feat: harden gateway with policy engine, secure tools, and governance docs

2026-02-14 16:05:56 +01:00
parent e17d34e6d7
commit 5969892af3
55 changed files with 4711 additions and 1587 deletions
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -0,0 +1,26 @@
+"""Tests for secret detection and sanitization helpers."""
+
+from aegis_gitea_mcp.security import detect_secrets, sanitize_data
+
+
+def test_detect_secrets_api_key_pattern() -> None:
+    """Secret detector should identify common token formats."""
+    findings = detect_secrets("token=sk-test12345678901234567890")
+    assert findings
+
+
+def test_sanitize_data_mask_mode() -> None:
+    """Mask mode should preserve structure while redacting values."""
+    payload = {"content": "api_key=AKIA1234567890ABCDEF"}
+    sanitized = sanitize_data(payload, mode="mask")
+
+    assert sanitized["content"] != payload["content"]
+    assert "AKIA" in sanitized["content"]
+
+
+def test_sanitize_data_block_mode() -> None:
+    """Block mode should replace secret-bearing fields entirely."""
+    payload = {"nested": ["Bearer eyJhbGciOiJIUzI1NiJ9.abcd.efgh"]}
+    sanitized = sanitize_data(payload, mode="block")
+
+    assert sanitized["nested"][0] == "[REDACTED_SECRET]"