
ci: add mutation testing for validation and redaction helpers (#244)#344

Open
aaniya22 wants to merge 3 commits into utksh1:main from aaniya22:ci/mutation-testing-244

Conversation

@aaniya22
Contributor

What

Adds mutation testing for the two most security-critical helper modules:

  • backend/secuscan/validation.py
  • backend/secuscan/redaction.py

How

  • mutmut.toml — configures which files to mutate and which tests to run
  • .github/workflows/mutation.yml — new targeted CI job that:
    • triggers only when relevant source or test files change (no noise on unrelated PRs)
    • also runs on a weekly schedule (every Monday 03:00 UTC) to catch regressions
    • uploads an HTML report as a downloadable artifact (30-day retention)
    • enforces a hard 80% mutation score threshold — fails CI if too many mutants survive
  • backend/requirements-dev.txt — pins mutmut>=3.5.0

What was NOT changed

  • No UI changes
  • No doc changes
  • No lockfile churn
  • No formatting changes
  • No existing tests modified

Verification

Run locally:

mutmut run
mutmut results
mutmut html

Closes #244
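What the mutation job measures, as an added example that is not part of this PR or of the project's code: a minimal mutation tester over a constructed helper module, run once against a weak test set and once against a boundary-aware one. The helper module, the three mutation operators and the check functions are assumptions for illustration only (mutmut applies many more mutation types), but the scoring rule, killed mutants divided by total mutants compared against a threshold, is the same rule as the 80% gate the workflow enforces.

```python
import ast
import copy
import types

# Constructed stand-in for a validation/redaction helper module. It is NOT the
# project's backend/secuscan code; it only has the shapes such helpers share.
HELPER_SOURCE = '''
import re

SECRET_RE = re.compile(r"(?i)\\b(api[_-]?key|token|password)=\\S+")

def redact(text, marker="[REDACTED]"):
    """Replace secret-looking key=value pairs with key=<marker>."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=" + marker, text)

def within_limit(value, limit=256):
    """Accept inputs up to and including the limit."""
    return len(value) <= limit
'''

# Three mutation operators: flip a comparison, bump a number, alter a string.
COMPARE_SWAPS = {ast.LtE: ast.Lt, ast.Lt: ast.LtE, ast.GtE: ast.Gt,
                 ast.Gt: ast.GtE, ast.Eq: ast.NotEq, ast.NotEq: ast.Eq}


def _docstring_ids(tree):
    """ids of docstring nodes: mutating them never changes behaviour (equivalent mutants)."""
    ids = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Module, ast.FunctionDef, ast.ClassDef)) and node.body:
            first = node.body[0]
            if (isinstance(first, ast.Expr) and isinstance(first.value, ast.Constant)
                    and isinstance(first.value.value, str)):
                ids.add(id(first.value))
    return ids


def _mutate_in_place(node):
    """Apply one mutation to node; return a description, or None if node is not a site."""
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in COMPARE_SWAPS:
        old, new = type(node.ops[0]), COMPARE_SWAPS[type(node.ops[0])]
        node.ops = [new()]
        return f"{old.__name__} -> {new.__name__}"
    if isinstance(node, ast.Constant):
        old = node.value
        if isinstance(old, int) and not isinstance(old, bool):
            node.value = old + 1
        elif isinstance(old, str) and old:
            node.value = old + "_MUT"
        else:
            return None
        return f"{old!r} -> {node.value!r}"
    return None


def generate_mutants(source):
    """Yield (description, module_ast) pairs, each differing from source by one mutation."""
    tree = ast.parse(source)
    skip = _docstring_ids(tree)
    for index, node in enumerate(ast.walk(tree)):
        if id(node) in skip:
            continue
        mutant = copy.deepcopy(tree)              # ast.walk order is identical on the copy
        target = list(ast.walk(mutant))[index]
        desc = _mutate_in_place(target)
        if desc is not None:
            yield f"line {getattr(target, 'lineno', '?')}: {desc}", mutant


def run_mutation_testing(source, checks):
    """Return (killed, survivors): a mutant is killed when any check raises against it."""
    killed, survivors = 0, []
    for desc, tree in generate_mutants(source):
        try:
            module = types.ModuleType("helper")
            exec(compile(tree, "<mutant>", "exec"), module.__dict__)
            for check in checks:
                check(module)
        except Exception:        # AssertionError, IndexError, re.error ... all count as kills
            killed += 1
        else:
            survivors.append(desc)
    return killed, survivors


def meets_threshold(killed, total, threshold=0.80):
    """The CI gate: fail when fewer than `threshold` of the mutants were killed."""
    return total > 0 and killed / total >= threshold


# Weak checks look only at inputs far from any boundary and never pin exact output.
def check_redact_hides_value(m):
    assert "hunter2" not in m.redact("password=hunter2")

def check_limit_far_from_boundary(m):
    assert m.within_limit("abc") and not m.within_limit("x" * 1000)

# Strong checks pin the exact redacted string and the inclusive length boundary.
def check_redact_exact_output(m):
    assert m.redact("token=abc123 ok") == "token=[REDACTED] ok"

def check_limit_boundary(m):
    assert m.within_limit("x" * 256) and not m.within_limit("x" * 257)

WEAK_CHECKS = [check_redact_hides_value, check_limit_far_from_boundary]
STRONG_CHECKS = WEAK_CHECKS + [check_redact_exact_output, check_limit_boundary]


if __name__ == "__main__":
    for label, checks in (("weak", WEAK_CHECKS), ("strong", STRONG_CHECKS)):
        killed, survivors = run_mutation_testing(HELPER_SOURCE, checks)
        total = killed + len(survivors)
        gate = "PASS" if meets_threshold(killed, total) else "FAIL"
        print(f"{label}: {killed}/{total} killed, 80% gate {gate}")
        for desc in survivors:
            print("  survived:", desc)
```

With the weak checks the marker string, the `=` separator, the `<=` boundary and the `256` default all survive: every input still looks redacted and every length still looks accepted or rejected. Those are exactly the mutants that matter for a redaction or validation helper, and a green unit-test run says nothing about them; the mutation score is what makes them visible.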

aaniya22 added 3 commits May 27, 2026 03:53
Fixes utksh1#265

- config.py: removed 'secuscan-dev-key' hardcoded fallback in
  resolved_vault_key(). Now raises ValueError at startup if
  SECUSCAN_VAULT_KEY is not explicitly set in environment.

- vault.py: replaced broken XOR stream cipher with AES-256-GCM via
  the cryptography package. XOR with a 32-byte cycling keystream was
  trivially breakable via crib-dragging for secrets > 32 bytes.
  AES-256-GCM provides proper confidentiality and built-in integrity
  verification regardless of secret length.

- requirements.txt: added cryptography>=42.0.0 as explicit dependency.
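Why the cycling-keystream XOR described in the commit is breakable, as an added example that is neither the project's vault.py nor code from the commit: the scheme is reconstructed from the commit's description, a public PEM-style header (36 bytes, with a constructed dummy body) is used as the crib to recover the full 32-byte keystream and decrypt the rest of the blob, and a one-bit tamper shows the missing integrity check. The same attack is run from the footer to show the crib can sit at any offset. The AES-256-GCM replacement needs the third-party cryptography package and is not reproduced here; everything below is standard library, and every name in it is an assumption for illustration.

```python
import os

KEY_LEN = 32  # the 32-byte cycling keystream the commit message describes


def xor_cycle(key: bytes, data: bytes) -> bytes:
    """The broken scheme, reconstructed from the commit: byte i is XORed with key[i % 32].
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Crib-drag: 32 contiguous known plaintext bytes, at any offset, reveal the whole
    keystream, because ks[i % 32] = ct[i] ^ pt[i] and the stream repeats every 32 bytes."""
    if len(crib) < KEY_LEN or offset + KEY_LEN > len(ciphertext):
        raise ValueError("need at least 32 known plaintext bytes inside the ciphertext")
    keystream = bytearray(KEY_LEN)
    for i in range(KEY_LEN):
        pos = offset + i
        keystream[pos % KEY_LEN] = ciphertext[pos] ^ crib[i]
    return bytes(keystream)


def break_blob(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Decrypt an entire blob from one known fragment of it."""
    return xor_cycle(recover_keystream(ciphertext, crib, offset), ciphertext)


def tamper(ciphertext: bytes, pos: int, mask: int) -> bytes:
    """No integrity check: flipping ciphertext bits flips the same plaintext bits, undetected."""
    out = bytearray(ciphertext)
    out[pos] ^= mask
    return bytes(out)


# Constructed sample secret. PEM-style header and footer are public knowledge, so an
# attacker has these cribs for free. The body is dummy base64, not a real key.
HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----\n"    # 36 bytes, more than KEY_LEN
FOOTER = b"-----END OPENSSH PRIVATE KEY-----\n"      # 34 bytes, more than KEY_LEN
SECRET = HEADER + b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n" + FOOTER


def demo(key: bytes = None) -> dict:
    """Run the attack against one vault key; the attacker only ever sees the ciphertext."""
    key = key if key is not None else os.urandom(KEY_LEN)
    ct = xor_cycle(key, SECRET)
    from_header = break_blob(ct, HEADER)                              # crib at offset 0
    from_footer = break_blob(ct, FOOTER, len(SECRET) - len(FOOTER))   # crib at the tail
    forged = xor_cycle(key, tamper(ct, 0, 0x01))                      # "decrypts" fine
    return {
        "key_recovered": recover_keystream(ct, HEADER) == key,
        "header_crib_decrypts_all": from_header == SECRET,
        "footer_crib_decrypts_all": from_footer == SECRET,
        "tamper_undetected": forged != SECRET and forged[1:] == SECRET[1:],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

A secret of 32 bytes or fewer only leaks if the attacker already knows all of it, which is why the commit limits the claim to secrets longer than 32 bytes; anything longer is fully exposed by any 32 known contiguous bytes, and the vault key itself falls out as a by-product. An AEAD such as AES-256-GCM fixes both halves at once: the keystream never repeats under a fresh nonce, and the tampered ciphertext above would fail authentication (cryptography raises InvalidTag) instead of decrypting to a silently altered secret.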
@utksh1 added labels on May 27, 2026: area:ci (CI, tooling, or automation work), area:backend (Backend API, database, or service work), type:testing (Testing work category bonus label), type:devops (DevOps or infrastructure work category bonus label), level:advanced (55 pts difficulty label for advanced contributor PRs)
@utksh1 (Owner) left a comment


Requesting changes. mutation-testing, backend-tests, and formatting-hygiene are failing. Please make CI green and avoid bundling unrelated vault/config dependency changes into the mutation testing workflow PR.

@utksh1
Owner

utksh1 commented May 28, 2026

Thanks for following up. Clarifying the change request so it is actionable:

Why this is blocked:
Requesting changes. mutation-testing, backend-tests, and formatting-hygiene are failing. Please make CI green and avoid bundling unrelated vault/config dependency changes into the mutation testing workflow PR.

What to do next:

  • Fix the specific issues called out above.
  • Push the updated branch and make sure the relevant CI checks pass.
  • Reply here when ready for re-review.


Development

Successfully merging this pull request may close these issues.

[CI] Add mutation testing for validation and security-critical helpers