FIX: Tighten CLI backend health-check validation#2209
Open
romanlutz wants to merge 1 commit into
Open
Conversation
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 52d2518d-ebe5-4888-8189-6146b6503448
adrian-gavrila
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The CLI's backend readiness probe (
PyRITApiClient.health_check_async) previously treated any HTTP 200 from/api/healthas "backend ready." That check is too loose: an unrelated process listening on the same host/port can return 200 and be mistaken for a live PyRIT backend, so the CLI could happily proceed against the wrong server.This tightens the probe to confirm the responder's identity, not just its status code. After verifying the response is 200, it parses the JSON payload and requires both
status == "healthy"andservice == "pyrit-backend"before reporting the backend as ready. A non-200 response, or a 200 from any other service (mismatched or missing fields), now correctly reports "not ready." Connection errors continue to be handled as before.Tests and Documentation
Tests:
tests/unit/cli/test_api_client.pytest_health_check_returns_true_on_200now returns the identifying payload (status/service) so the stricter check passes.test_health_check_returns_false_for_unrelated_serviceasserts a 200 from a different service ({"status": "ok", "service": "another-service"}) is rejected.test_health_check_returns_false_on_non_200is unchanged.uv run pytest tests/unit/cli/test_api_client.py -q-> 30 passed.Documentation: No doc or notebook changes; this is a client-side behavior fix covered by the unit tests above. I also ran
uv run jupytext --execute --to notebook doc/scanner/1_pyrit_scan.pyand saw no regression attributable to this change.