Fix HTTP status for policy-blocked release actions #9

Closed
cursor[bot] wants to merge 5 commits into main from cursor/critical-bug-inspection-d362
cursor[bot] commented May 2, 2026

Summary

Return a non-2xx HTTP response when promote/rollback is blocked by policy, while preserving the existing audit record and outcome details.

Why

HTTP promote/rollback endpoints previously returned 200 OK for policy-blocked actions because the shared operation layer records the failed decision and returns an outcome. SDK clients call raise_for_status(), so they treated a blocked promotion as success even though the promoted pointer did not change.

Changes

  • Add a shared HTTP action response body helper.
  • Raise 409 Conflict for policy-blocked promote/rollback outcomes with the serialized outcome in detail.
  • Add regression coverage for HTTP blocked promotion behavior and SDK error propagation.

Validation

  • uv sync --frozen --extra dev
  • uv run python -m ruff check src tests
  • uv run python -m pytest
  • uv run python scripts/generate_schemas.py then git diff --exit-code schemas/ (if models/schemas touched)
  • cd web && npm ci && npm run build && cd .. && git diff --exit-code src/flightdeck/server/static/ (if web/src/ or deps changed)
  • cd web && npx playwright install chromium && npm run test:e2e (if web/ changed)
  • uv run flightdeck-quickstart-verify
  • uv run flightdeck --help

With pip / venv only, use python -m … equivalents from DEVELOPMENT.md.

Schema / Storage Impact

  • None
  • Schema change
  • Storage change

Risk

Low. The operation layer and audit persistence are unchanged; only the HTTP status for an already-blocked action changes from success to conflict.

Review

  • Requested review from maintainers (CODEOWNERS@flightdeckdev/maintainers on the org repo). On a fork, GitHub may not auto-request; use Reviewers on the PR.
  • PR is small and scoped (see AGENTS.md); linked issue or release note intent noted if helpful.

Notes

Bug and impact: SDK/API callers could treat a policy-blocked promotion or rollback as successful because HTTP returned 200. Root cause: server routes serialized ActionOutcome directly without translating failed policy results into a failure status. Fix: return 409 Conflict with the outcome payload for blocked actions.

Gsbreddy closed this May 2, 2026
Gsbreddy deleted the cursor/critical-bug-inspection-d362 branch May 2, 2026 11:59
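
The status-code behaviour described in the PR description above, as an added example that is not part of the pull request or the project's code. `ReleaseService`, `route_before`, `route_after`, `sdk_promote` and `HTTPStatusError` are hypothetical names, and the routes are modelled in-process as functions returning a status and a JSON body rather than as real HTTP handlers.

```python
import json

class HTTPStatusError(Exception):
    """Constructed stand-in for the error raise_for_status() raises on 4xx/5xx."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}")
        self.status, self.body = status, body

class ReleaseService:
    """Hypothetical operation layer: records every decision and returns an outcome."""
    def __init__(self):
        self.promoted, self.audit = "v1", []

    def promote(self, target, policy_ok):
        outcome = {"action": "promote", "target": target, "blocked": not policy_ok}
        self.audit.append(outcome)      # audit record is written either way
        if policy_ok:
            self.promoted = target      # pointer moves only when policy allows
        return outcome

def route_before(svc, target, policy_ok):
    # Serializes the outcome directly, so a blocked action still yields 200.
    return 200, json.dumps(svc.promote(target, policy_ok))

def route_after(svc, target, policy_ok):
    # Translates a policy-blocked outcome into 409 with the outcome in "detail".
    outcome = svc.promote(target, policy_ok)
    if outcome["blocked"]:
        return 409, json.dumps({"detail": outcome})
    return 200, json.dumps(outcome)

def sdk_promote(route, svc, target, policy_ok):
    """Client that trusts the status code only, as a raise_for_status() caller does."""
    status, body = route(svc, target, policy_ok)
    if status >= 400:
        raise HTTPStatusError(status, json.loads(body))
    return json.loads(body)

def demo():
    """Run one policy-blocked promotion against each route variant."""
    results = {}
    for name, route in (("before", route_before), ("after", route_after)):
        svc = ReleaseService()
        try:
            sdk_promote(route, svc, "v2", policy_ok=False)
            results[name] = ("success", svc.promoted, len(svc.audit))
        except HTTPStatusError as exc:
            results[name] = (f"error {exc.status}", svc.promoted, len(svc.audit))
    return results

if __name__ == "__main__": print(demo())
```

In both variants the audit record is written and the promoted pointer stays at `v1`; only the "after" route makes the client see the block as an error.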
3 participants