feat(security): P0 pentest modules (api, mcp, gossip) + prod profile#9
Draft
DJLougen wants to merge 1 commit into
Draft
feat(security): P0 pentest modules (api, mcp, gossip) + prod profile#9DJLougen wants to merge 1 commit into
DJLougen wants to merge 1 commit into
Conversation
- Add pentest modules for REST API, MCP SSE, and gossip protocol - Introduce --profile dev|prod and --active FastAPI TestClient checks - Add hive.http_auth with HIVE_REQUIRE_AUTH for API and MCP SSE - Harden gossip: http(s) peers only, optional HIVE_GOSSIP_SECRET on receive - Map oversized compress to HTTP 413 on API server - CI: bandit on scripts, pip-audit, prod pentest on full stack - Tests and SECURITY.md / USAGE.md updates Co-authored-by: Daniel <DJLougen@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Expands the modular pentest suite and adds minimal hardening so production deployments can enforce auth on new HTTP/MCP/gossip surfaces.
Pentest (37 checks)
HIVE_GOSSIP_SECRETon receive, prod hooksCLI
--profile dev(default): informational passes for optional auth--profile prod: requires production security hooks to exist--active: FastAPI TestClient checks on REST API (/health, compress limits,HIVE_REQUIRE_AUTH)Hardening
hive/http_auth.py:HIVE_REQUIRE_AUTH+ bearer JWT via existingJWTValidatorscripts/hive_api_server.py: auth middleware, 413 on oversized compressscripts/hive_mcp_server.py: auth middleware on SSE;HIVE_MCP_BINDdefault127.0.0.1hive/gossip.py: validate peers at init; optionalHIVE_GOSSIP_SECRETonreceive()CI
hive/+ API/MCP scripts,pip-audit, pentesthive+api+mcp+gossip --active--profile prod --fail-on-skip --active+pip-auditTests
tests/test_http_auth.py,tests/test_gossip_security.py,tests/test_pentest_extended.pyProduction env vars
HIVE_REQUIRE_AUTH=trueHIVE_JWKS_URL/HIVE_JWT_PUBLIC_KEYHIVE_GOSSIP_SECRETreceive()Slack Thread