feat: harden OAuth state secret validation, DCR file permissions, and policy defaults #17

Merged

Latte merged 2 commits from feat/retarget-claude-mcp into main 2026-06-14 12:17:38 +00:00

Conversation 0 Commits 2 Files Changed 11

+269 -4

Latte commented 2026-06-14 12:14:15 +00:00

Owner

Copy Link

Copy Source

• Enforce 32-char minimum on OAUTH_STATE_SECRET at startup (config.py)
• Write DCR client registry with owner-only (0o600) permissions before atomic replace
• Flip policy.yaml default write action from allow → deny
• Add CLAUDE.md with architecture, commands, and AGENTS.md contract summary
• Add .pre-commit-config.yaml mirroring make lint checks
• Update .gitignore: add .venv, .claude, .mypy_cache, .ruff_cache, .coverage.*
• Extend docs: audit log rotation guidance, OAUTH_STATE_SECRET and DCR_STORAGE_PATH notes
• Tests: short-secret rejection, 32-char acceptance, POSIX permission check for DCR store

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

- Enforce 32-char minimum on OAUTH_STATE_SECRET at startup (config.py) - Write DCR client registry with owner-only (0o600) permissions before atomic replace - Flip policy.yaml default write action from allow → deny - Add CLAUDE.md with architecture, commands, and AGENTS.md contract summary - Add .pre-commit-config.yaml mirroring `make lint` checks - Update .gitignore: add .venv, .claude, .mypy_cache, .ruff_cache, .coverage.* - Extend docs: audit log rotation guidance, OAUTH_STATE_SECRET and DCR_STORAGE_PATH notes - Tests: short-secret rejection, 32-char acceptance, POSIX permission check for DCR store Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Latte added 1 commit 2026-06-14 12:14:15 +00:00

feat: harden OAuth state secret validation, DCR file permissions, and policy defaults ... b8217dce8a

- Enforce 32-char minimum on OAUTH_STATE_SECRET at startup (config.py)
- Write DCR client registry with owner-only (0o600) permissions before atomic replace
- Flip policy.yaml default write action from allow → deny
- Add CLAUDE.md with architecture, commands, and AGENTS.md contract summary
- Add .pre-commit-config.yaml mirroring `make lint` checks
- Update .gitignore: add .venv, .claude, .mypy_cache, .ruff_cache, .coverage.*
- Extend docs: audit log rotation guidance, OAUTH_STATE_SECRET and DCR_STORAGE_PATH notes
- Tests: short-secret rejection, 32-char acceptance, POSIX permission check for DCR store

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Latte added 1 commit 2026-06-14 12:14:22 +00:00

Merge branch 'main' into feat/retarget-claude-mcp 6be5ac3608

Latte merged commit 90df37366f into main 2026-06-14 12:17:38 +00:00

Latte deleted branch feat/retarget-claude-mcp 2026-06-14 12:17:38 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Compat/Breaking

Breaking change, not backwards compatible

Kind/Bug

Something is not working

Kind/Chore

Maintenance, deps, CI/CD

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Refactor

Code restructuring, no behavior change

Kind/Security

Security-related issue

Priority/Critical

Must be addressed immediately

Priority/High

Important, address soon

Priority/Low

Nice to have

Priority/Medium

Normal priority

Reviewed/Confirmed

Issue has been confirmed

Reviewed/Duplicate

Already tracked elsewhere

Reviewed/Won't Fix

Acknowledged but won't be addressed

Status/Blocked

Blocked by an external dependency

Status/In Progress

Currently being worked on

Status/Need More Info

Needs more information to proceed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Bartender (Bartender) Latte (Latte)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hiddenden/AegisGitea-MCP#17