Merge pull request #65 from wrhalpin/copilot/fix-ci-workflow-failures-another-one

Fix CI failures: ruff lint errors, pylint slots=True on Python 3.9, and integration test skipping

Author: wrhalpin

gnat/agents/security/hygiene/__init__.py

@@ -1,3 +1,4 @@
-from .leak_scanner import LeakScanner, LeakFinding
-from .duplicate_detector import DuplicateDetector
-from .unsafe_patterns import UnsafePatternDetector
+from .duplicate_detector import DuplicateDetector as DuplicateDetector
+from .leak_scanner import LeakFinding as LeakFinding
+from .leak_scanner import LeakScanner as LeakScanner
+from .unsafe_patterns import UnsafePatternDetector as UnsafePatternDetector

gnat/agents/security/hygiene/duplicate_detector.py

@@ -1,8 +1,10 @@
 from collections import defaultdict
-from typing import Dict, Iterable, List
+from collections.abc import Iterable
+
 
 class DuplicateDetector:
-    def find_duplicates(self, values: Iterable[str]) -> Dict[str, List[str]]:
+    def find_duplicates(self, values: Iterable[str]) -> dict[str, list[str]]:
         index = defaultdict(list)
-        for value in values: index[value].append(value)
+        for value in values:
+            index[value].append(value)
         return {k: v for k, v in index.items() if len(v) > 1}

gnat/agents/security/hygiene/leak_scanner.py

@@ -1,39 +1,60 @@
 from __future__ import annotations
+
+import re
+from collections.abc import Iterable
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Iterable, List
-import re
 
-@dataclass(slots=True)
+
+@dataclass
 class LeakFinding:
     path: str
     line_number: int
     severity: str
     rule: str
     snippet: str
 
+
 class LeakScanner:
     DEFAULT_PATTERNS = {
         "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
         "private_key_header": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
-        "generic_token_assignment": re.compile(r"(api[_-]?key|token|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.IGNORECASE),
+        "generic_token_assignment": re.compile(
+            r"(api[_-]?key|token|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.IGNORECASE
+        ),
     }
+
     def __init__(self, allowlist: Iterable[str] | None = None) -> None:
         self.allowlist = set(allowlist or [])
-    def scan_paths(self, paths: Iterable[str]) -> List[LeakFinding]:
-        findings: List[LeakFinding] = []
+
+    def scan_paths(self, paths: Iterable[str]) -> list[LeakFinding]:
+        findings: list[LeakFinding] = []
         for root in paths:
             for path in Path(root).rglob("*"):
-                if path.is_file() and not any(part in {".git", ".venv", "__pycache__"} for part in path.parts):
+                if path.is_file() and not any(
+                    part in {".git", ".venv", "__pycache__"} for part in path.parts
+                ):
                     findings.extend(self._scan_file(path))
         return findings
-    def _scan_file(self, path: Path) -> List[LeakFinding]:
-        try: text = path.read_text(encoding="utf-8", errors="ignore")
-        except OSError: return []
-        out: List[LeakFinding] = []
+
+    def _scan_file(self, path: Path) -> list[LeakFinding]:
+        try:
+            text = path.read_text(encoding="utf-8", errors="ignore")
+        except OSError:
+            return []
+        out: list[LeakFinding] = []
         for i, line in enumerate(text.splitlines(), start=1):
-            if line.strip() in self.allowlist: continue
+            if line.strip() in self.allowlist:
+                continue
             for rule, pattern in self.DEFAULT_PATTERNS.items():
                 if pattern.search(line):
-                    out.append(LeakFinding(str(path), i, "high" if rule != "generic_token_assignment" else "medium", rule, line.strip()[:200]))
+                    out.append(
+                        LeakFinding(
+                            str(path),
+                            i,
+                            "high" if rule != "generic_token_assignment" else "medium",
+                            rule,
+                            line.strip()[:200],
+                        )
+                    )
         return out

gnat/agents/security/hygiene/unsafe_patterns.py

@@ -1,21 +1,37 @@
 from __future__ import annotations
+
 from dataclasses import dataclass
-from typing import Any, Dict, List
+from typing import Any
+
 
-@dataclass(slots=True)
+@dataclass
 class UnsafePatternFinding:
     location: str
     rule: str
     message: str
 
+
 class UnsafePatternDetector:
-    def inspect_connector_config(self, config: Dict[str, Any]) -> List[UnsafePatternFinding]:
-        findings: List[UnsafePatternFinding] = []
+    def inspect_connector_config(self, config: dict[str, Any]) -> list[UnsafePatternFinding]:
+        findings: list[UnsafePatternFinding] = []
         credentials = config.get("credentials", {})
-        if not isinstance(credentials, dict): return findings
+        if not isinstance(credentials, dict):
+            return findings
         for key, value in credentials.items():
             if isinstance(value, str):
-                findings.append(UnsafePatternFinding(f"credentials.{key}", "plain_text_secret", "credential should use secret_ref instead of inline string"))
+                findings.append(
+                    UnsafePatternFinding(
+                        f"credentials.{key}",
+                        "plain_text_secret",
+                        "credential should use secret_ref instead of inline string",
+                    )
+                )
             elif isinstance(value, dict) and "value" in value:
-                findings.append(UnsafePatternFinding(f"credentials.{key}", "embedded_secret_value", "credential dictionary embeds raw value instead of reference"))
+                findings.append(
+                    UnsafePatternFinding(
+                        f"credentials.{key}",
+                        "embedded_secret_value",
+                        "credential dictionary embeds raw value instead of reference",
+                    )
+                )
         return findings

gnat/agents/security/secrets/__init__.py

@@ -1,2 +1,9 @@
-from .broker import SecretsBroker
-from .models import SecretRef, SecretValue, SecretLease, SecretMetadata, ProviderCapabilities, StoreSecretRequest, SecretVersionInfo, AuditEvent
+from .broker import SecretsBroker as SecretsBroker
+from .models import AuditEvent as AuditEvent
+from .models import ProviderCapabilities as ProviderCapabilities
+from .models import SecretLease as SecretLease
+from .models import SecretMetadata as SecretMetadata
+from .models import SecretRef as SecretRef
+from .models import SecretValue as SecretValue
+from .models import SecretVersionInfo as SecretVersionInfo
+from .models import StoreSecretRequest as StoreSecretRequest

gnat/agents/security/secrets/audit.py

@@ -1,10 +1,24 @@
 from __future__ import annotations
+
 from datetime import datetime
-from typing import List
+
 from .models import AuditEvent, SecretRef
 
+
 class InMemoryAuditRecorder:
     def __init__(self) -> None:
-        self.events: List[AuditEvent] = []
-    def record(self, *, action: str, actor: str, ref: SecretRef, allowed: bool, provider: str, reason: str = "") -> None:
-        self.events.append(AuditEvent(action, actor, ref.to_uri(), allowed, provider, datetime.utcnow(), reason))
+        self.events: list[AuditEvent] = []
+
+    def record(
+        self,
+        *,
+        action: str,
+        actor: str,
+        ref: SecretRef,
+        allowed: bool,
+        provider: str,
+        reason: str = "",
+    ) -> None:
+        self.events.append(
+            AuditEvent(action, actor, ref.to_uri(), allowed, provider, datetime.utcnow(), reason)
+        )

gnat/agents/security/secrets/broker.py

@@ -1,42 +1,96 @@
 from __future__ import annotations
-from typing import Dict
+
 from urllib.parse import parse_qs, urlparse
+
 from .audit import InMemoryAuditRecorder
 from .exceptions import SecretPolicyError, SecretProviderError, UnsupportedProviderAction
 from .models import SecretRef, SecretValue, SecretVersionInfo, StoreSecretRequest
 from .policy import SecretPolicyEngine
 from .providers.base import SecretProvider
 
+
 class SecretsBroker:
-    def __init__(self, providers: Dict[str, SecretProvider], policy: SecretPolicyEngine, audit: InMemoryAuditRecorder | None = None) -> None:
+    def __init__(
+        self,
+        providers: dict[str, SecretProvider],
+        policy: SecretPolicyEngine,
+        audit: InMemoryAuditRecorder | None = None,
+    ) -> None:
         self.providers = providers
         self.policy = policy
         self.audit = audit or InMemoryAuditRecorder()
+
     def parse_ref(self, uri: str) -> SecretRef:
-        parsed = urlparse(uri); params = parse_qs(parsed.query)
-        return SecretRef(provider=parsed.scheme, vault=parsed.netloc or None, path=parsed.path.lstrip("/"), version=params.get("version", [None])[0])
+        parsed = urlparse(uri)
+        params = parse_qs(parsed.query)
+        return SecretRef(
+            provider=parsed.scheme,
+            vault=parsed.netloc or None,
+            path=parsed.path.lstrip("/"),
+            version=params.get("version", [None])[0],
+        )
+
     def resolve(self, ref: SecretRef, *, caller: str) -> SecretValue:
         decision = self.policy.decide(ref, action="resolve", caller=caller)
-        self.audit.record(action="resolve", actor=caller, ref=ref, allowed=decision.allowed, provider=ref.provider, reason=decision.reason)
-        if not decision.allowed: raise SecretPolicyError(decision.reason)
+        self.audit.record(
+            action="resolve",
+            actor=caller,
+            ref=ref,
+            allowed=decision.allowed,
+            provider=ref.provider,
+            reason=decision.reason,
+        )
+        if not decision.allowed:
+            raise SecretPolicyError(decision.reason)
         provider = self._provider(ref.provider)
-        if not provider.capabilities().supports_read: raise UnsupportedProviderAction(f"provider does not support resolve: {ref.provider}")
+        if not provider.capabilities().supports_read:
+            raise UnsupportedProviderAction(f"provider does not support resolve: {ref.provider}")
         return provider.resolve(ref)
+
     def store(self, request: StoreSecretRequest, *, caller: str) -> SecretVersionInfo:
-        decision = self.policy.decide(request.ref, action="store", caller=caller, overwrite=request.allow_overwrite)
-        self.audit.record(action="store", actor=caller, ref=request.ref, allowed=decision.allowed, provider=request.ref.provider, reason=decision.reason)
-        if not decision.allowed: raise SecretPolicyError(decision.reason)
-        provider = self._provider(request.ref.provider); caps = provider.capabilities()
-        if not caps.supports_write: raise UnsupportedProviderAction(f"provider does not support store: {request.ref.provider}")
-        if request.tags and not caps.supports_tagging: raise UnsupportedProviderAction(f"provider does not support tags: {request.ref.provider}")
+        decision = self.policy.decide(
+            request.ref, action="store", caller=caller, overwrite=request.allow_overwrite
+        )
+        self.audit.record(
+            action="store",
+            actor=caller,
+            ref=request.ref,
+            allowed=decision.allowed,
+            provider=request.ref.provider,
+            reason=decision.reason,
+        )
+        if not decision.allowed:
+            raise SecretPolicyError(decision.reason)
+        provider = self._provider(request.ref.provider)
+        caps = provider.capabilities()
+        if not caps.supports_write:
+            raise UnsupportedProviderAction(
+                f"provider does not support store: {request.ref.provider}"
+            )
+        if request.tags and not caps.supports_tagging:
+            raise UnsupportedProviderAction(
+                f"provider does not support tags: {request.ref.provider}"
+            )
         return provider.store(request)
+
     def checkout(self, ref: SecretRef, *, caller: str):
         decision = self.policy.decide(ref, action="checkout", caller=caller)
-        self.audit.record(action="checkout", actor=caller, ref=ref, allowed=decision.allowed, provider=ref.provider, reason=decision.reason)
-        if not decision.allowed: raise SecretPolicyError(decision.reason)
+        self.audit.record(
+            action="checkout",
+            actor=caller,
+            ref=ref,
+            allowed=decision.allowed,
+            provider=ref.provider,
+            reason=decision.reason,
+        )
+        if not decision.allowed:
+            raise SecretPolicyError(decision.reason)
         provider = self._provider(ref.provider)
-        if not provider.capabilities().supports_checkout: raise UnsupportedProviderAction(f"provider does not support checkout: {ref.provider}")
+        if not provider.capabilities().supports_checkout:
+            raise UnsupportedProviderAction(f"provider does not support checkout: {ref.provider}")
         return provider.checkout(ref)
+
     def _provider(self, name: str) -> SecretProvider:
-        if name not in self.providers: raise SecretProviderError(f"unknown provider: {name}")
+        if name not in self.providers:
+            raise SecretProviderError(f"unknown provider: {name}")
         return self.providers[name]

gnat/agents/security/secrets/exceptions.py

@@ -1,4 +1,14 @@
-class SecretError(Exception): pass
-class SecretPolicyError(SecretError): pass
-class SecretProviderError(SecretError): pass
-class UnsupportedProviderAction(SecretProviderError): pass
+class SecretError(Exception):
+    pass
+
+
+class SecretPolicyError(SecretError):
+    pass
+
+
+class SecretProviderError(SecretError):
+    pass
+
+
+class UnsupportedProviderAction(SecretProviderError):
+    pass