From a08bd1684fb345f1c0764cb6f85fd7da56b4794e Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 18 Jun 2026 22:30:13 +0200 Subject: [PATCH] Add ISSUE_CORE_API_KEY auth to IssueCoreRestSink Issue-core requires a shared ingestion key on POST /issues/. The REST sink now sends Authorization: Bearer using ISSUE_CORE_API_KEY and fails fast when the key is missing under ISSUE_SINK_TYPE=rest. Updates .env.example, emission boundary docs, and unit tests for the header contract and missing-key error. --- .env.example | 4 +++- docs/issue-core-emission-boundary.md | 6 +++-- src/activity_core/issue_sink.py | 34 ++++++++++++++++++++++++---- tests/test_issue_sink.py | 20 +++++++++++++++- 4 files changed, 56 insertions(+), 8 deletions(-) diff --git a/.env.example b/.env.example index f58b2d4..0e078b9 100644 --- a/.env.example +++ b/.env.example @@ -18,7 +18,9 @@ STATE_HUB_URL=http://127.0.0.1:8000 # Repo scoping — used by the repo-scoping context adapter. Binds {} on failure. REPO_SCOPING_URL=http://127.0.0.1:8020 # Issue Core — task emission backend. -ISSUE_CORE_URL=http://127.0.0.1:8010 +ISSUE_CORE_URL=http://127.0.0.1:8765 +# Shared ingestion key — must match issue-core's ISSUE_CORE_API_KEY. +ISSUE_CORE_API_KEY= # Sink type: 'rest' (POST to issue-core) or 'null' (discard, for dry-run). ISSUE_SINK_TYPE=rest diff --git a/docs/issue-core-emission-boundary.md b/docs/issue-core-emission-boundary.md index e2bdb6e..f4b8d28 100644 --- a/docs/issue-core-emission-boundary.md +++ b/docs/issue-core-emission-boundary.md @@ -11,7 +11,9 @@ The current authoritative boundary is the issue-core REST API: POST {ISSUE_CORE_URL}/issues/ ``` -`IssueCoreRestSink` sends this payload: +`IssueCoreRestSink` authenticates with the shared `ISSUE_CORE_API_KEY` env var +(same value as the issue-core server) via `Authorization: Bearer ` and +sends this payload: ```json { @@ -52,7 +54,7 @@ task reference before it can replace `IssueCoreRestSink`. Weekly SBOM staleness is safe to evaluate in dry-run mode because the rule contract is deterministic and tested. Do not enable it against the real REST sink -until issue-core credentials, endpoint reachability, and duplicate-handling are +until `ISSUE_CORE_API_KEY`, endpoint reachability, and duplicate-handling are verified in the target environment. ## Verification diff --git a/src/activity_core/issue_sink.py b/src/activity_core/issue_sink.py index 3c978d3..f9dccd4 100644 --- a/src/activity_core/issue_sink.py +++ b/src/activity_core/issue_sink.py @@ -20,7 +20,8 @@ from activity_core.rules.models import TaskRef, TaskSpec logger = logging.getLogger(__name__) -ISSUE_CORE_URL = os.environ.get("ISSUE_CORE_URL", "http://127.0.0.1:8010") +ISSUE_CORE_URL = os.environ.get("ISSUE_CORE_URL", "http://127.0.0.1:8765") +ISSUE_CORE_API_KEY_ENV = "ISSUE_CORE_API_KEY" ISSUE_SINK_TYPE = os.environ.get("ISSUE_SINK_TYPE", "rest") @@ -30,10 +31,30 @@ class IssueSink(ABC): class IssueCoreRestSink(IssueSink): - """POSTs to issue-core REST API. Config: ISSUE_CORE_URL env var.""" + """POSTs to issue-core REST API. - def __init__(self, base_url: str = ISSUE_CORE_URL) -> None: + Config: ISSUE_CORE_URL and ISSUE_CORE_API_KEY env vars (shared key with + the issue-core server). + """ + + def __init__( + self, + base_url: str = ISSUE_CORE_URL, + api_key: str | None = None, + ) -> None: self._base_url = base_url.rstrip("/") + if api_key is not None: + self._api_key = api_key.strip() + else: + self._api_key = os.environ.get(ISSUE_CORE_API_KEY_ENV, "").strip() + + def _auth_headers(self) -> dict[str, str]: + if not self._api_key: + raise RuntimeError( + f"{ISSUE_CORE_API_KEY_ENV} is not set. " + "Required when ISSUE_SINK_TYPE=rest." + ) + return {"Authorization": f"Bearer {self._api_key}"} def emit(self, task_spec: TaskSpec) -> TaskRef: payload = { @@ -48,7 +69,12 @@ class IssueCoreRestSink(IssueSink): "triggering_event_id": task_spec.triggering_event_id, "activity_definition_id": task_spec.activity_definition_id, } - resp = httpx.post(f"{self._base_url}/issues/", json=payload, timeout=10.0) + resp = httpx.post( + f"{self._base_url}/issues/", + json=payload, + headers=self._auth_headers(), + timeout=10.0, + ) resp.raise_for_status() data = resp.json() return TaskRef( diff --git a/tests/test_issue_sink.py b/tests/test_issue_sink.py index 9a6c35e..2c38da0 100644 --- a/tests/test_issue_sink.py +++ b/tests/test_issue_sink.py @@ -34,7 +34,7 @@ def test_issue_core_rest_sink_posts_task_contract(monkeypatch) -> None: monkeypatch.setattr(httpx, "post", fake_post) - ref = IssueCoreRestSink("http://issue-core.test/").emit(TaskSpec( + ref = IssueCoreRestSink("http://issue-core.test/", api_key="test-key").emit(TaskSpec( title="Run SBOM rescan for activity-core", description="SBOM is older than 30 days.", target_repo="activity-core", @@ -67,12 +67,30 @@ def test_issue_core_rest_sink_posts_task_contract(monkeypatch) -> None: "triggering_event_id": "scheduled", "activity_definition_id": "activity-1", }, + "headers": {"Authorization": "Bearer test-key"}, "timeout": 10.0, } ] assert "review_required" not in posts[0]["json"] +def test_issue_core_rest_sink_requires_api_key() -> None: + sink = IssueCoreRestSink("http://issue-core.test/", api_key="") + with pytest.raises(RuntimeError, match="ISSUE_CORE_API_KEY"): + sink.emit(TaskSpec( + title="t", + description="", + target_repo="activity-core", + priority="low", + labels=[], + due_in_days=None, + source_type="rule", + source_id="r", + triggering_event_id="e", + activity_definition_id="a", + )) + + @pytest.mark.asyncio async def test_emit_tasks_raises_when_sink_fails(monkeypatch) -> None: class FailingSink: