Skip to content

fix(api): add security sentinel ingest compatibility endpoint#2

Open
Bbowlby22 wants to merge 1 commit intomainfrom
fix/security-sentinel-ingest-compat-clean-20260305
Open

fix(api): add security sentinel ingest compatibility endpoint#2
Bbowlby22 wants to merge 1 commit intomainfrom
fix/security-sentinel-ingest-compat-clean-20260305

Conversation

@Bbowlby22
Copy link
Copy Markdown
Owner

@Bbowlby22 Bbowlby22 commented Mar 5, 2026

Summary

  • add POST /ingest compatibility endpoint for OmniLore Security Sentinel calls
  • include ingest capability metadata in /health
  • keep a bounded in-memory security event buffer for observability

Why

OmniLore white-label gateway points security sentinel URL at 127.0.0.1:8001 (FastCode). Without /ingest, events fell back to vector-store mode. This PR restores native ingest behavior.

Validation

  • restart FastCode service
  • POST /ingest returns status=received
  • OmniLore security_sentinel_ingest returns HTTP 200 (no fallback)

Copilot AI review requested due to automatic review settings March 5, 2026 11:25
@Bbowlby22 Bbowlby22 mentioned this pull request Mar 5, 2026
Closed
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an OmniLore Security Sentinel compatibility surface to FastCode’s FastAPI service so security events can be POSTed to a dedicated endpoint and basic ingest observability is surfaced via /health.

Changes:

  • Add POST /ingest endpoint that accepts a security event payload and records it in a bounded in-memory buffer.
  • Extend /health with ingest capability metadata and current buffer size.
  • Add env-configurable buffer sizing and UTC receive timestamps for stored records.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread api.py
Comment on lines +124 to +127
SECURITY_EVENT_BUFFER_LIMIT = max(
10,
int(os.getenv("FASTCODE_SECURITY_EVENT_BUFFER_LIMIT", "500")),
)
Copy link

Copilot AI Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SECURITY_EVENT_BUFFER_LIMIT is computed with int(os.getenv(...)). If FASTCODE_SECURITY_EVENT_BUFFER_LIMIT is set to a non-integer value, this will raise ValueError at import time and prevent the API from starting. Consider parsing defensively (try/except with a fallback) and optionally clamping to a reasonable maximum to avoid accidental huge memory usage.

Suggested change
SECURITY_EVENT_BUFFER_LIMIT = max(
10,
int(os.getenv("FASTCODE_SECURITY_EVENT_BUFFER_LIMIT", "500")),
)
_raw_security_event_buffer_limit = os.getenv("FASTCODE_SECURITY_EVENT_BUFFER_LIMIT", "500")
try:
_parsed_security_event_buffer_limit = int(_raw_security_event_buffer_limit)
except (TypeError, ValueError):
_parsed_security_event_buffer_limit = 500
# Clamp to avoid accidental huge memory usage
SECURITY_EVENT_BUFFER_LIMIT = max(10, min(_parsed_security_event_buffer_limit, 10_000))

Copilot uses AI. Check for mistakes.
Comment thread api.py
Comment on lines 176 to +183
return {
"status": "healthy",
"repo_loaded": fastcode_instance.repo_loaded,
"repo_indexed": fastcode_instance.repo_indexed,
"multi_repo_mode": fastcode_instance.multi_repo_mode,
"security_ingest_enabled": True,
"security_event_buffer_size": len(security_event_buffer),
}
Copy link

Copilot AI Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In /health, the "healthy" response now includes security_ingest_enabled and security_event_buffer_size, but the earlier "initializing" return path does not. If clients rely on /health to detect ingest capability (per PR description), consider adding these fields to the initializing response as well for a consistent schema.

Copilot uses AI. Check for mistakes.
Comment thread api.py
Comment on lines +203 to +205
security_event_buffer.append(record)
if len(security_event_buffer) > SECURITY_EVENT_BUFFER_LIMIT:
security_event_buffer.pop(0)
Copy link

Copilot AI Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security_event_buffer uses a list and trims with pop(0), which is O(n) due to shifting elements. Since this is a bounded FIFO buffer, consider using collections.deque with maxlen (or popleft) to keep trimming O(1) and simplify the logic.

Copilot uses AI. Check for mistakes.
Comment thread api.py
Comment on lines +214 to +218
logger.warning(
"Security ingest accepted (compat): event_type=%s tenant_id=%s",
event_type,
tenant_id,
)
Copy link

Copilot AI Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every /ingest call logs at WARNING level. If security events are high-volume, this can quickly flood logs and trigger alerting; consider logging at INFO/DEBUG, adding sampling/rate-limiting, or only warning on malformed/unexpected payloads.

Suggested change
logger.warning(
"Security ingest accepted (compat): event_type=%s tenant_id=%s",
event_type,
tenant_id,
)
log_message = "Security ingest accepted (compat): event_type=%s tenant_id=%s"
if event_type == "unknown" or tenant_id == "unknown":
logger.warning(log_message, event_type, tenant_id)
else:
logger.info(log_message, event_type, tenant_id)

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Bbowlby22