fix: address critical CI blockers - type errors and TOCTOU race

- ws_api.py: Add proper PubSub type annotation to fix 'possibly unbound' error - toggle_model: Move replacement model validation inside transaction to prevent TOCTOU race (consistent with delete_model fix from earlier reviews)
2026-04-08 03:00:28 -04:00 · 2026-03-02 16:39:32 +00:00
parent 9bba427979
commit 1e9a614168
2 changed files with 14 additions and 13 deletions
--- a/autogpt_platform/backend/backend/api/ws_api.py
+++ b/autogpt_platform/backend/backend/api/ws_api.py
@@ -80,7 +80,9 @@ async def event_broadcaster(manager: ConnectionManager):
                )

        # Track registry pubsub for cleanup
-        registry_pubsub = None
+        from redis.asyncio.client import PubSub
+        
+        registry_pubsub: PubSub | None = None

        async def registry_refresh_worker():
            """Listen for LLM registry refresh notifications and broadcast to all clients."""
--- a/autogpt_platform/backend/backend/server/v2/llm/db.py
+++ b/autogpt_platform/backend/backend/server/v2/llm/db.py
@@ -394,21 +394,20 @@ async def toggle_model(

    # If disabling with migration, perform migration first
    if not is_enabled and migrate_to_slug:
-        # Validate replacement model exists and is enabled
-        replacement = await prisma.models.LlmModel.prisma().find_unique(
-            where={"slug": migrate_to_slug}
-        )
-        if not replacement:
-            raise ValueError(f"Replacement model '{migrate_to_slug}' not found")
-        if not replacement.isEnabled:
-            raise ValueError(
-                f"Replacement model '{migrate_to_slug}' is disabled. "
-                f"Please enable it before using it as a replacement."
-            )
-
        # Perform all operations atomically within a single transaction
        # This ensures no nodes are missed between query and update
        async with transaction() as tx:
+            # Validate replacement model exists and is enabled (inside transaction to prevent TOCTOU)
+            replacement = await tx.llmmodel.find_unique(
+                where={"slug": migrate_to_slug}
+            )
+            if not replacement:
+                raise ValueError(f"Replacement model '{migrate_to_slug}' not found")
+            if not replacement.isEnabled:
+                raise ValueError(
+                    f"Replacement model '{migrate_to_slug}' is disabled. "
+                    f"Please enable it before using it as a replacement."
+                )
            # Get the IDs of nodes that will be migrated (inside transaction for consistency)
            node_ids_result = await tx.query_raw(
                """