
fix(workflow): prevent checkpoint expiry for paused workflows (#3231) #3448

Merged: mrveiss merged 1 commit into main from fix/issue-3231 on Apr 4, 2026
mrveiss (Owner) commented Apr 4, 2026

Summary

Two independent checkpoint systems both used TTLs too short for human-in-the-loop pauses:

  • WorkflowCheckpointManager (error_handler.py): TTL extended 7 days → 30 days. New refresh_ttl() method resets the countdown on every resume, so a workflow paused near its deadline gets a fresh 30-day window when the operator acts.
  • AsyncRedisSaver (graph.py + ssot_config.py): Default TTL extended 24 hours → 30 days (1440 → 43200 minutes). In-code fallback updated to match.
  • workflow_executor.py: _apply_checkpoints() now calls checkpoint_manager.refresh_ttl() immediately on resume.
  • Tests: 4 new tests covering the 30-day constant, TTL being set on save, TTL refresh on resume, and Redis errors in refresh_ttl being logged (never raised).

Closes #3231

Test plan

  • pytest autobot-backend/orchestration/error_handler_test.py -v — all pass
  • Workflow paused for longer than previous 7-day / 24-hour TTL can still be resumed
  • AUTOBOT_REDIS_CHECKPOINT_TTL_MINUTES env var overrides the default
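
An added sketch, not code from this PR or from AutoBot, of the refresh-on-resume behaviour the summary describes: the TTL is set on save, reset on resume, and Redis errors in `refresh_ttl` are logged rather than raised. `FakeRedis`, `CheckpointManager` and the `checkpoint:` key prefix are hypothetical names; the in-memory store stands in for Redis so the block runs offline.

```python
import logging

logger = logging.getLogger("checkpoint_sketch")
DAY = 24 * 60 * 60
CHECKPOINT_TTL_SECONDS = 30 * DAY  # 30-day window from the PR summary


class FakeRedis:
    """Constructed in-memory stand-in for the SETEX / EXPIRE / GET commands."""

    def __init__(self):
        self.now = 0        # test-controlled clock, in seconds
        self.fail = False   # set True to simulate an outage
        self._data = {}     # key -> (value, absolute expiry time)

    def _live(self, key):
        """Return the unexpired entry for key, or None; raise during an outage."""
        if self.fail:
            raise ConnectionError("simulated Redis outage")
        item = self._data.get(key)
        return item if item and item[1] > self.now else None

    def setex(self, key, ttl, value):
        self._live(key)     # only to surface a simulated outage
        self._data[key] = (value, self.now + ttl)

    def expire(self, key, ttl):
        item = self._live(key)
        if item is None:
            return False    # like Redis: EXPIRE on a missing key changes nothing
        self._data[key] = (item[0], self.now + ttl)
        return True

    def get(self, key):
        item = self._live(key)
        return item[0] if item else None


class CheckpointManager:
    def __init__(self, redis, ttl=CHECKPOINT_TTL_SECONDS):
        self.redis, self.ttl = redis, ttl

    def save(self, workflow_id, state):
        self.redis.setex(f"checkpoint:{workflow_id}", self.ttl, state)

    def refresh_ttl(self, workflow_id):
        """Reset the countdown on resume; log Redis errors, never raise."""
        try:
            return bool(self.redis.expire(f"checkpoint:{workflow_id}", self.ttl))
        except Exception:
            logger.exception("refresh_ttl failed for %s", workflow_id)
            return False
```

A `False` return covers both a Redis error and a checkpoint that had already expired before the resume, so a caller that needs to tell the operator why a resume failed should check for the key separately.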

github-actions bot commented Apr 4, 2026

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!

github-actions bot commented Apr 4, 2026

AutoBot Phase Validation Results

System Maturity: 0.0%

Phase Status:

Recommendations:

mrveiss (Owner, Author) commented Apr 4, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

@mrveiss mrveiss merged commit 30a1bf7 into main Apr 4, 2026
9 of 15 checks passed
@mrveiss mrveiss deleted the fix/issue-3231 branch April 4, 2026 17:54
mrveiss added a commit that referenced this pull request Apr 8, 2026
…updates (#3949)

* fix(workflow): prevent checkpoint expiry for paused workflows (#3231) (#3448)

* fix(security): add auth to /events/sync endpoint (#3452) (#3459)

Apply get_current_user dependency at APIRouter level so every
route under /events requires a valid bearer token.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): add auth to browser MCP endpoints (#3451) (#3460)

/browser/mcp/status requires get_current_user.
/browser/mcp/navigate and /browser/mcp/screenshot require require_admin
as they can trigger arbitrary page loads and screenshot capture.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): revert get_current_user on /events/sync — agents have no bearer token (#3452)

The router-level get_current_user dependency breaks all node agent
event syncs: agents post to /api/events/sync with no Authorization
header and are identified by node_id validated against the Node table.
The endpoint is intentionally exempt from bearer-token auth per
security_headers.py (#3193). Add explanatory comment documenting
the intended security model.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): harden ALLOWED_EXECUTABLES — dpkg/git-stash/find guards (#3450)

* fix(slm): remove write-capable executables from ALLOWED_EXECUTABLES (#3450)

- Remove apt, yum, dnf, rpm (package install/remove) from allowlist entirely
- Remove wget, curl (arbitrary file write/exfiltration), nmap (network scanner
  with --script exploit support) from allowlist entirely
- Add _GIT_ALLOWED_SUBCOMMANDS frozenset; _validate_command now rejects any
  git subcommand not in the read-only set (status, log, diff, show, branch,
  tag, remote, describe, shortlog, rev-parse, ls-files, ls-remote, stash)
- find: _validate_command rejects any command containing -exec or -execdir tokens
- Fix the inaccurate inline comment that claimed callers enforce git read-only;
  enforcement is now in _validate_command itself
- Add tests for all new guards (write-capable rejection, git subcommand guard,
  find -exec guard)

Closes #3450

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): add dpkg and git-stash argument guards (#3450)

Address review findings on PR #3457:
- dpkg: restrict to read-only query flags (-l/-s/-L/-S/--list etc);
  -i/--install/--purge/--unpack and all write flags now return HTTP 400
- git stash: tokens[2] is now validated; only stash list/show pass;
  stash pop/drop/clear/push/apply return HTTP 400
- Add tests for both guards in nodes_execution_test.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): bump defu (#3624)

Bumps the npm_and_yarn group with 1 update in the /autobot-frontend directory: [defu](https://github.com/unjs/defu).


Updates `defu` from 6.1.4 to 6.1.6
- [Release notes](https://github.com/unjs/defu/releases)
- [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md)
- [Commits](unjs/defu@v6.1.4...v6.1.6)

---
updated-dependencies:
- dependency-name: defu
  dependency-version: 6.1.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates (#3623)

Bumps the npm_and_yarn group with 2 updates in the /autobot-frontend directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [defu](https://github.com/unjs/defu).
Bumps the npm_and_yarn group with 1 update in the /autobot-slm-frontend directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `vite` from 8.0.3 to 8.0.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite)

Updates `defu` from 6.1.4 to 6.1.6
- [Release notes](https://github.com/unjs/defu/releases)
- [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md)
- [Commits](unjs/defu@v6.1.4...v6.1.6)

Updates `vite` from 7.3.1 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: defu
  dependency-version: 6.1.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the npm_and_yarn group across 4 directories with 2 updates

Bumps the npm_and_yarn group with 2 updates in the /.mcp directory: [@hono/node-server](https://github.com/honojs/node-server) and [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 2 updates in the /autobot-infrastructure/shared/mcp/tools/mcp-autobot-tracker directory: [@hono/node-server](https://github.com/honojs/node-server) and [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 2 updates in the /autobot-infrastructure/shared/mcp/tools/mcp-structured-thinking directory: [@hono/node-server](https://github.com/honojs/node-server) and [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 2 updates in the /autobot-infrastructure/shared/mcp/tools/mcp-task-manager-server directory: [@hono/node-server](https://github.com/honojs/node-server) and [hono](https://github.com/honojs/hono).


Updates `@hono/node-server` from 1.19.11 to 1.19.13
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.11...v1.19.13)

Updates `hono` from 4.12.7 to 4.12.12
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.7...v4.12.12)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Martins Veiss <martins.veiss@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
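
An added sketch, not the project's `_validate_command`, of the argument guards the #3450 commit messages above describe: the git read-only subcommand set, the `git stash` list/show check, the `find` `-exec`/`-execdir` rejection and the `dpkg` query-flag restriction. The function name, the four-entry allowlist and the long `dpkg` flag spellings are assumptions, and the sketch assumes the validated tokens are executed as an argument list without a shell.

```python
import shlex

# Constructed subset for illustration; the project's full allowlist is not on the page.
ALLOWED_EXECUTABLES = frozenset({"ls", "git", "find", "dpkg"})
GIT_ALLOWED_SUBCOMMANDS = frozenset({
    "status", "log", "diff", "show", "branch", "tag", "remote", "describe",
    "shortlog", "rev-parse", "ls-files", "ls-remote", "stash",
})
GIT_STASH_ALLOWED = frozenset({"list", "show"})
FIND_FORBIDDEN = frozenset({"-exec", "-execdir"})
# -l/-s/-L/-S/--list come from the commit message; the other long forms are assumed.
DPKG_QUERY_FLAGS = frozenset({
    "-l", "-s", "-L", "-S", "--list", "--status", "--listfiles", "--search",
})


def validate_command(command):
    """Return (allowed, reason); anything not explicitly permitted is rejected."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return False, "unparseable quoting"
    if not tokens or tokens[0] not in ALLOWED_EXECUTABLES:
        return False, "executable not in allowlist"
    exe, args = tokens[0], tokens[1:]
    if exe == "git":
        if not args or args[0] not in GIT_ALLOWED_SUBCOMMANDS:
            return False, "git subcommand not read-only"
        # Bare `git stash` means `git stash push`, so an explicit action is required.
        if args[0] == "stash" and (len(args) < 2 or args[1] not in GIT_STASH_ALLOWED):
            return False, "git stash action not read-only"
    elif exe == "find":
        if FIND_FORBIDDEN.intersection(args):
            return False, "find -exec/-execdir not allowed"
    elif exe == "dpkg":
        flags = [a for a in args if a.startswith("-")]
        if not flags or any(f not in DPKG_QUERY_FLAGS for f in flags):
            return False, "dpkg flag not a read-only query"
    return True, "ok"


# Constructed sample inputs.
SAMPLES = ["git log --oneline", "git stash", "git stash pop", "git push",
           "find . -name x -exec rm {} ;", "dpkg -l", "dpkg -i pkg.deb",
           "curl http://example.invalid/x"]
RESULTS = {s: validate_command(s)[0] for s in SAMPLES}
```

The sketch inspects only the tokens the commit messages name; arguments to the other allowed git subcommands are not examined.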

Development

Successfully merging this pull request may close these issues.

bug: workflow checkpoints stored as Redis TTL keys can silently expire before resumption
