Commit Graph

3 Commits

Author SHA1 Message Date
Jason Woltje
432dbd4d83 fix(#365): fix ruff, mypy, pip, and bandit issues in coordinator
- Fix 20 ruff errors: UP035 (Callable import), UP042 (StrEnum), E501
  (line length), F401 (unused imports), UP045 (Optional -> X | None),
  I001 (import sorting)
- Fix mypy error: wrap slowapi rate limit handler with
  Exception-compatible signature for add_exception_handler
- Pin pip >= 25.3 in Dockerfile (CVE-2025-8869, CVE-2026-1703)
- Add nosec B104 to config.py (container-bound 0.0.0.0 is acceptable)
- Add nosec B101 to telemetry.py (assert for type narrowing)
- Create bandit.yaml to suppress B404/B607/B603 in gates/ tooling

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 12:46:25 -06:00
Jason Woltje
5d683d401e fix(#121): Remediate security issues from ORCH-121 review
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Priority Fixes (Required Before Production):

H3: Add rate limiting to webhook endpoint
- Added slowapi library for FastAPI rate limiting
- Implemented per-IP rate limiting (100 req/min) on webhook endpoint
- Added global rate limiting support via slowapi

M4: Add subprocess timeouts to all gates
- Added timeout=300 (5 minutes) to all subprocess.run() calls in gates
- Implemented proper TimeoutExpired exception handling
- Removed dead CalledProcessError handlers (check=False makes them unreachable)

M2: Add input validation on QualityCheckRequest
- Validate files array size (max 1000 files)
- Validate file paths (no path traversal, no null bytes, no absolute paths)
- Validate diff summary size (max 10KB)
- Validate taskId and agentId format (non-empty)

Additional Fixes:

H1: Fix coverage.json path resolution
- Use absolute paths resolved from project root
- Validate path is within project boundaries (prevent path traversal)

Code Review Cleanup:
- Moved imports to module level in quality_orchestrator.py
- Refactored mock detection logic into separate helper methods
- Removed dead subprocess.CalledProcessError exception handlers from all gates

Testing:
- Added comprehensive tests for all security fixes
- All 339 coordinator tests pass
- All 447 orchestrator tests pass
- Followed TDD principles (RED-GREEN-REFACTOR)

Security Impact:
- Prevents webhook DoS attacks via rate limiting
- Prevents hung processes via subprocess timeouts
- Prevents path traversal attacks via input validation
- Prevents malformed input attacks via comprehensive validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-04 11:50:05 -06:00
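
The M2 request checks and the H1 project-boundary check listed in the commit message above, as an added example that is not the coordinator's own code. The function names, the `diffSummary` label and the reading of "10KB" as 10 * 1024 UTF-8 bytes are assumptions.

```python
from __future__ import annotations

from pathlib import Path, PurePosixPath

MAX_FILES = 1000                    # limit stated in the commit message
MAX_DIFF_SUMMARY_BYTES = 10 * 1024  # "max 10KB"; assumed to mean UTF-8 bytes


def path_error(path: str) -> str | None:
    """Return why a client-supplied file path is rejected, or None if it is acceptable."""
    if not path:
        return "empty path"
    if "\x00" in path:
        return "null byte"
    norm = path.replace("\\", "/")  # judge Windows separators like POSIX ones
    if norm.startswith("/") or norm[1:2] == ":":  # POSIX root or drive letter
        return "absolute path"
    if ".." in PurePosixPath(norm).parts:  # a ".." component anywhere in the path
        return "path traversal"
    return None


def request_errors(task_id: str, agent_id: str, files: list[str], diff_summary: str) -> list[str]:
    """Collect every validation failure for one request (hypothetical field names)."""
    errors = []
    if not task_id.strip():
        errors.append("taskId: empty")
    if not agent_id.strip():
        errors.append("agentId: empty")
    if len(files) > MAX_FILES:
        errors.append(f"files: more than {MAX_FILES} entries")
    for p in files[:MAX_FILES]:  # bound the work even when the list is oversized
        reason = path_error(p)
        if reason:
            errors.append(f"files: {reason}: {p!r}")
    if len(diff_summary.encode("utf-8")) > MAX_DIFF_SUMMARY_BYTES:
        errors.append("diffSummary: larger than 10KB")
    return errors


def resolve_within(project_root: Path, relative: str) -> Path:
    """Resolve a path against the project root and refuse results outside it."""
    root = project_root.resolve()
    candidate = (root / relative).resolve()  # resolve() also follows symlinks
    if not candidate.is_relative_to(root):
        raise ValueError(f"{relative!r} resolves outside {root}")
    return candidate
```

The string checks reject bad input before anything touches the filesystem; `resolve_within` is the second layer, since a symlink inside the project can still point outside it.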
f45dbac7b4 feat(#147): Implement core quality gates (TDD - GREEN phase)
Implement four quality gates enforcing non-negotiable quality standards:

1. BuildGate: Runs mypy type checking
   - Detects compilation/type errors
   - Uses strict mode from pyproject.toml
   - Returns GateResult with pass/fail status

2. LintGate: Runs ruff linting
   - Treats warnings as failures (non-negotiable)
   - Checks code style and quality
   - Enforces rules from pyproject.toml

3. TestGate: Runs pytest tests
   - Requires 100% test pass rate (non-negotiable)
   - Runs without coverage (separate gate)
   - Detects test failures and missing tests

4. CoverageGate: Measures test coverage
   - Enforces 85% minimum coverage (non-negotiable)
   - Extracts coverage from JSON and output
   - Handles edge cases gracefully

All gates implement QualityGate protocol with check() method.
All gates return GateResult with passed/message/details.
All implementations achieve 100% test coverage.

Files created:
- src/gates/quality_gate.py: Protocol and result model
- src/gates/build_gate.py: Type checking enforcement
- src/gates/lint_gate.py: Linting enforcement
- src/gates/test_gate.py: Test execution enforcement
- src/gates/coverage_gate.py: Coverage enforcement
- src/gates/__init__.py: Module exports

Related to #147

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 18:25:16 -06:00