ci: enforce mypy type checking (all errors fixed)

2025-12-25 00:20:21 +01:00
parent a040fad0b8
commit 79b12cc3b3
3 changed files with 4 additions and 15 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -41,14 +41,8 @@ jobs:
      - name: Ruff format
        run: ruff format --check app/ tests/ fpaste

-      - name: Type check (informational)
-        run: |
-          errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true)
-          echo "mypy found $errors type errors"
-          if [ "$errors" -gt 20 ]; then
-            echo "::warning::mypy errors increased to $errors (baseline: 20)"
-          fi
-        continue-on-error: true
+      - name: Type check
+        run: mypy app/ tests/ fpaste --ignore-missing-imports

  security:
    name: Security Scan
--- a/TASKLIST.md
+++ b/TASKLIST.md
@@ -11,12 +11,6 @@ Prioritized, actionable tasks. Each task is small and completable in one session
 | ☐      | Create Ansible deployment role
 | ☐      | Add Kubernetes manifests (Deployment, Service, ConfigMap)

-## Priority 3: Quality
-
-| Status | Task
-|--------|--------------------------------------------------------------
-| ☐      | Fix mypy type errors (currently ignored)
-
 ## Priority 4: Documentation

 | Status | Task
@@ -28,6 +22,7 @@ Prioritized, actionable tasks. Each task is small and completable in one session

 | Date       | Task
 |------------|--------------------------------------------------------------
+| 2024-12    | Fix all mypy type errors (now enforced in CI)
 | 2024-12    | Enhance CI with security-tests job, SBOM generation, memory checks
 | 2024-12    | Complete pentest remediation (CRYPTO-001, TIMING-001)
 | 2024-12    | Complete pentest remediation (HASH-001, ENUM-001)
--- a/TODO.md
+++ b/TODO.md
@@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r

 ## Observations

+- Mypy type errors fixed: now enforced in CI (was informational)
 - CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
 - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
 - PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
@@ -42,7 +43,6 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r

 ## Debt

- Mypy has pre-existing type errors (runs with --ignore-missing-imports)
 - Could add more deployment examples (Kubernetes, Ansible role)

 ## External Dependencies