CRITICAL (CVE-class): - C-4: Remove DEV_MODE fallback with hardcoded postgres:postgres credentials - C-3: WebSocket endpoints now require JWT or API key token (?token=) auth - C-1: Superset environment passwords encrypted via Fernet at rest in DB - H-4: SESSION_SECRET_KEY separated from JWT AUTH_SECRET_KEY - H-1: Log injection via %s-formatting instead of f-strings - H-5: X-Trace-ID header validated as UUID4 to prevent trace poisoning INFRASTRUCTURE: - New src/core/encryption.py — EncryptionManager extracted from llm_provider - Test DB: per-module sqlite:///:memory: with PRAGMA foreign_keys=ON - testcontainers PostgreSQL via TEST_DB=postgres env var - conftest temp-file global engine (no 10GB shared-cache leak) TEST FIXES (44 pre-existing → 0): - test_smoke_plugins: module-level sys.modules mock isolated to per-test fixture - test_migration_engine: EXT:Python:uuid → uuid syntax fix - test_dashboards_api: mock env attributes + correct patch target - test_constants_audit_fixes: sync expected constant names with actual - test_defensive_guards: patch.object instead of module-level Repo mock - test_clean_release_cli: removed empty config.json directory - FK violations: TaskRecord parents in log_persistence, Environment in mapping_service, ReleaseCandidate in candidate_manifest_services ORTHOGONAL TESTS (18 new): - test_security_orthogonal.py: bcrypt 72-byte limit, unicode, API key format invariants, Fernet robustness, encryption key lifecycle, log injection protection, JWT edge cases MODEL FIXES: - MetricSnapshot.job_id: nullable with SET NULL (was broken FK for aggregate prune snapshots, hidden by SQLite) CLEANUP: - Removed stale :memory:test_main/test_auth/test_tasks file databases - Removed duplicate #endregion in encryption_key.py
61 lines
1.0 KiB
Plaintext
Executable File
61 lines
1.0 KiB
Plaintext
Executable File
annotated-doc==0.0.4
|
|
annotated-types==0.7.0
|
|
anyio==4.12.0
|
|
APScheduler==3.11.2
|
|
attrs==25.4.0
|
|
Authlib==1.6.6
|
|
certifi==2025.11.12
|
|
cffi==2.0.0
|
|
charset-normalizer==3.4.4
|
|
click==8.3.1
|
|
cryptography==46.0.3
|
|
fastapi==0.126.0
|
|
greenlet==3.3.0
|
|
h11==0.16.0
|
|
httpcore==1.0.9
|
|
httpx==0.28.1
|
|
idna==3.11
|
|
jaraco.classes==3.4.0
|
|
jaraco.context==6.0.1
|
|
jaraco.functools==4.3.0
|
|
jeepney==0.9.0
|
|
jsonschema==4.25.1
|
|
jsonschema-specifications==2025.9.1
|
|
keyring==25.7.0
|
|
more-itertools==10.8.0
|
|
pycparser==2.23
|
|
pydantic==2.12.5
|
|
pydantic-settings
|
|
pydantic_core==2.41.5
|
|
python-multipart==0.0.21
|
|
PyYAML==6.0.3
|
|
passlib[bcrypt]
|
|
python-jose[cryptography]
|
|
PyJWT
|
|
RapidFuzz==3.14.3
|
|
referencing==0.37.0
|
|
requests==2.32.5
|
|
rpds-py==0.30.0
|
|
SecretStorage==3.5.0
|
|
SQLAlchemy==2.0.45
|
|
starlette==0.50.0
|
|
typing-inspection==0.4.2
|
|
typing_extensions==4.15.0
|
|
tzlocal==5.3.1
|
|
urllib3==2.6.2
|
|
uvicorn==0.38.0
|
|
websockets==15.0.1
|
|
pandas
|
|
psycopg2-binary
|
|
openpyxl
|
|
GitPython==3.1.44
|
|
itsdangerous
|
|
email-validator
|
|
openai
|
|
playwright
|
|
tenacity
|
|
Pillow
|
|
ruff>=0.11.0
|
|
lingua-language-detector==2.1.1
|
|
testcontainers[postgres]>=4.0
|