fix(security): classify public MCP aggregate readback

This commit is contained in:
ogt
2026-07-15 09:37:49 +08:00
parent 28a554e4f8
commit 99645b42cf
3 changed files with 7 additions and 1 deletions

View File

@@ -42,6 +42,7 @@ INTENTIONALLY_PUBLIC_ENDPOINTS = frozenset({
"misc.brand_assets",
"system_public.favicon",
"system_public.health_check",
"system_public.public_mcp_federation_readback_api",
"system_public.webcrumbs_asset_proxy",
"user_bp.get_password_reqs",
})

View File

@@ -146,6 +146,7 @@ def test_public_federation_route_is_anonymous_aggregate_only(monkeypatch):
from flask import Flask
from routes import system_public_routes as routes
from services import external_mcp_rag_integration_service as service
from services.http_access_policy_service import INTENTIONALLY_PUBLIC_ENDPOINTS
monkeypatch.setattr(service, "build_public_mcp_federation_receipt", lambda **_: {
"success": True,
@@ -170,3 +171,7 @@ def test_public_federation_route_is_anonymous_aggregate_only(monkeypatch):
"ewoooc",
"momo-pro-system",
}
assert (
"system_public.public_mcp_federation_readback_api"
in INTENTIONALLY_PUBLIC_ENDPOINTS
)

View File

@@ -38,7 +38,7 @@ def test_security_governance_review_is_honest_and_release_gate_passes():
access = checks["PR.AA-route-access-control"]["evidence"]
assert access["mutating_unguarded_count"] == 0
assert access["unclassified_unguarded_count"] == 0
assert access["unguarded_count"] == 7
assert access["unguarded_count"] == 8
dependencies = checks["ID.RA-dependency-vulnerability-management"]["evidence"]
assert dependencies["sbom_files"] == []
supply = checks["GV.SC-gitea-only-supply-chain"]