Skip to content

test(canopy): cover websocket global-cap counter release#423

Merged
pcalnon merged 6 commits into
mainfrom
cursor/missing-test-coverage-72e8
Jul 4, 2026
Merged

test(canopy): cover websocket global-cap counter release#423
pcalnon merged 6 commits into
mainfrom
cursor/missing-test-coverage-72e8

Conversation

@cursor

@cursor cursor Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Coverage follow-up for PR #420 (fix/sec-f22-f19-bind-guard-ws-caps).

Risky behavior now covered

  • WebSocket endpoints reserve per-IP and per-session slots before WebSocketManager.connect() enforces the stack-wide global cap.
  • A global-cap rejection after those reservations must release the reserved counters, otherwise stale per-IP/per-session counts can block later legitimate connections.
  • connect() now returns an explicit admission result so endpoints can stop immediately after a global-cap reject instead of continuing to send on a closed socket.

Test files added/updated

  • Updated src/tests/unit/test_ws_connection_caps.py
    • Adds a regression for global-cap rejection after reserved per-IP/per-session limits.
    • Asserts rejected sockets are not tracked, reserved counters are released, and the new boolean admission result is True/False as expected.

Why this materially reduces regression risk

This covers a high-blast-radius admission-ordering edge case across all three WebSocket endpoints (/ws/training, /ws/control, and legacy /ws). The failure mode is subtle: the connection is rejected as intended, but stale counters can accumulate and create a self-inflicted denial of service for unrelated future clients.

Validation

  • python -m py_compile src/communication/websocket_manager.py src/main.py src/tests/unit/test_ws_connection_caps.py
  • pytest tests/unit/test_ws_connection_caps.py tests/unit/test_bind_guard.py tests/unit/test_websocket_manager_unit.py tests/unit/test_websocket_manager_thread_safety.py tests/unit/test_websocket_manager_concurrency.py tests/unit/test_websocket_comprehensive.py -v ✅ — 140 passed, 1 warning
  • Broader pytest -m "unit and not slow" -v in the ad-hoc Cloud venv completed the selected tests with 2017 passed, 9 skipped, 3705 deselected, then aborted during interpreter teardown (terminate called without an active exception). Focused suites above were clean and deterministic.
Open in Web View Automation 

pcalnon and others added 5 commits July 4, 2026 16:28
… caps (D2/D4)

Implements the approved control-surface hardening design
(juniper-ml notes/JUNIPER_CANOPY_CONTROL_SURFACE_AUTH_AND_NAT_DESIGN_2026-07-03.md,
§4 Option A, §5 Option B, §7 Phases 1-2, decisions D2 + D4). Deferred proxy/dashboard
login (D6/D7) and XFF (Phase 4) are NOT built here.

D2 — startup loopback bind-guard (SEC-F22). enforce_loopback_bind_guard (security.py)
refuses to start (NonLoopbackBindError + CRITICAL, fail-closed) when canopy is configured
to bind a non-loopback interface unless JUNIPER_CANOPY_FRONTING_AUTH_ATTESTED=true (new
Settings field, default False). Loopback (127.0.0.0/8, ::1, localhost) starts normally;
an unparseable host is treated as non-loopback (fail-closed). Makes the sole effective
SEC-F22 control (loopback bind, audit HO-6) an enforced invariant; closes the silent
BIND_HOST=0.0.0.0 footgun.

D4 — global + per-session WS caps (SEC-F19). websocket_manager.py adds a stack-absolute
GLOBAL cap across all WS endpoints and a per-session cap keyed on the canopy_session
cookie, alongside the existing per-IP cap. Over-cap -> close 1013. Cookieless first
connection is exempt from per-session and backstopped by the global cap (design §9 R2).
Kills the HO-3 self-DoS. Per-IP cap documented inert-behind-NAT (DoS-dampening, not auth).

Tests: test_bind_guard.py + test_ws_connection_caps.py + a notes/ security note.

Owner-gated — do not auto-merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LX5ToumBaABH3QutQC86sM
Co-authored-by: Overtoad <paul.calnon@gmail.com>
Co-authored-by: Overtoad <paul.calnon@gmail.com>
Co-authored-by: Overtoad <paul.calnon@gmail.com>
Co-authored-by: Overtoad <paul.calnon@gmail.com>
@pcalnon pcalnon self-assigned this Jul 4, 2026

@pcalnon pcalnon left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved

@pcalnon pcalnon marked this pull request as ready for review July 4, 2026 22:29
Signed-off-by: Overtoad <paul.calnon@gmail.com>
@pcalnon pcalnon merged commit 3f32970 into main Jul 4, 2026
10 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants