Skip to content

v3.1 (3/N): docs + autoconfig integration tests#8

Merged
jlc488 merged 1 commit into
mainfrom
v3.1.0/docs-and-autoconfig-tests
May 23, 2026
Merged

v3.1 (3/N): docs + autoconfig integration tests#8
jlc488 merged 1 commit into
mainfrom
v3.1.0/docs-and-autoconfig-tests

Conversation

@jlc488
Copy link
Copy Markdown
Collaborator

@jlc488 jlc488 commented May 23, 2026

Summary

Cleans up the v3.1 baseline before tagging. Catches up the docs that were drifting (matrix / install tabs / config / security-model) and adds the autoconfig integration tests that were missing for the new modules.

Docs (en/ko, symmetric)

File Change
docs/index.md / .ko.md Module matrix gets -llm and -langchain4j rows; WebClient row notes the new URL+DNS coverage
README.md / README.ko.md Same matrix at the repo front-door
docs/getting-started/installation.md / .ko.md Two new install tabs: LangChain4j tool execution + Custom tool dispatcher (ssrf-guard-llm for advanced users)
docs/guides/configuration.md / .ko.md New "LLM-adapter properties" section documenting ssrf.guard.springai.wrap-tool-callbacks and ssrf.guard.langchain4j.wrap-tool-executors
docs/guides/security-model.md / .ko.md The "what this doesn't protect" bullet was stale (mentioned RestClient only); now lists every v3.1 module + a dedicated bullet on the WebClient URL→URL+DNS upgrade

Autoconfig integration tests

SsrfGuardLangchain4jAutoConfigurationTest (new)

Boots a Spring context with the autoconfig active, declares a consumer @Bean ToolExecutor, and asserts:

  • The BeanPostProcessor wraps it (instanceof check)
  • End-to-end block on an AWS metadata URL — LLM sees the structured JSON error
  • End-to-end allow on a whitelisted URL — delegate's PRETEND-FETCHED echo
  • wrap-tool-executors=false correctly leaves the bean unwrapped (off switch for manual-wrap workflows)

SsrfGuardWebClientAutoConfigurationTest extended

Previously only checked filter / customizer / builder. Added assertions for the v3.1 beans:

  • ssrfReactorClientHttpConnector (the ReactorClientHttpConnector with our resolver attached)
  • ssrfReactorAddressResolverGroup (the resolver group itself, exposed so consumers with their own connector can still attach our resolver)

If a future refactor silently drops either bean, these tests catch it.

Counts

Stage Total tests
Pre-v3.1 (v3.0.1 main) 182
After PR #6 (-llm + -langchain4j core) 199
After PR #7 (-webclient DNS resolver) 204
This PR (+ autoconfig tests) 210

All green locally. Module count unchanged.

Test plan

  • ./gradlew build — all 11 modules pass
  • CI green
  • Render check the four updated doc pages on GitHub web

What's left in v3.1

  • Phase 5 — GraalVM Native Image hints
  • Phase 6 — CHANGELOG entry final form, tag v3.1.0, demo bumps in devslab-examples (including the new ssrf-guard-langchain4j-demo, prepared locally pending Maven Central release)

@jlc488
v3.1: docs refresh (en/ko) + autoconfig integration tests
cec57fe 
Cleans up the v3.1 baseline before tagging:

Docs (en/ko, symmetric):
  - index.md / .ko.md            — module matrix gets -llm and
                                    -langchain4j rows; webclient row
                                    notes the new URL+DNS coverage.
  - README.md / .ko.md            — same matrix in the repo's front-door.
  - installation.md / .ko.md      — two new install tabs (LangChain4j
                                    tool execution, Custom tool
                                    dispatcher via ssrf-guard-llm).
  - guides/configuration.md/.ko.md — new "LLM-adapter properties"
                                     section documenting
                                     `ssrf.guard.springai.wrap-tool-callbacks`
                                     and the new
                                     `ssrf.guard.langchain4j.wrap-tool-executors`.
  - guides/security-model.md/.ko.md — the "what this doesn't protect"
                                       bullet was stale (mentioned
                                       RestClient only); now covers
                                       every module v3.1+ ships. Added
                                       a dedicated bullet about the
                                       WebClient URL-time → URL+DNS
                                       upgrade.

Autoconfig integration tests:
  - SsrfGuardLangchain4jAutoConfigurationTest — boots a Spring context
    with the autoconfig, declares a consumer @bean ToolExecutor, then
    asserts:
      * the BeanPostProcessor wrapped it (instanceof check)
      * end-to-end block on an AWS metadata URL (LLM sees the
        structured JSON error)
      * end-to-end allow on a whitelisted URL (delegate's
        PRETEND-FETCHED echo)
      * `wrap-tool-executors=false` correctly leaves the bean
        unwrapped — the off switch for manual-wrap workflows.

  - SsrfGuardWebClientAutoConfigurationTest extended to verify the
    new v3.1 beans (ssrfReactorClientHttpConnector,
    ssrfReactorAddressResolverGroup) are registered. Previously the
    test only checked filter / customizer / builder; the new beans
    silently going missing in a future refactor would have flown
    under the radar.

Tests now total 210 across 11 modules (up from 199 in PR #6 and
204 after PR #7).
@jlc488 jlc488 merged commit 7cb6e3e into main May 23, 2026
1 check passed
@jlc488 jlc488 mentioned this pull request May 23, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jlc488