Optimize email query with composite index and fix Starlette CVE#574
Optimize email query with composite index and fix Starlette CVE#574seonghobae wants to merge 21 commits into
Conversation
* Add rust compiler and build-essential to Github Actions app-ci.yml to build tiktoken/asyncpg wheels for Python 3.14. * Add rust compiler (via curl rustup) to Dockerfile.
|
Warning Review limit reached
More reviews will be available in 16 minutes and 27 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (12)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
PR governance metadata gate is not ready for
|
|
@copilot resolve the merge conflicts in this pull request |
|
@seonghobae I'm unable to start working on this because of repository rules that prevent me from pushing to the branch:
See the documentation for more details. |
There was a problem hiding this comment.
Pull request overview
This PR hardens runtime secret validation, improves email-query performance via a new composite index, and updates the project’s Python/tooling baseline (Docker + CI) for Python 3.14 alongside dependency upgrades.
Changes:
- Added a composite
(user_id, organization_id, date)index foremailsand validated it via bootstrap/modeled-index tests. - Strengthened
AUTH_SESSION_HMAC_SECRETvalidation with a low-entropy pattern check and corresponding tests. - Upgraded runtime/CI to Python 3.14 and updated backend dependencies; added Rust build tooling for packages requiring compilation.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Dockerfile | Bumps base image to Python 3.14 and installs Rust + build deps for compiling Python packages. |
| .github/workflows/app-ci.yml | Updates CI to Python 3.14 and installs build tooling (incl. Rust) before pip install. |
| backend/requirements.txt | Updates key dependencies for Python 3.14; introduces httpx2. |
| backend/core/runtime_secrets.py | Adds entropy-based validation to reject low-entropy HMAC secrets. |
| backend/tests/test_config.py | Adds parametrized tests asserting low-entropy secrets are rejected in production settings. |
| backend/db/models.py | Declares the new ix_emails_owner_date composite index on the Email model. |
| backend/scripts/bootstrap_db.py | Ensures schema backfill creates the composite emails index in existing DBs. |
| backend/tests/test_bootstrap_db.py | Adds assertions verifying bootstrap SQL includes the new index and the model declares it. |
| backend/tests/test_tenant_config_model.py | Disposes SQLAlchemy engine after fixture use to improve resource cleanup. |
| backend/tests/test_dav_api.py | Refactors route dependency assertion logic for DAV routes (currently incorrect). |
| backend/tests/test_runner_ws_api.py | Refactors route dependency assertion logic for runner WS routes (currently incorrect). |
| .jules/bolt.md | Documents the email index optimization rationale and intended impact. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Closed as superseded by #591. This PR used the repository master branch as its head and carried a broad stale stack: Python 3.14/runtime/dependency/security-test changes are already present or newer on develop, and live Dependabot alerts only show the undici issues handled by #590. The still-useful email owner/date index has been replayed into the focused develop-based #591. |
This pull request introduces several important improvements across the codebase, focusing on security hardening, database performance optimizations, dependency updates for Python 3.14 compatibility, and improved test coverage. The most notable changes are the introduction of a composite database index for faster email queries, stricter validation for authentication secrets, and upgrades to Python and key dependencies.
Database performance and schema:
emails(user_id,organization_id,date) to optimize common inbox and missing replies queries, with corresponding migration and test coverage. This significantly reduces query time and eliminates unnecessary sorting in Python. (backend/db/models.py[1]backend/scripts/bootstrap_db.py[2]backend/tests/test_bootstrap_db.py[3] [4].jules/bolt.md[5]Security improvements:
AUTH_SESSION_HMAC_SECRETby adding an entropy check to block low-entropy secrets (e.g., repeated or simple patterns), ensuring secrets are both long and random. Includes new tests for this logic. (backend/core/runtime_secrets.py[1] [2] [3]backend/tests/test_config.py[4]Python and dependency upgrades:
Dockerfile[1].github/workflows/app-ci.yml[2]fastapi,sqlalchemy,asyncpg,pytest-asyncio,tiktoken, and others. (backend/requirements.txtbackend/requirements.txtL1-R23)Testing and code quality:
backend/tests/test_tenant_config_model.pybackend/tests/test_tenant_config_model.pyR38)backend/tests/test_dav_api.py[1]backend/tests/test_runner_ws_api.py[2]