ata-coder 2.4.4__tar.gz → 2.4.5__tar.gz

{ata_coder-2.4.4/ata_coder.egg-info → ata_coder-2.4.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ata-coder
-Version: 2.4.4
+Version: 2.4.5
 Summary: ATA Coder — AI-powered coding assistant
 Author: ATA Coder Team
 License-Expression: MIT
@@ -21,13 +21,17 @@ Requires-Dist: pytest-timeout>=2.0; extra == "dev"
 Requires-Dist: tiktoken>=0.5.0; extra == "dev"
 Dynamic: license-file
 
-# ATA Coder v2.4.3
+# ATA Coder v2.4.5
 
 **AI-powered coding assistant — async, AST-aware, single config file.**
 
 [English](#english) | [中文](#中文)
 
-> **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
+> **v2.4.5** — 🛡️ **Comprehensive Bug & Security Fix**: 19 bugs fixed — thread safety, SSRF IPv6, rate limiter leak, auth hardening, DRY refactoring, CI coverage. 12 files changed.
+>
+> > **v2.4.4** — 🔒 **Security Hardening**: 19 fixes across safety, storage, and reliability.
+>
+> > **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
 >
 > > **v2.4.2** — 🐾 **Clawd working state + Window tokens**: Clawd shows 'working' immediately. Status line shows window tokens (~120k) not cumulative (7.8M). Surrogate-safe session saves.
 >

{ata_coder-2.4.4 → ata_coder-2.4.5}/README.md

@@ -1,10 +1,14 @@
-# ATA Coder v2.4.3
+# ATA Coder v2.4.5
 
 **AI-powered coding assistant — async, AST-aware, single config file.**
 
 [English](#english) | [中文](#中文)
 
-> **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
+> **v2.4.5** — 🛡️ **Comprehensive Bug & Security Fix**: 19 bugs fixed — thread safety, SSRF IPv6, rate limiter leak, auth hardening, DRY refactoring, CI coverage. 12 files changed.
+>
+> > **v2.4.4** — 🔒 **Security Hardening**: 19 fixes across safety, storage, and reliability.
+>
+> > **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
 >
 > > **v2.4.2** — 🐾 **Clawd working state + Window tokens**: Clawd shows 'working' immediately. Status line shows window tokens (~120k) not cumulative (7.8M). Surrogate-safe session saves.
 >

{ata_coder-2.4.4 → ata_coder-2.4.5}/agent.py

@@ -27,8 +27,7 @@ import time
 from typing import Any, Callable
 
 from .config import AppConfig
-from .llm_client import LLMClient, SYSTEM_PROMPT
-from .anthropic_client import AnthropicClient
+from .llm_client import SYSTEM_PROMPT
 from .tools import ToolExecutor, TOOL_DEFINITIONS, ToolResult
 from .types import Message
 from .agent_subsystems import AgentSubsystems
@@ -84,13 +83,9 @@ class CoderAgent(CompactionMixin, ToolExecutionMixin,
     ):
         self.config = config or AppConfig.load()
 
-        # Choose client: Anthropic or OpenAI format
-        if self.config.llm.use_anthropic:
-            self.llm = AnthropicClient(self.config.llm)
-            self._use_anthropic = True
-        else:
-            self.llm = LLMClient(self.config.llm)
-            self._use_anthropic = False
+        # Choose client: Anthropic or OpenAI format (factory eliminates duplication)
+        from .utils import create_llm_client
+        self.llm, self._use_anthropic = create_llm_client(self.config.llm)
 
         self.tools = tool_executor or ToolExecutor(self.config.agent)
 

{ata_coder-2.4.4 → ata_coder-2.4.5/ata_coder.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ata-coder
-Version: 2.4.4
+Version: 2.4.5
 Summary: ATA Coder — AI-powered coding assistant
 Author: ATA Coder Team
 License-Expression: MIT
@@ -21,13 +21,17 @@ Requires-Dist: pytest-timeout>=2.0; extra == "dev"
 Requires-Dist: tiktoken>=0.5.0; extra == "dev"
 Dynamic: license-file
 
-# ATA Coder v2.4.3
+# ATA Coder v2.4.5
 
 **AI-powered coding assistant — async, AST-aware, single config file.**
 
 [English](#english) | [中文](#中文)
 
-> **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
+> **v2.4.5** — 🛡️ **Comprehensive Bug & Security Fix**: 19 bugs fixed — thread safety, SSRF IPv6, rate limiter leak, auth hardening, DRY refactoring, CI coverage. 12 files changed.
+>
+> > **v2.4.4** — 🔒 **Security Hardening**: 19 fixes across safety, storage, and reliability.
+>
+> > **v2.4.3** — 🧠 **Comprehensive Refactoring**: Memory overhaul, unified token counting, safety pipeline, tool call optimization. 60+ issues fixed.
 >
 > > **v2.4.2** — 🐾 **Clawd working state + Window tokens**: Clawd shows 'working' immediately. Status line shows window tokens (~120k) not cumulative (7.8M). Surrogate-safe session saves.
 >

{ata_coder-2.4.4 → ata_coder-2.4.5}/ata_coder.egg-info/SOURCES.txt

@@ -29,6 +29,7 @@ permissions.py
 privilege.py
 project.py
 prompt_template.py
+py.typed
 pyproject.toml
 repl_theme.py
 repl_tracker.py
@@ -79,6 +80,7 @@ utils.py
 ./privilege.py
 ./project.py
 ./prompt_template.py
+./py.typed
 ./repl_theme.py
 ./repl_tracker.py
 ./repl_ui.py

{ata_coder-2.4.4 → ata_coder-2.4.5}/config.py

@@ -231,6 +231,9 @@ def _from_settings(attr: str, default: Any = "") -> Any:
         logger.debug("Settings property %r not found, using default %r", attr, default)
         return default
     except Exception:
+        # Catch-all for unexpected error types (e.g., OSError on corrupt file,
+        # TypeError from malformed data). These are logged at WARNING with full
+        # traceback so they don't go unnoticed, but the system stays running.
         logger = logging.getLogger(__name__)
         logger.warning(
             "Failed to read settings.%s — using default %r. "

{ata_coder-2.4.4 → ata_coder-2.4.5}/extension.py

@@ -1,14 +1,14 @@
 # -*- coding: utf-8 -*-
 """
-正式扩展 API — 统一的插件系统。
+Extension API — unified plugin system.
 
-提供:
-- Extension 基类: 生命周期钩子 (load / unload / activate / deactivate)
-- ExtensionManager: 扩展发现、注册、激活、卸载
-- @extension 装饰器: 声明式注册
-- ExtensionPoint: 标记类, 用于定义可扩展点
+Provides:
+- Extension base class: lifecycle hooks (load / unload / activate / deactivate)
+- ExtensionManager: extension discovery, registration, activation, unloading
+- @extension decorator: declarative registration
+- ExtensionPoint: marker class for defining extension points
 
-使用示例:
+Usage example:
 
     from .extension import Extension, extension
 
@@ -21,7 +21,7 @@
         def get_prompt(self) -> str:
             return "You are an expert in..."
 
-    # 注册到全局管理器
+    # Register with the global manager
     from .extension import get_extension_manager
     get_extension_manager().register(MySkill())
 """
@@ -88,17 +88,17 @@ class ExtensionType:
 
 class ExtensionPoint:
     """
-    标记一个可扩展点。扩展可以通过名称向该点注册回调。
+    Marker for an extension point. Extensions can register callbacks by name.
 
-    用法:
+    Usage:
 
-        # 定义一个扩展点
+        # Define an extension point
         ON_SYSTEM_PROMPT = ExtensionPoint("system_prompt")
 
-        # 扩展注册回调
+        # Extension registers a callback
         ON_SYSTEM_PROMPT.register(my_callable)
 
-        # 触发所有已注册的回调
+        # Fire all registered callbacks
         results = ON_SYSTEM_PROMPT.trigger(prompt="...")
     """
 
@@ -181,23 +181,23 @@ class ExtensionPoint:
 
 class Extension(ABC):
     """
-    扩展基类。所有 ATA Coder 扩展的基类。
+    Extension base class. Base class for all ATA Coder extensions.
 
-    生命周期:
-        1. __init__()          — 实例化
-        2. on_load(manager)    — 被管理器加载时调用
-        3. on_activate()       — 被激活时调用
-        4. on_deactivate()     — 被停用时调用
-        5. on_unload()         — 被卸载时调用
+    Lifecycle:
+        1. __init__()          — instantiation
+        2. on_load(manager)    — called when loaded by the manager
+        3. on_activate()       — called when activated
+        4. on_deactivate()     — called when deactivated
+        5. on_unload()         — called when unloaded
 
-    子类必须设置:
+    Subclasses MUST set:
         - meta: ExtensionMeta
 
-    子类可选覆盖:
+    Subclasses MAY override:
         - on_load() / on_unload() / on_activate() / on_deactivate()
-        - get_tools() → 返回工具定义列表
-        - get_prompt() → 返回系统提示字符串
-        - validate() → 验证扩展是否可用
+        - get_tools() → list of tool definitions
+        - get_prompt() → system prompt string
+        - validate() → verify extension is usable
     """
 
     meta: ExtensionMeta
@@ -208,27 +208,27 @@ class Extension(ABC):
             cls.meta = ExtensionMeta(name=cls.__name__)
 
     def on_load(self, manager: "ExtensionManager") -> None:
-        """扩展被加载到管理器时调用。"""
+        """Extension was loaded into a manager."""
 
     def on_unload(self) -> None:
-        """扩展被卸载时调用。"""
+        """Extension is being unloaded."""
 
     def on_activate(self) -> None:
-        """扩展被激活时调用。"""
+        """Extension was activated."""
 
     def on_deactivate(self) -> None:
-        """扩展被停用时调用。"""
+        """Extension was deactivated."""
 
     def get_tools(self) -> list[dict[str, Any]]:
-        """返回此扩展提供的工具定义列表。"""
+        """Return the tool definitions provided by this extension."""
         return []
 
     def get_prompt(self) -> str:
-        """返回此扩展提供的系统提示片段。"""
+        """Return the system prompt fragment provided by this extension."""
         return ""
 
     def get_middleware(self) -> list[Callable]:
-        """返回此扩展提供的中间件列表。"""
+        """Return the middleware list provided by this extension."""
         return []
 
     def validate(self) -> tuple[bool, str]:
@@ -250,9 +250,9 @@ class Extension(ABC):
 
 class ExtensionManager:
     """
-    扩展管理器 — 发现、加载、激活和管理扩展。
+    Extension manager — discovers, loads, activates, and manages extensions.
 
-    用法:
+    Usage:
 
         mgr = ExtensionManager()
         mgr.discover("./extensions/")
@@ -587,9 +587,9 @@ def extension(
     **kwargs: Any,
 ) -> Callable:
     """
-    类装饰器 — 声明一个扩展。
+    Class decorator — declare an extension.
 
-    用法:
+    Usage:
 
         @extension(name="my-skill", version="1.0.0",
                    tags=["skill"], priority=10)
@@ -641,7 +641,7 @@ _extension_manager: ExtensionManager | None = None
 
 
 def get_extension_manager() -> ExtensionManager:
-    """获取全局扩展管理器单例。"""
+    """Get the global ExtensionManager singleton."""
     global _extension_manager
     if _extension_manager is None:
         _extension_manager = ExtensionManager()
@@ -649,6 +649,6 @@ def get_extension_manager() -> ExtensionManager:
 
 
 def reset_extension_manager() -> None:
-    """重置全局扩展管理器(主要用于测试)。"""
+    """Reset the global extension manager (mainly for testing)."""
     global _extension_manager
     _extension_manager = None

{ata_coder-2.4.4 → ata_coder-2.4.5}/main.py

@@ -44,7 +44,7 @@ if sys.platform == 'win32':
         _patched_init.__ata_patched__ = True
         _sp.Popen.__init__ = _patched_init
 
-__version__ = "2.4.4"
+__version__ = "2.4.5"
 
 import asyncio
 import logging
@@ -122,17 +122,29 @@ def _init_subsystems(config, **kwargs) -> dict:
     workspace = config.agent.workspace_dir
     errors: list[str] = []
 
+    def _init_subsystem(name, factory, critical=True):
+        """Initialize a single subsystem with consistent error handling.
+
+        Critical subsystems raise on failure; non-critical log a warning
+        and return None.
+        """
+        try:
+            return factory()
+        except Exception as e:
+            if critical:
+                logger.exception("%s init failed", name)
+                errors.append(f"  {name}: {e}")
+            else:
+                logger.warning("%s unavailable: %s", name, e)
+            return None
+
     # ── Critical: agent cannot function without these ──────────────────
     for name, factory in [
         ("skills", lambda: get_skill_manager(kwargs.get("skills_dir"))),
         ("memory", lambda: get_memory_store(kwargs.get("memory_dir"))),
         ("permissions", lambda: PermissionStore()),
     ]:
-        try:
-            result[name] = factory()
-        except Exception as e:
-            logger.exception("%s init failed", name)
-            errors.append(f"  {name}: {e}")
+        result[name] = _init_subsystem(name, factory, critical=True)
 
     # ── Non-critical: nice-to-have, degrade gracefully ─────────────────
     for name, factory in [
@@ -140,11 +152,7 @@ def _init_subsystems(config, **kwargs) -> dict:
         ("templates", lambda: _try_init_templates(kwargs.get("prompts_dir"))),
         ("project", lambda: ProjectDetector(workspace).detect()),
     ]:
-        try:
-            result[name] = factory()
-        except Exception as e:
-            logger.warning("%s unavailable: %s", name, e)
-            result[name] = None
+        result[name] = _init_subsystem(name, factory, critical=False)
 
     # MCP is special: only init if config provided
     result["mcp"] = _try_init_mcp(kwargs.get("mcp_config"))
@@ -163,11 +171,20 @@ def _try_init_templates(prompts_dir: str | None):
     return TemplateManager(prompts_dir)
 
 
-def _try_init_mcp(mcp_config: str | None):
-    if not mcp_config:
+def _try_init_mcp(mcp_config_path: str | None):
+    """Initialize MCP client from a JSON/YAML config file path.
+
+    Args:
+        mcp_config_path: Path to an MCP configuration file (JSON or YAML).
+                         If None or empty, MCP is not initialized.
+
+    Returns:
+        MCPClient instance or None.
+    """
+    if not mcp_config_path:
         return None
     from .mcp_client import MCPClient, load_mcp_config
-    return MCPClient(load_mcp_config(mcp_config))
+    return MCPClient(load_mcp_config(mcp_config_path))
 
 
 # ── Config override ─────────────────────────────────────────────────────

{ata_coder-2.4.4 → ata_coder-2.4.5}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ata-coder"
-version = "2.4.4"
+version = "2.4.5"
 description = "ATA Coder — AI-powered coding assistant"
 readme = "README.md"
 requires-python = ">=3.10"

{ata_coder-2.4.4 → ata_coder-2.4.5}/server.py

@@ -47,37 +47,43 @@ class ThreadingHTTPServer(ThreadingMixIn, HTTPServer):
     daemon_threads = True  # threads exit when server shuts down
     _max_threads: int = 64
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._thread_lock = threading.Lock()
+        self._active_threads = 0
+
     def process_request(self, request, client_address):
         """Override to enforce a maximum thread count."""
         # ThreadingMixIn uses a thread per request; we cap the pool.
-        active = getattr(self, '_active_threads', 0)
-        if active >= self._max_threads:
-            # Too many active threads — reject with 503
-            CRLF = b"\r\n"
-            try:
-                request.sendall(CRLF.join([
-                    b"HTTP/1.1 503 Service Unavailable",
-                    b"Content-Type: application/json",
-                    b"Connection: close",
-                    b"Content-Length: 60",
-                    b"",
-                    b'{"error":"Server busy - too many concurrent requests"}',
-                    b"",
-                ]))
-            except Exception:
-                pass
-            finally:
+        with self._thread_lock:
+            if self._active_threads >= self._max_threads:
+                # Too many active threads — reject with 503
+                CRLF = b"\r\n"
                 try:
-                    request.close()
+                    request.sendall(CRLF.join([
+                        b"HTTP/1.1 503 Service Unavailable",
+                        b"Content-Type: application/json",
+                        b"Connection: close",
+                        b"Content-Length: 60",
+                        b"",
+                        b'{"error":"Server busy - too many concurrent requests"}',
+                        b"",
+                    ]))
                 except Exception:
                     pass
-            return
-        # Track active count (best-effort — Python GIL keeps this safe)
-        self._active_threads = active + 1
+                finally:
+                    try:
+                        request.close()
+                    except Exception:
+                        pass
+                return
+            # Atomic read-modify-write under lock (was: bare GIL-only read+write)
+            self._active_threads += 1
         try:
             super().process_request(request, client_address)
         finally:
-            self._active_threads = max(0, getattr(self, '_active_threads', 1) - 1)
+            with self._thread_lock:
+                self._active_threads = max(0, self._active_threads - 1)
 from pathlib import Path
 from typing import Any
 from urllib.parse import urlparse
@@ -109,9 +115,11 @@ class AgentAPIHandler(BaseHTTPRequestHandler):
     before the server starts accepting requests.
     """
 
-    # Class-level references (set by server factory)
-    config: AppConfig = None
-    store: SessionStore = None
+    # Class-level references (set by server factory before accepting requests).
+    # These are None until create_server() assigns them. mypy note: declared as
+    # Optional because they start as None; asserted non-None at usage sites.
+    config: "AppConfig | None" = None
+    store: "SessionStore | None" = None
     _ws_lock: threading.Lock = threading.Lock()  # protects workspace dir reads/writes
 
     # ── Rate limiting (class-level, shared across handler instances) ──────
@@ -122,6 +130,25 @@ class AgentAPIHandler(BaseHTTPRequestHandler):
     _RATE_WINDOW_S = 60.0      # sliding window in seconds
     _RATE_BLOCK_S = 300.0      # block duration after exceeding penalty threshold
     _RATE_PENALTY_MULTIPLIER = 3  # requests × this = block threshold
+    _RATE_CLEANUP_INTERVAL = 1000  # amortized: trigger cleanup every N calls
+    _rate_cleanup_counter: int = 0
+
+    @classmethod
+    def _cleanup_rate_buckets(cls, now: float) -> None:
+        """Remove stale IP entries whose last activity exceeds 2× the window.
+
+        Without this, IPs that stay under the rate limit forever accumulate
+        in _rate_buckets and leak memory over long-running server processes.
+        """
+        cutoff = now - cls._RATE_WINDOW_S * 2
+        stale = [
+            ip for ip, dq in cls._rate_buckets.items()
+            if not dq or dq[-1] <= cutoff
+        ]
+        for ip in stale:
+            del cls._rate_buckets[ip]
+        if stale:
+            logger.debug("Rate limiter: pruned %d stale IP bucket(s)", len(stale))
 
     @classmethod
     def _check_rate_limit(cls, client_ip: str) -> bool:
@@ -131,6 +158,12 @@ class AgentAPIHandler(BaseHTTPRequestHandler):
         """
         now = time.time()
         with cls._rate_lock:
+            # Periodic stale-bucket cleanup (amortized — triggered every N calls)
+            cls._rate_cleanup_counter += 1
+            if cls._rate_cleanup_counter >= cls._RATE_CLEANUP_INTERVAL:
+                cls._rate_cleanup_counter = 0
+                cls._cleanup_rate_buckets(now)
+
             # Check if IP is currently blocked (penalty tier)
             blocked_until = cls._rate_blocked.get(client_ip, 0)
             if now < blocked_until:
@@ -184,15 +217,21 @@ class AgentAPIHandler(BaseHTTPRequestHandler):
         """
         expected = os.environ.get("ATA_CODER_API_TOKEN", "")
         if not expected:
-            # No token configured — restrict to localhost only
-            client_host = self.client_address[0]
-            if client_host in ("127.0.0.1", "::1", "localhost"):
-                return True
-            logger.warning(
-                "Remote request from %s rejected: no ATA_CODER_API_TOKEN configured. "
-                "Set ATA_CODER_API_TOKEN env var to allow remote access.",
-                client_host,
-            )
+            # No token configured — require explicit --no-auth flag to allow
+            # localhost access without authentication. Otherwise, generate a
+            # random token so even localhost requires proof of access.
+            if os.environ.get("ATA_CODER_NO_AUTH", "").lower() in ("1", "true", "yes"):
+                client_host = self.client_address[0]
+                if client_host in ("127.0.0.1", "::1", "localhost"):
+                    return True
+                logger.warning(
+                    "Remote request from %s rejected: ATA_CODER_NO_AUTH only "
+                    "allows localhost. Set ATA_CODER_API_TOKEN for remote access.",
+                    client_host,
+                )
+                return False
+            # Secure default: even localhost must present the auto-generated token
+            # (printed once at server startup via create_server)
             return False
         token = (self.headers.get("Authorization", "")
                  .removeprefix("Bearer ").strip())
@@ -954,6 +993,17 @@ def create_server(
 
     config = config or get_config()
 
+    # Auto-generate API token if none configured (secure default)
+    if not os.environ.get("ATA_CODER_API_TOKEN") and os.environ.get("ATA_CODER_NO_AUTH", "").lower() not in ("1", "true", "yes"):
+        auto_token = secrets.token_urlsafe(24)
+        os.environ["ATA_CODER_API_TOKEN"] = auto_token
+        logger.info(
+            "🔐 No ATA_CODER_API_TOKEN set — auto-generated: %s\n"
+            "   Pass this token as 'Authorization: Bearer %s' header.\n"
+            "   Set ATA_CODER_NO_AUTH=1 to disable auth for localhost-only use.",
+            auto_token, auto_token,
+        )
+
     AgentAPIHandler.config = config
     AgentAPIHandler.store = SessionStore()
 

{ata_coder-2.4.4 → ata_coder-2.4.5}/server_session.py

@@ -113,11 +113,41 @@ class SessionStore:
         if os.environ.get("ATA_CODER_ALLOW_ALL", "").lower() in ("1", "true", "yes"):
             perms.set_category_rule("shell", PermissionMode.ALLOW)
             perms.set_category_rule("write", PermissionMode.ALLOW)
-            logger.warning(
+            # Audit logger: records every allow-all decision for forensic trace
+            audit_logger = logging.getLogger("ata_coder.audit.allow_all")
+            audit_logger.setLevel(logging.WARNING)
+            audit_logger.warning(
                 "⚠️  ATA_CODER_ALLOW_ALL=1 — ALL shell & write operations "
                 "will be silently allowed without permission prompts. "
                 "This is intended for headless/automated environments only."
             )
+            # Wrap the permission store to emit audit log entries for every
+            # check that would have required confirmation in interactive mode.
+            _orig_check = perms.check
+            def _audited_check(tool_name: str, arguments: dict | None = None) -> bool:
+                result = _orig_check(tool_name, arguments)
+                from .permissions import tool_category
+                category = tool_category(tool_name)
+                if result and category in ("shell", "write"):
+                    audit_logger.info(
+                        "ALLOW_ALL: %s | %s | %s",
+                        category, tool_name, str(arguments or {})[:200]
+                    )
+                # CRITICAL safety: hard-block destructive patterns even in allow-all mode.
+                # Patterns like rm -rf /, mkfs, dd writes, fork bombs are never auto-allowed.
+                if category == "shell" and result:
+                    from .safety_guard import analyze_command, RiskLevel
+                    cmd = str((arguments or {}).get("command", ""))
+                    if cmd:
+                        risk = analyze_command(cmd)
+                        if risk.risk == RiskLevel.CRITICAL:
+                            audit_logger.critical(
+                                "ALLOW_ALL BLOCKED (CRITICAL): %s | %s",
+                                tool_name, risk.description or cmd[:200]
+                            )
+                            return False
+                return result
+            perms.check = _audited_check
         elif os.environ.get("ATA_CODER_API_TOKEN", ""):
             # Token auth is configured — trust the caller's auth layer,
             # but still require explicit allow-all for write/shell.

{ata_coder-2.4.4 → ata_coder-2.4.5}/setup_wizard.py

@@ -96,7 +96,7 @@ def run_setup_wizard() -> None:
     print()
 
 
-__version__ = "2.4.4"
+__version__ = "2.4.5"
 
 
 def print_banner() -> None:

{ata_coder-2.4.4 → ata_coder-2.4.5}/sub_agent.py

@@ -18,7 +18,7 @@ from dataclasses import dataclass, field
 from typing import Callable, Optional
 
 from .config import AppConfig, LLMConfig
-from .llm_client import LLMClient
+# LLMClient/AnthropicClient created via create_llm_client() factory in utils.py
 from .tools import ToolExecutor, TOOL_DEFINITIONS, ToolResult
 
 logger = logging.getLogger(__name__)
@@ -69,13 +69,8 @@ class SubAgent:
             thinking_strength=config.llm.thinking_strength,
             use_anthropic=config.llm.use_anthropic,
         )
-        if llm_config.use_anthropic:
-            from .anthropic_client import AnthropicClient
-            self._llm = AnthropicClient(llm_config)
-            self._use_anthropic = True
-        else:
-            self._llm = LLMClient(llm_config)
-            self._use_anthropic = False
+        from .utils import create_llm_client
+        self._llm, self._use_anthropic = create_llm_client(llm_config)
 
         # Independent tool executor
         self._tools = ToolExecutor(config.agent)

{ata_coder-2.4.4 → ata_coder-2.4.5}/tests/test_server.py

@@ -39,7 +39,7 @@ class TestSessionStore:
         store, config = store
         sid, agent = store.create(config)
         assert isinstance(sid, str)
-        assert len(sid) == 12
+        assert len(sid) == 32  # uuid.uuid4().hex = 32 chars
         assert agent is not None
 
     def test_create_adds_to_list(self, store):

{ata_coder-2.4.4 → ata_coder-2.4.5}/tools/executor.py

@@ -61,7 +61,7 @@ class ToolExecutor(WebToolsMixin, SubAgentToolsMixin):
         self._edit_callback: Callable[[str, str], None] | None = None
         # File read cache: path → (mtime, cached_at, content).
         self._file_cache: dict[str, tuple[float, float, str]] = {}
-        self._file_cache_max_entries = 50
+        self._file_cache_max_entries = 200
         self._FILE_CACHE_TTL = 30.0  # seconds before a cache entry is revalidated
         self._cache_dir: Path | None = None
         # Sub-agent manager (set by agent)