agnes-the-ai-analyst

AI-Cognitive-Leap/agnes-the-ai-analyst

Fork 0

Commit graph

Author	SHA1	Message	Date
Vojtech	c552bf8243	feat(api): enforce API design rules via pytest + fix DELETE/status-code violations (#338 ) * feat(api): enforce API design rules via pytest + fix DELETE/status-code violations Adds tests/test_api_design_rules.py with four forward-only design guardrails that prevent new endpoints from accumulating REST debt: Rule 1 — No new verbs in URL paths (existing 28 grandfathered via allowlist) Rule 2 — DELETE must declare 204 No Content (zero allowlist entries) Rule 3 — Creator POSTs (path has GET counterpart) must declare 201/202 Rule 4 — All protected /api/* routes must declare 401 and 403 Fixes found by running the rules: - DELETE /api/admin/metrics/{metric_id}: return 204, drop redundant body - DELETE /api/memory/{item_id}/dismiss (undismiss): return 204, drop body - POST /api/memory/admin/contradictions: add status_code=201 (creates a resource) - app/main.py: _add_auth_error_responses() injected into app.openapi() at startup; declares 401/403 on all protected /api/* operations centrally, fixing the 120 routes that previously omitted these response codes from the spec. Closes #337 * fix(api): resolve CI failures — extend 204 fixes + complete allowlists - Fix remaining 6 DELETE endpoints to return 204: store entities, store entity install, marketplace curated install, marketplace plugin system flag, admin store submission, and observability view - Update all affected tests to expect 204 (removed body assertions) - Add 4 missing verb paths to _VERB_PATH_ALLOWLIST in test_api_design_rules.py - Add 2 upsert endpoints to _CREATOR_POST_ALLOWLIST - Update admin_marketplaces.html to not call r.json() on 204 DELETE * fix(tests): align 2 DELETE-asserting tests with 204 contract (post-#339 rebase) CI's test-shard (1) and (4) failures on this PR were caused by Vojta's second commit (`fix(api): resolve CI failures — extend 204 fixes`) flipping more DELETE endpoints to status_code=204 than just the two mentioned in the PR body. Two tests assert status_code==200 on the DELETE response and broke: - tests/test_admin_store_submissions.py::TestQuarantineGates::test_admin_can_delete_quarantined (DELETE /api/store/entities/{entity_id}) - tests/test_store_api.py::TestInstallCycle::test_admin_hard_delete_cascades_installs (DELETE /api/store/entities/{entity_id}?hard=true) Updated both to assert 204 with a comment pointing at tests/test_api_design_rules.py rule 2 so future reviewers can trace the contract. Verified via broader scan that no other test asserts == 200 on a .delete() response directly (4 other sites do .delete() then check 200 on a subsequent GET — those are fine). * release: 0.54.26 — API design rules (test_api_design_rules.py) + 8 DELETE endpoints flip to 204 --------- Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>	2026-05-18 15:25:07 +02:00
ZdenekSrotyr	9e948abc9c	release(0.54.18): Curated Memory restructure + per-user Dismiss + bundled adversarial-review fixes (#316/#320/#322) (#324 ) * feat(web): Curated Memory restructure + per-user Dismiss + filter-state utility Squashed from cvrysanek/zsrotyr's 4-commit PR branch + rebased onto current main + CHANGELOG bullets spliced into [Unreleased] (preserves existing #316/#320/#322 entries that landed on main since the branch was authored). Routes + access: - /corporate-memory now user-facing (get_current_user), in primary nav next to "Data Packages" — same gate as /api/memory/. - /admin/corporate-memory is the new admin review queue location (was /corporate-memory/admin); reached via Admin dropdown. Template renamed: corporate_memory_admin.html → admin_corporate_memory.html. Visual chrome: - Both pages migrate to shared _page_hero.html blue hero band. Per-user Dismiss (new feature, schema v46): - knowledge_item_user_dismissed(user_id, item_id, dismissed_at) + index. - POST /api/memory/{id}/dismiss + DELETE (idempotent). - Mandatory items can never be dismissed — enforced at 2 layers. - GET /api/memory: hide_dismissed=false default + dismissed_by_me flag. - GET /api/memory/bundle: always excludes dismissed for the caller. - UI: Dismiss/Undismiss button per item (hidden for mandatory), gray-out + line-through for dismissed rows, Hide-dismissed toggle. Admin edit modal: - Category as <select> + "Add new category…" reveal. - Audience as <select> with (unset)/all/group:<name> from RBAC. - Tags: full tag-input widget (pills, ×-remove, Backspace pop, Enter/comma to add, ↑/↓ typeahead from EXISTING_TAGS). Bulk-edit modal pickers (closes #128): - Move-to-category / Add-tag: <select> + add-new. - Set-audience: <select> (no more typo-able 'gourp:eng'). - Remove-tag: closed-set picker. FilterState utility: - app/web/static/js/filter-state.js — save/load/clear/bindInputs for per-page localStorage filter state. Adopted on /corporate-memory. E2E verified live on a real VM through the API + browser flow. release: 0.54.18 — Curated Memory restructure + 4 adversarial-review fixes Bundles together: - #316 fix(store): surface review failures + harden publish gate (BREAKING fail-CLOSED guardrail, override v2+ promote, restore guard, retry/rescan staged-bundle, banner widening, LLM truncation retry) - #320 fix(store): C2 bundle export RBAC + H2 per-entity write lock + H3 update_status compare-and-swap with bg_verdict_skipped audit - #322 fix(store): M1 prompt sentinel filename escape + M2 atomic promote_to_version helper + L1 admin forensic download per-version - #324 Curated Memory restructure + per-user Dismiss + FilterState utility Bump from 0.54.17 → 0.54.18 (patch — pre-1.0 policy: every cycle is patch).	2026-05-15 18:51:05 +02:00

Author

SHA1

Message

Date

Vojtech

c552bf8243

feat(api): enforce API design rules via pytest + fix DELETE/status-code violations (#338 )

* feat(api): enforce API design rules via pytest + fix DELETE/status-code violations

Adds tests/test_api_design_rules.py with four forward-only design guardrails
that prevent new endpoints from accumulating REST debt:

  Rule 1 — No new verbs in URL paths (existing 28 grandfathered via allowlist)
  Rule 2 — DELETE must declare 204 No Content (zero allowlist entries)
  Rule 3 — Creator POSTs (path has GET counterpart) must declare 201/202
  Rule 4 — All protected /api/* routes must declare 401 and 403

Fixes found by running the rules:

- DELETE /api/admin/metrics/{metric_id}: return 204, drop redundant body
- DELETE /api/memory/{item_id}/dismiss (undismiss): return 204, drop body
- POST /api/memory/admin/contradictions: add status_code=201 (creates a resource)
- app/main.py: _add_auth_error_responses() injected into app.openapi() at startup;
  declares 401/403 on all protected /api/* operations centrally, fixing the 120
  routes that previously omitted these response codes from the spec.

Closes #337

* fix(api): resolve CI failures — extend 204 fixes + complete allowlists

- Fix remaining 6 DELETE endpoints to return 204: store entities,
  store entity install, marketplace curated install, marketplace plugin
  system flag, admin store submission, and observability view
- Update all affected tests to expect 204 (removed body assertions)
- Add 4 missing verb paths to _VERB_PATH_ALLOWLIST in test_api_design_rules.py
- Add 2 upsert endpoints to _CREATOR_POST_ALLOWLIST
- Update admin_marketplaces.html to not call r.json() on 204 DELETE

* fix(tests): align 2 DELETE-asserting tests with 204 contract (post-#339 rebase)

CI's test-shard (1) and (4) failures on this PR were caused by
Vojta's second commit (`fix(api): resolve CI failures — extend 204
fixes`) flipping more DELETE endpoints to status_code=204 than just
the two mentioned in the PR body. Two tests assert status_code==200
on the DELETE response and broke:

- tests/test_admin_store_submissions.py::TestQuarantineGates::test_admin_can_delete_quarantined
  (DELETE /api/store/entities/{entity_id})
- tests/test_store_api.py::TestInstallCycle::test_admin_hard_delete_cascades_installs
  (DELETE /api/store/entities/{entity_id}?hard=true)

Updated both to assert 204 with a comment pointing at
tests/test_api_design_rules.py rule 2 so future reviewers can
trace the contract. Verified via broader scan that no other test
asserts == 200 on a .delete() response directly (4 other sites do
.delete() then check 200 on a subsequent GET — those are fine).

* release: 0.54.26 — API design rules (test_api_design_rules.py) + 8 DELETE endpoints flip to 204

---------

Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>

2026-05-18 15:25:07 +02:00

ZdenekSrotyr

9e948abc9c

release(0.54.18): Curated Memory restructure + per-user Dismiss + bundled adversarial-review fixes (#316/#320/#322) (#324 )

* feat(web): Curated Memory restructure + per-user Dismiss + filter-state utility

Squashed from cvrysanek/zsrotyr's 4-commit PR branch + rebased onto
current main + CHANGELOG bullets spliced into [Unreleased] (preserves
existing #316/#320/#322 entries that landed on main since the branch
was authored).

Routes + access:
- /corporate-memory now user-facing (get_current_user), in primary
  nav next to "Data Packages" — same gate as /api/memory/*.
- /admin/corporate-memory is the new admin review queue location
  (was /corporate-memory/admin); reached via Admin dropdown. Template
  renamed: corporate_memory_admin.html → admin_corporate_memory.html.

Visual chrome:
- Both pages migrate to shared _page_hero.html blue hero band.

Per-user Dismiss (new feature, schema v46):
- knowledge_item_user_dismissed(user_id, item_id, dismissed_at) + index.
- POST /api/memory/{id}/dismiss + DELETE (idempotent).
- Mandatory items can never be dismissed — enforced at 2 layers.
- GET /api/memory: hide_dismissed=false default + dismissed_by_me flag.
- GET /api/memory/bundle: always excludes dismissed for the caller.
- UI: Dismiss/Undismiss button per item (hidden for mandatory),
  gray-out + line-through for dismissed rows, Hide-dismissed toggle.

Admin edit modal:
- Category as <select> + "Add new category…" reveal.
- Audience as <select> with (unset)/all/group:<name> from RBAC.
- Tags: full tag-input widget (pills, ×-remove, Backspace pop,
  Enter/comma to add, ↑/↓ typeahead from EXISTING_TAGS).

Bulk-edit modal pickers (closes #128):
- Move-to-category / Add-tag: <select> + add-new.
- Set-audience: <select> (no more typo-able 'gourp:eng').
- Remove-tag: closed-set picker.

FilterState utility:
- app/web/static/js/filter-state.js — save/load/clear/bindInputs
  for per-page localStorage filter state. Adopted on /corporate-memory.

E2E verified live on a real VM through the API + browser flow.

* release: 0.54.18 — Curated Memory restructure + 4 adversarial-review fixes

Bundles together:
- #316  fix(store): surface review failures + harden publish gate
        (BREAKING fail-CLOSED guardrail, override v2+ promote, restore guard,
        retry/rescan staged-bundle, banner widening, LLM truncation retry)
- #320  fix(store): C2 bundle export RBAC + H2 per-entity write lock +
        H3 update_status compare-and-swap with bg_verdict_skipped audit
- #322  fix(store): M1 prompt sentinel filename escape + M2 atomic
        promote_to_version helper + L1 admin forensic download per-version
- #324  Curated Memory restructure + per-user Dismiss + FilterState utility

Bump from 0.54.17 → 0.54.18 (patch — pre-1.0 policy: every cycle is patch).

2026-05-15 18:51:05 +02:00

2 commits