Simplify: use the project's httpx2 client in the weather tool#260
Merged
Conversation
The new agent_cascade weather tool imported bare httpx, a dev-only dependency that only resolves at runtime because the assemblyai SDK pulls it transitively. Every other runtime HTTP path in the package imports httpx2 as httpx (the declared runtime dep). Switch the weather fetch seam to match, and update the test to patch httpx2. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018YXGuNwZmNDN1cwzsXQr6C
…pproval gate Code-review fixes for the live cascade (#259): - Sandbox no longer leaks env secrets: the OS-confined `execute` command runs with a minimal env allowlist instead of the full parent environment, so ASSEMBLYAI_API_KEY and friends can't be read by agent-run code (they blocked credential files but not env vars). - read_url refuses local/internal/file:// URLs outright (SSRF guard) since the agent-chosen URL can be steered by web content; point the stale risk warning at the real tool name (read_url, not the removed fetch_url). - The voice-approval gate no longer treats the advisory risk heuristic as its enforcement boundary: running code (execute) always requires a keypress, so a misheard affirmative can't run arbitrary commands. - bwrap masks directory secrets (.claude/.ssh/...) with --tmpfs and file secrets (.env/.netrc/...) with a /dev/null bind — the old code used the wrong directive for each kind, failing whenever cwd held a .claude/ directory. - Seatbelt profile escapes the launch dir before interpolating it into the SBPL regex/string literals, so a path with regex/quote metacharacters no longer produces a profile sandbox-exec rejects. - _generate_reply clears the awaiting-approval gate in a finally and always brackets reply_done with reply_started, so a failure mid-approval can't wedge the session and an empty reply doesn't emit an unmatched reply_done. - pop_clauses holds a terminator at end-of-buffer (it may be mid-token under streaming, e.g. "$3." before "50"), avoiding split decimals; the post-tool narration is accumulated in a list joined once (O(n), not per-delta concat). Also split the pure reply-runtime helpers (final_tail/approval_deadline/ is_final_turn) out of engine.py into _runtime.py, where REPLY_TIMEOUT_SECONDS and the other stateless primitives already live, keeping engine under the file-length gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018YXGuNwZmNDN1cwzsXQr6C
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The new agent_cascade weather tool imported bare httpx, a dev-only
dependency that only resolves at runtime because the assemblyai SDK
pulls it transitively. Every other runtime HTTP path in the package
imports httpx2 as httpx (the declared runtime dep). Switch the weather
fetch seam to match, and update the test to patch httpx2.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_018YXGuNwZmNDN1cwzsXQr6C