Skip to content

fix(gh): fix issue 58#81

Merged
krokoko merged 5 commits into
mainfrom
issue58
May 13, 2026
Merged

fix(gh): fix issue 58#81
krokoko merged 5 commits into
mainfrom
issue58

Conversation

@krokoko
Copy link
Copy Markdown
Contributor

@krokoko krokoko commented May 13, 2026

Fixes #58

  • Idempotent replay semantics: POST /v1/tasks with a previously-used Idempotency-Key from the same user now returns 200 OK with the full TaskDetail and an Idempotent-Replay: true
    response header, instead of a 409 DUPLICATE_TASK error. This aligns with industry-standard idempotency behavior (Stripe, AWS).
  • Security hardening: Cross-user key collisions still return 409 with a generic message (no task leakage). Incomplete/corrupt DynamoDB records fail closed with 500 INTERNAL_ERROR and
    diagnostic logging (missing_fields).
  • Defensive successResponse extension: New optional extraHeaders parameter uses a safe spread order (extraHeaders first, then protected headers) so Content-Type,
    Access-Control-Allow-Origin, and X-Request-Id can never be overridden by callers.
  • TTL race handling: When the IdempotencyIndex GSI matches a stale entry but the base-table item is gone (TTL/deletion race), the system logs a warning and creates a fresh task
    instead of erroring.

Test plan

  • Same-user idempotent replay returns 200 + Idempotent-Replay: true header + full TaskDetail (unit + handler-level)
  • Cross-user collision returns 409 with no task data leakage (unit + handler + webhook)
  • Incomplete DynamoDB record returns 500 INTERNAL_ERROR (fail-closed)
  • Missing user_id on stored record returns 500 (fail-closed, not false-positive match)
  • GSI match with no base-table item (TTL race) creates new task and invokes orchestrator
  • extraHeaders cannot override Content-Type, Access-Control-Allow-Origin, or X-Request-Id
  • Webhook handler correctly forwards Idempotency-Key and returns replay/collision responses
  • All 80 tests pass across 4 test suites

Area

  • cdk — infrastructure, handlers, constructs
  • agent — Python runtime / Docker image
  • clibgagent client
  • docs — guides or design sources (docs/guides/, docs/design/)
  • tooling — root mise.toml, scripts, CI workflows

Tip: AGENTS.md lists where to edit and which tests to extend.

Related

Changes

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@krokoko krokoko requested a review from a team as a code owner May 13, 2026 00:43
@krokoko krokoko changed the title Issue58 fix(gh): fix issue 58 May 13, 2026
@krokoko krokoko enabled auto-merge May 13, 2026 01:18
@krokoko krokoko disabled auto-merge May 13, 2026 01:18
@krokoko krokoko merged commit f36d352 into main May 13, 2026
6 of 7 checks passed
@krokoko krokoko mentioned this pull request May 13, 2026
Closed
@scottschreckengaust scottschreckengaust deleted the issue58 branch May 13, 2026 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Idempotent submit returns DUPLICATE_TASK error instead of the original task_id

1 participant

@krokoko