hardening/v1.0.0: Gold-standard release hardening #169
saschabuehrle merged 14 commits into main on Mar 8, 2026
- Fix docs URL: cascadeflow.dev → cascadeflow.ai in pyproject.toml
- Update SECURITY.md supported version: 0.7.x → 1.0.x
- Fix __author__: "Sascha Buehrle" → "Lemony Inc."
- Fix branding in requirements.txt: CascadeFlow → cascadeflow
- Fix README code block language: python → bash for pip install
- Update init() docstring to describe actual SDK patching behavior
- Add missing License :: OSI Approved :: MIT License classifier
Keep a Changelog format covering all v1.0.0 highlights including harness API, framework integrations, security hardening, lazy imports, and breaking changes from this hardening cycle.
Move numpy import inside methods that use it so that `import cascadeflow` does not trigger a numpy load.
Only BaseProvider, ModelResponse, and PROVIDER_CAPABILITIES are imported eagerly. All 9 provider classes and PROVIDER_REGISTRY are loaded on first access.
- Rewrite cascadeflow/__init__.py with _LazyModule proxy for backward-compat sys.modules aliases (no eager import of core/schema packages)
- Rewrite core/__init__.py with PEP 562 lazy imports (defers litellm via batch)
- Move ~100 symbols to _LAZY_IMPORTS dict, loaded on first access
- Reduce __all__ from 127 to ~20 essential public API symbols
- Remove stale __version__ strings from 7 submodule __init__.py files
- Fix telemetry get_telemetry_info() to use package-level version
Add `langchain = ["langchain-core>=0.2.0"]` to optional-dependencies and include it in the `all` extra bundle.
Remove v0.1.x backward-compat parameters from CascadeAgent constructor: config, tiers, workflows, enable_caching, cache_size, enable_callbacks. These were deprecated since v0.2 and scheduled for removal. The backward compat block (warnings + silent conversion) is removed. Attributes tier_router, _legacy_tiers, _legacy_workflows default to None.
Replace None stubs with _MissingIntegration proxy that raises ImportError with install hint on any attribute access or call. Users get actionable error messages like: "LangChain requires additional dependencies. Install with: pip install cascadeflow[langchain]" Also update tier-related tests to reflect deprecated param removal.
- Change CORS default from '*' (open) to None (opt-in)
- Add auth_token field to ProxyConfig; Bearer token check on all endpoints except /health (returns 401 on mismatch)
- Add max_body_bytes (default 10 MB) with 413 rejection
- Expose --auth-token and --max-body-bytes CLI flags
Wrap patch_openai(), unpatch_openai(), patch_anthropic(), and unpatch_anthropic() in _patch_lock to prevent race conditions when init()/reset() are called from multiple threads.
- Add _lock and _increment() method to HarnessRunContext for thread-safe counter updates from concurrent instrument hooks
- Change _trace from list to collections.deque(maxlen=1000) — removes manual slicing, O(1) append, automatic eviction
- Update instrument.py to use ctx._increment() instead of direct +=
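The locked counter and bounded trace from the commit message above, as an added example (not code from this pull request). Only `_lock`, `_increment()` and `_trace` are names from the page; `_counters`, `snapshot()`, `run_hooks()` and the `llm_calls` counter name are hypothetical.

```python
import threading
from collections import deque


class HarnessRunContext:
    """Stand-in with only the counter and trace fields described above."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._counters: dict = {}                # hypothetical counter storage
        self._trace: deque = deque(maxlen=1000)  # oldest entries are evicted

    def _increment(self, name: str, amount: int = 1) -> None:
        # Read-modify-write under the lock so concurrent hooks lose no update.
        with self._lock:
            self._counters[name] = self._counters.get(name, 0) + amount

    def snapshot(self) -> dict:
        # Hypothetical reader: copy under the same lock for a consistent view.
        with self._lock:
            return dict(self._counters)


def run_hooks(ctx, threads=8, calls=500):
    """Simulate instrument hooks firing from several threads at once."""
    def hook(tid):
        for i in range(calls):
            ctx._increment("llm_calls")   # instead of a bare `+=`
            ctx._trace.append((tid, i))   # deque.append is thread-safe
    workers = [threading.Thread(target=hook, args=(t,)) for t in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return ctx
```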
Move all re.search() calls in detect() and helper methods to use pre-compiled patterns: trivial/code patterns, conditional/requirement words, keyword boundary patterns, complexity signals, function call indicators, trivial concepts, multi-word technical terms, and long-context QA markers. Also promote context/question marker lists to class-level constants.
- Move rich from core dependency to optional extra with stdlib fallback in utils/helpers.py (setup_logging gracefully degrades)
- Add Python 3.13 classifier and CI test matrix entry
- Remove || echo "No tests defined yet" CI fallback that swallowed failures
- Migrate @xenova/transformers → @huggingface/transformers (deprecated)
- Fix workspace:^ → workspace:* in langchain-cascadeflow package.json
- Remove License classifier conflicting with PEP 639 license field
f5e3571 to 405fc45
Critical:
- Remove rich from requirements.txt (now optional in pyproject.toml)
- Fix stale tiers=DEFAULT_TIERS warning messages referencing removed param
- Complete @xenova/transformers → @huggingface/transformers migration across all TS packages, docs, examples, and CI config
- Revert workspace:* → workspace:^ (preserves semver on publish)

Security:
- Use hmac.compare_digest for constant-time auth token comparison
- Guard record() with _lock for thread-safe counter reads

Quality:
- Preserve _LazyModule.__name__ alias after dict merge
- Add __bool__=False to _MissingIntegration for truthiness compat
- Fix CHANGELOG import time to match actual measurement (~20ms)
- Fix import ordering (ruff I001)
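The proxy gateway checks described in the commit messages above (opt-in CORS, Bearer token on everything except /health, body size cap, constant-time comparison), as an added example that is not code from this pull request. `ProxyConfig`, `auth_token` and `max_body_bytes` are names from the page; `cors_origin`, `token_ok()`, `check_request()` and `cors_headers()` are hypothetical.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Mapping, Optional


@dataclass
class ProxyConfig:
    # Field names come from the commit messages; this class body is a stand-in.
    auth_token: Optional[str] = None        # None: no token required
    max_body_bytes: int = 10 * 1024 * 1024  # 10 MB default
    cors_origin: Optional[str] = None       # None: CORS stays off (opt-in)


def token_ok(expected: str, authorization: str) -> bool:
    """Constant-time check of an 'Authorization: Bearer <token>' value."""
    scheme, _, presented = authorization.partition(" ")
    # Compare bytes: compare_digest rejects non-ASCII str arguments.
    match = hmac.compare_digest(presented.strip().encode(), expected.encode())
    # An empty configured token never authenticates (fail closed).
    return bool(expected) and scheme.lower() == "bearer" and match


def check_request(cfg: ProxyConfig, path: str,
                  headers: Mapping[str, str], content_length: int) -> int:
    """Return the status to answer with; 200 means 'forward the request'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if cfg.auth_token is not None and path != "/health":
        if not token_ok(cfg.auth_token, lowered.get("authorization", "")):
            return 401
    # Decide from the declared length, before reading the body into memory.
    if content_length > cfg.max_body_bytes:
        return 413
    return 200


def cors_headers(cfg: ProxyConfig) -> Dict[str, str]:
    """Emit a CORS header only when an origin was configured explicitly."""
    if cfg.cors_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": cfg.cors_origin}
```

A request that declares no Content-Length (chunked transfer) needs the same cap enforced while the body is streamed.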
405fc45 to ad5b122
Summary
14 commits across 7 phases addressing all findings from 4 independent audits (security, DX, performance, release readiness) plus a comprehensive code review.
Phase 1: Metadata & Doc Fixes
Phase 2: CHANGELOG.md
Phase 3: Lazy Imports (Performance Critical)
- __init__.py
- _LazyModule proxy for backward-compatible sys.modules aliases
Phase 4: DX Fixes
- langchain optional dependency extra
- CascadeAgent constructor params
- _MissingIntegration proxy replacing None stubs with actionable ImportError
Phase 5: Proxy Gateway Security
- "*" → None (opt-in)
- --auth-token Bearer token support with constant-time comparison
- --max-body-bytes request size limit (10MB default)
Phase 6: Thread Safety & Performance
- HarnessRunContext counters via _increment() + guarded record()
- deque(maxlen=1000) trace buffer
- ComplexityDetector.__init__()
Phase 7: Remaining Cleanup
- rich moved from core dep to optional extra with stdlib fallback
- || echo test swallowing
- @xenova/transformers → @huggingface/transformers (complete migration)
Review Fix
- hmac.compare_digest)
- @xenova/transformers migration across all packages/docs
- tiers=DEFAULT_TIERS references
- _LazyModule.__name__ preservation, _MissingIntegration.__bool__
Test plan
python -m build --sdist: success