fix(sdk): invalidate cached secrets after invalid-secrets responses #3957
Merged
bekossy merged 5 commits into release/v0.94.2 from Mar 12, 2026
- Add TTLLRUCache.pop() method that removes and returns the cached value
- Refactor get/set/invalidate secrets cache into dedicated helper functions
- Invalidate secrets cache when a 400 response containing 'No API key found for model' is detected (FastAPI middleware)
- Invalidate secrets cache when _has_invalid_secrets_error detects an invalid-secrets status type or message (workflow service middleware)
- Add _has_invalid_secrets_error() helper for structured response inspection
- Add unit tests covering pop, cache roundtrip, and error detection
junaway
approved these changes
Mar 12, 2026
Motivation
- invalid-secrets error lets the next request fetch fresh secrets immediately.

Description
- delete() to TTLLRUCache to support targeted cache eviction via TTLLRUCache.delete().
- invalidate_secrets_cache(credentials) to the running vault middleware and wired it to remove the credential-scoped get_secrets cache entry when a workflow response contains a status.type ending with #v0:schemas:invalid-secrets.
- invalidate_secrets_cache(credentials) when a workflow invocation returns the invalid-secrets status so SDK-run invocations trigger eviction.
- 400 responses and invalidate the cache when the response detail contains "No API key found for model" to cover serving-mode responses.
- TTLLRUCache.delete() and invalidate_secrets_cache() behavior.

Testing
- ruff format on modified files which completed successfully.
- ruff check --fix which reported all checks passed.
- sdk/tests/pytest/unit/test_vault_cache_invalidation.py and attempted to run them via pytest, but execution in this environment failed due to repo pytest addopts/plugins and missing runtime dependency pydantic required to import the agenta package.
- python -m compileall for modified modules which succeeded.

Codex Task
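The eviction flow this pull request describes, as an added example that is not the SDK's code: a credential-scoped entry is served from a TTL/LRU cache until a response reports invalid secrets, then removed so the next request reloads. The class internals, the `clock` parameter, the helper names `cached_get_secrets` and `invalidate_on_error`, their signatures, and the use of the credentials string as the cache key are assumptions; the status-type suffix and the 400 detail string are the ones quoted above.

```python
import time
from collections import OrderedDict

INVALID_SECRETS_SUFFIX = "#v0:schemas:invalid-secrets"  # status.type suffix from the PR text
MISSING_KEY_DETAIL = "No API key found for model"  # 400 detail from the PR text


class TTLLRUCache:  # assumed design for this sketch, not the SDK's class
    def __init__(self, capacity=128, ttl=300.0, clock=time.monotonic):
        self.capacity, self.ttl, self.clock = capacity, ttl, clock
        self._items = OrderedDict()  # key -> (expires_at, value)

    def get(self, key):
        entry = self._items.get(key)
        if entry is None or entry[0] <= self.clock():
            self._items.pop(key, None)  # never serve an expired entry
            return None
        self._items.move_to_end(key)  # mark as most recently used
        return entry[1]

    def put(self, key, value):
        self._items[key] = (self.clock() + self.ttl, value)
        self._items.move_to_end(key)
        while len(self._items) > self.capacity:
            self._items.popitem(last=False)  # evict the least recently used entry

    def pop(self, key):  # remove the entry; return its value if still live, else None
        entry = self._items.pop(key, None)
        return entry[1] if entry and entry[0] > self.clock() else None


def has_invalid_secrets_error(status_code=None, detail="", status_type=""):
    """True for either signal the PR names: the status type or the 400 detail."""
    typed = str(status_type).endswith(INVALID_SECRETS_SUFFIX)
    return typed or (status_code == 400 and MISSING_KEY_DETAIL in str(detail))


def cached_get_secrets(cache, credentials, load):
    """Hypothetical helper: cached secrets for these credentials, load() on a miss."""
    secrets = cache.get(credentials)
    if secrets is None:
        secrets = load(credentials)
        cache.put(credentials, secrets)
    return secrets


def invalidate_on_error(cache, credentials, **response):
    """Hypothetical helper: evict the entry when the response reports bad secrets."""
    if has_invalid_secrets_error(**response):
        cache.pop(credentials)
```

Without the eviction step, a rotated or revoked provider key would keep being served from the cache until its TTL ran out, and every request in that window would fail the same way.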