remains anywhere
Completes work the 2026-06-18 self-merged batch left half-applied:
- Tighten the mandate proposal_id relay/preview parsers in api_server.py
  and cli/_legacy.py to the strict mp_[0-9a-f]{32} format already enforced
  by commit.py (#256), so the relay and the commit gate agree on format.
- Document the MCP initTimeout config key (shipped in #263) in README and
  wire its base-default passthrough in config/loader.py.
- Add the registered pytest.mark.unit marker to test_mandate_commit_security.py.
@warren618 warren618 merged commit 5e328d6 into main Jun 18, 2026
1 check passed
@warren618 warren618 deleted the chore/finish-codex-batch-cleanup branch June 18, 2026 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant