feat: harden gateway with policy engine, secure tools, and governance docs

2026-02-14 16:05:56 +01:00
parent e17d34e6d7
commit 5969892af3
55 changed files with 4711 additions and 1587 deletions
--- a/scripts/check_key_age.py
+++ b/scripts/check_key_age.py
@@ -135,5 +135,6 @@ if __name__ == "__main__":
    except Exception as e:
        print(f"\n❌ Error: {e}", file=sys.stderr)
        import traceback
+
        traceback.print_exc()
        sys.exit(1)
--- a/scripts/rotate_api_key.py
+++ b/scripts/rotate_api_key.py
@@ -106,11 +106,7 @@ def main() -> None:
    print()

    # Update .env file
-    new_env_content = re.sub(
-        r"MCP_API_KEYS=([^\n]+)",
-        f"MCP_API_KEYS={new_keys_str}",
-        env_content
-    )
+    new_env_content = re.sub(r"MCP_API_KEYS=([^\n]+)", f"MCP_API_KEYS={new_keys_str}", env_content)

    # Backup old .env
    backup_file = env_file.with_suffix(f".env.backup-{datetime.now().strftime('%Y%m%d-%H%M%S')}")
@@ -170,5 +166,6 @@ if __name__ == "__main__":
    except Exception as e:
        print(f"\n❌ Error: {e}", file=sys.stderr)
        import traceback
+
        traceback.print_exc()
        sys.exit(1)
--- a/scripts/validate_audit_log.py
+++ b/scripts/validate_audit_log.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+"""Validate tamper-evident Aegis audit log integrity."""
+
+from __future__ import annotations
+
+import argparse
+import sys
+from pathlib import Path
+
+from aegis_gitea_mcp.audit import validate_audit_log_integrity
+
+
+def parse_args() -> argparse.Namespace:
+    """Parse command line arguments."""
+    parser = argparse.ArgumentParser(description="Validate Aegis audit log hash chain")
+    parser.add_argument(
+        "--path",
+        type=Path,
+        default=Path("/var/log/aegis-mcp/audit.log"),
+        help="Path to audit log file",
+    )
+    return parser.parse_args()
+
+
+def main() -> int:
+    """Validate audit chain and return process exit code."""
+    args = parse_args()
+    is_valid, errors = validate_audit_log_integrity(args.path)
+
+    if is_valid:
+        print(f"Audit log integrity OK: {args.path}")
+        return 0
+
+    print(f"Audit log integrity FAILED: {args.path}")
+    for error in errors:
+        print(f"- {error}")
+    return 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())