fix(py-gov-compliance): pin grade-threshold scan order with list of tuples#2170
Merged
imran-siddique merged 1 commit intoMay 12, 2026
Conversation
…uples
GRADE_THRESHOLDS was a dict {"A": 90, "B": 70, "C": 50, "D": 30, "F": 0}
that _score_to_grade iterated via .items() and relied on Python 3.7+
insertion-ordered dict semantics to scan descending. A future caller
that rebuilt the mapping via dict() round-trips, sorted(), set
operations, or a config-driven merge could silently shuffle the
ordering — at which point a 95 might map to "B" because "B": 70 was
visited before "A": 90.
Adds GRADE_THRESHOLD_LIST as the canonical tuple sequence (highest
threshold first). _score_to_grade reads from the tuple list directly.
GRADE_THRESHOLDS is preserved as dict(GRADE_THRESHOLD_LIST) so any
downstream caller that imports the dict continues to see identical
data.
Verified: PYTHONPATH=src python -m pytest tests/test_prompt_defense.py
-q -> 75 passed.
🤖 AI Agent: docs-sync-checker — Docs SyncDocs Sync
|
🤖 AI Agent: breaking-change-detector — API CompatibilityAPI Compatibility
|
🤖 AI Agent: code-reviewer — View detailsTL;DR: 0 blockers, 0 warnings. No issues found. Clean change. |
🤖 AI Agent: security-scanner — View detailsNo security issues found. |
🤖 AI Agent: test-generator — `prompt_defense.py`
|
|
🟡 Contributor Check: MEDIUM
Automated check by AGT Contributor Check. |
PR Review Summary
Verdict: ✅ Ready for human review |
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…uples (microsoft#2170) GRADE_THRESHOLDS was a dict {"A": 90, "B": 70, "C": 50, "D": 30, "F": 0} that _score_to_grade iterated via .items() and relied on Python 3.7+ insertion-ordered dict semantics to scan descending. A future caller that rebuilt the mapping via dict() round-trips, sorted(), set operations, or a config-driven merge could silently shuffle the ordering — at which point a 95 might map to "B" because "B": 70 was visited before "A": 90. Adds GRADE_THRESHOLD_LIST as the canonical tuple sequence (highest threshold first). _score_to_grade reads from the tuple list directly. GRADE_THRESHOLDS is preserved as dict(GRADE_THRESHOLD_LIST) so any downstream caller that imports the dict continues to see identical data. Verified: PYTHONPATH=src python -m pytest tests/test_prompt_defense.py -q -> 75 passed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
prompt_defense.py'sGRADE_THRESHOLDSwas a dict literal:and
_score_to_gradeiterated via.items(), relying on Python 3.7+ insertion-ordered dict semantics to scan from highest threshold to lowest. A future caller that rebuilt the mapping via adict(...)round-trip,sorted(...), a set operation, or a config-driven merge could silently shuffle the order — at which point a score of 95 might be returned as"B"because"B": 70was visited before"A": 90.The brittleness was load-bearing: the scoring contract holds only as long as nothing ever reorders the dict.
Change
Adds
GRADE_THRESHOLD_LIST: tuple[tuple[str, int], ...]as the canonical sequence with the descending order baked into the data type itself:_score_to_gradenow reads from the tuple list.GRADE_THRESHOLDSis preserved as a public re-export so any downstream caller that imports the dict continues to see identical data.Tests
Three new cases in
TestScoreToGradepin the contract:test_threshold_list_is_descendingtest_threshold_list_matches_legacy_dictdict(GRADE_THRESHOLD_LIST) == GRADE_THRESHOLDStest_threshold_list_covers_all_gradesThe existing boundary cases (
test_grade_athroughtest_grade_f) continue to assert the score-to-grade mapping is byte-equivalent to the prior behaviour.Test plan
test_prompt_defense.pycases passGRADE_THRESHOLDSdict still importable for any external consumersSurfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Python Governance].