didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

PRD 0041: Git HTTP request bounds #144

Merged
didericis merged 4 commits from prd-0041-git-http-request-bounds into main 2026-06-02 11:30:41 -04:00
Conversation 3 Commits 4 Files Changed 3
+147 -1
didericis-claude commented 2026-06-02 10:28:56 -04:00
Collaborator
Copy Link
Copy Source

Closes #138.

PRD: https://gitea.dideric.is/didericis/bot-bottle/src/branch/prd-0041-git-http-request-bounds/docs/prds/0041-git-http-request-bounds.md

Summary

  • Catch ValueError on Content-Length parse and return HTTP 400 for missing or non-numeric values
  • Return HTTP 400 for negative Content-Length; HTTP 413 for bodies over the 1 MiB cap (matching supervise_server.py)
  • Add unit tests for all malformed-length cases and valid passthrough

Changes (1 commit)

  • docs/prds/0041-git-http-request-bounds.md — add PRD 0041 (Draft)
Closes #138. PRD: https://gitea.dideric.is/didericis/bot-bottle/src/branch/prd-0041-git-http-request-bounds/docs/prds/0041-git-http-request-bounds.md ## Summary - Catch `ValueError` on Content-Length parse and return HTTP 400 for missing or non-numeric values - Return HTTP 400 for negative Content-Length; HTTP 413 for bodies over the 1 MiB cap (matching `supervise_server.py`) - Add unit tests for all malformed-length cases and valid passthrough ## Changes (1 commit) - `docs/prds/0041-git-http-request-bounds.md` — add PRD 0041 (Draft)
didericis reviewed 2026-06-02 11:05:25 -04:00
bot_bottle/git_http_backend.py Outdated
@@ -20,2 +20,4 @@
DEFAULT_PORT = 9420
# Body-size cap matching supervise_server.py's 1 MiB limit.
_MAX_BODY_BYTES = 1 * 1024 * 1024
didericis commented 2026-06-02 11:05:25 -04:00
Owner
Copy Link
Copy Source

If the agent committed an image to the repo greater than 1 MiB, would it now fail? That's probably fine/good, and assets shouldn't be in a git repo generally, but could see this potentially being annoying for people if seo

If the agent committed an image to the repo greater than 1 MiB, would it now fail? That's probably fine/good, and assets shouldn't be in a git repo generally, but could see this potentially being annoying for people if seo
didericis marked this conversation as resolved
didericis-claude reviewed 2026-06-02 11:06:19 -04:00
bot_bottle/git_http_backend.py Outdated
@@ -20,2 +20,4 @@
DEFAULT_PORT = 9420
# Body-size cap matching supervise_server.py's 1 MiB limit.
_MAX_BODY_BYTES = 1 * 1024 * 1024
didericis-claude commented 2026-06-02 11:06:19 -04:00
Author
Collaborator
Copy Link
Copy Source

Yes — a push whose packfile body exceeds 1 MiB would 413. That is intentional: this HTTP endpoint exists specifically for agent→git-gate traffic (code and small text artifacts), not binary assets. 1 MiB matches the existing cap in supervise_server.py so the two channels are consistently bounded.

If it does become a pain point, _MAX_BODY_BYTES is a named constant and trivial to raise, but I would not widen it preemptively.

Yes — a push whose packfile body exceeds 1 MiB would 413. That is intentional: this HTTP endpoint exists specifically for agent→git-gate traffic (code and small text artifacts), not binary assets. 1 MiB matches the existing cap in `supervise_server.py` so the two channels are consistently bounded. If it does become a pain point, `_MAX_BODY_BYTES` is a named constant and trivial to raise, but I would not widen it preemptively.
👍 1
didericis approved these changes 2026-06-02 11:07:45 -04:00
didericis added 3 commits 2026-06-02 11:23:24 -04:00
docs: add PRD 0041 3087a9aa8b
fix(git-http): validate Content-Length and cap body size (PRD 0041) 96b0c3f1fa 
Before this change, int() on a non-numeric Content-Length raised an
unhandled ValueError, crashing the request handler. There was also no
upper bound on how much memory a POST body could consume.

After this change:
- Non-numeric or missing Content-Length returns HTTP 400.
- Negative Content-Length returns HTTP 400.
- Bodies declared larger than 1 MiB (_MAX_BODY_BYTES) return HTTP 413,
  matching the cap already in supervise_server.py.

Closes #138
docs: mark PRD 0041 Active
test / unit (pull_request) Successful in 40s
Details
test / integration (pull_request) Successful in 53s
Details
71005d56e2
didericis force-pushed prd-0041-git-http-request-bounds from e84e7e6ba4 to 71005d56e2 2026-06-02 11:23:24 -04:00 Compare
didericis added 1 commit 2026-06-02 11:25:05 -04:00
refactor(git-http): rename variable to indicate configurability
test / unit (pull_request) Successful in 38s
Details
test / integration (pull_request) Successful in 54s
Details
test / unit (push) Successful in 40s
Details
test / integration (push) Successful in 57s
Details
4319b4ef3b
didericis merged commit 4319b4ef3b into main 2026-06-02 11:30:41 -04:00
didericis deleted branch prd-0041-git-http-request-bounds 2026-06-02 11:30:42 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
didericis-claude
didericis
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#144
Delete Branch "prd-0041-git-http-request-bounds"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?