Validate forwarded grant agents before import#1674
Conversation
SummaryThis is a tight, correct security-hardening fix — approve once the docstring catches up. The forwarded-connection import previously skipped unknown The single most important thing: the behavior change is correct and the tests prove the right thing — they assert both the 404/503 status and that no grant or connection was persisted ( No prompt-injection content in the diff. No secrets, no new dependencies, scope-clean (router + its test only). Issues Found🟢 Docstring no longer lists all failure modes ( The 🟢 Minor: behavior change for existing callers (non-blocking, no action needed) A host app that was sending an unknown/stale Strengths
VerdictApprove with suggestions — no blocking issues. The docstring nit is a one-line follow-up and can be applied with one click; the logic and tests are ready to merge as-is. |
|
@itomek-amd, can you review this PR as it's related to connectors. |
Summary
Why
Forwarded imports resolved required scopes only for known agents, but still persisted every requested
grant_agentsvalue. An unknown id could therefore collapse import-time scope validation to[]and still receive a grant entry.Validation
uv run python -m pytest tests/unit/connectors/test_router_forwarded.py- 16 passed, 2 skippeduv run python -m pytest tests/unit/connectors/test_forwarded_import.py- 18 passed