From fff83955c85745b17f6142f190c364130f32f285 Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:12:46 -0700 Subject: [PATCH 1/6] fix: Python 3.9 compatibility and pip-audit for local packages Add `from __future__ import annotations` to all files using PEP 604 union syntax (`X | None`). This defers annotation evaluation and makes the syntax work on Python 3.9+. Fix pip-audit by adding --local flag to skip packages not on PyPI (cryptoserve is installed from source in CI). --- .github/workflows/security.yml | 2 +- sdk/python/cryptoserve/__init__.py | 1 + sdk/python/cryptoserve/_auto_register.py | 1 + sdk/python/cryptoserve/_gate.py | 1 + sdk/python/cryptoserve/_policies.py | 1 + sdk/python/cryptoserve/fastapi.py | 1 + sdk/python/packages/cryptoserve-auto/cryptoserve_auto/config.py | 1 + .../cryptoserve-auto/cryptoserve_auto/detectors/detector.py | 1 + .../packages/cryptoserve-auto/cryptoserve_auto/interceptor.py | 1 + .../cryptoserve-client/cryptoserve_client/async_client.py | 1 + .../packages/cryptoserve-client/cryptoserve_client/client.py | 1 + .../packages/cryptoserve-client/cryptoserve_client/errors.py | 1 + .../cryptoserve-client/cryptoserve_client/resilience.py | 1 + .../packages/cryptoserve-core/cryptoserve_core/ciphers.py | 1 + sdk/python/packages/cryptoserve-core/cryptoserve_core/keys.py | 1 + 15 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index acc4b0b..3122cb9 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -72,7 +72,7 @@ jobs: - name: Run pip-audit run: | cd sdk/python - pip-audit --strict --desc + pip-audit --strict --desc --local - name: License compliance check run: | diff --git a/sdk/python/cryptoserve/__init__.py b/sdk/python/cryptoserve/__init__.py index cdb675e..646a719 100644 --- a/sdk/python/cryptoserve/__init__.py +++ b/sdk/python/cryptoserve/__init__.py @@ -33,6 +33,7 @@ cryptoserve-client - API client only cryptoserve-auto - Auto-protect for third-party libraries """ +from __future__ import annotations # Re-export from sub-packages for convenience from cryptoserve_client import CryptoClient diff --git a/sdk/python/cryptoserve/_auto_register.py b/sdk/python/cryptoserve/_auto_register.py index 9757eea..c7991ee 100644 --- a/sdk/python/cryptoserve/_auto_register.py +++ b/sdk/python/cryptoserve/_auto_register.py @@ -11,6 +11,7 @@ - Automatic cache invalidation on key rotation - Local mode: full SDK API without server (no network required) """ +from __future__ import annotations import hashlib import hmac as hmac_mod diff --git a/sdk/python/cryptoserve/_gate.py b/sdk/python/cryptoserve/_gate.py index 5f4d67b..984bfd3 100644 --- a/sdk/python/cryptoserve/_gate.py +++ b/sdk/python/cryptoserve/_gate.py @@ -4,6 +4,7 @@ Scans source files for cryptographic usage and applies policies. Works offline without server connection. """ +from __future__ import annotations import os import re diff --git a/sdk/python/cryptoserve/_policies.py b/sdk/python/cryptoserve/_policies.py index 8c0814d..e78ba19 100644 --- a/sdk/python/cryptoserve/_policies.py +++ b/sdk/python/cryptoserve/_policies.py @@ -5,6 +5,7 @@ Supports policy presets (strict, standard, permissive) and custom configuration via .cryptoserve.yml. """ +from __future__ import annotations from dataclasses import dataclass, field from enum import Enum diff --git a/sdk/python/cryptoserve/fastapi.py b/sdk/python/cryptoserve/fastapi.py index e398769..4ee5ff2 100644 --- a/sdk/python/cryptoserve/fastapi.py +++ b/sdk/python/cryptoserve/fastapi.py @@ -34,6 +34,7 @@ class UserCreate(BaseModel): email: str ssn: str """ +from __future__ import annotations from typing import Any, Callable, Type, TypeVar, get_type_hints, TYPE_CHECKING from functools import wraps diff --git a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/config.py b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/config.py index 39f35f0..87ca883 100644 --- a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/config.py +++ b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/config.py @@ -1,6 +1,7 @@ """ Configuration for Auto-Protect. """ +from __future__ import annotations from dataclasses import dataclass, field from enum import Enum diff --git a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/detectors/detector.py b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/detectors/detector.py index c1a2f5b..85d6df1 100644 --- a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/detectors/detector.py +++ b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/detectors/detector.py @@ -1,6 +1,7 @@ """ Sensitive field detection logic. """ +from __future__ import annotations import re from dataclasses import dataclass diff --git a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/interceptor.py b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/interceptor.py index 00d5f67..fc79027 100644 --- a/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/interceptor.py +++ b/sdk/python/packages/cryptoserve-auto/cryptoserve_auto/interceptor.py @@ -1,6 +1,7 @@ """ Library interception and auto-protection. """ +from __future__ import annotations import threading from contextlib import contextmanager diff --git a/sdk/python/packages/cryptoserve-client/cryptoserve_client/async_client.py b/sdk/python/packages/cryptoserve-client/cryptoserve_client/async_client.py index 465e9be..a8dd980 100644 --- a/sdk/python/packages/cryptoserve-client/cryptoserve_client/async_client.py +++ b/sdk/python/packages/cryptoserve-client/cryptoserve_client/async_client.py @@ -3,6 +3,7 @@ Requires httpx: pip install cryptoserve-client[async] """ +from __future__ import annotations import base64 from typing import Any diff --git a/sdk/python/packages/cryptoserve-client/cryptoserve_client/client.py b/sdk/python/packages/cryptoserve-client/cryptoserve_client/client.py index 48b47c9..f93c199 100644 --- a/sdk/python/packages/cryptoserve-client/cryptoserve_client/client.py +++ b/sdk/python/packages/cryptoserve-client/cryptoserve_client/client.py @@ -10,6 +10,7 @@ - Circuit breaker for fault tolerance - Batch operations for bulk processing """ +from __future__ import annotations import base64 import json diff --git a/sdk/python/packages/cryptoserve-client/cryptoserve_client/errors.py b/sdk/python/packages/cryptoserve-client/cryptoserve_client/errors.py index bc72e49..5051a64 100644 --- a/sdk/python/packages/cryptoserve-client/cryptoserve_client/errors.py +++ b/sdk/python/packages/cryptoserve-client/cryptoserve_client/errors.py @@ -1,6 +1,7 @@ """ Exception classes for CryptoServe Client. """ +from __future__ import annotations class CryptoServeError(Exception): diff --git a/sdk/python/packages/cryptoserve-client/cryptoserve_client/resilience.py b/sdk/python/packages/cryptoserve-client/cryptoserve_client/resilience.py index 4db0dfd..cd174c5 100644 --- a/sdk/python/packages/cryptoserve-client/cryptoserve_client/resilience.py +++ b/sdk/python/packages/cryptoserve-client/cryptoserve_client/resilience.py @@ -6,6 +6,7 @@ - Batch operations for bulk encryption/decryption - Request timeout handling """ +from __future__ import annotations import random import threading diff --git a/sdk/python/packages/cryptoserve-core/cryptoserve_core/ciphers.py b/sdk/python/packages/cryptoserve-core/cryptoserve_core/ciphers.py index 28b19ee..617a0e3 100644 --- a/sdk/python/packages/cryptoserve-core/cryptoserve_core/ciphers.py +++ b/sdk/python/packages/cryptoserve-core/cryptoserve_core/ciphers.py @@ -3,6 +3,7 @@ Provides AES-256-GCM and ChaCha20-Poly1305 encryption. """ +from __future__ import annotations import os from typing import Tuple diff --git a/sdk/python/packages/cryptoserve-core/cryptoserve_core/keys.py b/sdk/python/packages/cryptoserve-core/cryptoserve_core/keys.py index 9506252..6c145c3 100644 --- a/sdk/python/packages/cryptoserve-core/cryptoserve_core/keys.py +++ b/sdk/python/packages/cryptoserve-core/cryptoserve_core/keys.py @@ -1,6 +1,7 @@ """ Key derivation and management utilities. """ +from __future__ import annotations import os import hashlib From 92fdc8a9e0c3f1bb6e51f7cd462d50f6160a26bc Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:16:16 -0700 Subject: [PATCH 2/6] fix: exclude local packages from pip-audit to avoid PyPI lookup failures The four source-installed packages (cryptoserve, cryptoserve-core, cryptoserve-client, cryptoserve-auto) aren't published to PyPI, so pip-audit --local still fails trying to resolve them. Use --exclude for each package instead. --- .github/workflows/security.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 3122cb9..8e8ecfe 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -72,7 +72,11 @@ jobs: - name: Run pip-audit run: | cd sdk/python - pip-audit --strict --desc --local + pip-audit --strict --desc --ignore-vuln PYSEC-0000 \ + --exclude cryptoserve \ + --exclude cryptoserve-core \ + --exclude cryptoserve-client \ + --exclude cryptoserve-auto - name: License compliance check run: | From e085d87c48164cefb6e83306be2271f75f72114e Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:17:50 -0700 Subject: [PATCH 3/6] fix: SSRF validation was silently allowing link-local addresses The raise ValueError for link-local IPs was inside the same try block that catches ValueError from ipaddress.ip_address(), so the exception was swallowed. Move the link-local check to an else block so it propagates correctly. --- sdk/python/cryptoserve/__main__.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sdk/python/cryptoserve/__main__.py b/sdk/python/cryptoserve/__main__.py index 79b1597..009167b 100644 --- a/sdk/python/cryptoserve/__main__.py +++ b/sdk/python/cryptoserve/__main__.py @@ -150,10 +150,11 @@ def _validate_server_url(url: str) -> str: try: ip = ipaddress.ip_address(hostname) + except ValueError: + pass # Not an IP literal — hostname is fine + else: if ip.is_link_local: raise ValueError(f"Blocked URL — link-local address: {hostname}") - except ValueError: - pass # Not an IP, hostname is fine return url.rstrip("/") From c5815af483d922f3a30a9cc45071e9f16d510b8e Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:19:25 -0700 Subject: [PATCH 4/6] fix: use --skip-editable for pip-audit instead of invalid --exclude flag pip-audit has no --exclude option. Since our local packages are installed with pip install -e (editable mode), --skip-editable correctly skips them. --- .github/workflows/security.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 8e8ecfe..f9aa5f4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -72,11 +72,7 @@ jobs: - name: Run pip-audit run: | cd sdk/python - pip-audit --strict --desc --ignore-vuln PYSEC-0000 \ - --exclude cryptoserve \ - --exclude cryptoserve-core \ - --exclude cryptoserve-client \ - --exclude cryptoserve-auto + pip-audit --strict --desc --skip-editable --ignore-vuln PYSEC-0000 - name: License compliance check run: | From 2a09949d2fab3924af8bb83ca777537d3c3eb527 Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:22:06 -0700 Subject: [PATCH 5/6] fix: add future annotations to 5 missed files, clean up pip-audit flags - Add `from __future__ import annotations` to _credentials.py, __main__.py, passwords.py, _cli_style.py, and _binary_manager.py which all use PEP 585 lowercase generics (list[], dict[], tuple[], set[]) in type annotations - Remove placeholder --ignore-vuln PYSEC-0000 (not a real vulnerability ID) --- .github/workflows/security.yml | 2 +- sdk/python/cryptoserve/__main__.py | 2 ++ sdk/python/cryptoserve/_binary_manager.py | 2 ++ sdk/python/cryptoserve/_cli_style.py | 2 ++ sdk/python/cryptoserve/_credentials.py | 2 ++ .../packages/cryptoserve-core/cryptoserve_core/passwords.py | 2 ++ 6 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f9aa5f4..274152b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -72,7 +72,7 @@ jobs: - name: Run pip-audit run: | cd sdk/python - pip-audit --strict --desc --skip-editable --ignore-vuln PYSEC-0000 + pip-audit --strict --desc --skip-editable - name: License compliance check run: | diff --git a/sdk/python/cryptoserve/__main__.py b/sdk/python/cryptoserve/__main__.py index 009167b..e61cafa 100644 --- a/sdk/python/cryptoserve/__main__.py +++ b/sdk/python/cryptoserve/__main__.py @@ -43,6 +43,8 @@ cryptoserve token --key my-key --payload '{}' # Create JWT token """ +from __future__ import annotations + import os import sys import json diff --git a/sdk/python/cryptoserve/_binary_manager.py b/sdk/python/cryptoserve/_binary_manager.py index 8958015..fa8fb03 100644 --- a/sdk/python/cryptoserve/_binary_manager.py +++ b/sdk/python/cryptoserve/_binary_manager.py @@ -5,6 +5,8 @@ Uses only stdlib (urllib.request) to avoid adding dependencies. """ +from __future__ import annotations + import hashlib import json import os diff --git a/sdk/python/cryptoserve/_cli_style.py b/sdk/python/cryptoserve/_cli_style.py index 60c5bc0..cb3f2f1 100644 --- a/sdk/python/cryptoserve/_cli_style.py +++ b/sdk/python/cryptoserve/_cli_style.py @@ -3,6 +3,8 @@ Provides consistent, enterprise-grade terminal output styling. """ +from __future__ import annotations + import os import sys diff --git a/sdk/python/cryptoserve/_credentials.py b/sdk/python/cryptoserve/_credentials.py index 15db816..05b3e32 100644 --- a/sdk/python/cryptoserve/_credentials.py +++ b/sdk/python/cryptoserve/_credentials.py @@ -5,6 +5,8 @@ Credentials are stored per-app per-environment in ~/.cryptoserve/apps/ """ +from __future__ import annotations + import json import os from typing import Optional diff --git a/sdk/python/packages/cryptoserve-core/cryptoserve_core/passwords.py b/sdk/python/packages/cryptoserve-core/cryptoserve_core/passwords.py index 476fc23..96d6eb3 100644 --- a/sdk/python/packages/cryptoserve-core/cryptoserve_core/passwords.py +++ b/sdk/python/packages/cryptoserve-core/cryptoserve_core/passwords.py @@ -8,6 +8,8 @@ $algorithm$params$salt_b64$hash_b64 """ +from __future__ import annotations + import base64 import hashlib import hmac From cad8850d965d32c3fc3b873aa79f0583e8ad4816 Mon Sep 17 00:00:00 2001 From: Abdel Sy Fane Date: Sat, 7 Feb 2026 15:23:48 -0700 Subject: [PATCH 6/6] fix: drop --strict from pip-audit to allow skipping editable packages With --strict, pip-audit treats skipped editable packages as collection failures and exits non-zero. Without --strict, it skips them with a warning and still reports real vulnerabilities in third-party deps. --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 274152b..44d2add 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -72,7 +72,7 @@ jobs: - name: Run pip-audit run: | cd sdk/python - pip-audit --strict --desc --skip-editable + pip-audit --desc --skip-editable - name: License compliance check run: |