test(compliance): MCP 2025-11-25 protocol compliance harness (#4301)

* test(compliance): add MCP 2025-11-25 protocol compliance harness

Build a FastMCP-based test harness that probes ContextForge against the
MCP 2025-11-25 specification across three targets: reference stdio,
gateway proxy (federated), and gateway virtual server. Includes a new
reference server (mcp-servers/python/compliance_reference_server) with
tools/resources/prompts covering lifecycle, transport, pagination,
notifications, subscriptions, roots, sampling, elicitation, and logging.

Key additions:
- tests/protocol_compliance/: parametrized test suite with XPASS-capture,
  drift detection across targets, and gap-tracking workflow
- scripts/compliance_matrix.py: orchestrator that runs the suite across
  engine modes (python/shadow/edge/full) and aggregates results
- Runtime-mutable MCP mode tests covering shadow<->edge flip, boot-mode
  rails, publish/audit response contract, and data-plane runtime header
- OAuth 2.1 / Authorization tests against Keycloak (tier-gated skip)
- Security Best Practices probes (origin validation, bind address,
  confused-deputy)
- Rewrite tests/e2e/test_mcp_cli_protocol.py as test_mcp_protocol_e2e.py
  using FastMCP Client directly (no external CLI deps)
- Makefile: test-protocol-compliance* targets; testing-up folds in sso
  profile so Keycloak comes up with the gateway stack
- pre-commit: scope name-tests-test hook to tests/unit/ (integration,
  e2e, and compliance suites legitimately host non-test Python modules)

Closes #4273 (runtime-mutable MCP mode observability coverage).

Signed-off-by: Jonathan Springer <jps@s390x.com>

* refactor(tests): group test helpers under tests/*/helpers/ subdirs

Move loose non-test Python modules into conventional helpers/ subdirs
so the test-naming hook can exclude a single pattern instead of
enumerating each file.

Moves:
- tests/e2e/mcp_test_helpers.py -> tests/e2e/helpers/mcp_test_helpers.py
- tests/protocol_compliance/_helpers.py ->
  tests/protocol_compliance/helpers/compliance.py
- tests/protocol_compliance/_drift.py ->
  tests/protocol_compliance/helpers/drift.py

Updates all import sites across tests/e2e, tests/e2e_rust, and
tests/protocol_compliance.

Config cleanup:
- name-tests-test now excludes tests/*/(helpers|fixtures|targets|pages)/
  as a single verbose-regex alternative instead of file-by-file.
- Top-level pre-commit exclude and detect-secrets excludes converted
  to verbose-regex with inline comments.
- Dropped non-existent excludes (scripts/sign_image.sh, scripts/zap,
  sonar-project.properties) and the redundant .secrets.baseline
  entry (detect-secrets skips its own baseline automatically).
- detect-secrets hook in pre-commit now carries its own exclude list,
  kept in sync with the Makefile invocation.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix(keycloak): enable service-accounts on the mcp-gateway dev realm client

The local Keycloak dev realm disables the client_credentials grant, so
compliance tests that exercise OAuth 2.1 token issuance against the
preconfigured `mcp-gateway` client fail with
`unauthorized_client: Client not enabled to retrieve service account`.

Flip `serviceAccountsEnabled` to `true` so fresh `docker compose` volume
imports come up with the grant available. Existing stacks can apply the
same change via the Keycloak Admin API against the running realm; the
stored volume overrides the import file once the realm exists, which is
why the change has to land here to stick across rebuilds.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* test(compliance): PR-review follow-ups — silent-failure fixes, behavioral coverage, type design, stream attribution

Bundles the fixes surfaced by running the pr-review-toolkit agents
(code-reviewer, pr-test-analyzer, comment-analyzer,
silent-failure-hunter, type-design-analyzer) plus two iterations of
Codex stop-review feedback.

Silent-failure fixes:
  - _parse_junit / _run_slice / stale-junit unlink /
    _wait_data_plane_converges return-value check close the
    "0/0/0/0 row" silent path in the matrix orchestrator.
  - Reference server stdout+stderr captured to a session tmp log; tail
    dumped on readiness timeout instead of swallowed.
  - flip_runtime_mode / _delete_if_exists / _wait_for_federation_sync
    / _probe_state / Keycloak token fetch surface last-status
    diagnostics instead of collapsing to None.
  - conftest fixture-resolution narrows catch-all so ImportError /
    NameError / SyntaxError from a broken fixture definition
    propagate; only runtime unreachability skips.
  - pytest_runtest_logreport wraps sidecar write in try/except so an
    unwriteable log doesn't poison the run.

Type design:
  - ComplianceTarget: __init_subclass__ enforces name and
    supported_transports on every concrete subclass; base client()
    validates transport support and dispatches to abstract
    _open_client(); per-subclass boilerplate deleted.
  - SliceResult: stored `ran` field removed (derive from
    skip_reason); __post_init__ rejects negative counts and the
    inconsistent "skipped slice with non-zero counts" state.
  - ReferenceUpstream: frozen, no raw Popen field — process handle
    stays in fixture closure so tests can't race teardown.
  - KeycloakConfig: token_endpoint is now a property; __repr__
    redacts client_secret.

Stream attribution:
  - MCP 2025-11-25 § Listening for Messages is explicit:
    server→client *requests* (roots/list, sampling/createMessage,
    elicitation/create) MUST NOT ride the standalone GET /mcp/
    stream; they travel on the POST-correlated stream. GAP-002..005
    and seven xfail reasons wrongly blamed #4205 (standalone-stream
    closure). Rewrote the Why sections and reasons to point at
    POST-correlated-stream relay instead.
  - GAP-011 (resource-subscription updates) is the only gap that
    legitimately points at #4205.
  - Added a canonical "Stream-attribution note" to COMPLIANCE_GAPS.md.
  - Filed GAP-011 (resource subscriptions) and GAP-012 (gateway
    returns -32000 where spec requires -32601).

Behavioral coverage (6 new tests + 4 reference-server witnesses):
  - notifications/cancelled end-to-end delivery.
  - logging/setLevel filter-threshold round-trip.
  - JSON-RPC reserved codes -32700 / -32601 / -32602.
  - tools/call argument-type validation (narrowed to McpError).
  - initialize-twice lifecycle rejection.
  - MCP-Protocol-Version mismatch handling.
  - Reference-server side-effect witnesses for mutate_resource_list /
    mutate_prompt_list / bump_subscribable notifications and the
    subscribe/unsubscribe handler round-trip.

  Each raw-httpx test fails on 5xx and accepts 4xx as HTTP-level
  rejection; no false-green paths where a server crash would read as
  compliance.

Bug fixes:
  - Reference server: mutator tools now use a dedicated
    _mutation_counter to prevent ephemeral_0 name-collisions.
  - test_drift._collect narrows to pytest.skip.Exception; other probe
    errors are recorded so drift diffs show the root cause.
  - Makefile PYTEST_IGNORE excludes tests/protocol_compliance.

Matrix rust_full slice: 58 passed / 0 failed / 40 xfailed / 0 xpassed
/ 11 skipped (was 53/0/34/0/11). Zero unexpected failures.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix(e2e): align test_oauth_jwks_e2e JWT secret with gateway minimum

Test defaulted its JWT secret to "my-test-key" (11 chars) when
JWT_SECRET_KEY was unset; the gateway's validator requires ≥32 chars
so every admin-API call the fixtures make would fail with
401 "Invalid authentication credentials" on default deployments.

Import JWT_SECRET from helpers.mcp_test_helpers — the 40-char default
the rest of the e2e suite already shares — so this test self-configures
without requiring the operator to export JWT_SECRET_KEY. Overriding
via the env var still works.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* ci(pre-commit): exclude tests/**/targets/ from name-tests-test in the lite config

The main pre-commit config already excludes these POM-style support
directories, but CI runs the lite config (Makefile:4175 —
`pre-commit run --config .pre-commit-lite.yaml`) which was a
near-duplicate that hadn't been kept in sync. Add `targets` to its
excluded-dir alternation so the four compliance-harness target modules
stop tripping the hook in CI.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* chore(deps): pin authlib>=1.7.0 in the dev group via exclude-newer-package override

authlib is a transitive dep of fastmcp, which the compliance harness
uses as a test client — both live in the dev dependency group.
mcpgateway itself imports nothing from authlib, so the constraint goes
in `[dependency-groups] dev` rather than main project deps.

Release 1.7.0 (2026-04-18) ships security fixes but was blocked by the
repo-wide `exclude-newer = "10 days"` newness filter, leaving the
lockfile on 1.6.9. Adds an `exclude-newer-package` entry for authlib
(2026-04-19) so the filter allows the new release.

Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Jonathan Springer <jps@s390x.com>

Author: jonpspri

.pre-commit-config.yaml

@@ -18,7 +18,23 @@
 # report issues (linters). Modified files will need to be staged again.
 # -----------------------------------------------------------------------------
 
-exclude: '(^|/)(\.pre-commit-.*\.yaml|normalize_special_characters\.py|test_input_validation\.py|ai_artifacts_normalizer\.py)$|(^|/)mcp-servers/templates/|(^|/)plugin_templates/|(^|/)tests/load/|.*\.(jinja|j2)$'  # ignore these files, all templates, load tests, and jinja files
+exclude: |
+  (?x)(
+    # Specific files (auto-generated or intentionally exempt)
+    (^|/)(
+      \.pre-commit-.*\.yaml          # transient pre-commit state/baselines
+      |normalize_special_characters\.py
+      |test_input_validation\.py
+      |ai_artifacts_normalizer\.py
+    )$
+    # Template trees (not real source)
+    |(^|/)mcp-servers/templates/
+    |(^|/)plugin_templates/
+    # Load tests (separate lifecycle)
+    |(^|/)tests/load/
+    # Jinja templates
+    |.*\.(jinja|j2)$
+  )
 fail_fast: true
 
 repos:
@@ -347,10 +363,16 @@ repos:
 
       - id: name-tests-test
         name: 🐍 Python Tests Naming
-        description: Verifies test files in tests/ directories start with `test_`.
+        description: Verifies test files start with `test_` in unit, e2e, protocol_compliance, security, and playwright suites.
         language: python
-        files: (^|/)tests/.+\.py$
-        exclude: ^tests/(.*/)?(pages|helpers|fuzzers|scripts|fixtures|migration|utils|manual|async|load.*|populate)/.*\.py$|^tests/e2e/mcp_test_helpers\.py$
+        files: ^tests/(unit|e2e|protocol_compliance|security|playwright)/.+\.py$
+        exclude: |
+          (?x)^(
+            # POM / helper / fixture / target support modules — by convention,
+            # any *.py under a helpers/, fixtures/, targets/, or pages/ dir is
+            # not a test file.
+            tests/(unit|e2e|protocol_compliance|security|playwright)/(.*/)?(helpers|fixtures|targets|pages)/.*\.py
+          )$
         args: [--pytest-test-first] # `test_.*\.py`
 
 
@@ -614,3 +636,13 @@ repos:
         description: Detects secrets within a repository using IBM's detect-secrets.
         args: ['--baseline', '.secrets.baseline', --use-all-plugins, --fail-on-unaudited]
         types: [text]
+        # Keep in sync with DETECT_SECRETS_FILES_EXCLUDE in Makefile.
+        # (.secrets.baseline is auto-excluded by detect-secrets itself.)
+        exclude: |
+          (?x)(
+            package-lock\.json$
+            |Cargo\.lock$
+            |uv\.lock$
+            |go\.sum$
+            |mcpgateway/sri_hashes\.json$
+          )

.pre-commit-lite.yaml

@@ -354,7 +354,7 @@ repos:
         description: Verifies test files in tests/ directories start with `test_`.
         language: python
         files: (^|/)tests/.+\.py$
-        exclude: ^tests/(.*/)?(pages|helpers|fuzzers|scripts|fixtures|migration|utils|manual|async|load|loadtest|jmeter|client|populate)/.*\.py$|^tests/e2e/mcp_test_helpers\.py$
+        exclude: ^tests/(.*/)?(pages|helpers|fuzzers|scripts|fixtures|migration|utils|manual|async|load|loadtest|jmeter|client|populate|targets)/.*\.py$
         args: [--pytest-test-first] # `test_.*\.py`
 
   # - repo: https://github.com/pycqa/bandit

.secrets.baseline

@@ -1,9 +1,9 @@
 {
   "exclude": {
-    "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json|^.secrets.baseline$",
+    "files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-18T21:54:58Z",
+  "generated_at": "2026-04-19T08:51:02Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -326,71 +326,71 @@
         "hashed_secret": "319037749ce37e577db0b3628c7f90e333544391",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 893,
+        "line_number": 929,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6ae2832e494d1098e8901fe156083e39399a24f1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 895,
+        "line_number": 931,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "43fc45734b96bcb1b6cef373e949eb3524ae199b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1586,
+        "line_number": 1622,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "9d989e8d27dc9e0ec3389fc855f142c3d40f0c50",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1797,
+        "line_number": 1834,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "d3ac7a4ef1a838b4134f2f6e7f3c0d249d74b674",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6219,
+        "line_number": 6256,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "5932862bcd24dd27d0dc0407ec94fe9d6ea24aeb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6716,
+        "line_number": 6753,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "c77c805e32f173e4321ee9187de9c29cb3804513",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6728,
+        "line_number": 6765,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "8fe3df8a68ddd0d4ab2214186cbb8e38ccd0e06a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6800,
+        "line_number": 6837,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "93ac8946882128457cd9e283b30ca851945e6690",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 7870,
+        "line_number": 7916,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5977,12 +5977,12 @@
         "verified_result": null
       }
     ],
-    "tests/e2e/mcp_test_helpers.py": [
+    "tests/e2e/helpers/mcp_test_helpers.py": [
       {
         "hashed_secret": "07b7b454e840ca79e1582edcf973b051fc56e079",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 39,
+        "line_number": 45,
         "type": "Secret Keyword",
         "verified_result": null
       }

Makefile

@@ -724,10 +724,12 @@ clean:
 # =============================================================================
 # help: 🧪 TESTING
 # help: smoketest            - Run smoketest.py --verbose (build container, add MCP server, test endpoints)
-# help: test-mcp-cli         - Run MCP protocol tests via mcp-cli against live gateway (localhost:8080)
-# help:                        Requires: mcp-cli installed, ContextForge running (docker-compose up)
-# help:                        Override gateway URL: MCP_CLI_BASE_URL=http://localhost:4444 make test-mcp-cli
-# help:                        No LLM or API key required - tests MCP protocol only
+# help: test-protocol-compliance - MCP protocol compliance harness: full (target, transport) matrix across reference + gateway (K=<filter> to pick one)
+# help: test-protocol-compliance-reference - Protocol compliance harness, reference server only (fast, always-on)
+# help: test-protocol-compliance-gateway - Protocol compliance harness, gateway-proxy + gateway-virtual targets (requires working gateway boot)
+# help: test-protocol-compliance-matrix - Protocol compliance matrix across every runnable engine; summary table (pass MATRIX_ARGS='--format markdown --out X' to override)
+# help: test-mcp-protocol-e2e - MCP protocol E2E via FastMCP client against live gateway (K=<filter> to pick one; MCP_E2E_CLIENT_TIMEOUT env to extend the 5s client timeout)
+# help: test-mcp-cli         - [DEPRECATED] Alias for test-mcp-protocol-e2e (accepts same K=<filter>)
 # help: test                 - Run unit tests with pytest
 # help: test-verbose         - Run tests sequentially with real-time test name output
 # help: test-profile         - Run tests and show slowest 20 tests (durations >= 1s)
@@ -759,9 +761,10 @@ clean:
 # Dirs/files always excluded from standard pytest runs
 PYTEST_IGNORE := tests/fuzz tests/manual test.py \
     tests/e2e/test_entra_id_integration.py \
-    tests/e2e/test_mcp_cli_protocol.py \
+    tests/e2e/test_mcp_protocol_e2e.py \
     tests/e2e/test_mcp_rbac_transport.py \
-    tests/e2e_rust
+    tests/e2e_rust \
+    tests/protocol_compliance
 
 # Expand to --ignore=<path> flags for pytest CLI
 PYTEST_IGNORE_FLAGS := $(foreach p,$(PYTEST_IGNORE),--ignore=$(p))
@@ -773,13 +776,46 @@ smoketest:
 	@$(VENV_DIR)/bin/python ./smoketest.py --verbose || { echo "❌ Smoketest failed!"; exit 1; }
 	@echo "✅ Smoketest passed!"
 
-test-mcp-cli:  ## MCP protocol tests via mcp-cli + wrapper stdio (no LLM needed)
-	@echo "🔌 Running MCP protocol tests via mcp-cli against $${MCP_CLI_BASE_URL:-http://localhost:8080}..."
+test-mcp-protocol-e2e:  ## MCP protocol E2E via FastMCP client (K=<filter> to pick one)
+	@echo "🔌 Running MCP protocol E2E tests against $${MCP_CLI_BASE_URL:-http://localhost:8080}..."
 	@echo "   Env: MCP_CLI_BASE_URL (gateway URL)  JWT_SECRET_KEY  PLATFORM_ADMIN_EMAIL"
+	@echo "   Timeout: $${MCP_E2E_CLIENT_TIMEOUT:-5.0}s per client operation (override MCP_E2E_CLIENT_TIMEOUT)"
+	@if [ -n "$(K)" ]; then echo "   Filter: -k \"$(K)\""; fi
 	@/bin/bash -c 'source $(VENV_DIR)/bin/activate && \
-		$(VENV_DIR)/bin/pytest tests/e2e/test_mcp_cli_protocol.py -v -s --tb=short \
-			|| { echo "❌ mcp-cli protocol tests failed!"; exit 1; }; \
-		echo "✅ mcp-cli protocol tests passed!"'
+		$(VENV_DIR)/bin/pytest tests/e2e/test_mcp_protocol_e2e.py $(if $(K),-k "$(K)") -v -s --tb=short \
+			|| { echo "❌ MCP protocol E2E tests failed!"; exit 1; }; \
+		echo "✅ MCP protocol E2E tests passed!"'
+
+test-mcp-cli:  ## [DEPRECATED] Alias for test-mcp-protocol-e2e (subprocess + mcp-cli path removed)
+	@echo "⚠️  'make test-mcp-cli' is deprecated — use 'make test-mcp-protocol-e2e'."
+	@echo "   The mcp-cli + mcpgateway.wrapper subprocess path was replaced by the FastMCP client."
+	@$(MAKE) test-mcp-protocol-e2e
+
+test-protocol-compliance:  ## MCP protocol compliance harness — full (target, transport) matrix (K=<filter> to pick one)
+	@echo "📜 Running MCP protocol compliance harness (tests/protocol_compliance)..."
+	@if [ -n "$(K)" ]; then echo "   Filter: -k \"$(K)\""; fi
+	@/bin/bash -c 'source $(VENV_DIR)/bin/activate && \
+		$(VENV_DIR)/bin/pytest tests/protocol_compliance $(if $(K),-k "$(K)") -v --tb=short \
+			|| { echo "❌ protocol compliance harness failed!"; exit 1; }; \
+		echo "✅ protocol compliance harness passed!"'
+
+test-protocol-compliance-reference:  ## Protocol compliance harness — reference server only (fast, always-on)
+	@echo "📜 Running MCP protocol compliance harness (reference target only)..."
+	@/bin/bash -c 'source $(VENV_DIR)/bin/activate && \
+		$(VENV_DIR)/bin/pytest tests/protocol_compliance -k "reference-stdio" -v --tb=short \
+			|| { echo "❌ reference-target compliance harness failed!"; exit 1; }; \
+		echo "✅ reference-target compliance harness passed!"'
+
+test-protocol-compliance-gateway:  ## Protocol compliance harness — gateway-proxy + gateway-virtual (needs in-process gateway boot to succeed)
+	@echo "📜 Running MCP protocol compliance harness (gateway targets)..."
+	@/bin/bash -c 'source $(VENV_DIR)/bin/activate && \
+		$(VENV_DIR)/bin/pytest tests/protocol_compliance -k "gateway_proxy or gateway_virtual" -v --tb=short \
+			|| { echo "❌ gateway-target compliance harness failed!"; exit 1; }; \
+		echo "✅ gateway-target compliance harness passed!"'
+
+test-protocol-compliance-matrix:  ## MCP compliance matrix across every runnable engine (reference, python, rust_edge, rust_full) with aggregated summary
+	@/bin/bash -c 'source $(VENV_DIR)/bin/activate && \
+		$(VENV_DIR)/bin/python scripts/compliance_matrix.py $(MATRIX_ARGS)'
 
 test-mcp-rbac:  ## RBAC + multi-transport MCP protocol tests (needs live gateway + SSE)
 	@echo "🔐 Running RBAC + multi-transport MCP protocol tests against $${MCP_CLI_BASE_URL:-http://localhost:8080}..."
@@ -1619,7 +1655,7 @@ testing-up:                                ## Start testing stack (Locust + A2A
 	@mkdir -p reports
 	HOST_UID=$(HOST_UID) HOST_GID=$(HOST_GID) \
 	LOCUST_EXPECT_WORKERS=$(TESTING_LOCUST_WORKERS) \
-	$(COMPOSE_CMD_MONITOR) --profile testing --profile inspector up -d --scale locust_worker=$(TESTING_LOCUST_WORKERS)
+	$(COMPOSE_CMD_MONITOR) --profile testing --profile inspector --profile sso up -d --scale locust_worker=$(TESTING_LOCUST_WORKERS)
 	@echo ""
 	@echo "✅ Testing stack started!"
 	@echo ""
@@ -1630,6 +1666,7 @@ testing-up:                                ## Start testing stack (Locust + A2A
 	@echo "Fast Test Server     http://localhost:8880         MCP benchmark target"
 	@echo "A2A Echo Agent       http://localhost:9100         A2A protocol target"
 	@echo "MCP Inspector        http://localhost:6274         Interactive MCP client"
+	@echo "Keycloak             http://localhost:8180         SSO / OAuth 2.1 provider (realm: mcp-gateway)"
 	@echo ""
 	@echo "   🔒 For DAST security scanning, also start ZAP: make testing-zap-up"
 	@echo ""
@@ -1676,7 +1713,7 @@ testing-rebuild-rust-full:                 ## Rebuild Rust image with no cache,
 .PHONY: testing-down
 testing-down:                              ## Stop testing stack
 	@echo "🧪 Stopping testing stack..."
-	$(COMPOSE_CMD_MONITOR) --profile testing --profile inspector --profile dast down --remove-orphans
+	$(COMPOSE_CMD_MONITOR) --profile testing --profile inspector --profile dast --profile sso down --remove-orphans
 	@echo "✅ Testing stack stopped."
 
 .PHONY: testing-status
@@ -7703,8 +7740,17 @@ async-clean:
 	@pkill -f "aiomonitor" || true
 	@pkill -f "snakeviz" || true
 
-# Exclude pattern for detect-secrets to skip common directories and auto generated files
-DETECT_SECRETS_FILES_EXCLUDE := '^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json'
+# Exclude pattern for detect-secrets to skip common directories and auto generated files.
+# Uses Python verbose-regex mode (?x) so each alternative can be commented.
+# Backslash line continuations collapse the value to one line with interleaved
+# spaces — harmless under (?x).
+DETECT_SECRETS_FILES_EXCLUDE := '(?x)( \
+  package-lock\.json$$         \
+  |Cargo\.lock$$               \
+  |uv\.lock$$                  \
+  |go\.sum$$                   \
+  |mcpgateway/sri_hashes\.json$$ \
+)'
 
 .PHONY: detect-secrets-scan
 detect-secrets-scan: uv                      ## 🔍  detect-secrets scan for secrets in repository