Skip to content

Harden runtime validation and HTTP behavior#39

Draft
krotname wants to merge 1 commit into
mainfrom
agent/harden-runtime-validation
Draft

Harden runtime validation and HTTP behavior#39
krotname wants to merge 1 commit into
mainfrom
agent/harden-runtime-validation

Conversation

@krotname

Copy link
Copy Markdown
Owner

Summary

  • validate runtime token, endpoint, timeout, and server-port inputs with clear CLI errors
  • serialize DaData requests safely, apply connection timeouts, and distinguish unknown company statuses from known inactive states
  • parse health payloads structurally and require exact embedded-server routes and supported methods
  • make the UI server restartable, release its executor/socket cleanly, and render UNKNOWN as a warning rather than success
  • align OpenAPI, architecture, README, and container license metadata with the runtime contract
  • expand boundary, integration, lifecycle, payload, and mutation-focused coverage

Root causes

Several edge cases were handled permissively: unknown DaData values were collapsed into NOT_ACTIVE, resource endpoint overrides were ignored, request JSON was assembled with string formatting, health checks accepted a matching substring, and JDK HttpServer prefix routing exposed unintended paths. Server startup/stop also did not own the virtual-thread executor lifecycle.

During review, the newly reachable UNKNOWN state exposed a UI regression because it inherited the default green status style. The existing mutation suite also scored 79%, below the configured 80% gate, because request and boundary behavior was not asserted precisely enough.

Impact

Configuration failures now fail clearly, downstream requests are safely encoded and bounded by timeouts, unsupported paths/methods return deterministic errors, lifecycle resources are released, and future DaData statuses no longer appear inactive or visually successful.

Validation

  • Hermetic full verify: 83 tests passed, Checkstyle 0 violations, JaCoCo gate passed, SpotBugs 0 findings
  • Hermetic PIT mutation gate: 84% (183/218), threshold 80%
  • Main sources compile with Java 21
  • git diff --check passed
  • Secret scan found only documented placeholders/test fixtures

Local Maven was kept offline. It used cached compatible overrides JUnit 6.1.0, CycloneDX 2.9.1, and PIT 1.25.4 because the exact current artifacts were not cached. CycloneDX SBOM generation is skipped by that offline mode. GitHub CI will validate the committed current versions, SBOM, Docker image, smoke test, and security workflows. Local Docker was unavailable (daemon query timed out).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant