mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-07-16 11:31:04 +02:00
* fix(quota): fail closed when quota verification errors (#331) Quota enforcement fell open on unexpected errors: the outer `except` in `authorize_workflow_run_start` returned `has_quota=True`, so a degraded database or a config-resolution bug let a billable run start unverified. Billing and abuse protection are control-plane functions, so this is the wrong default under exactly the degraded conditions that matter. - Fail closed by default: the outer handler now returns `has_quota=False` / `quota_check_failed`, reusing the existing message. - Add `QUOTA_FAIL_MODE=closed|open` (default `closed`) so OSS self-hosters can explicitly opt back into availability; the open path logs loudly. - Narrow the try-scope so `get_user_by_id` / `get_workflow_run` DB read failures surface as their specific `user_not_found` / `workflow_run_not_found` codes instead of the generic handler. - Tests cover the config-resolution and DB-read failure paths (denied, not `has_quota=True`) and the `QUOTA_FAIL_MODE=open` escape hatch. Fixes #331 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(quota): route DB read failures through the fail-mode policy gate Review (greptile) flagged that the narrowed get_user_by_id / get_workflow_run catches returned user_not_found / workflow_run_not_found before the outer QUOTA_FAIL_MODE handler ran, so QUOTA_FAIL_MODE=open never applied to a DB failure -- the exact "degraded database" case the escape hatch documents. Revert the two narrowed catches so DB read exceptions fall through to the single outer policy gate: closed -> quota_check_failed, open -> allow. The None checks still return the specific not_found codes for genuinely missing rows; an exception is a "cannot verify" condition, not a definitive absence. Add a regression test asserting QUOTA_FAIL_MODE=open allows a run when a DB read throws, and update the two DB-error tests to expect quota_check_failed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs(quota): scope the fail-mode comment to credit-verification failures (#331) Review (cubic) flagged the outer-handler comment as overclaiming: it said the handler is the single gate for "all cannot-verify errors", but the earlier workflow-load and org-membership catches always deny with workflow_not_found regardless of QUOTA_FAIL_MODE. That distinction is intentional (those are authorization/existence gates, not credit verification), so scope the comment accordingly. Comment-only, no behavior change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(quota): fail open only when MPS is unreachable --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Abhishek Kumar <abhishek@a6k.me> |
||
|---|---|---|
| .. | ||
| alembic | ||
| assets | ||
| db | ||
| errors | ||
| mcp_server | ||
| native/rnnoise | ||
| routes | ||
| schemas | ||
| services | ||
| tasks | ||
| tests | ||
| utils | ||
| .cursorignore | ||
| .dockerignore | ||
| .env.example | ||
| .env.test.example | ||
| .gitignore | ||
| __init__.py | ||
| AGENTS.md | ||
| alembic.ini | ||
| app.py | ||
| CLAUDE.md | ||
| conftest.py | ||
| constants.py | ||
| Dockerfile | ||
| enums.py | ||
| logging_config.py | ||
| pyproject.toml | ||
| pytest.ini | ||
| requirements.dev.txt | ||
| requirements.txt | ||
| sdk_expose.py | ||