pydantic
monty
Latest Results
add policy parameter to run_async type stub
marcbrooker:main
2 hours ago
address code review findings from cubic-dev-ai
1. Validate policies against Cedar schema at construction time — reject references to unknown entity types/actions immediately rather than silently ignoring them at evaluation time.
2. Include ReadUpdate (r+) in open_mode_is_write — r+ mode allows writing, so it should be classified as a write action for Cedar.
3. Replace "*" sentinel for GetEnviron with "__all__" — avoids any theoretical collision with a real env var name.
4. Fix misleading docstring in example 06 — reads are permitted across all of /workspace/*, not just /workspace/input/*.
5. Tighten exception assertions in example 06 — verify 'policy denied' is in the error message rather than catching any Exception silently.
marcbrooker:main
3 hours ago
fix two Cedar policy bypass vectors
1. Normalize paths before Cedar evaluation: sandboxed code could craft paths like /data/../secret/file that Cedar's `like "/data/*"` would match literally. Now paths are normalized before policy evaluation, so traversal attempts are correctly denied by Cedar (in addition to MountTable catching them).
2. Add policy enforcement to run_async: the async execution path (dispatch_loop_run) was missing Cedar checks entirely. External function calls and OS calls now go through authorize_external_call / authorize_os_call in the async dispatch loop, matching the sync path.
Also wraps PolicyEngine in Arc<> inside PyPolicy so it can be sent into async futures.
marcbrooker:main
3 hours ago
Merge branch 'main' into main
marcbrooker:main
3 hours ago
fix ruff formatting in test_policy.py
marcbrooker:main
6 hours ago
fix ruff Q001: use double quotes for multiline strings in README examples
The project's ruff config enforces double quotes (Q001). The Cedar policy examples used triple-single-quotes which fail the lint step.
marcbrooker:main
7 hours ago
fix CI: skip README policy examples in test runner, fix pyright error
The README Cedar policy examples reference local directories that don't exist in CI. Mark them with test="skip" so pytest_examples doesn't try to lint or run them. Also add isinstance narrowing for basedpyright.
marcbrooker:main
7 hours ago
add policy-examples directory with six Cedar policy examples
Standalone Python scripts demonstrating read-only access, restricted writes, external function allowlisting, env var restrictions, blocklist mode, and a combined realistic agent sandbox policy.
marcbrooker:main
7 hours ago
Latest Branches
CodSpeed Performance Gauge
0%
RFC: Add support for Cedar policies to control what code can do
#489
2 hours ago
4313b71
marcbrooker:main
CodSpeed Performance Gauge
0%
fix(file): release the buffered-file OS-call pin on all paths
#485
20 hours ago
96748af
arkuhn:fix/openfile-oscall-pin-leak
CodSpeed Performance Gauge
0%
`FromArgs` slots cleanup
#484
1 day ago
d94afd3
from-args-slots-cleanup
© 2026 CodSpeed Technology