fix(acl): enforce list type for identity_types and roles condition values

Per spec, identity_types and roles condition values MUST be lists.
_IdentityTypesHandler accepted bare strings (matching by equality),
_RolesHandler crashed on non-iterable values like int.

Both now return False for non-list input.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tercel

src/apcore/acl.py

@@ -574,4 +574,3 @@ def reload(self) -> None:
 # ---------------------------------------------------------------------------
 ACL.register_condition("$or", _OrHandler(ACL._evaluate_conditions))
 ACL.register_condition("$not", _NotHandler(ACL._evaluate_conditions))
-

src/apcore/acl_handlers.py

@@ -44,24 +44,31 @@ async def evaluate(self, value: Any, context: Context) -> bool: ...
 
 
 class _IdentityTypesHandler:
-    """Check context.identity.type matches allowed value(s)."""
+    """Check context.identity.type matches allowed value(s).
+
+    Per spec, identity_types condition value MUST be a list.
+    """
 
     def evaluate(self, value: Any, context: Context) -> bool:
         if context.identity is None:
             return False
-        if isinstance(value, list):
-            return context.identity.type in value
-        return context.identity.type == value
+        if not isinstance(value, list):
+            return False
+        return context.identity.type in value
 
 
 class _RolesHandler:
-    """Check role overlap between identity and required roles."""
+    """Check role overlap between identity and required roles.
+
+    Per spec, roles condition value MUST be a list.
+    """
 
     def evaluate(self, value: Any, context: Context) -> bool:
         if context.identity is None:
             return False
-        required = {value} if isinstance(value, str) else set(value)
-        return bool(set(context.identity.roles) & required)
+        if not isinstance(value, list):
+            return False
+        return bool(set(context.identity.roles) & set(value))
 
 
 class _MaxCallDepthHandler:

src/apcore/utils/normalize.py

@@ -50,7 +50,7 @@ def _to_snake_case(segment: str) -> str:
                 if i + 1 < len(segment) and segment[i + 1].islower():
                     res.append("_")
         res.append(char.lower())
-    
+
     return "".join(res).replace("__", "_")
 
 

tests/test_conformance.py

@@ -14,7 +14,6 @@
 from __future__ import annotations
 
 import json
-import logging
 import os
 from pathlib import Path
 from typing import Any
@@ -123,8 +122,7 @@ def _cleanup_globals() -> Any:
 def test_pattern_matching(case: dict[str, Any]) -> None:
     result = match_pattern(case["pattern"], case["value"])
     assert result == case["expected"], (
-        f"match_pattern({case['pattern']!r}, {case['value']!r}) "
-        f"returned {result}, expected {case['expected']}"
+        f"match_pattern({case['pattern']!r}, {case['value']!r}) " f"returned {result}, expected {case['expected']}"
     )
 
 
@@ -143,8 +141,7 @@ def test_pattern_matching(case: dict[str, Any]) -> None:
 def test_specificity(case: dict[str, Any]) -> None:
     score = calculate_specificity(case["pattern"])
     assert score == case["expected_score"], (
-        f"calculate_specificity({case['pattern']!r}) "
-        f"returned {score}, expected {case['expected_score']}"
+        f"calculate_specificity({case['pattern']!r}) " f"returned {score}, expected {case['expected_score']}"
     )
 
 
@@ -396,10 +393,7 @@ def test_config_env(case: dict[str, Any], monkeypatch: pytest.MonkeyPatch) -> No
             result = str(result).lower()
         if expected is not None:
             expected = str(expected).lower()
-        assert result == expected, (
-            f"config.get({case['expected_path']!r}) = {result!r}, "
-            f"expected {expected!r}"
-        )
+        assert result == expected, f"config.get({case['expected_path']!r}) = {result!r}, " f"expected {expected!r}"
 
 
 # ---------------------------------------------------------------------------
@@ -579,14 +573,11 @@ def test_schema_validation(
 
     result = validator.validate(input_data, model)
     assert result.valid == expected_valid, (
-        f"schema_validate({case['id']}) valid={result.valid}, "
-        f"expected={expected_valid}, errors={result.errors}"
+        f"schema_validate({case['id']}) valid={result.valid}, " f"expected={expected_valid}, errors={result.errors}"
     )
 
     # Verify error path when expected
     if not expected_valid and "expected_error_path" in case:
         error_paths = [e.path for e in result.errors]
         expected_path = "/" + case["expected_error_path"].replace(".", "/").replace("[", "/").replace("]", "")
-        assert any(expected_path in p for p in error_paths), (
-            f"Expected error at {expected_path}, got {error_paths}"
-        )
+        assert any(expected_path in p for p in error_paths), f"Expected error at {expected_path}, got {error_paths}"