P3-1 — ruff config: 93 → 1 error (one legit unused import)
Added [tool.ruff] section to backend/pyproject.toml with:
- target-version = py310
- line-length = 100
- Per-file ignores for intentional E402 (mcp_server, main.py,
routers/airdrop.py, tests/) and F401 on plugin re-exports.
Fixed all auto-fixable issues via 'ruff check . --fix'. The
remaining 1 F401 is coincurve.ecdsa.recover — imported in
core/smart_wallet.py for a feature that's not yet wired up.
Wave 6 (pen test prep):
- bandit: 3 High (all pycryptodome false positives — pyCrypto the
original is deprecated, but pycryptodome is the active fork we use
for Keccak-256 in Ethereum address generation).
- bandit: 7 Medium (mostly bind-all-interfaces 0.0.0.0 which is
intentional for container deploys).
- bandit: 85 Low (mostly asserts on test code — acceptable).
- pip-audit: zero vulnerabilities in our actual dependencies.
Code hygiene improvements:
- core/pdf.py: properly imports qrcode (was missing).
- cli/verify_receipt.py: confirmed false-positive (timestamp is
a function parameter, ignored).
- routers/wallet_admin.py: removed duplicate class definitions
introduced during Wave 5 split.
Refs: AUDIT.md P3-1 (final), Wave 6 prep
3.9 MiB
3.9 MiB