eterna2 / kest / 24281483852
91%

Build:
DEFAULT BRANCH: main
Ran 11 Apr 2026 11:28AM UTC
Jobs 1
Files 53
Run time 1min
11 Apr 2026 11:27AM UTC coverage: 90.962% (+1.7%) from 89.223%
24281483852

push

github

web-flow
sec: harden kest-core v0.3.0 — cache isolation, baggage purity, JWT guard & architecture research (#13)

* feat: implement pure Python runtime backend and add SECURITY.md

* sec: harden kest-core v0.3.0 — cache isolation, baggage purity, JWT guard, spec alignment

## Security Fixes

### B-01: Policy Decision Cache — cross-request identity collision
- Expand _PolicyDecisionCache key from (entry_id, policies) to
  (user, agent, task, policies, context_items) — decisions are now
  strictly isolated per identity tuple
- Add KEST_POLICY_CACHE_TTL env var (default 5.0s); set to 0 to disable
- Expose invalidate_policy_cache() publicly for revocation use cases
- Tests: policy_decision_cache_test.py (5 tests: key isolation, TTL=0,
  invalidation)

### R-02: Baggage purity — decouple _get_baggage() from global lab state
- _get_baggage() now reads exclusively from OTel baggage context
- _LAB_BAGGAGE_STORE used only by KestHttpxInterceptor for outbound injection
- Tests: decorators_baggage_test.py (4 tests)

### R-03: JWT verification guard in KestIdentityMiddleware
- Raise RuntimeError on first request if jwks_uri=None and
  KEST_INSECURE_NO_VERIFY is not set — eliminates silent unverified decode
- Tests: ext_test.py (3 tests: raises without jwks, accepts insecure flag,
  spec key names)

### D-01: Baggage keys aligned with SPEC-v0.3.0 §8.4
- Rename kest.principal_user → kest.user
- Rename kest.workload_agent → kest.agent
- kest.task replaces inconsistent kest.scope usage

### D-02: Three-tier baggage propagation formalised (kest.passport_z)
- Inline → Compressed Inline (kest.passport_z, zlib+base64url) →
  Claim Check; pushes claim-check threshold from hop ~8 to hop ~52

## Architecture Research (§5 LEARNINGS.md)

### A-01: asyncio.to_thread unbounded pool risk documented
- Improvement proposal: bounded ThreadPoolExecutor via run_in_executor
- Tracked: #10

### A-02: Rust GIL cliff — root cause precisely identified
- py.allow_threads releases GIL for canonicali... (continued)

2788 of 3065 relevant lines covered (90.96%)

0.91 hits per line

Coverage Regressions

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 42 | 82.68 | -0.29% | decorators.py |
| 26 | 52.31 | 7.63% | identity/providers/spiffe.py |
| 17 | 89.44 | 0.25% | models.py |
| 14 | 77.05 | -10.83% | __init__.py |
| 11 | 85.88 | 0.17% | identity_test.py |
| 10 | 81.03 | 33.76% | ext.py |
| 4 | 96.61 | -0.86% | ext_test.py |
| 2 | 92.59 | -7.41% | interop_test.py |
Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 24281483852.1 | 11 Apr 2026 11:28AM UTC | 53 | 90.96 |

GitHub Action Run
  • 8d3ceee6 on github
  • Prev Build on main (#24272773126)
  • Next Build on main (#24282524813)
© 2026 Coveralls, Inc