feat: add X-Permit-Consistent-Update header on facts proxy requests

[omer9564]

Summary

• Adds the X-Permit-Consistent-Update: true header on facts requests that the PDP proxies through forward_request_then_wait_for_update (the wait-for-local-sync flow)
• The backend's opal-interface uses this header to skip sending the control-plane delta update back to PDPs, since the PDP already propagates the update via OPAL Server pubsub after a successful write — removing a duplicate update path
• The fallback proxy route (forward_remaining_requests) does NOT set the header, so generic passthrough requests continue to rely on the standard control-plane delta path

Details

The header is gated behind a new is_consistent_update: bool = False kwarg on FactsClient.build_forward_request and FactsClient.send_forward_request. Only forward_request_then_wait_for_update (called by the explicit consistent-update routes: users, tenants, role_assignments, resource_instances, relationship_tuples) passes True.

Paired with backend changes in permit-backend (branch: omer/per-14392-consistent-updates-duplicated-updates) which:

1. Adds a FastAPI dependency that reads this header on all facts routes
2. Injects is_consistent_update: True into the DB session's AMQP headers
3. Makes opal-interface skip the delta publish when this flag is set

Test plan

• New unit tests for FactsClient.build_forward_request:
  • Verifies header is set when is_consistent_update=True
  • Verifies header is NOT set by default (fallback proxy path)
• All 47 horizon tests pass locally
• Pre-commit clean (ruff, ruff-format)
• Manual end-to-end: with backend change deployed, verify a proxied write results in a single update reaching the PDP (not two)

🤖 Generated with Claude Code

[linear]

PER-14392 Investigate Consistent Updates High latency

[github-actions]

🔍 Vulnerabilities of permitio/pdp-v2:next

📦 Image Reference permitio/pdp-v2:next

digest	sha256:6434e121c5fcf51c63f670e47555127f5871518f18a378ae720cbf9c4e08d84d
vulnerabilities
platform	linux/amd64
size	214 MB
packages	252

📦 Base Image python:3.10-alpine3.22

also known as	3.10.20-alpine3.22
digest	sha256:c8f94b3bb77e6ea9015ccd091b7f8aec1b1fcbca95159675235d9a93788797cd
vulnerabilities

sqlite 3.49.2-r1 (apk) pkg:apk/alpine/sqlite@3.49.2-r1?os_name=alpine&os_version=3.22 Affected range <=3.49.2-r1 Fixed version Not Fixed EPSS Score 0.037% EPSS Percentile 11th percentile Description

go.opentelemetry.io/otel/sdk 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.42.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.006% EPSS Percentile 0th percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

sqlparse 0.5.0 (pypi) pkg:pypi/sqlparse@0.5.0 Allocation of Resources Without Limits or Throttling Affected range <=0.5.3 Fixed version 0.5.4 CVSS Score 6.9 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Description Summary The below gist hangs while attempting to format a long list of tuples. This was found while drafting a regression test for Dja ngo 5.2's composite primary key feature, which allows querying composite fields with tuples.

go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@1.42.0 Memory Allocation with Excessive Size Value Affected range <1.43.0 Fixed version 1.43.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.020% EPSS Percentile 5th percentile Description overview: this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). severity HIGH not claiming: this is a remote dos against every default deployment. claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body. callsite (pinned): exporters/otlp/otlptrace/otlptracehttp/client.go:199 exporters/otlp/otlptrace/otlptracehttp/client.go:230 exporters/otlp/otlpmetric/otlpmetrichttp/client.go:170 exporters/otlp/otlpmetric/otlpmetrichttp/client.go:201 exporters/otlp/otlplog/otlploghttp/client.go:190 exporters/otlp/otlplog/otlploghttp/client.go:221 permalinks (pinned): https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L199 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlptrace/otlptracehttp/client.go#L230 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L170 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlpmetric/otlpmetrichttp/client.go#L201 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L190 https://github.com/open-telemetry/opentelemetry-go/blob/248da958375e4dfb4a1105645107be3ef04b1c59/exporters/otlp/otlplog/otlploghttp/client.go#L221 root cause: each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound. impact: a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom). affected component: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp repro (local-only): unzip poc.zip -d poc cd poc make canonical resp_bytes=33554432 chunk_delay_ms=0 expected output contains: [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [PROOF_MARKER]: resp_bytes=33554432 peak_alloc_bytes=118050512 control (same env, patched target): unzip poc.zip -d poc cd poc make control resp_bytes=33554432 chunk_delay_ms=0 expected control output contains: [CALLSITE_HIT]: otlptracehttp.UploadTraces::io.Copy(resp.Body) [NC_MARKER]: resp_bytes=33554432 peak_alloc_bytes=512232 attachments: poc.zip (attached) PR_DESCRIPTION.md attack_scenario.md poc.zip Fixed in: open-telemetry/opentelemetry-go#8108

busybox 1.37.0-r20 (apk) pkg:apk/alpine/busybox@1.37.0-r20?os_name=alpine&os_version=3.22 Affected range <=1.37.0-r20 Fixed version Not Fixed EPSS Score 0.051% EPSS Percentile 16th percentile Description

[github-actions]

🔍 Vulnerabilities of permitio/pdp-v2:next

📦 Image Reference permitio/pdp-v2:next

digest	sha256:6434e121c5fcf51c63f670e47555127f5871518f18a378ae720cbf9c4e08d84d
vulnerabilities
platform	linux/amd64
size	214 MB
packages	252

📦 Base Image python:3.10-alpine3.22

also known as	3.10.20-alpine3.22
digest	sha256:c8f94b3bb77e6ea9015ccd091b7f8aec1b1fcbca95159675235d9a93788797cd
vulnerabilities

sqlite 3.49.2-r1 (apk) pkg:apk/alpine/sqlite@3.49.2-r1?os_name=alpine&os_version=3.22 Affected range <=3.49.2-r1 Fixed version Not Fixed EPSS Score 0.037% EPSS Percentile 11th percentile Description

go.opentelemetry.io/otel/sdk 1.42.0 (golang) pkg:golang/go.opentelemetry.io/otel/sdk@1.42.0 Untrusted Search Path Affected range >=1.15.0 <=1.42.0 Fixed version 1.43.0 CVSS Score 7.3 CVSS Vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N EPSS Score 0.006% EPSS Percentile 0th percentile Description Summary The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/host_id.go line 42: if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil { Compare with the fixed Darwin path at line 58: result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator. Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris. The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems. Attack Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk Attacker places a malicious kenv binary earlier in $PATH Application initializes OpenTelemetry resource detection at startup hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary Arbitrary code executes in the context of the application Same attack vector and impact as CVE-2026-24051. Suggested Fix Use the absolute path: if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil { On FreeBSD, kenv is located at /bin/kenv.

[Copilot]

Pull request overview

Adds an opt-in request header to facts-service proxy calls made via the “wait-for-local-sync” path, allowing the backend to skip emitting a redundant control-plane delta update when the PDP is already publishing an OPAL pubsub update.

Changes:

• Introduce CONSISTENT_UPDATE_HEADER and an is_consistent_update kwarg on FactsClient.build_forward_request() / send_forward_request(), adding X-Permit-Consistent-Update: true when enabled.
• Set is_consistent_update=True for the consistent-update proxy flow (forward_request_then_wait_for_update).
• Add unit tests asserting the header is present when requested and absent by default.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
horizon/facts/client.py	Adds the consistent-update header constant and gating logic in forwarded request construction/sending.
horizon/facts/router.py	Enables the consistent-update header for the wait-for-local-sync proxy flow.
horizon/tests/test_facts_client.py	Adds tests covering header inclusion/exclusion behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[zeevmoney]

LGTM, small issues.

[zeevmoney]

Tautological constant test

This asserts the constant against its own literal value — if the header is renamed, a developer updates constant and test in lockstep, so the test catches nothing. The other two tests in this file use forward_request.headers.get(CONSISTENT_UPDATE_HEADER) which also references the constant, so neither guards against an accidental rename of the outgoing header spelling.

Suggestion: Delete this test, or replace with an assertion that checks the literal header name is present on the built request:

Example:

async def test_build_forward_request_uses_exact_header_spelling():
    ...
    forward_request = await client.build_forward_request(request, "/users", is_consistent_update=True)
    assert "X-Permit-Consistent-Update" in forward_request.headers

[omer9564]

Replaced with a literal-header-spelling assertion in test_build_forward_request_adds_header_when_consistent_update — now checks "X-Permit-Consistent-Update" in forward_request.headers and value == "true". Tautological constant test removed. Fixed in d02054a.

[zeevmoney]

Router integration is untested

The only place is_consistent_update=True is wired in is here, and nothing tests that the wait-for-update path passes True while the fallback at forward_remaining_requests (router.py:391-392) does not. A future refactor could drop the kwarg silently and reintroduce the exact duplicate-update bug this PR prevents — all unit tests would still pass.

Suggestion: Add a router-level test that mocks FactsClient.send_forward_request, exercises forward_request_then_wait_for_update, and asserts the call received is_consistent_update=True. Add the mirror test for forward_remaining_requests asserting the header is absent on the built request.

[omer9564]

Added router-level coverage in horizon/tests/test_facts_router.py: test_forward_request_then_wait_for_update_sets_consistent_update_flag pins is_consistent_update=True on the wait-for-update path, and test_forward_remaining_requests_does_not_set_consistent_update_header asserts the header is absent on the fallback proxy's built request. Fixed in d02054a.

[zeevmoney]

send_forward_request kwarg passthrough is untested

The kwarg plumbing from send_forward_request into build_forward_request has no direct test. The PR's purpose is propagating this flag across that boundary, so the boundary itself should be covered.

Suggestion: Add a test that patches FactsClient.send and asserts the built request carries X-Permit-Consistent-Update: true when send_forward_request(..., is_consistent_update=True) is called.

[omer9564]

Added test_send_forward_request_propagates_consistent_update_kwarg which patches FactsClient.send, calls send_forward_request(..., is_consistent_update=True), and asserts the built HttpxRequest carries X-Permit-Consistent-Update: true. Fixed in d02054a.

[zeevmoney]

Header value is a magic string literal

"true" is a lowercase string literal the backend likely compares directly. If a future well-intentioned edit changes it to "True" or "1", and the backend does a case-sensitive string compare (e.g. value == "true"), consistent-update routing silently breaks with no test catching it.

Suggestion: Extract the value next to the header name so both are coupled, and document that the backend expects this exact literal:

Example:

CONSISTENT_UPDATE_HEADER = "X-Permit-Consistent-Update"
CONSISTENT_UPDATE_HEADER_VALUE = "true"  # backend compares case-sensitively
...
forward_headers[CONSISTENT_UPDATE_HEADER] = CONSISTENT_UPDATE_HEADER_VALUE

[omer9564]

Extracted CONSISTENT_UPDATE_HEADER_VALUE = "true" alongside the header-name constant in horizon/facts/client.py, with a comment noting the backend expects this exact literal (case-sensitive compare). Fixed in d02054a.