feat!: align Python SDK with Symbiont OSS runtime v1.14.3#5
Merged
Conversation
jaschadub
force-pushed
the
feat/oss-runtime-1.14.3-parity
branch
from
404d565 to
60bea4a
Compare
Brings the SDK to exact parity with the Symbiont OSS runtime v1.14.3 HTTP
surface (the ~41 routes served by crates/runtime/src/api/server.rs) and
removes everything that targeted endpoints the OSS runtime does not serve.
Added (real OSS endpoints the SDK was missing):
- execute_agent -> POST /api/v1/agents/{id}/execute
- send_message -> POST /api/v1/agents/{id}/messages
- receive_messages -> GET /api/v1/agents/{id}/messages
- get_message_status -> GET /api/v1/messages/{id}/status
- send_heartbeat -> POST /api/v1/agents/{id}/heartbeat
- push_agent_event -> POST /api/v1/agents/{id}/events
Fixed:
- /api/v1 double-prefix bug. The default base_url already includes /api/v1,
but ~12 methods hard-coded an extra "api/v1/" in the endpoint, producing
"/api/v1/api/v1/..." (404). Client._request now de-duplicates the version
segment in one place; base URLs with a different prefix are untouched, so
custom deployments and existing URL-construction tests are unaffected.
- execute_workflow now targets POST /api/v1/workflows/execute (was /workflows).
- get_agent_status now targets GET /api/v1/agents/{id}/status (was /agents/{id}).
Removed (BREAKING) — endpoints/modules the OSS runtime does not expose, every
call to which returned 404:
- Client methods: get_agent_metrics, re_execute_agent, and all tool-review,
secrets, MCP-management, knowledge/RAG/vector, DSL/deploy, http-input,
http-endpoint, memory, and communication-rule methods.
- Modules: reasoning_client.py, reasoning.py, toolclad.py, qdrant.py,
memory.py (and the client.reasoning / client.toolclad accessors).
- MetricsClient trimmed to get_metrics() -> GET /api/v1/metrics; the former
/metrics/snapshot|scheduler|system|export methods were removed. Client-side
exporters (File/OTLP/Collector) are unchanged.
- Retained client-side helpers (no runtime dependency): AgentPin verification,
webhook signature verification, skill scanning, markdown memory store.
Validated: remaining SDK HTTP surface cross-checked against the runtime route
table in crates/runtime/src/api/server.rs — every call maps to a real OSS
route, zero phantom paths remain. Intentionally unwrapped: /ws/chat and the
/health/live, /health/ready probes.
Version: 1.11.0 -> 1.14.3 (tracks the runtime). black + ruff clean;
test suite 131 passed.
jaschadub
force-pushed
the
feat/oss-runtime-1.14.3-parity
branch
from
60bea4a to
af1d971
Compare
jaschadub
added a commit
that referenced
this pull request
May 31, 2026
The CI "Security check with bandit" step (`bandit -r symbiont/`) failed on a
single LOW-severity B105 (hardcoded_password_string) false positive: the
human-readable validation error string "JWT secret key required when refresh
tokens enabled" assigned to errors["auth.jwt_secret_key"]. It is an error
message, not a secret.
The line already carried a `# nosec B105` suppression, but it stopped working
after black wrapped the assignment across multiple lines: bandit attributes
the finding to the statement-start line (`errors[...] = (`), while the nosec
comment ended up on the following (string-literal) line, so they no longer
matched and bandit exited 1.
Fix: bind the message to a plainly-named local (`message`) first, then assign
it. The dict value is now a Name node rather than a string literal, so B105
does not fire at all — robust against future reformatting, no nosec needed.
Verified locally: `bandit -r symbiont/` -> exit 0 ("No issues identified");
`ruff check symbiont/ tests/` clean; `black --check` clean; pytest 131 passed.
Note: PR #5 was merged while this CI step was red (the other test jobs were
cancelled by concurrency, masking that only the bandit step truly failed).
This commit lands the fix directly on main.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the Python SDK to exact parity with the Symbiont OSS runtime v1.14.3 HTTP surface and removes everything that targeted endpoints the OSS runtime does not serve. Validated by cross-checking every remaining SDK call against the runtime route table in
crates/runtime/src/api/server.rs.Added (real OSS endpoints the SDK was missing)
execute_agentPOST /api/v1/agents/{id}/executesend_messagePOST /api/v1/agents/{id}/messagesreceive_messagesGET /api/v1/agents/{id}/messagesget_message_statusGET /api/v1/messages/{id}/statussend_heartbeatPOST /api/v1/agents/{id}/heartbeatpush_agent_eventPOST /api/v1/agents/{id}/eventsFixed
/api/v1double-prefix bug. Defaultbase_urlalready includes/api/v1, but ~12 methods hard-coded an extraapi/v1/, producing/api/v1/api/v1/...(404).Client._requestnow de-duplicates the version segment in one place; base URLs with a different prefix are untouched.execute_workflow→POST /api/v1/workflows/execute(was/workflows).get_agent_status→GET /api/v1/agents/{id}/status(was/agents/{id}).Removed (BREAKING)
Endpoints/modules the OSS runtime does not expose over HTTP (every call returned 404):
get_agent_metrics,re_execute_agent; all tool-review, secrets, MCP-management, knowledge/RAG/vector, DSL/deploy, http-input, http-endpoint, memory, and communication-rule methods.reasoning_client.py,reasoning.py,toolclad.py,qdrant.py,memory.py(+client.reasoning/client.toolcladaccessors).MetricsClienttrimmed toget_metrics()→GET /api/v1/metrics; the/metrics/snapshot|scheduler|system|exportmethods were removed.Validation
/ws/chat(WebSocket),/health/live,/health/ready(probes).black+ruffclean; test suite 131 passed (newtests/test_oss_endpoints.pycovers the added methods + prefix de-dup).20 files changed, +469 / −2902.