Skip to content

Fix RBAC pyright type errors and add unit tests#553

Open
swinney wants to merge 1 commit intodevfrom
fix/rbac-type-safety-and-tests
Open

Fix RBAC pyright type errors and add unit tests#553
swinney wants to merge 1 commit intodevfrom
fix/rbac-type-safety-and-tests

Conversation

@swinney
Copy link
Copy Markdown
Collaborator

@swinney swinney commented Apr 14, 2026

Summary

Fixes #552

  • Fix 3 pre-existing pyright type errors in registry.py, jwt_parser.py, and decorators.py
  • Add 46 unit tests across 5 new test files covering the full RBAC subsystem
  • All changes target src/utils/rbac/ and tests/unit/test_rbac_* — no functional behavior changes

Changes

Type Fixes (3 files, 10 line changes)

File Line Fix
registry.py:148 _resolve_permissions Set[str] = NoneOptional[Set[str]] = None
jwt_parser.py:158 assign_default_role List[str] = NoneOptional[List[str]] = None
decorators.py 8 call sites request.endpointrequest.endpoint or '<unknown>'

New Tests (5 files, 655 lines, 46 tests)

File Tests Covers
test_rbac_registry.py 17 Permission resolution, inheritance, wildcards, config validation, filtering, properties
test_rbac_permissions.py 8 has_permission, is_admin, is_expert with explicit roles
test_rbac_audit.py 8 Log levels, message format, structured JSON output
test_rbac_jwt_parser.py 6 extract_roles_from_token (4 scenarios), get_user_roles default fallback
test_rbac_decorators.py 7 require_permission, require_any_permission, check_sso_required via Flask test client

Test plan

  • pyright reports 0 errors on all 3 modified source files
  • All 46 new tests pass (pytest tests/unit/test_rbac_*.py)
  • No changes to RBAC runtime behavior — type annotations and fallback string only

🤖 Generated with Claude Code

@claude
fix: RBAC pyright type errors and add unit test coverage
5765491 
Fix 3 pre-existing pyright type errors in the RBAC subsystem:
- registry.py: `visited: Set[str] = None` → `Optional[Set[str]]`
- jwt_parser.py: `original_roles: List[str] = None` → `Optional[List[str]]`
- decorators.py: 8 call sites passing `request.endpoint` (Optional[str])
  to `log_permission_check(endpoint: str)` — use fallback `or '<unknown>'`

Add 46 unit tests across 5 new test files covering:
- RBACRegistry: permission resolution, inheritance, wildcards, config
  validation (circular/empty/undefined), filter_valid_roles, properties
- Permissions: has_permission, is_admin, is_expert with explicit roles
- Audit: log_authentication_event, log_permission_check, log_role_assignment
  levels and structured output
- JWT Parser: extract_roles_from_token (resource_access, fallback, edge
  cases), get_user_roles with default fallback
- Decorators: require_permission, require_any_permission, check_sso_required
  via Flask test client

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
swinney pushed a commit to fasrc/archi that referenced this pull request Apr 14, 2026
@claude
fix: RBAC pyright type errors and add unit test coverage
ca0b7a7 
Fix 3 pre-existing pyright type errors and add 46 unit tests
for the RBAC subsystem. See archi-physics#552, archi-physics#553.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@swinney