fix: address review findings in dynamic tool list PR

claude · claude · commit aa06ada6dfc1 · 2026-03-08T19:07:46.000Z
- Fix get_blocked_tools docstring: says "concurrently" but checks run sequentially (two awaits, no asyncio.gather) - Fix _viewer_credentials docstring: says users.update, should be users.update_role - Broaden _login retry to catch httpx.RequestError alongside RuntimeError for network errors and timeouts - Add comment explaining why viewer E2E tests skip on Outline 1.5.0 (users.update_role invalidates API keys) https://claude.ai/code/session_0122umEU4tP9VMzCTrV6SdZN
diff --git a/src/mcp_outline/features/dynamic_tools/filtering.py b/src/mcp_outline/features/dynamic_tools/filtering.py
@@ -190,7 +190,7 @@ async def get_blocked_tools(
 ) -> set[str]:
     """Return tool names *api_key* cannot access.
 
-    Performs two independent checks **concurrently** (results
+    Performs two independent checks sequentially (results
     unioned):
 
     1. ``auth.info`` — blocks tools by user role via ``min_role``
diff --git a/tests/e2e/conftest.py b/tests/e2e/conftest.py
@@ -124,7 +124,7 @@ def _login(
     for attempt in range(retries):
         try:
             return _login_once(email, password)
-        except RuntimeError as exc:
+        except (RuntimeError, httpx.RequestError) as exc:
             last_exc = exc
             if attempt < retries - 1:
                 time.sleep(2 * (attempt + 1))
@@ -437,7 +437,7 @@ def _viewer_credentials(outline_stack, _outline_credentials):
     """Log in as ``user@example.com`` and set role to viewer.
 
     Uses the admin session token to demote the second Dex user
-    to ``viewer`` via ``users.update``.  Returns
+    to ``viewer`` via ``users.update_role``.  Returns
     ``(full_access_key, scoped_keys, access_token)``.
 
     **Order matters**: all API keys must be created *before*
diff --git a/tests/e2e/test_dynamic_tool_list.py b/tests/e2e/test_dynamic_tool_list.py
@@ -532,6 +532,12 @@ async def test_http_header_filters_tools(
 # -------------------------------------------------------------------
 
 # READ_TOOLS (viewer tools) already computed by _build_expected_tools()
+#
+# NOTE: These tests are skipped on Outline 1.5.0 because
+# ``users.update_role`` invalidates existing API keys.  The
+# ``_viewer_credentials`` fixture detects this and calls
+# ``pytest.skip``.  Role-based filtering is still covered by
+# unit tests in ``tests/features/test_dynamic_tools.py``.
 
 
 async def test_viewer_full_access_key_blocks_writes(
