Skip to content

Release SDK updates#451

Merged
sagrawal-byte merged 8 commits into
mainfrom
stainless/release
Jul 18, 2026
Merged

Release SDK updates#451
sagrawal-byte merged 8 commits into
mainfrom
stainless/release

Conversation

@stlc-workflow-app

Copy link
Copy Markdown
Contributor

cac9173 docs: expose fine-tune artifact ids

Stainless-Generated-From: 40d744a6a4a807b2180882953696ff38d0bc74cc
@broly-code-security-scanner

broly-code-security-scanner Bot commented Jul 16, 2026

Copy link
Copy Markdown

Broly Security Scan

Note

Summary

7 actionable finding(s) in this PR

  • 🟡 7 medium

5 highest-priority actionable rows in the table below (critical/high first, then top medium).

Severity Scanner Issue Location Dismiss Verdict
🟡 MEDIUM SCA aiohttp@3.13.3 — 42 vulnerabilities (worst:
GHSA-2fqr-mr3j-6wp8)
→ >= 3.14.1
uv.lock:1 d1 🔺 TRUE_POSITIVE · Confidence: HIGH
🟡 MEDIUM SCA pygments@2.19.2 — 2 vulnerabilities (worst:
GHSA-5239-wwwm-4pmq)
→ >= 2.20.0
uv.lock:1 d4 🔺 TRUE_POSITIVE · Confidence: HIGH
🟡 MEDIUM SCA pillow@12.1.1 — 18 vulnerabilities (worst:
GHSA-5xmw-vc9v-4wf2)
→ >= 12.3.0
uv.lock:1 d3 🔺 TRUE_POSITIVE · Confidence: HIGH
🟡 MEDIUM SCA idna@3.11 — 2 vulnerabilities (worst:
GHSA-65pc-fj4g-8rjx)
→ >= 3.15
uv.lock:1 d2 🔺 TRUE_POSITIVE · Confidence: HIGH
🟡 MEDIUM SCA pytest@9.0.2 — 2 vulnerabilities (worst:
GHSA-6w46-j5rx-g56g)
→ >= 9.0.3
uv.lock:1 d5 🔺 TRUE_POSITIVE · Confidence: HIGH

Dismiss false positives

Each dismissable row has a Dismiss key (d1, d2, …) in the table above. Reply to this comment (or post on the PR) with /broly dismiss d2: your reason to mark a false positive, or /broly undismiss d2 to reverse it. Broly records every dismissal in the section below this comment (updated in place) and suppresses the finding on the next scan.

Key Finding
d1 🟡 MEDIUM · aiohttp@3.13.3 — 42 vulnerabilities (worst: GHSA-2fqr-mr3j-6wp8) · uv.lock:1
d2 🟡 MEDIUM · idna@3.11 — 2 vulnerabilities (worst: GHSA-65pc-fj4g-8rjx) · uv.lock:1
d3 🟡 MEDIUM · pillow@12.1.1 — 18 vulnerabilities (worst: GHSA-5xmw-vc9v-4wf2) · uv.lock:1
d4 🟡 MEDIUM · pygments@2.19.2 — 2 vulnerabilities (worst: GHSA-5239-wwwm-4pmq) · uv.lock:1
d5 🟡 MEDIUM · pytest@9.0.2 — 2 vulnerabilities (worst: GHSA-6w46-j5rx-g56g) · uv.lock:1
d6 🟡 MEDIUM · urllib3@2.6.3 — 4 vulnerabilities (worst: GHSA-mf9v-mfxr-j63j) · uv.lock:1
d7 🟡 MEDIUM · Host key verification is disabled for the second hop (bastion to target host)... · src/together/lib/cli/api/beta/clusters/ssh.py:445

Note

Re-scan this PR anytime with /broly scan — useful after /broly undismiss, or to refresh findings without a new push.

Broly — SAST (zai-org/GLM-5.2) · Secrets · SCA · GH Actions (zizmor) · Containers · SBOM · Powered by Together AI

github-actions Bot and others added 7 commits July 16, 2026 15:06
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Stainless-Generated-From: 921be61e3d30644afe08371cc347e9bbe75e4892
Stainless-Generated-From: 1d5c88ae86529cdbe0347cc071cbea0df49b4769
`tg beta clusters ssh` authenticates entirely via the cluster's Dex OIDC flow +
step-ca signed SSH certificate — it makes no Together API calls. It used to work
with no API key, but #25 added an unconditional `_resolve_project_id` (whoami())
to the global launcher that runs before every command dispatches, so the keyless
ssh command started requiring a valid API key.

Detect the command via preparse_tokens before creating the client and skip
`_create_client` + the whoami() for an allowlist of out-of-band-auth commands
(currently just `clusters ssh`). The client is None on that path; ssh() doesn't
take `config` so nothing dereferences it, and the finally-block close() is
guarded. Every API-backed command keeps its existing api-key gate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ng clean

- beta clusters ssh: disable host-key verification on the second hop
  (bastion -> target). Cluster hosts are ephemeral (CAPI-reprovisioned,
  cert-based user auth) so their host keys aren't pinned; trust is the
  step-ca user certificate. First hop (client -> bastion) keeps
  StrictHostKeyChecking=ask. Drops the now-unused known_hosts_path.
- Rework the keyless-ssh fix to keep CLIConfig.client non-Optional: add
  require_api_key to _create_client (waived for no-auth commands) and skip
  the whoami() there, instead of typing client Optional (which rippled
  union-attr errors across ~80 API-backed call sites).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…osts_path

Existing _ssh_command/_ssh_config_entry tests still passed the removed
known_hosts_path arg and asserted the old StrictHostKeyChecking=ask /
known_hosts second hop (pyright: 'Expected 6 positional arguments'). Update
them to the new signature + assert the second hop is StrictHostKeyChecking=no
/ UserKnownHostsFile=/dev/null while the first hop (in ProxyCommand) stays
=ask. Fixes CI lint (pyright).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
fix(cli): [TCL-7938] keyless OIDC `beta clusters ssh` + insecure second hop
@sagrawal-byte
sagrawal-byte merged commit 64bc7dd into main Jul 18, 2026
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant