fix: address PR review findings from security CI hardening

Arnold Cartagena · Arnold Cartagena · commit 36efa49c7032 · 2026-03-10T23:34:12.000+01:00
- Remove unused id-token:write permission from security-sweep workflow - Exclude accepted findings from open count in baseline report - Support Annotated[str, Field(max_length=...)] in input bounds linter - Document custom lint scripts as non-blocking until issues #12-#28 resolved
diff --git a/.github/workflows/security-sweep.yml b/.github/workflows/security-sweep.yml
@@ -22,7 +22,6 @@ jobs:
     permissions:
       contents: read
       issues: write
-      id-token: write
 
     steps:
       - name: Checkout repository
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -278,7 +278,7 @@ Minimum ~43 adversarial tests before first push.
 
 | Trigger | Checks | Cost |
 |---------|--------|------|
-| Every PR | `bandit -r src/ -ll -ii --exclude tests/`, `pip-audit`, `pnpm audit`, 3 custom lint scripts (tenant isolation, input bounds, timing-safe comparisons) | Free, ~10s |
+| Every PR | `bandit -r src/ -ll -ii --exclude tests/`, `pip-audit`, `pnpm audit`, 3 custom lint scripts (tenant isolation, input bounds, timing-safe comparisons) — **lint scripts are non-blocking (`continue-on-error`) until pre-existing issues #12-#28 are resolved** | Free, ~10s |
 | Every PR | Claude code review via `review.yml` — reads diff, applies `code-reviewer.md` checklist, posts sticky PR comment | Claude OAuth (subscription) |
 | Weekly / pre-release | Full security sweep against `security/baseline.json` — only surfaces new or regressed findings | Claude OAuth |
 
diff --git a/scripts/security-lint/check_input_bounds.py b/scripts/security-lint/check_input_bounds.py
@@ -219,10 +219,19 @@ def _field_call_has_max_length(node: ast.expr) -> bool:
 
 
 def _field_has_max_length(assign: ast.AnnAssign) -> bool:
-    """Return True if the assignment has a Field() default with max_length."""
-    if assign.value is None:
+    """Return True if max_length is declared as a default OR inside Annotated[...]."""
+    # Check assign.value (e.g. name: str = Field(max_length=255))
+    if assign.value is not None and _field_call_has_max_length(assign.value):
+        return True
+    # Check annotation for Annotated[str, Field(max_length=255)]
+    ann = assign.annotation
+    if not isinstance(ann, ast.Subscript):
+        return False
+    if not (isinstance(ann.value, ast.Name) and ann.value.id == "Annotated"):
+        return False
+    if not isinstance(ann.slice, ast.Tuple):
         return False
-    return _field_call_has_max_length(assign.value)
+    return any(_field_call_has_max_length(elt) for elt in ann.slice.elts[1:])
 
 
 # ---------------------------------------------------------------------------
diff --git a/security/manage-baseline.py b/security/manage-baseline.py
@@ -340,7 +340,7 @@ def cmd_report(args: argparse.Namespace) -> None:
 
     open_findings = {
         fid: f for fid, f in data["findings"].items()
-        if f["status"] not in ("fixed",)
+        if f["status"] not in ("fixed", "accepted")
     }
 
     sorted_findings = sorted(open_findings.items(), key=severity_sort_key)

Original file line number	Diff line number	Diff line change
`@@ -340,7 +340,7 @@ def cmd_report(args: argparse.Namespace) -> None:`
`340`	`340`
`341`	`341`	`open_findings = {`
`342`	`342`	`fid: f for fid, f in data["findings"].items()`
`343`		`- if f["status"] not in ("fixed",)`
	`343`	`+ if f["status"] not in ("fixed", "accepted")`
`344`	`344`	`}`
`345`	`345`
`346`	`346`	`sorted_findings = sorted(open_findings.items(), key=severity_sort_key)`