You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The _resolve_context method opens a KnowledgeStore connection inside the synchronous _handle method, but the SQLite store path is a class-level default (exports/knowledge.sqlite). If the store is concurrently written by another process (e.g., a generator run) between the heartbeat and the context assembly, the context pack output could differ between runs with identical inputs. This breaks the byte-stable regeneration guarantee required by export --check and the loop's volatile-churn detection. The store should be opened once at worker startup or the connection should be held read-only for the duration of the cycle.
In _stage_learning_proposal, the event_type is extracted from envelope.payload.get("event_type") and validated against allowed_event_types, but the producer field in the learning event is hardcoded from the profile lookup (producer, allowed_event_types = profile). The caller can supply a producer in the payload that conflicts with the derived producer. If the caller's payload contains "producer": "engineering_loop" while the source loop is soc, the event will be staged with the wrong producer. This could allow a SOC loop to masquerade as an engineering loop in the learning ledger.
The _write_proposal method uses a temporary file with os.replace for atomic writes, but the collision check (if target.exists()) and the write are not atomic. If two concurrent worker instances process the same proposal (e.g., due to a coordinator re-delivery), both could pass the existence check, write different temporary files, and the second os.replace would silently overwrite the first. This could lead to data loss or inconsistent proposal states. The collision check should be inside the exclusive file creation.
The HandoffEnvelope may not always have a risk_level attribute. If it is missing, this will raise an AttributeError. Use getattr with a safe default to avoid crashes when the field is absent.
Why: The suggestion adds defensive access for the risk_level attribute, but in this PR the HandoffEnvelope is consistently expected to have that field, so it's a low-impact precaution. Score capped for error handling suggestions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Safety boundaries
Validation