fix: subagent TTL lower bound + robust loopback check #357

Merged
bicced merged 1 commit into main from fix/review-hardening-followup
Mar 6, 2026

@bicced bicced commented Mar 6, 2026

Summary

Two small hardening fixes from principal engineer review:

  1. subagent_tool.py: Add max(1, ...) lower bound to TTL clamping. Zero or negative ttl_seconds caused asyncio.wait_for to time out immediately, wasting resources on a subagent that never runs.

  2. server.py: Replace string-based localhost check ("127.0.0.1", "::1", "localhost") with ipaddress.ip_address().is_loopback. This correctly handles IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) and removes the misleading "localhost" string (Starlette always returns numeric IPs, never hostnames).

Test plan

  • pytest tests/ --ignore=tests/test_dashboard.py — 1595 passed, 45 skipped

1. subagent_tool.py: Add lower bound to TTL clamping (max(1, ...)).
   Zero or negative ttl_seconds caused immediate asyncio.wait_for
   timeout, wasting resources spawning a subagent that never runs.

2. server.py: Replace string-based localhost check with
   ipaddress.ip_address().is_loopback. Handles IPv4-mapped IPv6
   addresses (::ffff:127.0.0.1) and removes misleading "localhost"
   string that Starlette never returns.
@bicced bicced merged commit 32699e0 into main Mar 6, 2026
3 checks passed
@bicced bicced deleted the fix/review-hardening-followup branch March 6, 2026 14:12
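
The loopback check described in item 2, as an added example that is not the project's server.py code: `legacy_is_local` and `is_loopback_client` are hypothetical names, and the sample peer addresses are constructed. It unwraps IPv4-mapped addresses through `ipv4_mapped` explicitly, so the result does not depend on the interpreter's own handling, and it treats unparseable values as non-local.

```python
import ipaddress

# The string comparison the PR describes replacing (reconstructed from the
# PR text; the project's actual code is not shown on this page).
LEGACY_ALLOWED = {"127.0.0.1", "::1", "localhost"}


def legacy_is_local(host):
    """Old-style check: exact string match against three literals."""
    return host in LEGACY_ALLOWED


def is_loopback_client(host):
    """Return True only if `host` parses as a loopback IP address.

    Hypothetical helper. Fails closed: None, empty strings, hostnames and
    malformed values are all treated as non-local.
    """
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    # Unwrap ::ffff:a.b.c.d explicitly so the answer does not depend on how
    # the running Python version's IPv6Address.is_loopback treats
    # IPv4-mapped addresses. IPv4Address has no such attribute.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


# Constructed sample peer addresses, not taken from the project.
SAMPLES = [
    "127.0.0.1", "127.0.0.2", "::1", "::ffff:127.0.0.1",
    "::ffff:10.0.0.5", "192.0.2.10", "localhost", "",
]


def compare(samples=SAMPLES):
    """Map each sample to (legacy result, ipaddress-based result)."""
    return {h: (legacy_is_local(h), is_loopback_client(h)) for h in samples}


if __name__ == "__main__":
    for host, (old, new) in compare().items():
        print(f"{host!r:22} legacy={old!s:5} ipaddress={new}")
```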