CrispStrobe
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 54 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 24 additions & 2 deletions b/‎.gitignore‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 125 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎__init__.py‎
Lines changed: 2 additions & 1 deletion b/‎__init__.py‎
Lines changed: 2 additions & 1 deletion
@@ -0,0 +1,54 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+          cache-dependency-path: |
+            requirements.txt
+            requirements-dev.txt
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements-dev.txt
+
+      - name: Lint (ruff)
+        run: ruff check .
+
+      - name: Type check (mypy)
+        run: mypy --no-incremental cli.py services
+
+      - name: Security scan (bandit, medium+)
+        run: bandit -r . -x ./.mypy_cache,./__pycache__,./.git,./tests -ll
+
+      - name: Run tests with coverage
+        run: |
+          pytest tests/ \
+            --cov=services --cov=utils --cov=config \
+            --cov-report=term --cov-report=xml
+
+      - name: Upload coverage XML
+        if: matrix.python-version == '3.11'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-xml
+          path: coverage.xml
@@ -1,3 +1,25 @@
 .git/
-**pycache**/
-internxt_python_cli.egg-info/
+**/__pycache__/
+*.pyc
+internxt_python_cli.egg-info/
+
+# Test / coverage / cache artifacts
+.coverage
+.coverage.*
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+htmlcov/
+coverage.xml
+
+# Virtualenvs
+venv/
+.venv/
+env/
+
+# OS
+.DS_Store
+
+# Editor
+.vscode/
+.idea/
@@ -0,0 +1,125 @@
+# Changelog
+
+## Unreleased — Audit & Test Infrastructure
+
+A multi-tool security/correctness audit was run (ruff, mypy, bandit, pylint,
+vulture, pyflakes), every medium+ finding was fixed, and a pytest suite was
+built up alongside CI to lock in those fixes.
+
+### Bug fixes (high impact)
+
+- **`utils/api.py`** — `delete_permanently()` built `data={'items':[…]}` but
+  the inner `delete()` method never accepted a body, so the items list was
+  silently dropped on the wire. Backup-file purges after `safety_pattern`
+  uploads were no-ops, leaking trash storage. **Fixed:** extended `delete()`
+  to accept and forward `data=`, and updated `delete_permanently()` to
+  pass it through.
+- **`__init__.py`** — file was missing the opening `"""` of its docstring,
+  so importing the package raised `SyntaxError`. **Fixed.**
+- **`config/config.py`** — `'NETWORK_URL'` was defined twice in the config
+  dict; the second definition (`https://api.internxt.com`) silently
+  overrode the first. The dead key has been removed; the active value is
+  unchanged.
+- **`services/drive.py`** — `create_folder_recursive` was defined twice
+  (104 lines of dead code). **Fixed:** removed the dead first definition.
+- **`utils/api.py`** — `move_file` and `move_folder` were each defined twice
+  (the second silently overriding the first). **Fixed:** removed the
+  duplicates.
+- **`services/webdav_server.py`** — `start()` referenced `active_server`
+  unbound when `server_choice` was anything other than
+  `auto`/`waitress`/`cheroot`, raising `UnboundLocalError`. **Fixed:**
+  initialize upfront and raise an explicit `ValueError` for unknown choices.
+- **`services/webdav_server.py`** — `start()` hardcoded `host="0.0.0.0"`,
+  ignoring the `host` setting in webdav config (which itself was being
+  silently dropped by `read_webdav_config`). **Fixed:** default to
+  `127.0.0.1` (loopback only) and pass through the user-set `host` from
+  config so `0.0.0.0` is opt-in.
+- **`services/webdav_provider.py`** — the `finally:` clause in `end_write`
+  called `self._upload_buffer.cleanup()` without checking `hasattr`, so an
+  exception before `begin_write` had set the buffer would crash with
+  `AttributeError` masking the real error. **Fixed.**
+- **`services/crypto.py`** — `generate_filename_encryption_iv` called
+  `hmac.new(key, hashlib.sha512)` — `hashlib.sha512` was being passed as
+  `msg` instead of `digestmod`. The function would `TypeError` at
+  runtime. (Currently dead code, but a real latent bug.) **Fixed.**
+- **`services/webdav_provider.py`** — `set_property()` (the PROPPATCH
+  handler used by macOS Finder & Windows Explorer to set folder
+  timestamps) imported two functions from `wsgidav.util` that don't exist
+  in any released wsgidav version (`rfc_1123_to_timestamp`,
+  `rfc_3339_to_timestamp`). Any timestamp PROPPATCH would crash with
+  `ImportError`. **Fixed:** use `parse_time_string` for RFC 1123 with a
+  stdlib `datetime.fromisoformat` fallback for ISO 8601 / RFC 3339.
+- **`services/webdav_provider.py` / `services/drive.py`** — `set_property()`
+  called `drive_service.set_folder_timestamps(...)`, but that method was
+  never defined. **Fixed:** added the method, which calls
+  `api.update_folder_metadata` and invalidates the parent-folder cache.
+- **`cli.py config` command** — referenced `DRIVE_WEB_URL` which had been
+  commented out of the config dict. The `config` command crashed with
+  "Config key DRIVE_WEB_URL was not found in process.env" on every run.
+  **Fixed:** tolerate missing keys with `(not configured)` placeholder.
+- **`install.py`** — used `subprocess.run(..., shell=True)` with a
+  string-concatenated `pip install` command. **Fixed:** switched to argv
+  form using `sys.executable`.
+
+### Security hardening (Bandit medium+ findings)
+
+All Bandit medium+ findings (was 14, now 0) are resolved or annotated:
+
+- **`services/network_utils.py:test_webdav_connection`** — `verify=False`
+  was unconditional. Restricted to localhost loopback; remote URLs now
+  use real TLS verification.
+- **`services/webdav_server.py`** — multiple `0.0.0.0` binds replaced
+  with the configurable `host` from webdav config (defaults to loopback).
+- **`services/crypto.py:206`** (SHA1 in PBKDF2) and
+  **`services/crypto.py:257`** (MD5 in OpenSSL EVP-style key derivation)
+  — both required for protocol compatibility with the Internxt server.
+  Annotated with `# nosec` and rationale comments; MD5 marked
+  `usedforsecurity=False`.
+- **`services/drive.py:739`** — MD5 used as a non-cryptographic
+  cache-key hash. Switched to SHA-256.
+
+### Hygiene
+
+- All bare `except:` clauses replaced with `except Exception:` or
+  specific exception types.
+- All unused imports removed (cli.py, services/*, utils/api.py, debug/*).
+- All ~180 empty f-strings (`f"static text"`) replaced with regular strings.
+- `raise ... from e` chains added where pylint suggested (proper
+  exception causality preservation).
+- mypy implicit-Optional defaults annotated explicitly.
+- `cli.py test` smoke command's two stale URL assertions updated to
+  match the actual configured endpoints.
+
+### Test infrastructure (new)
+
+- **`tests/`** — 403 pytest tests covering crypto round-trips, path
+  resolution, upload/download conflict handling (skip/overwrite/safety
+  pattern), WebDAV provider (resource + collection + isolated session),
+  WebDAV server lifecycle, all major CLI commands (Click `CliRunner`),
+  SSL cert lifecycle, range parsing, credential persistence, batch `mv`
+  with wildcards, memory-gated upload concurrency. **71% line coverage**
+  across the codebase.
+- **End-to-end cycle test** (`test_upload_download_e2e.py`) — writes a
+  real local file, runs `upload_file_to_folder` (real crypto, mocked
+  network), captures the encrypted bytes "on the wire", then runs
+  `download_file` against them and asserts byte-for-byte recovery. This
+  catches any drift in the Internxt encryption protocol.
+- **`pyproject.toml`** — pytest, coverage, ruff config.
+- **`requirements-dev.txt`** — pinned floor for pytest, pytest-cov, ruff,
+  mypy, bandit.
+- **`.github/workflows/ci.yml`** — runs ruff → mypy → bandit (medium+) →
+  pytest with coverage on Python 3.10 / 3.11 / 3.12.
+
+### Test coverage by module
+
+| Module                          | Coverage |
+|---------------------------------|---------:|
+| `config/config.py`              |     85% |
+| `services/auth.py`              |    100% |
+| `services/crypto.py`            |     85% |
+| `services/drive.py`             |     76% |
+| `services/network_utils.py`     |     90% |
+| `services/webdav_provider.py`   |     57% |
+| `services/webdav_server.py`     |     47% |
+| `utils/api.py`                  |     74% |
+| **Total**                       |    **71%** |
@@ -1,7 +1,8 @@
+"""
 Internxt Python CLI
 A Python implementation of the Internxt CLI for encrypted cloud storage
 """
 
 __version__ = "1.0.1"
 __author__ = "Internxt"
-__description__ = "Encrypted cloud storage CLI"
+__description__ = "Encrypted cloud storage CLI"