release: 0.9.0-beta.153 — ship the stranded June 12 fixes (#252–#256)#265
Merged
Conversation
* Fix #255: Validate and sanitize BookDB response data * Bump version to 0.9.0-beta.153 for integration security fixes * Add CHANGELOG entries for 0.9.0-beta.152 and 0.9.0-beta.153 --------- Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
BookDB can return server_notice with action=abort_task to signal LM should stop processing. This was handled in search_bookdb() but not in identify_audio_with_bookdb(). Added server_notice handling in three places: the initial submit response, the poll completion response, and the final result data (covers old sync path and acts as catch-all). Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
- Changed bookdb min_delay from 3.6s (1000/hr) to 12.0s (300/hr) to match the actual API key tier limit - Added adaptive rate limiting: when BookDB returns a 429 with Retry-After header, min_delay is increased to match the server's requested pace - Added specific 429 handling to identify_audio_with_bookdb() which previously fell through to the generic non-200 handler Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
Map BookDB sl_source field to differentiated source names so the BookProfile weights transcript-only and web-scraped results lower than verified database matches. - bookdb_audio (weight 65): database match, highest trust - bookdb_transcript (weight 55): Whisper transcript only - bookdb_scrape (weight 45): live web scrape, lowest trust Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
- Add generate_nonce() function returning UUID4 hex string - Make nonce optional in generate_signature() and verify_signature() for backwards compatibility with older Skaldleita versions - Update get_signed_headers() in bookdb.py to include X-LM-Nonce - Reduce TIMESTAMP_TOLERANCE from 300s to 120s (2 minutes) Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
Co-authored-by: deucebucket <deucebucket@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes the five fixes that were merged to develop on 2026-06-12 at 09:48 — 26 minutes after the beta.152 main cut — and have been stranded on develop since:
Verification (2026-07-14, full audit before promotion)
get_signed_headers()+ API key → HTTP 200 with results; keyless + nonce headers → clean 401 (no server error).Merging this closes #252, #253, #254, #255, #256 via the commit messages. #264's remaining straggler call sites are NOT in this batch and stay open.