tests/security/test_config_hygiene.py

import subprocess
import unittest
from pathlib import Path

import yaml


class TestConfigHygiene(unittest.TestCase):
    def setUp(self) -> None:
        self.repo_root = Path(__file__).resolve().parents[2]
        self.sample_config_path = self.repo_root / "app" / "config.sample.yaml"

    def _is_tracked(self, path: str) -> bool:
        result = subprocess.run(
            ["git", "ls-files", "--error-unmatch", path],
            cwd=self.repo_root,
            check=False,
            capture_output=True,
            text=True,
        )
        return result.returncode == 0

    def _find_values_for_key(self, data, key_name: str):
        if isinstance(data, dict):
            for key, value in data.items():
                if key == key_name:
                    yield value
                yield from self._find_values_for_key(value, key_name)
        elif isinstance(data, list):
            for item in data:
                yield from self._find_values_for_key(item, key_name)

    def test_runtime_only_files_are_ignored_and_untracked(self):
        gitignore_lines = (
            (self.repo_root / ".gitignore").read_text(encoding="utf-8").splitlines()
        )

        self.assertIn("app/config.yaml", gitignore_lines)
        self.assertIn(".env", gitignore_lines)
        self.assertFalse(self._is_tracked("app/config.yaml"))
        self.assertFalse(self._is_tracked(".env"))

    def test_sample_config_keeps_the_nasa_api_key_placeholder(self):
        with self.sample_config_path.open("r", encoding="utf-8") as handle:
            sample_config = yaml.safe_load(handle)

        nasa_api_keys = list(self._find_values_for_key(sample_config, "nasa_api_key"))
        self.assertEqual(
            nasa_api_keys,
            ["YOUR_REAL_KEY_HERE"],
            "config.sample.yaml should only contain the documented NASA API key "
            "placeholder.",
        )


if __name__ == "__main__":
    unittest.main()
feat: migrate to pyproject.toml, add test suites, split CI workflows - Replace requirements.txt with pyproject.toml for modern Python packaging - Add unit, integration, lint and security test suites under tests/ - Add utils/export_runtime_requirements.py and utils/check_hadolint_sarif.py - Split monolithic CI into reusable lint.yml, security.yml and tests.yml - Refactor ci.yml to orchestrate reusable workflows; publish on semver tag only - Modernize Dockerfile: pin python:3.12-slim, install via pyproject.toml - Expand Makefile with lint, security, test and CI targets - Add test-e2e via act with portfolio container stop/start around run - Fix navbar_logo_visibility.spec.js: win.fullscreen() → win.enterFullscreen() - Set use_reloader=False in app.run() to prevent double-start in CI - Add app/core.* and build artifacts to .gitignore - Fix apt-get → sudo apt-get in tests.yml e2e job - Fix pip install --ignore-installed to handle stale act cache Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-29 23:03:09 +02:00			`import subprocess`
			`import unittest`
			`from pathlib import Path`

			`import yaml`


			`class TestConfigHygiene(unittest.TestCase):`
			`def setUp(self) -> None:`
			`self.repo_root = Path(__file__).resolve().parents[2]`
			`self.sample_config_path = self.repo_root / "app" / "config.sample.yaml"`

			`def _is_tracked(self, path: str) -> bool:`
			`result = subprocess.run(`
			`["git", "ls-files", "--error-unmatch", path],`
			`cwd=self.repo_root,`
			`check=False,`
			`capture_output=True,`
			`text=True,`
			`)`
			`return result.returncode == 0`

			`def _find_values_for_key(self, data, key_name: str):`
			`if isinstance(data, dict):`
			`for key, value in data.items():`
			`if key == key_name:`
			`yield value`
			`yield from self._find_values_for_key(value, key_name)`
			`elif isinstance(data, list):`
			`for item in data:`
			`yield from self._find_values_for_key(item, key_name)`

			`def test_runtime_only_files_are_ignored_and_untracked(self):`
			`gitignore_lines = (`
			`(self.repo_root / ".gitignore").read_text(encoding="utf-8").splitlines()`
			`)`

			`self.assertIn("app/config.yaml", gitignore_lines)`
			`self.assertIn(".env", gitignore_lines)`
			`self.assertFalse(self._is_tracked("app/config.yaml"))`
			`self.assertFalse(self._is_tracked(".env"))`

			`def test_sample_config_keeps_the_nasa_api_key_placeholder(self):`
			`with self.sample_config_path.open("r", encoding="utf-8") as handle:`
			`sample_config = yaml.safe_load(handle)`

			`nasa_api_keys = list(self._find_values_for_key(sample_config, "nasa_api_key"))`
			`self.assertEqual(`
			`nasa_api_keys,`
			`["YOUR_REAL_KEY_HERE"],`
			`"config.sample.yaml should only contain the documented NASA API key "`
			`"placeholder.",`
			`)`


			`if __name__ == "__main__":`
			`unittest.main()`