Skip to content

Security/hardening#16

Merged
arthurpanhku merged 7 commits into
mainfrom
security/hardening
Jul 1, 2026
Merged

Security/hardening#16
arthurpanhku merged 7 commits into
mainfrom
security/hardening

Conversation

@arthurpanhku

@arthurpanhku arthurpanhku commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Description | 描述

What does this PR do? (fixes #issue if applicable)
本 PR 做了什么?(若关联 Issue 请写 fixes #编号)


Type of Change | 变更类型

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / chore

How to Verify | 如何验证

Steps to test the change (e.g. run tests, manual check).
验证步骤(如运行测试、手动检查)。


Checklist | 检查项

  • Tests pass locally (pytest)
  • Frontend checks pass (npm run check --prefix frontend)
  • Generated contracts are current (make contracts-check)
  • Security boundaries and denied paths are covered where relevant
  • Docs/README updated if needed
  • No secrets or sensitive data in the diff

PAN CHAO added 7 commits July 1, 2026 20:43
Validation:
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_config_guard.py (3 passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (97 passed)
Validation:
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_api_auth.py tests/test_assessments_api.py tests/test_kb_api.py tests/test_skills_api.py (16 passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (98 passed)
Validation:
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_ratelimit.py tests/test_agent_gateway.py tests/test_kb_api.py tests/test_assessments_api.py (15 passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (99 passed)
Validation:
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_net_guard.py tests/test_llm_phase2.py tests/test_health.py (12 passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (102 passed)
Validation:
- rg -n "python-jose|from jose|import jose" app requirements.txt pyproject.toml requirements.lock (0 matches)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (102 passed)

Notes:
- database.db was already untracked and covered by .gitignore before this task.
Validation:
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_prompt_injection.py tests/test_orchestrator.py tests/test_assessments_api.py tests/test_agent_gateway.py (40 passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (108 passed)

Assumptions:
- When an assessment is not linked to a governance project with explicit S2O-coded fields, the deterministic rule-engine decision uses conservative default inputs: data_classification=2, access=2, solution_type=1, hosting_environment=1, release_type=1.
- LLM-generated risks and gaps remain advisory report content, while S2O-RISK and S2O-CONTROLS are the authoritative rule-engine decision annotations.
- Rule-engine annotations are skipped when persisting Gate 3 control evidence because they are report-level decisions, not project evidence findings.
Validation:
- .venv/bin/python scripts/export_contracts.py --check (passed)
- .venv/bin/ruff check . (passed)
- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q (108 passed)
@arthurpanhku arthurpanhku merged commit ce3e40f into main Jul 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant