fix: add bandit SAST + pip-audit to CI, fix assert in production code

claude · devonartis · commit ca8520564d30 · 2026-04-17T16:16:14.000-04:00
- Replace assert with AgentWritError raise in orchestrator.py:83 (bandit B101: assert stripped by python -O) - Add bandit SAST gate to CI — scans src/ for security issues - Add pip-audit gate to CI — checks deps against vulnerability DBs - Upgrade 4 vulnerable deps: cryptography 46.0.5→46.0.7, pygments 2.19.2→2.20.0, pytest 9.0.2→9.0.3, python-multipart 0.0.24→0.0.26 Closes #19 Refs devonartis/agentwrit#31 Generated with Claude Code Harness Agent Co-Authored-By: Claude <claude@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -113,6 +113,28 @@ jobs:
             exit 1
           fi
 
+  sast:
+    name: SAST (bandit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run bandit -r src/ -q
+
+  dep-audit:
+    name: Dependency Audit (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run pip-audit
+
   secrets-scan:
     name: Secrets Scan
     runs-on: ubuntu-latest
diff --git a/pyproject.toml b/pyproject.toml
@@ -64,4 +64,6 @@ dev-dependencies = [
     "python-multipart>=0.0.24",
     "uvicorn>=0.44.0",
     "flask>=3.0.0",
+    "bandit>=1.9.4",
+    "pip-audit>=2.10.0",
 ]
diff --git a/src/agentwrit/orchestrator.py b/src/agentwrit/orchestrator.py
@@ -12,6 +12,7 @@
 from typing import TYPE_CHECKING
 
 from agentwrit.agent import Agent
+from agentwrit.errors import AgentWritError
 
 if TYPE_CHECKING:
     from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
@@ -80,7 +81,8 @@ def orchestrate(
         agent_name = label or f"{orch_id}/{task_id}"
 
         # The app JWT is required as Bearer auth for launch token creation.
-        assert self._app._session is not None
+        if self._app._session is None:
+            raise AgentWritError("App not authenticated — call authenticate() first")
         app_token = self._app._session.access_token
 
         lt_response = self._transport.request(
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -64,4 +64,6 @@ dev-dependencies = [`
`64`	`64`	`"python-multipart>=0.0.24",`
`65`	`65`	`"uvicorn>=0.44.0",`
`66`	`66`	`"flask>=3.0.0",`
	`67`	`+ "bandit>=1.9.4",`
	`68`	`+ "pip-audit>=2.10.0",`
`67`	`69`	`]`