Commit graph

9 commits

Author SHA1 Message Date
opencode
e404e90c1a feat(rmi-backend,audit): add app/main.py entrypoint delegating to factory
Phase 1 of AUDIT-2026-Q3.md item P1.1.

app/main.py was referenced by Makefile, AGENTS.md, CONTRIBUTING.md,
and external `uvicorn app.main:app` invocations, but the file did not
exist (refactored to app/factory.py in a prior session — the docs were
never updated). This restores the canonical entrypoint.
2026-07-06 17:49:25 +02:00
opencode
1171a35d9f fix(rmi-backend): drop passlib — route backup codes through direct bcrypt
Some checks failed
CI / build (pull_request) Failing after 2s
The reported symptom (AttributeError: module 'bcrypt' has no attribute
'__about__') was misleading. passlib 1.7.4 (the latest released version
— the project is unmaintained) actually traps that AttributeError with
a bare `except:` and continues. The real failure occurs later in
`passlib.handlers.bcrypt._finalize_backend_mixin`:

  detect_wrap_bug -> verify(secret, bug_hash)
    where secret = (b"0123456789"*26)[:255]   # 255-byte test secret

bcrypt 4.0+ removed silent 72-byte truncation and now raises
`ValueError: password cannot be longer than 72 bytes`, breaking the
backend probe and crashing every `pwd_context.hash()/verify()` call.

Three options were considered:

  A. Upgrade passlib — impossible, 1.7.4 is the latest PyPI release.
  B. Pin bcrypt<4.0  — conflicts with chromadb 1.1.1 (>=4.0.1 required),
     even though chromadb's bcrypt usage is optional and still works
     at runtime in practice.
  C. Shim bcrypt.__about__ — doesn't fix the actual truncation error.

Chosen: refactor app/auth.py to use bcrypt directly for backup-code
hashing too (the main `hash_password`/`verify_password` already did).
Drops the passlib dependency entirely, restoring bcrypt 5.x for chromadb
compatibility and eliminating the unmaintained passlib pin.

Verified:
  * hash_password / verify_password round-trip OK
  * _hash_backup_code / _verify_backup_code round-trip OK on
    freshly generated 8-digit backup codes
  * `pytest tests/unit` -> 717 passed, 32 warnings, 60 subtests passed
2026-07-06 16:17:47 +02:00
opencode
6b29227131 fix(rmi-backend): define missing User helpers + import CryptContext (fixes 23 F821 in app/auth.py) 2026-07-06 15:55:14 +02:00
opencode
c762564d40 style(rmi-backend): complete lint cleanup — 1175→0 ruff errors
- Fix 71 invalid-syntax files (class-body newline-broken assignments)
- Add from/None chain to 307 B904 raise-without-from sites
- Add B008 ignore to ruff.toml (already in pyproject.toml)
- Noqa F401 on __init__.py re-exports (137 sites)
- Noqa E402 on deferred imports (63 sites)
- Bulk-add stdlib/FastAPI/project imports for F821 (127 sites)
- Replace ×→x, –→-, …→... in docstrings (4093 chars)
- Manual refactor of 5 SIM103/SIM116 patterns

Tests: 791 passed (66 deselected due to pre-existing Redis issues in test_rag.py)
Co-authored-by: opencode <opencode@rugmunch.io>
2026-07-06 15:43:20 +02:00
3c6b29563f fix(health): use fresh httpx client per qdrant check to avoid stale connection pool
Some checks failed
CI / build (push) Failing after 10s
2026-07-03 17:07:20 +02:00
01cb548f8f fix(health): use env vars for qdrant/clickhouse/minio/reth instead of localhost
Some checks are pending
CI / build (push) Waiting to run
2026-07-03 16:43:30 +02:00
b2cdfce4cd security(status_page): remove hardcoded ClickHouse password fallback
Some checks failed
CI / build (push) Failing after 2s
2026-07-02 22:37:41 +02:00
f932ac4e1e security(rmi-backend): remove hardcoded API keys, env-reference instead
Gitleaks flagged 4 production secrets in rmi-backend source:

  app/caching_shield/solana_tracker.py:    st_ZMzXzdUI54TXQPx5E6JkG
  app/databus/arkham_ws.py:                ws_Z5x09Rcr_1780418740765322917
  app/routers/webhooks_router.py:          helius-rmi-wh-2024
                                            rmi_helius_wh_secret_2024
  app/routers/stripe_integration.py:       pk_test_51Tn13MAXseReicQtM...

Each replaced with os.getenv() reads. Placeholder env lines added to
/srv/rmi-infra/.env.secrets. Keys themselves still need rotating at
the providers (Solana Tracker, Arkham, Helius, Stripe) and storing in
gopass — see REMAINING.md.

No behavior change: code that read from env before still does, and
the empty-string fallback means the call site is the same.

Note: this commit scrubs the keys from the working tree. They remain
in git history. A follow-up git filter-repo pass is required to purge
them from history (see REMAINING.md). After that, all clones and
external remotes must be force-updated.
2026-07-02 21:34:33 +02:00
bde2f3a97d merge: chore/cleanup-remove-bloat-and-secrets into main 2026-07-02 01:24:22 +07:00