stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	5d683d401e	fix(#121 ): Remediate security issues from ORCH-121 review Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Priority Fixes (Required Before Production): H3: Add rate limiting to webhook endpoint - Added slowapi library for FastAPI rate limiting - Implemented per-IP rate limiting (100 req/min) on webhook endpoint - Added global rate limiting support via slowapi M4: Add subprocess timeouts to all gates - Added timeout=300 (5 minutes) to all subprocess.run() calls in gates - Implemented proper TimeoutExpired exception handling - Removed dead CalledProcessError handlers (check=False makes them unreachable) M2: Add input validation on QualityCheckRequest - Validate files array size (max 1000 files) - Validate file paths (no path traversal, no null bytes, no absolute paths) - Validate diff summary size (max 10KB) - Validate taskId and agentId format (non-empty) Additional Fixes: H1: Fix coverage.json path resolution - Use absolute paths resolved from project root - Validate path is within project boundaries (prevent path traversal) Code Review Cleanup: - Moved imports to module level in quality_orchestrator.py - Refactored mock detection logic into separate helper methods - Removed dead subprocess.CalledProcessError exception handlers from all gates Testing: - Added comprehensive tests for all security fixes - All 339 coordinator tests pass - All 447 orchestrator tests pass - Followed TDD principles (RED-GREEN-REFACTOR) Security Impact: - Prevents webhook DoS attacks via rate limiting - Prevents hung processes via subprocess timeouts - Prevents path traversal attacks via input validation - Prevents malformed input attacks via comprehensive validation Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-04 11:50:05 -06:00
Jason Woltje	38da576b69	fix(#147 ): Fix linting violations in quality gate tests Fixed code review findings: - Removed unused mock_run variables (6 instances) - Fixed line length violations (3 instances) - All ruff checks now pass All 36 tests still passing after fixes. Quality gates: BuildGate, LintGate, TestGate, CoverageGate ready for use.	2026-02-01 18:29:13 -06:00
Jason Woltje	0af93d1ef4	test(#147 ): Add tests for quality gates (TDD - RED phase) Implement comprehensive test suite for four core quality gates: - BuildGate: Tests mypy type checking enforcement - LintGate: Tests ruff linting with warnings as failures - TestGate: Tests pytest execution requiring 100% pass rate - CoverageGate: Tests coverage enforcement with 85% minimum All tests follow TDD methodology - written before implementation. Total: 36 tests covering success, failure, and edge cases. Related to #147 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-01 18:25:02 -06:00

Author

SHA1

Message

Date

Jason Woltje

5d683d401e

fix(#121 ): Remediate security issues from ORCH-121 review

ci/woodpecker/push/woodpecker Pipeline failed

Details

Priority Fixes (Required Before Production):

H3: Add rate limiting to webhook endpoint
- Added slowapi library for FastAPI rate limiting
- Implemented per-IP rate limiting (100 req/min) on webhook endpoint
- Added global rate limiting support via slowapi

M4: Add subprocess timeouts to all gates
- Added timeout=300 (5 minutes) to all subprocess.run() calls in gates
- Implemented proper TimeoutExpired exception handling
- Removed dead CalledProcessError handlers (check=False makes them unreachable)

M2: Add input validation on QualityCheckRequest
- Validate files array size (max 1000 files)
- Validate file paths (no path traversal, no null bytes, no absolute paths)
- Validate diff summary size (max 10KB)
- Validate taskId and agentId format (non-empty)

Additional Fixes:

H1: Fix coverage.json path resolution
- Use absolute paths resolved from project root
- Validate path is within project boundaries (prevent path traversal)

Code Review Cleanup:
- Moved imports to module level in quality_orchestrator.py
- Refactored mock detection logic into separate helper methods
- Removed dead subprocess.CalledProcessError exception handlers from all gates

Testing:
- Added comprehensive tests for all security fixes
- All 339 coordinator tests pass
- All 447 orchestrator tests pass
- Followed TDD principles (RED-GREEN-REFACTOR)

Security Impact:
- Prevents webhook DoS attacks via rate limiting
- Prevents hung processes via subprocess timeouts
- Prevents path traversal attacks via input validation
- Prevents malformed input attacks via comprehensive validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-04 11:50:05 -06:00

Jason Woltje

38da576b69

fix(#147 ): Fix linting violations in quality gate tests

Fixed code review findings:
- Removed unused mock_run variables (6 instances)
- Fixed line length violations (3 instances)
- All ruff checks now pass

All 36 tests still passing after fixes.
Quality gates: BuildGate, LintGate, TestGate, CoverageGate ready for use.

2026-02-01 18:29:13 -06:00

Jason Woltje

0af93d1ef4

test(#147 ): Add tests for quality gates (TDD - RED phase)

Implement comprehensive test suite for four core quality gates:
- BuildGate: Tests mypy type checking enforcement
- LintGate: Tests ruff linting with warnings as failures
- TestGate: Tests pytest execution requiring 100% pass rate
- CoverageGate: Tests coverage enforcement with 85% minimum

All tests follow TDD methodology - written before implementation.
Total: 36 tests covering success, failure, and edge cases.

Related to #147

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-01 18:25:02 -06:00

3 Commits