feat: Add Groq and OpenRouter LLM providers, update the unified client and configuration, and include new documentation. #51
Open
Danijel-Enoch wants to merge 1 commit into
zcor added a commit to zcor/hound that referenced this pull request Jun 1, 2026
… (firepan-1bg) (scabench-org#51)

Lets admins re-run deep audits on behalf of paying customers without burning their own monthly quota, and collapses the manual "delete AuditSession + ScanExecution in SQLAdmin to refund a stalled audit" workflow (CLAUDE.md scabench-org#46) into a single POST. Motivated by the Egorov 2026-04-23 FeeDistributor thread — we need to keep the dashboard pipeline running through the same code path the worker already uses.

Changes

- tier_enforcement._check_sync: new bypass_quota kwarg skips monthly-limit and credit enforcement. Still requires tenant to exist. Reserved for admin-authenticated callers — never reachable from tenant-facing paths.
- POST /admin/audits/force-run: admin-only (X-Admin-Key header, no JWT, no session cookies, no query-param auth — matches the verify-overview CSRF gate). Creates AuditSession + ScanExecution exactly like /audits/start so the dashboard and websocket progress path stay unchanged; stamps admin_forced=True into both scan_config and AuditSession.models for auditability.
- POST /admin/audits/{session_id}/refund: deletes AuditSession + matching ScanExecution. Tolerates orphan rows (one side missing); 404 only when both are absent. Quota count drops the moment the row is gone.

Tests

- 13 new tests cover bypass_quota marker, force-run auth gates (missing key, wrong key, session-cookie reject, 404 on unknown project), worker dispatch + row creation, repo_url fallback to project.git_url, refund happy-path + orphan-tolerance + quota-slot release.
- Full suite still passes; 4 pre-existing telegram failures are stale "Deep Audit Complete" vs "Deep Scan Complete" strings from h7u rename, unrelated to this change.

Unblocks firepan-nxf (file-scoped deep audit), which is filed but waiting on this to ship first.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
zcor added a commit to zcor/hound that referenced this pull request Jun 1, 2026
…ce-run (firepan-nxf) (scabench-org#52)

Threads a new optional target_files list from the API boundary all the way down to RepositoryManifest(file_filter=...). Paid-tier tenants honor it; free tier silently drops (logged). Admin force-run (firepan-1bg) also accepts it. Max 50 entries, path-traversal/shell-metacharacter validation, best-effort on-disk existence check at the API, authoritative zero-hit gate at the worker.

Motivated by Egorov 2026-04-23 FeeDistributor thread: we want to audit a single .vy file without burning whole-repo quota.

Changes

- server/api.py:
  - _validate_target_files: pure syntactic validator. Rejects empty/traversal/absolute/shell-metacharacter/glob/non-string entries, caps at 50, dedups.
  - _check_target_files_exist_on_disk: best-effort filesystem check against project.source_path. Symlink-escape guard via resolve+relative_to. Returns ([], []) when no clone is present so caller defers to worker-time gate.
  - AuditStartRequest + AdminAuditForceRunRequest gain target_files: list[str] | None with pydantic max_length=50.
  - start_audit: scope honored for paid tenants (has_paid_subscription), silently dropped for free (logged). Best-effort API-time existence check; 422 when all paths miss a cached clone.
  - admin_force_run_audit: admin bypasses tier gate but NOT existence check.
  - Both endpoints persist scope in ScanExecution.scan_config["target_files"] AND AuditSession.session_metadata["target_files"] (separate keys, not overloading models).
  - Both endpoints pass target_files kwarg to execute_audit_task.delay().
  - ScanHistoryItem + SurfaceScanResponse surface target_files on read path so the dashboard can render a "Scoped" badge + the scan-detail page shows the full list. Legacy rows and malformed JSONB coerce to None.
- worker/tasks.py:
  - execute_audit_task signature gains target_files kwarg + scan_config fallback read (future redeliveries keep scope without re-dispatch).
  - RepositoryManifest(file_filter=target_files) wires the existing CLI --files plumbing into the worker path.
  - Zero-hit gate: if target_files was requested and zero resolved, mark scan failed with a clear error_message, publish websocket failure, delete AuditSession to release quota (mirror of admin_refund_audit), return early. Partial-hit logs the missing entries and continues.
- database/models.py: ensure_schema adds ALTER TABLE audit_sessions ADD COLUMN IF NOT EXISTS session_metadata JSONB as belt-and-braces for prod DBs created before the field was in the model.

Tests

- 30 new tests in tests/test_scoped_audit.py covering: helper validation (traversal, shell metacharacters, globs, over-50, dedup, blank-coerce, non-string), on-disk checker (resolved/missing split, symlink escape, directory treated as missing), admin force-run (happy path, 422 on all-miss, partial-hit defer, uncloned project, legacy no-scope), tenant start_audit (paid honors, free silently drops + logs, 422 on all-miss, legacy no-scope), scan history read-path (surfaces scope, legacy/whole-repo/malformed → null), worker zero-hit (scan marked failed, AuditSession deleted, error_message set), worker partial-hit (warning published, session survives).
- All 13 existing firepan-1bg tests still pass.
- 723 tests pass in the full regression suite (minus 2 pre-existing ignored files with stale "Deep Audit Complete" strings from h7u rename).

Based on feature/admin-audit-bypass-1bg (PR scabench-org#51 → feature/surface-scan).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Note: I used AI and this might contain sloppy code.