forked from molecule-ai/molecule-core
19d863b052
A malicious or buggy agent could report MonthlySpend = math.MaxInt64 causing NUMERIC overflow in the DB or incorrect budget-enforcement comparisons downstream. Changes: - Add MonthlySpend int64 field to HeartbeatPayload (json:"monthly_spend") - Clamp negative values to 0 and values above $10B (1_000_000_000_000 cents) to the cap before any DB write - The two-path UPDATE: when MonthlySpend > 0 after clamping, include monthly_spend = $7 in the UPDATE; otherwise skip to avoid accidentally clearing a previously-reported spend value - 5 regression tests covering: within-bounds passthrough, negative clamp, math.MaxInt64 overflow clamp, exact-cap boundary, and zero/omitted no-update path Note: this branch introduces MonthlySpend to HeartbeatPayload; it will need trivial conflict resolution when feat/issue-541-budget-limit-backend merges, as that branch also adds the field (without the cap). Keep this branch's clamping logic. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||