fix(py-ext-marketplace): gate seen_names mutation on validate_bundle duplicate path#2161

Merged
imran-siddique merged 1 commit into
microsoft:mainfrom
aegis-initiative:fix/py-ext-marketplace-bundle-duplicate-detection
May 12, 2026

Conversation

@finnoybu

Contributor

Summary

BundleRegistry.validate_bundle recorded every component name in seen_names regardless of whether the duplicate check had already fired:

    if comp.name in seen_names:
        errors.append(f"Duplicate component name: '{comp.name}'")
    seen_names.add(comp.name)         # also runs on duplicates

Re-adding an already-present name to a set is a no-op, so this didn't change which duplicate errors got emitted — every repeat occurrence still reports correctly. The defect is cosmetic in the strict sense, but two related problems were real:

  1. Empty names polluted seen_names. A BundleComponent with name == "" had its empty string added to seen_names, so the next unnamed component would be reported BOTH as "Component name is required" AND as Duplicate component name: '' — a spurious second finding for the same underlying problem.
  2. Loop intent was implicit. seen_names is meant to mean "canonical / first-seen names". Adding to it on the duplicate branch hid that contract behind a set-semantics quirk.

Change

Gate seen_names.add(comp.name) behind not in seen_names and skip the add entirely for empty names. Both adjustments are locally-scoped to the duplicate-tracking branch; the existing "name required" and "version required" findings are unchanged.

Tests

Two new regression tests in tests/test_workflow_bundle.py::TestValidateBundle:

  • test_three_components_same_name_emit_two_duplicates — three components sharing one name yield two Duplicate errors.
  • test_unnamed_components_do_not_cross_collide_as_duplicates — two unnamed components yield two "Component name is required" findings and zero Duplicate findings.

    $ PYTHONPATH=src python -m pytest tests/ -q
    311 passed, 2 skipped in 1.86s

Test plan

  • Existing marketplace test suite green (309 → 311 with new regressions).
  • Empty-name component no longer produces a spurious duplicate finding.
  • Duplicate detection still flags every repeat occurrence.

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Python Extensions].
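The following is an added example, not code from this PR or from the agt-acs repository: a minimal stand-in for `BundleRegistry.validate_bundle` with the pre-fix and post-fix duplicate-name tracking side by side, run over the two constructed bundles the regression tests describe (three components sharing one name; two unnamed components). `BundleComponent` is assumed to be a simple `name`/`version` record, and the exact wording of the "version required" finding is an assumption; the "name required" and duplicate messages follow the PR text.

```python
"""Added example (not the project's code): before/after versions of the
duplicate-name tracking described in PR #2161, plus constructed inputs.
BundleComponent's shape and the "version required" wording are assumed."""
from dataclasses import dataclass


@dataclass
class BundleComponent:
    # Assumed shape: the PR only mentions name and version checks.
    name: str
    version: str


def _common_checks(comp, errors):
    """The per-component findings the PR says are unchanged by the fix."""
    if not comp.name:
        errors.append("Component name is required")
    if not comp.version:
        errors.append("Component version is required")  # assumed wording


def validate_bundle_before(components):
    """Pre-fix logic: every name, including "", lands in seen_names, so a
    second unnamed component is also reported as a duplicate of ''."""
    errors, seen_names = [], set()
    for comp in components:
        _common_checks(comp, errors)
        if comp.name in seen_names:
            errors.append(f"Duplicate component name: {comp.name!r}")
        seen_names.add(comp.name)  # also runs on duplicates and on ""
    return errors


def validate_bundle_after(components):
    """Post-fix logic: seen_names only ever holds non-empty, first-seen
    names; the add is gated on `not in seen_names` and skipped for ""."""
    errors, seen_names = [], set()
    for comp in components:
        _common_checks(comp, errors)
        if comp.name in seen_names:
            errors.append(f"Duplicate component name: {comp.name!r}")
        elif comp.name:
            seen_names.add(comp.name)
    return errors


def count_findings(errors, prefix):
    """Number of findings whose message starts with `prefix`."""
    return sum(1 for e in errors if e.startswith(prefix))


# Constructed inputs mirroring the two regression tests in the PR.
SAME_NAME_TRIPLE = [BundleComponent("auth", "1.0") for _ in range(3)]
UNNAMED_PAIR = [BundleComponent("", "1.0"), BundleComponent("", "1.0")]


if __name__ == "__main__":
    for label, bundle in (("same-name x3", SAME_NAME_TRIPLE),
                          ("unnamed x2", UNNAMED_PAIR)):
        for variant, fn in (("before", validate_bundle_before),
                            ("after", validate_bundle_after)):
            print(f"{label:13s} {variant:6s} {fn(bundle)}")
```

Running the block shows the one behavioural difference: the unnamed pair yields a spurious `Duplicate component name: ''` before the fix and none after it, while the three-way duplicate still produces exactly two `Duplicate` findings in both versions.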

…duplicate path

`BundleRegistry.validate_bundle` recorded every component name in
``seen_names`` regardless of whether the duplicate check had already fired:

    if comp.name in seen_names:
        errors.append(f"Duplicate component name: {comp.name!r}")
    seen_names.add(comp.name)         # also runs on duplicates

Re-adding an already-present name to a ``set`` is a no-op, so this didn't
change which duplicate errors got emitted — every repeat-occurrence still
reports correctly. The defect is cosmetic in the strict sense, but two
related problems were real:

1. **Empty names polluted ``seen_names``**: a ``BundleComponent`` with
   ``name == ""`` had its empty string added to ``seen_names``, so the
   *next* unnamed component would be reported BOTH as
   "Component name is required" AND as `Duplicate component name: ''` —
   a spurious second finding for the same underlying problem.

2. **Loop intent was implicit**: ``seen_names`` is meant to mean
   "canonical / first-seen names". Adding to it on the duplicate branch
   hid that contract behind a set-semantics quirk.

This change gates ``seen_names.add(comp.name)`` behind ``not in seen_names``
and skips the add entirely for empty names. Both adjustments are
locally-scoped to the duplicate-tracking branch; the "name required" and
"version required" findings are unchanged.

Regression tests:

- Three components sharing the same name now emit two `Duplicate` errors
  (one per repeat occurrence).
- Two unnamed components emit two "Component name is required" findings
  and zero `Duplicate component name: ''` findings.

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Python Extensions].
@github-actions github-actions Bot added tests size/M Medium PR (< 200 lines) labels May 12, 2026
@github-actions

🤖 AI Agent: code-reviewer — View details

TL;DR: 0 blockers, 0 warnings. No issues found. Clean change.

@github-actions

🤖 AI Agent: breaking-change-detector — API Compatibility

Severity: Potential
Change Impact: The logic for adding component names to seen_names has changed to prevent empty names from being added and to only add names that are not already present. This could affect any external code or tests that rely on the previous behavior of seen_names including empty names, potentially leading to different error reporting for bundles with unnamed components.

@github-actions

🤖 AI Agent: docs-sync-checker — Docs Sync

  • validate_bundle() in workflow_bundle.py -- missing docstring
  • CHANGELOG.md -- missing entry for behavioral change in duplicate detection logic

Please address these issues to ensure documentation is in sync.

@github-actions

🤖 AI Agent: test-generator — `workflow_bundle.py`

  • test_empty_names_pollute_seen_names -- validate that empty component names do not get added to seen_names.
  • test_duplicate_component_names_rejected -- ensure that duplicate component names are correctly flagged without spurious errors.

@github-actions

🤖 AI Agent: security-scanner — View details

No security issues found.

@github-actions


🟡 Contributor Check: MEDIUM

  • Profile: MEDIUM
  • Credential: NONE
  • Overall: MEDIUM

Automated check by AGT Contributor Check.

@github-actions github-actions Bot added the needs-review:MEDIUM Contributor check flagged MEDIUM risk label May 12, 2026
@github-actions


PR Review Summary

  • 🔍 Code Review: ✅ Passed (No issues found)
  • 🛡️ Security Scan: ✅ Passed (No issues found)
  • 🔄 Breaking Changes: ✅ Completed (Analysis complete)
  • 📝 Docs Sync: ✅ Passed (No issues found)
  • 🧪 Test Coverage: ✅ Completed (Analysis complete)

Verdict: ✅ Ready for human review

@imran-siddique imran-siddique merged commit 90966f3 into microsoft:main May 12, 2026
13 of 14 checks passed
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request Jun 1, 2026
…duplicate path (microsoft#2161)