Tighten SECURITY.md and prune docs-consistency tests #31
Merged
Conversation
Private vulnerability reporting is disabled on this repo, so the previous "preferred" link rendered a dead form for external reporters. The IonQ security team monitors security@ionq.co; make that the only documented channel and stop pointing reporters at a route that GitHub does not forward to the team's inbox.
After dropping PVR there is only one reporting channel; update the safe-harbor paragraph to say "the email above" instead.
Apply the philosophy "pin where drift is likely AND bad":
- test_retryable_status_codes_match_runtime: tautological self-pin; the set is checked against a copy of itself, no second source of truth.
- test_session_example_backend_consistent: stylistic check that all SessionManager examples in session.py share one backend literal. Pure consistency, no runtime correctness link, easily caught in review.
- test_pyproject_description_canonical / _init_module_docstring_canonical / _readme_tagline_canonical: the package description rarely changes, and divergence across pyproject / __init__.py / README is benign and reviewer-visible. Three pins for a once-set string aren't worth the maintenance overhead.
Previously test_default_base_url_matches_spec_servers compared the full URL of openapi.json's first server entry against DEFAULT_BASE_URL, which forced the spec to come from the production host. Regenerating the client from staging (different host, same /v0.4 path) tripped the test even though the API-version contract was identical. The version path is the actual safety property the test cares about; the host is just the environment, and the runtime base URL is overridable on IonQClient anyway. Compare urlparse(...).path on both sides so staging regenerations pass while a /v0.4 -> /v0.5 bump still fails until DEFAULT_BASE_URL is updated.
The committed openapi.json's servers[0] path is whatever URL the spec was fetched from. CONTRIBUTING.md hardcodes that fetch URL, and test_spec_path_matches_default_base_url already pins DEFAULT_BASE_URL.path into CONTRIBUTING.md and spec-drift.yml. Under the documented regeneration workflow the spec path equals DEFAULT_BASE_URL.path by construction; the only failure modes left are manual fetches from a wrong version or version bumps without regenerating, both of which code review catches.
Likely to drift (every release) and bad if it does (shipped artifact's version disagrees with the changelog readers consult to know what's in it). The release.yml verify-version step already pins the git tag to pyproject; this adds the missing CHANGELOG side of that triangle.
guenp previously approved these changes, Apr 29, 2026
Cynocracy previously approved these changes, Apr 29, 2026
On honest reflection neither axis of the philosophy holds: release prep tightly couples a pyproject bump with the CHANGELOG rename so drift is unlikely, and "gh release create --generate-notes" already gives users a fallback view of what changed if CHANGELOG.md ever goes stale. Quality erosion at best, not the case-1 "likely AND bad" the test was added under.
- Drop static (429, 500, 502, 503, "520-529") pins from test_client_extension_docstring_pins. They were hardcoded copies not derived from RETRYABLE_STATUS_CODES, so they inverted the drift the test claims to catch: additions to the constant go unnoticed, and docstring reformats fail spuriously.
- Add test_spec_servers_path_in_docs to close the docs <-> spec edge of the (DEFAULT_BASE_URL, docs, spec) triangle.
- Collapse multi-line WHY comments on four tests to one line.
Cynocracy previously approved these changes, Apr 29, 2026
guenp approved these changes, Apr 29, 2026
Summary
- Tighten SECURITY.md and route reports to security@ionq.co only. Private vulnerability reporting is disabled on the repo, so the previous "preferred" link rendered a dead form for external reporters; the security team monitors the email channel. Also fixes the stale "channels above" plural left behind in the safe-harbor paragraph.
- Prune tests/test_docs_consistency.py per "test only what is likely to drift AND likely to be bad": drop test_retryable_status_codes_match_runtime (tautological self-pin), test_session_example_backend_consistent (stylistic, reviewer-visible), and the three *_canonical description tests (description rarely changes, divergence is benign).
- Drop test_default_base_url_matches_spec_servers. Under the documented regen workflow DEFAULT_BASE_URL -> docs -> curl URL -> spec path are chained, and test_spec_path_matches_default_base_url already pins DEFAULT_BASE_URL.path into CONTRIBUTING.md and spec-drift.yml. Verified by fetching https://api-staging.ionq.co/v0.4/api-docs and regenerating end-to-end: staging declares the prod URL in servers[0] and the generated tree is byte-identical to a prod regen.

Test plan
- uv run pytest tests/test_docs_consistency.py --no-cov passes (22/22, down from 26/26).
- uv run ruff check tests/test_docs_consistency.py clean.
- uv run ruff format --check tests/test_docs_consistency.py clean.
- curl https://api-staging.ionq.co/v0.4/api-docs returns 200, generator runs cleanly, diff -rq of staging-generated vs prod-generated trees is empty.
- SECURITY.md renders correctly on GitHub with the email-only intake.

Important
Most code in ionq_core/ is auto-generated and overwritten on regeneration. See CONTRIBUTING.md for which files are safe to edit.
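The path-only comparison described in the commit messages (compare urlparse(...).path of DEFAULT_BASE_URL against openapi.json's servers[0], ignore the host, and pin the same version path into the documented fetch URL) as an added example. This is illustrative code written for this page, not the repository's tests/test_docs_consistency.py: the DEFAULT_BASE_URL value, the three spec excerpts and the CONTRIBUTING.md text are constructed, and every function name is hypothetical. It shows the property the PR wants: a staging regeneration with the same /v0.4 path passes, a /v0.5 bump fails until the default is updated, and a docs fetch URL under /v0.45 does not satisfy a /v0.4 pin.

```python
"""Added example (not the repository's tests/test_docs_consistency.py):
version-path pins for the (DEFAULT_BASE_URL, spec, docs) triangle.

The base URL, the spec excerpts and the CONTRIBUTING text below are all
constructed for illustration; the function names are hypothetical.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed value of the runtime default; the real constant lives in the client.
DEFAULT_BASE_URL = "https://api.ionq.co/v0.4"

# Constructed stand-ins for openapi.json's "servers" list under three regens.
SPEC_PROD = {"servers": [{"url": "https://api.ionq.co/v0.4"}]}
SPEC_STAGING = {"servers": [{"url": "https://api-staging.ionq.co/v0.4"}]}
SPEC_BUMPED = {"servers": [{"url": "https://api.ionq.co/v0.5"}]}

# Constructed CONTRIBUTING.md excerpt carrying the documented fetch URL.
CONTRIBUTING_MD = (
    "Regenerate the client with:\n\n"
    "    curl https://api.ionq.co/v0.4/api-docs -o openapi.json\n"
)


def version_path(url: str) -> str:
    """Normalised path component of a URL ('/v0.4/' and '/v0.4' both -> '/v0.4')."""
    return urlparse(url).path.rstrip("/") or "/"


def spec_path_matches_default(spec: dict, default_base_url: str = DEFAULT_BASE_URL) -> bool:
    """True when servers[0] and the default base URL agree on the version path.

    The host is ignored on purpose: it only records which environment the
    spec was fetched from, and the runtime base URL is overridable anyway.
    The version path is the API contract worth pinning, so a staging regen
    passes while a /v0.4 -> /v0.5 bump fails until the default is updated.
    """
    servers = spec.get("servers") or []
    if not servers or "url" not in servers[0]:
        return False
    return version_path(servers[0]["url"]) == version_path(default_base_url)


def docs_urls(markdown: str) -> list[str]:
    """All http(s) URLs found in a docs file."""
    return re.findall(r"https?://[^\s\"'<>)]+", markdown)


def docs_pin_default_path(markdown: str, default_base_url: str = DEFAULT_BASE_URL) -> bool:
    """True when a documented fetch URL lives under the default version path.

    '/v0.4/api-docs' satisfies a default of '/v0.4'; '/v0.45/api-docs' does
    not, because the prefix check requires the following '/'.
    """
    want = version_path(default_base_url)
    for url in docs_urls(markdown):
        path = version_path(url)
        if path == want or path.startswith(want + "/"):
            return True
    return False


def triangle_consistent(spec: dict, markdown: str,
                        default_base_url: str = DEFAULT_BASE_URL) -> dict[str, bool]:
    """The two edges worth keeping: spec <-> default and docs <-> default.

    The docs <-> spec edge then follows: if the documented fetch URL and
    servers[0] both sit under the default version path, they agree.
    """
    return {
        "spec_matches_default": spec_path_matches_default(spec, default_base_url),
        "docs_pin_default": docs_pin_default_path(markdown, default_base_url),
    }


if __name__ == "__main__":
    for name, spec in [("prod", SPEC_PROD), ("staging", SPEC_STAGING), ("bumped", SPEC_BUMPED)]:
        print(name, triangle_consistent(spec, CONTRIBUTING_MD))
```

The trailing-slash normalisation in version_path matters in practice: a spec fetched from a URL ending in "/v0.4/" would otherwise fail a pin against "/v0.4" for a difference that carries no contract meaning.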