Commit 0e22bb1

gabemontero and claude committed
fix(boost): address review findings — race condition, proxy options, stale paths
- Clear pendingFetch in KeycloakAuthClient.invalidateToken() to prevent returning a stale in-flight token during 401 retry
- Forward ChatOptions second parameter through boostAiProviderServiceFactory lazy proxy to chat() and chatStream()
- Update 3 stale doc references from kagenti-entity-provider/src/providers/kagentiAuth.ts to boost-node/src/KeycloakAuthClient.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent dd33ba1 commit 0e22bb1

5 files changed

Lines changed: 10 additions & 7 deletions

workspaces/boost/openspec/changes/security-safety-governance/proposal.md

Lines changed: 1 addition & 1 deletion
@@ -45,4 +45,4 @@ Enterprise AI platforms must treat security, safety, and governance as foundatio
4545
- `plugins/boost-common/src/permissions.ts` — 16 permission definitions with resource types
4646
- `plugins/boost-backend/src/middleware/security.ts``authorizeLifecycleAction` middleware
4747
- `plugins/boost-frontend/src/components/SecurityGate.tsx` — granular permission checks
48-
- `plugins/kagenti-entity-provider/src/providers/kagentiAuth.ts``KeycloakAuthClient` (OAuth2 Client Credentials Grant)
48+
- `plugins/boost-node/src/KeycloakAuthClient.ts``KeycloakAuthClient` (OAuth2 Client Credentials Grant)

workspaces/boost/plugins/boost-backend/src/plugin.ts

Lines changed: 6 additions & 4 deletions
@@ -86,11 +86,13 @@ export const boostAiProviderServiceFactory = createServiceFactory({
8686
get descriptor() {
8787
return providerManager.getActiveProvider().descriptor;
8888
},
89-
chat(messages) {
90-
return providerManager.getActiveProvider().chat(messages);
89+
chat(messages, options) {
90+
return providerManager.getActiveProvider().chat(messages, options);
9191
},
92-
chatStream(messages) {
93-
return providerManager.getActiveProvider().chatStream(messages);
92+
chatStream(messages, options) {
93+
return providerManager
94+
.getActiveProvider()
95+
.chatStream(messages, options);
9496
},
9597
};
9698
},
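Review bot: nothing in this commit tests that `options` reaches the active provider from `chat()` and `chatStream()`; the file list shows five files changed and none of them is a test. The earlier proxy dropped the second argument silently, so a regression here would go unnoticed in the same way. Suggest a unit test that stubs `providerManager.getActiveProvider()` and asserts both methods are called with the same `options` object they were given. It is also worth checking whether any other method on this proxy, outside the visible lines, takes a trailing parameter that is not forwarded.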

workspaces/boost/plugins/boost-node/src/KeycloakAuthClient.ts

Lines changed: 1 addition & 0 deletions
@@ -118,5 +118,6 @@ export class KeycloakAuthClient {
118118
invalidateToken(): void {
119119
this.cachedToken = undefined;
120120
this.tokenExpiresAt = 0;
121+
this.pendingFetch = undefined;
121122
}
122123
}
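Review bot: in `invalidateToken()`, setting `this.pendingFetch = undefined` drops the reference but does not cancel the request that is already in flight. If the continuation of that fetch (not visible in this hunk) assigns `this.cachedToken` and `this.tokenExpiresAt` when it resolves, it can repopulate the cache after invalidation with the token the 401 retry was meant to discard, and callers already awaiting the old promise still receive it. Suggest guarding the write: have the fetch continuation store its result only if `this.pendingFetch` is still the promise it started as, or bump a generation counter in `invalidateToken()` and compare it before writing.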

workspaces/boost/specifications/prd/pluggable-ai-platform-architecture.md

Lines changed: 1 addition & 1 deletion
@@ -214,7 +214,7 @@ Hot-swaps between configured providers at runtime. Monitors capability differenc
214214
| RuntimeConfigResolver | `services/RuntimeConfigResolver.ts` | 30s | P0 | Immediate invalidation on write via `cache.delete()` |
215215
| ResponsesApiProvider.\_modelsCache | `providers/llamastack/ResponsesApiProvider.ts` | Match Kagenti | P1 | Eliminates model cache asymmetry |
216216
| McpAuthService tokens | `providers/llamastack/auth/McpAuthService.ts` | From token expiry | P1 | Security-sensitive |
217-
| KeycloakAuthClient | `kagenti-entity-provider/src/providers/kagentiAuth.ts` | From token expiry | P1 | Security-sensitive |
217+
| KeycloakAuthClient | `boost-node/src/KeycloakAuthClient.ts` | From token expiry | P1 | Security-sensitive |
218218
| BackendToolExecutor | `providers/responses-api/tools/BackendToolExecutor.ts` | 5 min | P1 | Add max size limit |
219219
| ConversationRegistry | `providers/responses-api/conversations/ConversationRegistry.ts` | 24h | P1 | Replaces unbounded Map |
220220
| DocumentSyncService | `providers/responses-api/documents/DocumentSyncService.ts` | No expiry | P2 | Content hash tracking |

workspaces/boost/staged-issues.md

Lines changed: 1 addition & 1 deletion
@@ -388,7 +388,7 @@ From `openspec/changes/security-safety-governance/tasks.md` section 7:
388388
- 7.5b Integrate into `KagentiApiClient` — inject bearer token
389389
- 7.6 Propagate user identity via `X-Backstage-User` header
390390

391-
**Note:** `KeycloakAuthClient` was implemented in `kagenti-entity-provider/src/providers/kagentiAuth.ts` for entity provider use. The remaining tasks (7.3, 7.5b, 7.6) target the `KagentiApiClient` in `boost-backend-module-kagenti` for user-facing provider module use.
391+
**Note:** `KeycloakAuthClient` was implemented in `boost-node/src/KeycloakAuthClient.ts` for entity provider use. The remaining tasks (7.3, 7.5b, 7.6) target the `KagentiApiClient` in `boost-backend-module-kagenti` for user-facing provider module use.
392392

393393
### Specifications
394394
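Review bot: the updated note still says `KeycloakAuthClient` was implemented "for entity provider use", while the path now points at `boost-node/src/KeycloakAuthClient.ts` rather than the entity provider plugin. If the class now lives in `boost-node` so that other modules can use it, reword that clause so readers do not conclude it is private to the entity provider, since the remaining tasks (7.3, 7.5b, 7.6) target `KagentiApiClient` in `boost-backend-module-kagenti`.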
