fix(client): use regex for host:port parsing to avoid bare IPv6 misparse

- Replace rsplit(":",1) with _HOST_PORT_RE regex in AsyncCoordinodeClient.__init__
- Add _cypher_param_name() to sanitise property keys before use as Cypher $params
- Push ignore_rels filter into Cypher WHERE so LIMIT applies after filtering
- Use uuid suffix for test node names to prevent collision on retry
- Remove internal GAPS.md reference from xfail reason; set strict=True
- Run uv sync before make proto (grpcio-tools must be installed first)
- Pin all GitHub Actions refs to immutable commit SHAs
- Verify gRPC port 7080 is up alongside HTTP :7084 in CI health wait

Closes #1

Author: polaz

.github/workflows/ci.yml

@@ -10,9 +10,9 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
-      - uses: astral-sh/setup-uv@v4
+      - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a  # v4
         with:
           python-version: "3.11"
 
@@ -28,11 +28,11 @@ jobs:
       matrix:
         python-version: ["3.11", "3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           submodules: recursive
 
-      - uses: astral-sh/setup-uv@v4
+      - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a  # v4
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -55,19 +55,20 @@ jobs:
           - 7080:7080
           - 7084:7084
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           submodules: recursive
 
-      - uses: astral-sh/setup-uv@v4
+      - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a  # v4
         with:
           python-version: "3.11"
 
       - name: Wait for coordinode
         run: |
-          echo "Waiting for coordinode health endpoint..."
+          echo "Waiting for coordinode to be ready (HTTP :7084 + gRPC :7080)..."
           for i in $(seq 1 30); do
-            if curl -sf http://localhost:7084/health >/dev/null 2>&1; then
+            if curl -sf http://localhost:7084/health >/dev/null 2>&1 && \
+               (echo > /dev/tcp/localhost/7080) 2>/dev/null; then
               echo "coordinode is ready (attempt $i)"
               exit 0
             fi

.github/workflows/release-please.yml

@@ -13,7 +13,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38  # v4
         id: rp
         with:
           config-file: release-please-config.json

.github/workflows/release.yml

@@ -27,12 +27,12 @@ jobs:
           - name: llama-index-graph-stores-coordinode
             path: llama-index-coordinode
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           submodules: recursive
           fetch-depth: 0   # hatch-vcs needs full history for tag detection
 
-      - uses: astral-sh/setup-uv@v4
+      - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a  # v4
         with:
           python-version: "3.11"
 
@@ -48,7 +48,7 @@ jobs:
         run: uv run python -m build
 
       - name: Upload dist artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: dist-${{ matrix.package.name }}
           path: ${{ matrix.package.path }}/dist/
@@ -68,12 +68,12 @@ jobs:
           - langchain-coordinode
           - llama-index-graph-stores-coordinode
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
         with:
           name: dist-${{ matrix.package }}
           path: dist/
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # release/v1
         with:
           packages-dir: dist/
 
@@ -84,13 +84,13 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
         with:
           pattern: dist-*
           merge-multiple: true
           path: dist/
 
-      - uses: softprops/action-gh-release@v2
+      - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe  # v2
         with:
           prerelease: ${{ contains(github.ref_name, 'a') || contains(github.ref_name, 'b') || contains(github.ref_name, 'rc') }}
           generate_release_notes: true

Makefile

@@ -27,15 +27,18 @@ proto-check:
 	@test -f $(PROTO_OUT)/coordinode/v1/query/cypher_pb2.py || \
 		(echo "ERROR: Proto stubs not generated. Run: make proto" && exit 1)
 
-# Install using uv (recommended for contributors)
-install: proto
+# Install using uv (recommended for contributors).
+# uv sync runs first — it installs grpcio-tools which proto generation requires.
+install:
 	uv sync
+	$(MAKE) proto
 
 # Install using pip (alternative — works without uv)
-install-pip: proto
+install-pip:
 	pip install -e "coordinode[dev]"
 	pip install -e langchain-coordinode/
 	pip install -e llama-index-coordinode/
+	$(MAKE) proto
 
 test: proto-check test-unit
 

coordinode/client.py

@@ -6,6 +6,7 @@
 
 import asyncio
 import logging
+import re
 from collections.abc import Sequence
 from typing import Any
 
@@ -22,6 +23,12 @@
 
 logger = logging.getLogger(__name__)
 
+# Matches "host:port" strings where host is either a bracketed IPv6 address
+# ([::1], [2001:db8::1]) or a name/IPv4 with no colons.  Unbracketed IPv6
+# addresses (e.g. "2001:db8::1") are intentionally NOT matched — they cannot
+# be reliably distinguished from a "host:port" pair.
+_HOST_PORT_RE = re.compile(r"^(\[.+\]|[^:]+):(\d+)$")
+
 # ── Low-level helpers ────────────────────────────────────────────────────────
 
 
@@ -105,13 +112,11 @@ def __init__(
         timeout: float = 30.0,
     ) -> None:
         # Support "host:port" as a single string (common gRPC convention).
-        # Parse whenever the last colon-delimited segment is numeric, regardless
-        # of default port. IPv6 bracket notation ([::1]:7080) is handled correctly
-        # by rsplit(":", 1): "[::1]" + "7080".
-        if ":" in host:
-            _h, _p = host.rsplit(":", 1)
-            if _p.isdigit():
-                host, port = _h, int(_p)
+        # _HOST_PORT_RE matches "hostname:port" and "[IPv6]:port" but not bare
+        # IPv6 addresses, avoiding the ambiguity of rsplit(":", 1) on "::1".
+        m = _HOST_PORT_RE.match(host)
+        if m:
+            host, port = m.group(1), int(m.group(2))
         self._host = host
         self._port = port
         self._tls = tls

llama-index-coordinode/llama_index/graph_stores/coordinode/base.py

@@ -24,6 +24,19 @@ def _cypher_ident(value: str) -> str:
     return f"`{value.replace('`', '``')}`"
 
 
+def _cypher_param_name(key: str) -> str:
+    """Return a valid Cypher parameter name derived from *key*.
+
+    Cypher parameter names must be valid identifiers (letters, digits, ``_``).
+    Replace any other character with ``_`` and prepend ``p_`` when the result
+    starts with a digit.
+    """
+    safe = "".join(c if c.isalnum() or c == "_" else "_" for c in key)
+    if safe and safe[0].isdigit():
+        safe = f"p_{safe}"
+    return safe or "p_"
+
+
 class CoordinodePropertyGraphStore(PropertyGraphStore):
     """LlamaIndex ``PropertyGraphStore`` backed by CoordiNode.
 
@@ -78,9 +91,15 @@ def get(
                 node_id = str(row.get("_nid", ""))
                 nodes.append(_node_result_to_labelled(node_id, node_data))
         elif properties:
-            where_clauses = " AND ".join(f"n.{_cypher_ident(k)} = ${k}" for k in properties)
+            # Build param mapping: safe Cypher param name → original value.
+            # Property keys may contain hyphens or other chars invalid in
+            # Cypher parameter names; _cypher_param_name() sanitises them.
+            param_map = {_cypher_param_name(k): v for k, v in properties.items()}
+            where_clauses = " AND ".join(
+                f"n.{_cypher_ident(k)} = ${_cypher_param_name(k)}" for k in properties
+            )
             cypher = f"MATCH (n) WHERE {where_clauses} RETURN n, n.id AS _nid LIMIT 1000"
-            result = self._client.cypher(cypher, params=properties)
+            result = self._client.cypher(cypher, params=param_map)
             for row in result:
                 node_data = row.get("n", {})
                 node_id = str(row.get("_nid", ""))
@@ -145,15 +164,23 @@ def get_rel_map(
             return []
 
         node_ids = [n.id for n in graph_nodes]
-        ignored = set(ignore_rels) if ignore_rels else set()
+        ignored = list(ignore_rels) if ignore_rels else []
+
+        # Push ignore_rels filter into Cypher so LIMIT applies after filtering;
+        # a Python-side filter after LIMIT would silently truncate valid results.
+        params: dict[str, object] = {"ids": node_ids}
+        ignore_clause = ""
+        if ignored:
+            ignore_clause = " AND NONE(rel IN r WHERE type(rel) IN $ignored_rels)"
+            params["ignored_rels"] = ignored
 
         cypher = (
             f"MATCH (n)-[r*1..{depth}]->(m) "
-            f"WHERE id(n) IN $ids "
+            f"WHERE id(n) IN $ids{ignore_clause} "
             f"RETURN n, r, m, id(n) AS _src_id, id(m) AS _dst_id "
             f"LIMIT {limit}"
         )
-        result = self._client.cypher(cypher, params={"ids": node_ids})
+        result = self._client.cypher(cypher, params=params)
 
         triplets: list[list[LabelledNode]] = []
         for row in result:
@@ -163,10 +190,6 @@ def get_rel_map(
             dst_id = str(row.get("_dst_id", ""))
             # Variable-length path [r*1..N] returns a list of relationship dicts.
             rels = row.get("r", [])
-            # Skip paths that contain any ignored relationship type.
-            if ignored and isinstance(rels, list):
-                if any(isinstance(r, dict) and r.get("type") in ignored for r in rels):
-                    continue
             if isinstance(rels, list) and rels:
                 first_rel = rels[0]
                 rel_label = first_rel.get("type", "RELATED") if isinstance(first_rel, dict) else str(first_rel)

tests/integration/test_basic.py

@@ -8,6 +8,7 @@
 """
 
 import os
+import uuid
 
 import pytest
 
@@ -37,35 +38,36 @@ def test_cypher_return_literal(client):
 def test_create_and_get_node(client):
     # CREATE returns the node as an integer ID; RETURN n.prop verifies properties.
     # Note: id(n) is not yet implemented in alpha — use RETURN n.name.
+    # UUID suffix prevents collisions when tests run in parallel or are retried.
+    name = f"sdk-test-node-{uuid.uuid4().hex[:8]}"
     result = client.cypher(
         "CREATE (n:IntegrationTest {name: $name}) RETURN n.name AS name",
-        params={"name": "sdk-test-node"},
+        params={"name": name},
     )
     assert result, "CREATE returned no rows"
-    assert result[0]["name"] == "sdk-test-node"
+    assert result[0]["name"] == name
 
     # Verify node is retrievable
     found = client.cypher(
         "MATCH (n:IntegrationTest {name: $name}) RETURN n.name AS name",
-        params={"name": "sdk-test-node"},
+        params={"name": name},
     )
     assert found, "MATCH returned no rows"
-    assert found[0]["name"] == "sdk-test-node"
+    assert found[0]["name"] == name
 
     # Clean up
     client.cypher(
         "MATCH (n:IntegrationTest {name: $name}) DELETE n",
-        params={"name": "sdk-test-node"},
+        params={"name": name},
     )
 
 
 @pytest.mark.xfail(
     reason=(
         "VectorServiceImpl is a stub in server/src/services/vector.rs — always returns []."
         " HNSW algorithm (coordinode-vector crate) is implemented, but not wired to the RPC handler."
-        " Tracked as gap G007 in coordinode-python GAPS.md."
     ),
-    strict=False,
+    strict=True,
 )
 def test_vector_search(client):
     # Insert a node with an embedding, then search for it.