17 commits
52b1416
feat(prod): harden config/auth, add lifespan startup, policy canary…
sainathsapa Apr 6, 2026
315cad3
release: finalize v0.1.0-beta hardening and docs
sainathsapa Apr 6, 2026
08b4e72
release: finalize v0.1.0-beta hardening and docs
sainathsapa Apr 6, 2026
4dbc59b
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
6951bb3
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
97e1dc2
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
e0ce0c4
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
2deefc0
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
59a26a0
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
693edc5
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
9c3f1fe
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
4adc495
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
1d1e620
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
fb7dde0
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
8f0b095
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
3617f17
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
962c983
ci: fix import-order pipeline failures and align lint config
sainathsapa Apr 6, 2026
2 changes: 2 additions & 0 deletions .env.example
Expand Up @@ -46,6 +46,8 @@ KEYNETRA_RATE_LIMIT_WINDOW_SECONDS=60
KEYNETRA_SERVICE_MODE=all
KEYNETRA_AUTO_SEED_SAMPLE_DATA=true
KEYNETRA_OTEL_ENABLED=false
# Enforce explicit tenant resolution (no implicit fallback)
KEYNETRA_STRICT_TENANCY=false

# Server defaults for CLI config mode
KEYNETRA_SERVER_HOST=0.0.0.0
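Review bot: The new `KEYNETRA_STRICT_TENANCY=false` line ships the permissive value in the example file while the comment directly above it describes the strict behaviour, so anyone copying `.env.example` into a deployment gets implicit tenant fallback without a hint that this is the relaxed setting. Suggest the comment state which value is expected outside local development, e.g. `# Enforce explicit tenant resolution (no implicit fallback); set to true outside local development`. Presumably `true` is the hardened value given the commit title, but confirm that against the settings loader before wording it that way.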
200 changes: 173 additions & 27 deletions .github/workflows/ci.yml
@@ -1,4 +1,4 @@
name: CI
name: CI Pipeline

on:
push:
Expand All @@ -8,51 +8,197 @@ on:
permissions:
contents: read

env:
PYTHONUNBUFFERED: "1"
KEYNETRA_DATABASE_URL: sqlite+pysqlite:///./.keynetra-ci.db
KEYNETRA_API_KEYS: testkey
KEYNETRA_RATE_LIMIT_PER_MINUTE: "5000"
KEYNETRA_RATE_LIMIT_BURST: "5000"

jobs:

# -------------------------------
# Stage 1: Security Scan
# -------------------------------
secret-scan:
name: 🔐 Secret Scan (Gitleaks)
runs-on: ubuntu-latest

steps:
- name: 📥 Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: 🔍 Run Gitleaks
run: |
docker run --rm \
-v ${{ github.workspace }}:/repo \
ghcr.io/gitleaks/gitleaks:latest \
detect --source /repo --verbose --exit-code 1


# -------------------------------
# Stage 2: Lint & Static Checks
# -------------------------------
lint:
name: 🧹 Lint & Formatting
runs-on: ubuntu-latest
needs: secret-scan

steps:
- name: 📥 Checkout repository
uses: actions/checkout@v4

- name: 🐍 Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: pip

- name: 📦 Install dependencies
run: |
pip install -r requirements.lock
pip install -r requirements-dev.lock

- name: 🧪 Run linters
run: |
ruff check .
black --check .
isort --check-only .
lint-imports --config .importlinter


# -------------------------------
# Stage 3: Security Dependencies
# -------------------------------
security-deps:
name: 🛡 Dependency Security Scan
runs-on: ubuntu-latest
needs: lint

steps:
- name: 📥 Checkout repository
uses: actions/checkout@v4

- name: 🐍 Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: pip

- name: 📦 Install dependencies
run: |
pip install -r requirements.lock
pip install pip-audit

- name: 🔍 Run pip-audit
run: |
pip-audit
mkdir -p artifacts
pip-audit -f cyclonedx-json -o artifacts/sbom.cdx.json

- name: 📤 Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: artifacts/sbom.cdx.json


# -------------------------------
# Stage 4: Tests (Matrix)
# -------------------------------
test:
name: CI / test (${{ matrix.python-version }})
runs-on: ubuntu-latest
needs: security-deps

strategy:
fail-fast: false
fail-fast: true
matrix:
python-version: ["3.11", "3.12", "3.13", "3.14"]

env:
KEYNETRA_DATABASE_URL: sqlite+pysqlite:///./.keynetra-ci.db
KEYNETRA_API_KEYS: testkey
PYTHONUNBUFFERED: "1"

steps:
- name: Checkout repository
- name: 📥 Checkout repository
uses: actions/checkout@v4

- name: Set up Python ${{ matrix.python-version }}
- name: 🐍 Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: "pip"
cache: pip

- name: Install dependencies
- name: 📦 Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
python -m pip install -r requirements-dev.txt
python -m pip install -e .
pip install --upgrade pip
pip install -r requirements.lock
pip install -r requirements-dev.lock
pip install -e .

if [ -d ./keynetra-client-python ]; then
pip install -e ./keynetra-client-python
fi

- name: Lint
- name: 🔄 OpenAPI drift check
run: keynetra check-openapi

- name: 🗄 Migration check
run: keynetra migrate --confirm-destructive

- name: 🧪 Run tests with coverage
run: |
ruff check .
black --check .
isort --check-only .
pytest -q \
--cov=keynetra \
--cov-fail-under=80 \
--cov-report=term \
--cov-report=json

if [ -d ./keynetra-client-python/tests ]; then
pytest -q keynetra-client-python/tests
fi

python scripts/check_coverage.py


# -------------------------------
# Stage 5: Load Test
# -------------------------------
load-test:
name: 🚦 Load Smoke Test
runs-on: ubuntu-latest
needs: test

steps:
- name: 📥 Checkout repository
uses: actions/checkout@v4

- name: 🐍 Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: pip

- name: Migration check
env:
PYTHONPATH: ${{ github.workspace }}
run: python -m keynetra.cli migrate --confirm-destructive
- name: 📦 Install dependencies
run: |
pip install -r requirements.lock
pip install locust uvicorn

- name: 🚀 Start API
run: |
python -m uvicorn keynetra.api.main:app --host 127.0.0.1 --port 8000 &
sleep 3

- name: Tests and coverage
env:
PYTHONPATH: ${{ github.workspace }}
- name: ⚡ Run Locust
run: |
python -m pytest -q --cov=keynetra --cov-fail-under=80
locust \
-f locustfile.py \
--host http://127.0.0.1:8000 \
--headless \
-u 10 \
-r 2 \
-t 20s \
--csv /tmp/locust \
--only-summary

- name: 📊 Validate load budget
run: python scripts/check_load_budget.py
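Review bot: The secret-scan gate at the top of the hunk runs `ghcr.io/gitleaks/gitleaks:latest`, a mutable tag, so the scanner that decides whether the pipeline passes changes under the repository without any commit; the same drift applies to the unpinned `pip install pip-audit` and `pip install locust uvicorn` steps, which bypass the lockfiles every other step installs from. Pin the image by version and digest, `ghcr.io/gitleaks/gitleaks:<version>@sha256:<digest>` (placeholder values), and add pip-audit, locust and uvicorn to `requirements-dev.lock` so the audit and load jobs install the same way the test job does. The `actions/checkout@v4`, `actions/setup-python@v5` and `actions/upload-artifact@v4` references are tag-pinned as well; a commit-SHA pin with the tag in a trailing comment is the usual hardening for a workflow that publishes an SBOM artifact. Separately, the `sleep 3` after starting uvicorn in the load-test job is a race on a shared runner; replace it with a bounded poll against the API's readiness endpoint so Locust cannot start against a half-initialised server, and note that the workflow-level `KEYNETRA_API_KEYS: testkey` is now inherited by that running API as well.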