ci: update linting and security checks

- Fix bandit suppressions (use # nosec B608 for bandit) - Add # noqa: S608 for ruff compatibility - CI workflow: add coverage reporting (informational) - CI workflow: track mypy error baseline - CI workflow: improve documentation
2025-12-21 13:39:30 +01:00
parent 0c7bf6b587
commit 2ccbfcbfaa
2 changed files with 34 additions and 22 deletions
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -420,9 +420,7 @@ def generate_challenge(difficulty_override: int | None = None) -> dict[str, Any]
    }


-def verify_pow(
-    token: str, solution: str, min_difficulty: int | None = None
-) -> tuple[bool, str]:
+def verify_pow(token: str, solution: str, min_difficulty: int | None = None) -> tuple[bool, str]:
    """Verify proof-of-work solution. Returns (valid, error_message).

    Accepts tokens with difficulty >= min_difficulty. The solution must meet the
@@ -1019,9 +1017,7 @@ class RegisterView(MethodView):
        if ca_info is None or "certificate_pem" not in ca_info:
            ca_info = get_ca_info(skip_enabled_check=True)
        ca_cert = x509.load_pem_x509_certificate(ca_info["certificate_pem"].encode())
-        client_cert = x509.load_pem_x509_certificate(
-            cert_info["certificate_pem"].encode()
-        )
+        client_cert = x509.load_pem_x509_certificate(cert_info["certificate_pem"].encode())
        client_key = serialization.load_pem_private_key(
            cert_info["private_key_pem"].encode(), password=None
        )
@@ -1044,9 +1040,7 @@ class RegisterView(MethodView):

        # Return PKCS#12 as binary download
        response = Response(p12_data, mimetype="application/x-pkcs12")
-        response.headers["Content-Disposition"] = (
-            f'attachment; filename="{common_name}.p12"'
-        )
+        response.headers["Content-Disposition"] = f'attachment; filename="{common_name}.p12"'
        response.headers["X-Fingerprint-SHA1"] = cert_info["fingerprint_sha1"]
        response.headers["X-Certificate-Expires"] = str(cert_info["expires_at"])
        return response
@@ -1211,7 +1205,7 @@ class PasteView(MethodView):
            return error_response("No updates provided", 400)

        # Execute update (fields are hardcoded strings, safe from injection)
-        update_sql = f"UPDATE pastes SET {', '.join(update_fields)} WHERE id = ?"  # noqa: S608
+        update_sql = f"UPDATE pastes SET {', '.join(update_fields)} WHERE id = ?"  # noqa: S608  # nosec B608
        update_params.append(paste_id)
        db.execute(update_sql, update_params)
        db.commit()
@@ -1376,7 +1370,7 @@ class PastesListView(MethodView):

        # Count total pastes matching filters (where_sql is safe, built from constants)
        count_row = db.execute(
-            f"SELECT COUNT(*) as total FROM pastes WHERE {where_sql}",  # noqa: S608
+            f"SELECT COUNT(*) as total FROM pastes WHERE {where_sql}",  # noqa: S608  # nosec B608
            params,
        ).fetchone()
        total = count_row["total"] if count_row else 0
@@ -1389,7 +1383,7 @@ class PastesListView(MethodView):
               FROM pastes
               WHERE {where_sql}
               ORDER BY created_at DESC
-               LIMIT ? OFFSET ?""",  # noqa: S608
+               LIMIT ? OFFSET ?""",  # noqa: S608  # nosec B608
            [*params, limit, offset],
        ).fetchall()