Update analysis hub response models

[brucetony]

Summary by CodeRabbit

• Documentation

  • Renamed node credentials and expanded environment section with new config options (OVERRIDE_JWKS, HTTP_PROXY, HTTPS_PROXY, AUTOSTART, AUTOSTART_INTERVAL, EXTRA_CA_CERTS, ROLE_CLAIM_NAME, ADMIN/STEWARD/RESEARCHER_ROLE, POSTGRES_EVENT_PASSWORD). Updated autostart criteria and API base/docs URL to localhost:5000.

• Changes

  • Standardized status terminology: "running"/"finished" → "executing"/"executed".
  • API metadata refreshed (title, description, contact, servers) and added a Storage API tag; default server port changed to 5000.
  • Minor route path normalization (/local).

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Refactors authentication from RobotAuth to ClientAuth with env var renames (HUB_ROBOT_* → HUB_NODE_CLIENT_*), renames pod statuses (RUNNING→EXECUTING, FINISHED→EXECUTED), updates autostart status criteria, synchronizes docs/tests, updates API metadata/port and minor route/path changes, and bumps client dependency/tooling metadata.

Changes

Cohort / File(s)	Summary
Auth & Core client hub_adapter/dependencies.py, hub_adapter/dependencies.py (signatures), tests/test_dependencies.py	RobotAuth → ClientAuth; env vars switched to HUB_NODE_CLIENT_ID/HUB_NODE_CLIENT_SECRET; get_core_client/get_flame_hub_auth_flow signatures updated; cache keys, node lookup filter, error messages, and auth construction adjusted to client_id semantics.
Config, README & env docs README.md, hub_adapter/conf.py, tests/conftest.py	Settings dataclass replaces HUB_ROBOT_* with HUB_NODE_CLIENT_*; README updated with new env vars (OVERRIDE_JWKS, HTTP_PROXY, HTTPS_PROXY, AUTOSTART, AUTOSTART_INTERVAL, EXTRA_CA_CERTS, ROLE_CLAIM_NAME, ADMIN_ROLE, STEWARD_ROLE, RESEARCHER_ROLE, POSTGRES_EVENT_PASSWORD) and docs URL/port changes; autostart build_status criterion changed to "executed".
Autostart & status parsing hub_adapter/autostart.py, tests/test_autostart.py	Local auth var renamed; run_status → execution_status throughout; require build_status == "executed"; pod status logic updated to treat "executed" as non-pod and to use "executing" instead of "running"; tests updated accordingly.
Pod status enum hub_adapter/models/podorc.py	PodStatus enum: removed RUNNING/FINISHED, added EXECUTING/EXECUTED, STUCK repositioned — affects any comparisons or status ordering.
API metadata & routes hub_adapter/server.py, hub_adapter/routers/storage.py, hub_adapter/routers/hub.py	FastAPI metadata updated (title, description, contact, servers); default deploy port changed to 5000; added Storage tag; storage delete route path trimmed (/local/ → /local); accept_reject_analysis_node signature changed to use ProjectNodeApprovalStatus (removed AnalysisNodeApprovalStatus import).
Tests & fixtures tests/constants.py, tests/conftest.py, tests/router_tests/test_meta.py, tests/test_auth.py	Tests migrated to client_id naming (TEST_MOCK_NODE_CLIENT_ID), AnalysisNode imports switched to flame_hub.models, added MOCK_ANALYSIS/MOCK_ANALYSIS_NODE, reworked ANALYSIS_NODES_RESP, updated expected statuses/URLs and removed/adjusted obsolete imports.
Packaging / tooling pyproject.toml	Bumped flame-hub-client to ^0.2.12, adjusted ruff dev dependency, downgraded package version, and removed ruff formatting config block.
Misc test / config data docker/test-realm.json	hub-adapter client rootUrl/adminUrl updated from http://localhost:8081/ → http://localhost:5000/.

Sequence Diagram(s)

(Skipped — changes are refactors, renames, metadata and tests updates, not a new multi-component sequential flow requiring visualization.)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Improve event logging #133 — overlapping edits to hub_adapter/autostart.py and autostart/status handling.

Poem

🐇 I swapped my robot hat for a client so spry,

Execution hops in place of running by and by,
Docs, tests, and enums danced to a new beat,
Ports turned to five thousand — a tiny, bright feat,
Carrots for CI, and a hop of delight.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title only addresses response models but the changeset includes significant authentication refactoring, environment variable updates, API endpoint changes, and status terminology updates across multiple files.	Revise the title to reflect the primary changes, such as: 'Refactor hub authentication and update analysis status models' or 'Update authentication credentials and analysis hub response models'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 86.36% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 112-update-analysis-hub-response-models

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

hub_adapter/routers/hub.py (1)

69-69: ⚠️ Potential issue | 🔴 Critical

Pre-existing security risk: eval() on user-supplied query parameter.

eval(page_params) can execute arbitrary Python code if a malicious string is passed as the page query parameter. This is a code injection vulnerability. Consider replacing with json.loads() or a safer parser.

🔒 Proposed fix

+import json
+
 ...
 
     if page_params:
-        page_param_dict: dict = eval(page_params)
+        page_param_dict: dict = json.loads(page_params)
         limit = page_param_dict.get("limit") or 50
         offset = page_param_dict.get("offset") or 0
         formatted_query_params["page"] = {"limit": limit, "offset": offset}

tests/test_dependencies.py (1)

192-206: ⚠️ Potential issue | 🟠 Major

Assertions inside pytest.raises context managers may be silently skipped.

Lines 195-196, 205-206, and 213-214 place assert statements inside with pytest.raises(...) blocks after the call that raises. Once the exception is raised, the remaining lines in the with block are skipped. These assertions will never execute.

Move assertions outside the with block using the as alias (already captured in some cases, e.g., badUser), similar to how it's done in test_hub_auth_flow (lines 93-94).

🐛 Example fix for lines 192-196

-        with pytest.raises(HTTPException) as err:
-            get_registry_metadata_for_url(TEST_MOCK_NODE, self.cc)
-
-            assert err.value.status_code == status.HTTP_400_BAD_REQUEST
-            assert err.value.detail["message"] == "No external name for node found"
+        with pytest.raises(HTTPException) as err:
+            get_registry_metadata_for_url(TEST_MOCK_NODE, self.cc)
+
+        assert err.value.status_code == status.HTTP_400_BAD_REQUEST
+        assert err.value.detail["message"] == "No external name for node found"

The same pattern needs to be fixed for the blocks at lines 202-206, 210-214, and 150-154.

hub_adapter/dependencies.py (1)

243-252: ⚠️ Potential issue | 🟡 Minor

Updated error message is semantically inaccurate.

The error at line 247 fires when account_name or account_secret is missing from the registry project. The message "Unable to retrieve node client ID or secret from the registry" conflates registry account credentials with node client credentials (HUB_NODE_CLIENT_ID/HUB_NODE_CLIENT_SECRET), which are unrelated. A more precise message would be something like "Unable to retrieve registry account credentials."

📝 Suggested message fix

-                "message": "Unable to retrieve node client ID or secret from the registry",
+                "message": "Unable to retrieve registry account name or secret",

🤖 Fix all issues with AI agents

In `@pyproject.toml`:
- Line 14: The pyproject dependency constraint for flame-hub-client is incorrect
(references nonexistent 0.2.11); update the version specifier in pyproject.toml
for the flame-hub-client dependency from "^0.2.11" to "^0.2.10" so the project
uses the latest available release and resolves installation failures.

🧹 Nitpick comments (4)

hub_adapter/errors.py (1)

162-173: Consider using logger.exception instead of logger.error to capture the traceback.

When catching pydantic.ValidationError, the traceback is valuable for debugging which field/model failed validation. logger.exception automatically includes it.

Proposed fix

         except pydantic.ValidationError as e:
-            logger.error(f"Pydantic type error: {e.errors()}")
+            logger.exception(f"Pydantic type error: {e.errors()}")
 
             raise HubTypeError(

tests/constants.py (1)

56-102: Test data centralization is a good refactor. Consider using distinct UUIDs for different fields.

The same UUID (ac776c7f-...) is reused for id, realm_id, user_id, analysis_realm_id, and node_realm_id. While this works for current tests, it could mask bugs where the wrong field is accidentally used (e.g., analysis_realm_id instead of id). Using distinct UUIDs for semantically different fields would make tests more robust.

tests/test_dependencies.py (1)

11-11: Importing from a private module (_auth_flows) is fragile.

ClientAuth is only available from the private flame_hub._auth_flows module—it is not re-exported from public APIs like flame_hub or flame_hub.models. This applies to both the test file and hub_adapter/dependencies.py (line 16). Since flame_hub is a pinned dependency with ^0.2.11 allowance for minor updates, internal module reorganization in a future version could break these imports.

Consider whether ClientAuth could be inferred from type stubs, documentation, or future library updates that expose it publicly.

hub_adapter/dependencies.py (1)

16-17: ClientAuth is imported from a private module.

flame_hub._auth_flows is a private module (indicated by the leading underscore in the module name). The flame-hub-client library's public API exposes authentication via PasswordAuth and RobotAuth instead. When flame-hub updates its API to expose ClientAuth publicly, prefer importing from the public path to avoid breaking changes.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/conftest.py (1)

1-1: ⚠️ Potential issue | 🟠 Major

Pipeline failure: missing node_event_logging dependency.

The CI is failing with ImportError: failed to import hub_adapter.server due to missing dependency 'node_event_logging'. This is likely unrelated to the auth migration but will block merging.

🤖 Fix all issues with AI agents

In `@hub_adapter/errors.py`:
- Around line 33-35: The file defines HubTypeError twice which shadows the
original class used by catch_hub_errors; remove the duplicate class definition
so only the first HubTypeError (subclassing HTTPException) remains and ensure
catch_hub_errors continues to reference that single definition (no other symbol
changes required).

🧹 Nitpick comments (1)

hub_adapter/dependencies.py (1)

48-48: Stale docstring still references "robot token".

The docstring says "getting a robot token from the central Hub service" but this function now uses ClientAuth with node client credentials.

Proposed fix

-    """Automated method for getting a robot token from the central Hub service."""
+    """Automated method for getting a client token from the central Hub service."""

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pyproject.toml`:
- Line 29: Update the ruff version constraint in pyproject.toml: replace the
incorrect "ruff = \"^0.1.8\"" with the correct modern constraint (e.g., "ruff =
\"^0.15.0\"" or at minimum the previous "0.14.x" line) so the dependency
resolves to the current ruff 0.x release; locate the ruff entry in
pyproject.toml and change the version string accordingly.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@hub_adapter/server.py`:
- Line 143: The default port was changed in the deploy function (async def
deploy(host: str = "127.0.0.1", port: int = 5000, reload: bool = False)) but
documentation and test artifacts still reference 8081; update README.md to use
http://127.0.0.1:5000, update tests/constants.py to replace all occurrences of
http://localhost:8081/ (lines noted in the review) with http://localhost:5000/
(or use the deploy default via a shared constant/env var), and adjust
docker/test-realm.json entries that embed port 8081 to 5000 (or make them
configurable) so docs/tests match the new deploy default.

🧹 Nitpick comments (1)

hub_adapter/server.py (1)

60-76: Consider making servers configurable and using an organizational email.

Two minor observations:

1. Hardcoded server URL (line 71): http://localhost:5000 is fine for local dev, but in deployed environments this will appear in the OpenAPI spec and could confuse consumers. Consider populating this from settings or omitting it so FastAPI defaults to the request's origin.

2. Personal email in contact (line 64): Using a personal Gmail in public API metadata may not age well if maintainership changes. Consider using a project or organization email.