P3-1 — ruff config: 93 → 1 error (one legit unused import)
Added [tool.ruff] section to backend/pyproject.toml with:
- target-version = py310
- line-length = 100
- Per-file ignores for intentional E402 (mcp_server, main.py,
routers/airdrop.py, tests/) and F401 on plugin re-exports.
Fixed all auto-fixable issues via 'ruff check . --fix'. The
remaining 1 F401 is coincurve.ecdsa.recover — imported in
core/smart_wallet.py for a feature that's not yet wired up.
Wave 6 (pen test prep):
- bandit: 3 High (all pycryptodome false positives — pyCrypto the
original is deprecated, but pycryptodome is the active fork we use
for Keccak-256 in Ethereum address generation).
- bandit: 7 Medium (mostly bind-all-interfaces 0.0.0.0 which is
intentional for container deploys).
- bandit: 85 Low (mostly asserts on test code — acceptable).
- pip-audit: zero vulnerabilities in our actual dependencies.
Code hygiene improvements:
- core/pdf.py: properly imports qrcode (was missing).
- cli/verify_receipt.py: confirmed false-positive (timestamp is
a function parameter, ignored).
- routers/wallet_admin.py: removed duplicate class definitions
introduced during Wave 5 split.
Refs: AUDIT.md P3-1 (final), Wave 6 prep
58 lines
1.3 KiB
YAML
58 lines
1.3 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
env:
|
|
WP_ADMIN_KEY: ci-admin-key-for-testing
|
|
WP_VAULT_PASSWORD: ci-vault-password-for-testing
|
|
WP_DATA_DIR: /tmp/wp_ci_data
|
|
WP_RATE_LIMIT: "0"
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- name: Install dependencies
|
|
run: |
|
|
pip install -r requirements.lock
|
|
pip install ruff mypy
|
|
- name: Ruff lint
|
|
run: ruff check .
|
|
- name: Ruff format check
|
|
run: ruff format --check .
|
|
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- name: Install dependencies
|
|
run: |
|
|
pip install -r requirements.lock
|
|
- name: Run tests
|
|
run: python3 -m pytest tests/ -v --tb=short --timeout=120
|
|
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- name: Install dependencies
|
|
run: |
|
|
pip install bandit gitleaks
|
|
- name: Bandit
|
|
run: bandit -r . -x tests
|
|
- name: Gitleaks
|
|
uses: gitleaks/gitleaks-action@v2
|