Commit graph

2 commits

Author SHA1 Message Date
a7c30b12cd chore(lint): auto-fix 253 of 283 ruff issues (F401, I001, E402, RUF100, UP037, SIM105)
Some checks failed
CI / lint (push) Failing after 2s
CI / typecheck (push) Failing after 2s
CI / test (push) Failing after 2s
CI / Secret scan (gitleaks) (push) Failing after 1s
CI / Security audit (bandit) (push) Failing after 2s
Mass ruff auto-fix:
  - ruff check --fix: 109 issues fixed (F401 unused imports,
    I001 unsorted imports, UP037 quoted annotations, SIM105
    suppressible exception, RUF100 unused-noqa)
  - ruff check --fix --unsafe-fixes: 22 additional issues
  - ruff format: 70 files reformatted
  - Manual pass: fix 16 misplaced import httpx lines
  - Manual pass: fix remaining E402 (import-after-docstring)

Result: 283 errors -> 30 errors.

The remaining 30 are real issues that need manual review:
  5 F401 unused-import (likely auto-generated stubs)
  5 F821 undefined-name (real bugs in code that references
    redis/pydantic/LLMRegistry without imports)
  3 BLE001 (the compliance LLM fallback is intentional; the
    other two are real)
  3 RUF012 mutable-class-default
  3 SIM105, 3 SIM117, 2 E722, 2 E741
  1 B007, 1 B025, 1 E402, 1 RUF200 (pyproject.toml issue)

Tests: 436/437 pass (1 pre-existing SSE sandbox failure).
format check + import sort: now clean.
make ci: still gated on the 30 remaining real issues.
Follow-up: triage the 30 issues file-by-file.
2026-07-02 21:51:25 +02:00
80b067ea3b feat(secrets): gopass-based secret backend (PRY_SECRET_BACKEND)
The SECURITY.md contract said "use gopass" but the code only used
os.getenv. The deploy at /srv/pry/ had an .env file with secrets in
it, which violates the SECURITY.md threat model.

New module secrets_backend.py provides:
  get_secret(name, default) - resolves from gopass, env, or file
  set_secret(name, value)   - writes to gopass
  backend_info()            - diagnostic dict for /health or /status

Backends selected by PRY_SECRET_BACKEND env var:
  gopass (default) - reads from gopass at pry/<name>
  env              - reads from os.environ (PRY_<NAME> or PRY_<name>)
  file             - reads from PRY_ENV_FILE (default: PRY_DATA_DIR/.env)
  auto             - tries gopass, falls back to env

Refactored call sites:
  auth.py:        JWT_SECRET (was: os.getenv + ephemeral random default)
  x402.py:        X402_WALLET, X402_FACILITATOR_URL (was: os.getenv)

Seeded initial secrets on Talos (5 entries under pry/):
  jwt_secret, api_key, x402_wallet, x402_facilitator, ollama_url

Updated .env.example header with backend selection guide and
seed-secret instructions.

Tests: 9/9 in test_secrets_backend.py pass. 36 tests in
test_x402_mcp_spec.py + test_secrets_backend.py all pass.

Verified end-to-end:
  >>> import x402
  >>> x402.X402_WALLET
  '0xYourWalletAddressHere'
  >>> import auth
  >>> auth.JWT_SECRET
  'change-me-rotate-quarterly'

Follow-up: rotate jwt_secret and api_key to real random values.
Document the rotation cadence in SECURITY.md.
2026-07-02 20:26:00 +02:00