fetch_ml

jfraeysd/fetch_ml

Fork 0

Commit graph

Author	SHA1	Message	Date
Jeremie Fraeys	a8180f1f26	feat(security): HIPAA compliance mode and PHI denylist validation Add compliance_mode field to Config with strict HIPAA validation: - Requires SnapshotStore.Secure=true in HIPAA mode - Requires NetworkMode="none" for tenant isolation - Requires non-empty SeccompProfile - Requires NoNewPrivileges=true - Enforces credentials via environment variables only (no inline YAML) Add PHI denylist validation for AllowedSecrets: - Blocks secrets matching patterns: patient, ssn, mrn, medical_record, diagnosis, dob, birth, mrn_number, patient_id, patient_name - Prevents accidental PHI exfiltration via secret channels Add comprehensive test coverage in hipaa_validation_test.go: - Network mode enforcement tests - NoNewPrivileges requirement tests - Seccomp profile validation tests - Inline credential rejection tests - PHI denylist validation tests Closes: compliance_mode, PHI denylist items from security plan	2026-02-23 19:43:19 -05:00
Jeremie Fraeys	fccced6bb3	test(security): add comprehensive security unit tests Adds 13 security tests across 4 files for hardening verification: Path Traversal Tests (path_traversal_test.go): - TestSecurePathValidator_ValidRelativePath - TestSecurePathValidator_PathTraversalBlocked - TestSecurePathValidator_SymlinkEscape - Tests symlink resolution and path boundary enforcement File Type Validation Tests (filetype_test.go): - TestValidateFileType_AllowedTypes - TestValidateFileType_DangerousTypesBlocked - TestValidateModelFile - Tests magic bytes validation and dangerous extension blocking Secrets Management Tests (secrets_test.go): - TestExpandSecrets_BasicExpansion - TestExpandSecrets_NestedAndMissingVars - TestValidateNoPlaintextSecrets_HeuristicDetection - Tests env variable expansion and plaintext secret detection with entropy Audit Logging Tests (audit_test.go): - TestAuditLogger_ChainIntegrity - TestAuditLogger_VerifyChain - TestAuditLogger_LogFileAccess - TestAuditLogger_Disabled - Tests tamper-evident chain hashing and file access logging	2026-02-23 18:00:45 -05:00

Author

SHA1

Message

Date

Jeremie Fraeys

a8180f1f26

feat(security): HIPAA compliance mode and PHI denylist validation

Add compliance_mode field to Config with strict HIPAA validation:
- Requires SnapshotStore.Secure=true in HIPAA mode
- Requires NetworkMode="none" for tenant isolation
- Requires non-empty SeccompProfile
- Requires NoNewPrivileges=true
- Enforces credentials via environment variables only (no inline YAML)

Add PHI denylist validation for AllowedSecrets:
- Blocks secrets matching patterns: patient, ssn, mrn, medical_record,
  diagnosis, dob, birth, mrn_number, patient_id, patient_name
- Prevents accidental PHI exfiltration via secret channels

Add comprehensive test coverage in hipaa_validation_test.go:
- Network mode enforcement tests
- NoNewPrivileges requirement tests
- Seccomp profile validation tests
- Inline credential rejection tests
- PHI denylist validation tests

Closes: compliance_mode, PHI denylist items from security plan

2026-02-23 19:43:19 -05:00

Jeremie Fraeys

fccced6bb3

test(security): add comprehensive security unit tests

Adds 13 security tests across 4 files for hardening verification:

**Path Traversal Tests (path_traversal_test.go):**
- TestSecurePathValidator_ValidRelativePath
- TestSecurePathValidator_PathTraversalBlocked
- TestSecurePathValidator_SymlinkEscape
- Tests symlink resolution and path boundary enforcement

**File Type Validation Tests (filetype_test.go):**
- TestValidateFileType_AllowedTypes
- TestValidateFileType_DangerousTypesBlocked
- TestValidateModelFile
- Tests magic bytes validation and dangerous extension blocking

**Secrets Management Tests (secrets_test.go):**
- TestExpandSecrets_BasicExpansion
- TestExpandSecrets_NestedAndMissingVars
- TestValidateNoPlaintextSecrets_HeuristicDetection
- Tests env variable expansion and plaintext secret detection with entropy

**Audit Logging Tests (audit_test.go):**
- TestAuditLogger_ChainIntegrity
- TestAuditLogger_VerifyChain
- TestAuditLogger_LogFileAccess
- TestAuditLogger_Disabled
- Tests tamper-evident chain hashing and file access logging

2026-02-23 18:00:45 -05:00

2 commits