Fixed Secrets sharing

[NiveditJain]

No description provided.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Added support for the latest version of the exospherehost package.

• Bug Fixes

  • Improved handling of AWS credentials and region by requiring explicit input rather than relying on environment variables.
  • Adjusted secret handling to ensure only relevant secret data is processed.
  • Updated the route for graph template upserts to a more concise URL.

• Other

  • Relaxed validation for secret values by removing unnecessary character checks.
  • Updated internal versioning to 0.0.7b4.

Walkthrough

The changes update AWS credential handling in S3 file listing logic, adjust how secrets are passed in runtime code, and relax base64 secret validation. Additionally, a dependency version is updated, a new dependency is added, and a route path is modified for graph template upserts.

Changes

Cohort / File(s)	Change Summary
S3 Credential Handling exosphere-runtimes/cloud-storage-runtime/nodes/list_s3_files.py	Removes use of environment variables for AWS credentials and region in the Secrets class; these are now required as explicit input parameters. Updates boto3.client initialization to use these parameters. Removes an extraneous print statement.
Secrets Passing Logic python-sdk/exospherehost/runtime.py	Changes the argument passed to node.Secrets in _worker: only the nested "secrets" dictionary is passed, rather than the full secrets response dictionary.
Base64 Secret Validation state-manager/app/models/db/graph_template_model.py	Removes explicit regex validation for URL-safe base64 characters in secret values; relies solely on base64 decoding for validation, maintaining minimum length and decode checks.
Dependency and Version Updates exosphere-runtimes/cloud-storage-runtime/pyproject.toml, python-sdk/exospherehost/_version.py	Adds exospherehost==0.0.7b3 as a dependency in the runtime's pyproject.toml. Updates version string in SDK to 0.0.7b4.
Route Path Change state-manager/app/routes.py	Changes the PUT endpoint for graph template upserts from /graph-templates/{graph_name} to /graph/{graph_name}.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API (state-manager/app/routes.py)
    participant DB Model (graph_template_model.py)

    Client->>API: PUT /graph/{graph_name} (upsert)
    API->>DB Model: Validate and store secret (base64 decode)
    DB Model-->>API: Success or error
    API-->>Client: Response

Loading

sequenceDiagram
    participant Runtime
    participant Node
    participant AWS S3

    Runtime->>Node: Pass secrets dict (aws_access_key_id, aws_secret_access_key, aws_region)
    Node->>AWS S3: Initialize boto3 client with explicit credentials
    Node->>AWS S3: List S3 objects
    AWS S3-->>Node: Return file list
    Node-->>Runtime: Return results

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Poem

A rabbit hops through lines of code,
Credentials explicit, no secrets owed.
Base64 checks now less strict,
Endpoints shortened, changes picked.
New versions bloom, dependencies grow—
In this patch, improvements show!
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8793b4f and 933a698.

📒 Files selected for processing (1)

• state-manager/app/models/db/graph_template_model.py (1 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (2)

state-manager/app/models/db/graph_template_model.py (1)

1-1: Remove unused import causing pipeline failure.

The re module is imported but no longer used after removing the regex validation logic.

-import re

exosphere-runtimes/cloud-storage-runtime/nodes/list_s3_files.py (1)

33-36: Add error handling for empty S3 responses.

The code assumes response['Contents'] always exists, but S3 returns responses without this key when no objects match the criteria, which will cause a KeyError.

-        return [
-            self.Outputs(key=data['Key'])
-            for data in response['Contents']
-        ]
+        return [
+            self.Outputs(key=data['Key'])
+            for data in response.get('Contents', [])
+        ]

Additionally, the files_only and recursive input parameters are defined but not used in the implementation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 712da17 and 8793b4f.

⛔ Files ignored due to path filters (1)

• exosphere-runtimes/cloud-storage-runtime/uv.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• exosphere-runtimes/cloud-storage-runtime/nodes/list_s3_files.py (1 hunks)
• exosphere-runtimes/cloud-storage-runtime/pyproject.toml (1 hunks)
• python-sdk/exospherehost/_version.py (1 hunks)
• python-sdk/exospherehost/runtime.py (1 hunks)
• state-manager/app/models/db/graph_template_model.py (1 hunks)
• state-manager/app/routes.py (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: the exospherehost project is currently in beta phase, so breaking changes in apis are acceptable and...

Learnt from: NiveditJain
PR: exospherehost/exospherehost#131
File: state-manager/app/models/executed_models.py:0-0
Timestamp: 2025-08-03T04:26:00.148Z
Learning: The exospherehost project is currently in beta phase, so breaking changes in APIs are acceptable and don't require versioning or migration strategies.

Applied to files:

• python-sdk/exospherehost/_version.py
• exosphere-runtimes/cloud-storage-runtime/pyproject.toml

📚 Learning: the exospherehost project requires python versions > 3.12 for the ci workflow, meaning python 3.13 o...

Learnt from: NiveditJain
PR: exospherehost/exospherehost#130
File: .github/workflows/ci.yml:22-22
Timestamp: 2025-08-02T12:43:35.075Z
Learning: The exospherehost project requires Python versions > 3.12 for the CI workflow, meaning Python 3.13 or higher should be used despite potential stability concerns with pre-release versions.

Applied to files:

• python-sdk/exospherehost/_version.py
• exosphere-runtimes/cloud-storage-runtime/pyproject.toml

🪛 GitHub Actions: Ruff check on changed files only

state-manager/app/models/db/graph_template_model.py

[error] 1-1: Ruff: re imported but unused (F401). Remove unused import: re. 1 fixable error with the --fix option.

🔇 Additional comments (6)

python-sdk/exospherehost/_version.py (1)

1-1: LGTM! Version bump aligns with dependency management.

The version increment from "0.0.7b3" to "0.0.7b4" is consistent with the runtime dependency pinning to "0.0.7b3" in the pyproject.toml file, following proper versioning practices for the beta phase.

exosphere-runtimes/cloud-storage-runtime/pyproject.toml (1)

9-9: LGTM! Appropriate dependency pinning.

Adding the pinned dependency on exospherehost==0.0.7b3 ensures the runtime uses a stable version of the SDK while development continues on the next version.

state-manager/app/routes.py (1)

118-118: No internal references to /graph-templates – ready to merge

A quick ripgrep search (rg -i "graph-templates") returned no hits elsewhere in the repo. The only change lives in:

• state-manager/app/routes.py (line 118): "/graph/{graph_name}",

Since we’re in beta, this breaking change is acceptable. Remember to update any external clients to call /graph/{graph_name}.

python-sdk/exospherehost/runtime.py (1)

309-309: Secrets payload extraction confirmed
Verified that the get_secrets endpoint returns a SecretsResponseModel with a top-level secrets field (state-manager/app/models/secrets_response.py), so using secrets["secrets"] to initialize node.Secrets correctly unwraps the nested dict. No further changes needed.

state-manager/app/models/db/graph_template_model.py (1)

45-58: LGTM! Simplified validation logic by relying on base64 decoding.

Removing the explicit regex validation and letting the base64.urlsafe_b64decode() call handle invalid characters is a good simplification. The base64 decoding will naturally fail if invalid characters are present, making the regex check redundant.

exosphere-runtimes/cloud-storage-runtime/nodes/list_s3_files.py (1)

18-21: LGTM! Improved security through explicit credential handling.

The change from implicit environment variable usage to explicit AWS credential fields enhances security, traceability, and testability. All required fields for S3 authentication are properly defined.