Refactor test cases for improved readability and consistency

- Updated test cases in `test_bindings.py` to enhance YAML formatting and readability.
- Refactored test cases in `test_decorator.py` for better code organization and clarity.
- Improved formatting in `test_executor.py` and added thread safety tests for async operations.
- Enhanced async test cases in `test_executor_async.py` for better readability.
- Refactored integration tests in `test_integration_executor.py` for consistency in method signatures.
- Improved middleware tests in `test_middleware.py` and `test_middleware_manager.py` for clarity and consistency.
- Updated public API tests in `test_public_api.py` for better readability and consistency.
- Enhanced redaction tests in `test_redaction.py` for improved clarity.
- Bumped version in `uv.lock` from 0.1.0 to 0.1.1.

Author: tercel

.gitignore

@@ -10,6 +10,7 @@ build/
 .DS_Store
 .ruff_cache/
 .pytest_cache/
+.coverage
 .venv/
 venv/
 env/

CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.1] - 2026-02-14
+
+### Fixed
+
+#### Thread Safety
+- **MiddlewareManager** - Added internal locking and snapshot pattern; `add()`, `remove()`, `execute_before()`, `execute_after()` are now thread-safe
+- **Executor** - Added lock to async module cache; use `snapshot()` for middleware iteration in `call_async()` and `middlewares` property
+- **ACL** - Internally synchronized; `check()`, `add_rule()`, `remove_rule()`, `reload()` are now safe for concurrent use
+- **Registry** - Extended existing `RLock` to cover all read paths (`get`, `has`, `count`, `module_ids`, `list`, `iter`, `get_definition`, `on`, `_trigger_event`, `clear_cache`)
+
+#### Memory Leak
+- **InMemoryExporter** - Replaced unbounded `list` with `collections.deque(maxlen=10_000)` and added `threading.Lock` for thread-safe access
+
+#### Robustness
+- **TracingMiddleware** - Added empty span stack guard in `after()` and `on_error()` to log a warning instead of raising `IndexError`
+- **Executor** - Set `daemon=True` on timeout and async bridge threads to prevent blocking process exit
+
+### Changed
+
+- **Context.child()** - Added docstring clarifying that `data` is intentionally shared between parent and child for middleware state propagation
+
 ## [0.1.0] - 2026-02-13
 
 ### Added
@@ -60,4 +81,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+[0.1.1]: https://github.com/aipartnerup/apcore-python/releases/tag/v0.1.1
 [0.1.0]: https://github.com/aipartnerup/apcore-python/releases/tag/v0.1.0

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "apcore"
-version = "0.1.0"
+version = "0.1.1"
 description = "Schema-driven module development framework for AI-perceivable interfaces"
 readme = "README.md"
 requires-python = ">=3.11"

src/apcore/acl.py

@@ -8,6 +8,7 @@
 
 import logging
 import os
+import threading
 from dataclasses import dataclass
 from typing import Any
 
@@ -41,9 +42,8 @@ class ACL:
     Implements PROTOCOL_SPEC section 6 for module access control.
 
     Thread safety:
-        - check() is read-only and fully thread-safe for concurrent calls.
-        - add_rule(), remove_rule(), and reload() mutate the rules list and
-          require external locking if called concurrently with check().
+        Internally synchronized. All public methods (check, add_rule,
+        remove_rule, reload) are safe to call concurrently.
     """
 
     def __init__(self, rules: list[ACLRule], default_effect: str = "deny") -> None:
@@ -58,6 +58,7 @@ def __init__(self, rules: list[ACLRule], default_effect: str = "deny") -> None:
         self._yaml_path: str | None = None
         self.debug: bool = False
         self._logger: logging.Logger = logging.getLogger("apcore.acl")
+        self._lock = threading.Lock()
 
     @classmethod
     def load(cls, yaml_path: str) -> ACL:
@@ -83,37 +84,49 @@ def load(cls, yaml_path: str) -> ACL:
                 raise ACLRuleError(f"Invalid YAML in {yaml_path}: {e}") from e
 
         if not isinstance(data, dict):
-            raise ACLRuleError(f"ACL config must be a mapping, got {type(data).__name__}")
+            raise ACLRuleError(
+                f"ACL config must be a mapping, got {type(data).__name__}"
+            )
 
         if "rules" not in data:
             raise ACLRuleError("ACL config missing required 'rules' key")
 
         raw_rules = data["rules"]
         if not isinstance(raw_rules, list):
-            raise ACLRuleError(f"'rules' must be a list, got {type(raw_rules).__name__}")
+            raise ACLRuleError(
+                f"'rules' must be a list, got {type(raw_rules).__name__}"
+            )
 
         default_effect: str = data.get("default_effect", "deny")
         rules: list[ACLRule] = []
 
         for i, raw_rule in enumerate(raw_rules):
             if not isinstance(raw_rule, dict):
-                raise ACLRuleError(f"Rule {i} must be a mapping, got {type(raw_rule).__name__}")
+                raise ACLRuleError(
+                    f"Rule {i} must be a mapping, got {type(raw_rule).__name__}"
+                )
 
             for key in ("callers", "targets", "effect"):
                 if key not in raw_rule:
                     raise ACLRuleError(f"Rule {i} missing required key '{key}'")
 
             effect = raw_rule["effect"]
             if effect not in ("allow", "deny"):
-                raise ACLRuleError(f"Rule {i} has invalid effect '{effect}', must be 'allow' or 'deny'")
+                raise ACLRuleError(
+                    f"Rule {i} has invalid effect '{effect}', must be 'allow' or 'deny'"
+                )
 
             callers = raw_rule["callers"]
             if not isinstance(callers, list):
-                raise ACLRuleError(f"Rule {i} 'callers' must be a list, got {type(callers).__name__}")
+                raise ACLRuleError(
+                    f"Rule {i} 'callers' must be a list, got {type(callers).__name__}"
+                )
 
             targets = raw_rule["targets"]
             if not isinstance(targets, list):
-                raise ACLRuleError(f"Rule {i} 'targets' must be a list, got {type(targets).__name__}")
+                raise ACLRuleError(
+                    f"Rule {i} 'targets' must be a list, got {type(targets).__name__}"
+                )
 
             rules.append(
                 ACLRule(
@@ -147,7 +160,11 @@ def check(
         """
         effective_caller = "@external" if caller_id is None else caller_id
 
-        for rule in self._rules:
+        with self._lock:
+            rules = list(self._rules)
+            default_effect = self._default_effect
+
+        for rule in rules:
             if self._matches_rule(rule, effective_caller, target_id, context):
                 decision = rule.effect == "allow"
                 self._logger.debug(
@@ -159,7 +176,7 @@ def check(
                 )
                 return decision
 
-        default_decision = self._default_effect == "allow"
+        default_decision = default_effect == "allow"
         self._logger.debug(
             "ACL check: caller=%s target=%s decision=%s rule=default",
             caller_id,
@@ -168,7 +185,9 @@ def check(
         )
         return default_decision
 
-    def _match_pattern(self, pattern: str, value: str, context: Context | None = None) -> bool:
+    def _match_pattern(
+        self, pattern: str, value: str, context: Context | None = None
+    ) -> bool:
         """Match a single pattern against a value, with special pattern handling.
 
         Handles @external and @system patterns locally, delegates all
@@ -177,7 +196,11 @@ def _match_pattern(self, pattern: str, value: str, context: Context | None = Non
         if pattern == "@external":
             return value == "@external"
         if pattern == "@system":
-            return context is not None and context.identity is not None and context.identity.type == "system"
+            return (
+                context is not None
+                and context.identity is not None
+                and context.identity.type == "system"
+            )
         return match_pattern(pattern, value)
 
     def _matches_rule(
@@ -194,11 +217,15 @@ def _matches_rule(
         2. At least one target pattern matches the target (OR logic).
         3. If conditions are present, they must all be satisfied.
         """
-        caller_match = any(self._match_pattern(p, caller, context) for p in rule.callers)
+        caller_match = any(
+            self._match_pattern(p, caller, context) for p in rule.callers
+        )
         if not caller_match:
             return False
 
-        target_match = any(self._match_pattern(p, target, context) for p in rule.targets)
+        target_match = any(
+            self._match_pattern(p, target, context) for p in rule.targets
+        )
         if not target_match:
             return False
 
@@ -208,7 +235,9 @@ def _matches_rule(
 
         return True
 
-    def _check_conditions(self, conditions: dict[str, Any], context: Context | None) -> bool:
+    def _check_conditions(
+        self, conditions: dict[str, Any], context: Context | None
+    ) -> bool:
         """Evaluate conditional rule parameters against the execution context.
 
         Returns False if any condition is not satisfied.
@@ -217,7 +246,10 @@ def _check_conditions(self, conditions: dict[str, Any], context: Context | None)
             return False
 
         if "identity_types" in conditions:
-            if context.identity is None or context.identity.type not in conditions["identity_types"]:
+            if (
+                context.identity is None
+                or context.identity.type not in conditions["identity_types"]
+            ):
                 return False
 
         if "roles" in conditions:
@@ -238,7 +270,8 @@ def add_rule(self, rule: ACLRule) -> None:
         Args:
             rule: The ACLRule to add.
         """
-        self._rules.insert(0, rule)
+        with self._lock:
+            self._rules.insert(0, rule)
 
     def remove_rule(self, callers: list[str], targets: list[str]) -> bool:
         """Remove the first rule matching the given callers and targets.
@@ -250,20 +283,24 @@ def remove_rule(self, callers: list[str], targets: list[str]) -> bool:
         Returns:
             True if a rule was found and removed, False otherwise.
         """
-        for i, rule in enumerate(self._rules):
-            if rule.callers == callers and rule.targets == targets:
-                self._rules.pop(i)
-                return True
-        return False
+        with self._lock:
+            for i, rule in enumerate(self._rules):
+                if rule.callers == callers and rule.targets == targets:
+                    self._rules.pop(i)
+                    return True
+            return False
 
     def reload(self) -> None:
         """Re-read the ACL from the original YAML file.
 
         Only works if the ACL was created via ACL.load().
         Raises ACLRuleError if no YAML path was stored.
         """
-        if self._yaml_path is None:
+        with self._lock:
+            yaml_path = self._yaml_path
+        if yaml_path is None:
             raise ACLRuleError("Cannot reload: ACL was not loaded from a YAML file")
-        reloaded = ACL.load(self._yaml_path)
-        self._rules = reloaded._rules
-        self._default_effect = reloaded._default_effect
+        reloaded = ACL.load(yaml_path)
+        with self._lock:
+            self._rules = reloaded._rules
+            self._default_effect = reloaded._default_effect

src/apcore/bindings.py

@@ -9,7 +9,11 @@
 import yaml
 from pydantic import BaseModel, ConfigDict, create_model
 
-from apcore.decorator import FunctionModule, _generate_input_model, _generate_output_model
+from apcore.decorator import (
+    FunctionModule,
+    _generate_input_model,
+    _generate_output_model,
+)
 from apcore.errors import (
     BindingCallableNotFoundError,
     BindingFileInvalidError,
@@ -65,19 +69,15 @@ def _build_model_from_json_schema(
 class BindingLoader:
     """Loads YAML binding files and creates FunctionModule instances."""
 
-    def load_bindings(
-        self, file_path: str, registry: Registry
-    ) -> list[FunctionModule]:
+    def load_bindings(self, file_path: str, registry: Registry) -> list[FunctionModule]:
         """Load binding file and register all modules."""
         path = pathlib.Path(file_path)
         binding_file_dir = str(path.parent)
 
         try:
             content = path.read_text()
         except OSError as exc:
-            raise BindingFileInvalidError(
-                file_path=file_path, reason=str(exc)
-            ) from exc
+            raise BindingFileInvalidError(file_path=file_path, reason=str(exc)) from exc
 
         try:
             data = yaml.safe_load(content)
@@ -87,9 +87,7 @@ def load_bindings(
             ) from exc
 
         if data is None:
-            raise BindingFileInvalidError(
-                file_path=file_path, reason="File is empty"
-            )
+            raise BindingFileInvalidError(file_path=file_path, reason="File is empty")
 
         if "bindings" not in data:
             raise BindingFileInvalidError(
@@ -197,9 +195,7 @@ def _create_module_from_binding(
                 input_schema = _generate_input_model(func)
                 output_schema = _generate_output_model(func)
             except (FuncMissingTypeHintError, FuncMissingReturnTypeError) as exc:
-                raise BindingSchemaMissingError(
-                    target=binding["target"]
-                ) from exc
+                raise BindingSchemaMissingError(target=binding["target"]) from exc
         elif "input_schema" in binding or "output_schema" in binding:
             input_schema_dict = binding.get("input_schema", {})
             output_schema_dict = binding.get("output_schema", {})
@@ -237,9 +233,7 @@ def _create_module_from_binding(
                 input_schema = _generate_input_model(func)
                 output_schema = _generate_output_model(func)
             except (FuncMissingTypeHintError, FuncMissingReturnTypeError) as exc:
-                raise BindingSchemaMissingError(
-                    target=binding["target"]
-                ) from exc
+                raise BindingSchemaMissingError(target=binding["target"]) from exc
 
         return FunctionModule(
             func=func,

src/apcore/context.py

@@ -49,7 +49,13 @@ def create(
         )
 
     def child(self, target_module_id: str) -> Context:
-        """Create a child Context for calling a target module."""
+        """Create a child Context for calling a target module.
+
+        The ``data`` dict is intentionally shared (not copied) between parent
+        and child contexts.  Middleware such as TracingMiddleware and
+        MetricsMiddleware rely on this shared reference to maintain span and
+        timing stacks across nested module-to-module calls.
+        """
         return Context(
             trace_id=self.trace_id,
             caller_id=self.call_chain[-1] if self.call_chain else None,

src/apcore/decorator.py

@@ -67,7 +67,9 @@ def _generate_input_model(func: Any) -> type[BaseModel]:
 
     # Create the model, with extra="allow" if **kwargs was present
     if has_kwargs:
-        return create_model("InputModel", __config__=ConfigDict(extra="allow"), **field_dict)
+        return create_model(
+            "InputModel", __config__=ConfigDict(extra="allow"), **field_dict
+        )
     return create_model("InputModel", **field_dict)
 
 
@@ -158,8 +160,12 @@ def __init__(
     ) -> None:
         self._func = func
         self.module_id = module_id
-        self.input_schema = input_schema if input_schema is not None else _generate_input_model(func)
-        self.output_schema = output_schema if output_schema is not None else _generate_output_model(func)
+        self.input_schema = (
+            input_schema if input_schema is not None else _generate_input_model(func)
+        )
+        self.output_schema = (
+            output_schema if output_schema is not None else _generate_output_model(func)
+        )
 
         has_context, context_param_name = _has_context_param(func)