Skip to content

ci: refresh fetchall baseline for bridge_api.py additions#7891

Merged
Scottcjn merged 1 commit into
mainfrom
ci/refresh-fetchall-baseline
Jul 5, 2026
Merged

ci: refresh fetchall baseline for bridge_api.py additions#7891
Scottcjn merged 1 commit into
mainfrom
ci/refresh-fetchall-baseline

Conversation

@Scottcjn

@Scottcjn Scottcjn commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

The test job was red because tests/test_fetchall_guard.py::test_fetchall_guard_passes_current_baseline was failing. The baseline file scripts/baselines/fetchall_existing.txt had gone stale: two commits added new .fetchall() calls to node/bridge_api.py without updating it.

  • 7925fe174 (bridge: account deposit locks against the source balance at create) added migrate_deposits_to_hard_locks(), which fetches rows filtered on status IN ('pending','locked','confirming') AND source_debited = 0. One-time startup migration over the active in-flight deposit set, not an unbounded scan.
  • 7f3ffd02f (bridge: deposit-create honors in-flight reservations (encumbrance-aware)) added list_bridge_transfers(), which always has LIMIT bound to min(limit, 500). Also bounded.

I regenerated the baseline the way scripts/check_fetchall.sh itself documents (its own stale-baseline error message says to do this):

bash scripts/check_fetchall.sh --print-baseline > scripts/baselines/fetchall_existing.txt

No production code was touched, and no calls were annotated with fetchall-ok. The rest of the diff beyond the 2 new lines is pure reordering from the script's own sort output (locale-dependent), not a content change; net +2 lines matching the two new bridge_api.py calls exactly.

Risk assessment

Neither new call looks like the unbounded-query pattern the guard exists to catch (issue #6627):

  • list_bridge_transfers is capped at 500 rows via LIMIT.
  • migrate_deposits_to_hard_locks is bounded by a status filter to the currently-active deposit set, and only runs once at migration/init time.

Both are reasonable candidates for a follow-up PR that adds explicit # fetchall-ok: already-paginated / # fetchall-ok: bounded-by-schema annotations, but I did not do that here since the ask was specifically to refresh the baseline, not touch node/bridge_api.py.

Test plan

  • python -m pytest tests/test_fetchall_guard.py -x -v — all 11 tests pass
  • bash scripts/check_fetchall.sh — prints OK: no new unannotated .fetchall() calls in node/.
  • Confirmed no stale-baseline entries remain (diffed --print-baseline output against old baseline; only the two new bridge_api.py lines were added, everything else was line reordering)

The fetchall guard test was failing because scripts/baselines/fetchall_existing.txt
was stale. Two commits added new .fetchall() calls to node/bridge_api.py without
updating the baseline:

- 7925fe1 (bridge: account deposit locks against the source balance at create)
  added migrate_deposits_to_hard_locks(), which fetches rows filtered on
  status IN ('pending','locked','confirming') AND source_debited = 0. This is a
  one-time startup migration over the active in-flight deposit set, not an
  unbounded scan.

- 7f3ffd0 (bridge: deposit-create honors in-flight reservations
  (encumbrance-aware)) added list_bridge_transfers(), which fetches rows with a
  query that always has LIMIT bound to min(limit, 500). Also bounded.

Regenerated the baseline the way the guard script itself documents, via
bash scripts/check_fetchall.sh --print-baseline > scripts/baselines/fetchall_existing.txt
No code was touched and no calls were annotated. The rest of the diff is pure
reordering from the script's own sort output, not content changes (net +2
lines, matching the two new bridge_api.py calls).

Neither new call looks like the unbounded-query pattern the guard exists to
catch (issue #6627), so I did not add fetchall-ok annotations or otherwise
touch node/bridge_api.py. If we want to be stricter, both are reasonable
candidates for a follow-up annotation (already-paginated for the LIMIT
query, bounded-by-schema for the status-filtered migration).

Signed-off-by: Scott <scottbphone12@gmail.com>
@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) size/XS PR: 1-10 lines labels Jul 5, 2026
@Scottcjn Scottcjn merged commit e1a48a0 into main Jul 5, 2026
12 checks passed
@Scottcjn Scottcjn deleted the ci/refresh-fetchall-baseline branch July 5, 2026 21:04
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

RTC Reward

This merged PR earned 5 RTC — sent to Scottcjn.

RustChain Bounty Program

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

⚠️ BCOS v2 Scan Results

Metric Value
Trust Score 48/100
Certificate ID BCOS-ad6813f3
Tier L1 (not met)

BCOS Badge

What does this mean?

The BCOS (Beacon Certified Open Source) engine scans for:

  • SPDX license header compliance
  • Known CVE vulnerabilities (OSV database)
  • Static analysis findings (Semgrep)
  • SBOM completeness
  • Dependency freshness
  • Test infrastructure evidence
  • Review attestation tier

Full report | What is BCOS?


BCOS v2 Engine - Free & Open Source (MIT) - Elyan Labs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) size/XS PR: 1-10 lines

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants