agent: tighten YAML audit regression test

bluecloud-gilfoyle[bot] · bluecloud-gilfoyle[bot] · commit ef7736ebe8c5 · 2026-05-30T12:52:55.000Z
diff --git a/docs/architecture/YAML-TRUST-BOUNDARY.md b/docs/architecture/YAML-TRUST-BOUNDARY.md
@@ -10,11 +10,11 @@ The file is parsed only with `yaml.safe_load` in these call sites:
 - `src/mcp_server_python_docs/ingestion/sphinx_json.py` when ingestion populates
   the synonym table.
 
-There are no `yaml.load`, `yaml.unsafe_load`, or custom non-`SafeLoader` parser
-call sites in `src/`. The regression test
+There are no `yaml.load` or `yaml.unsafe_load` parser call sites in `src/` or
+`tests/`. The regression test
 `tests/test_synonyms.py::test_yaml_loaded_only_via_safe_load` scans source files
-for unsafe YAML loaders, confirms both expected `safe_load` call sites, and
-asserts that `synonyms.yaml` is the only YAML file under
+and tests for unsafe YAML loaders, confirms both expected source `safe_load`
+call sites, and asserts that `synonyms.yaml` is the only YAML file under
 `src/mcp_server_python_docs/`.
 
 Recommended future `SECURITY.md` wording for human review:
diff --git a/tests/test_synonyms.py b/tests/test_synonyms.py
@@ -84,6 +84,7 @@ def test_yaml_loaded_only_via_safe_load():
     """Lock in the packaged-YAML trust boundary for synonyms.yaml."""
     repo_root = Path(__file__).resolve().parents[1]
     src_root = repo_root / "src"
+    scan_roots = (src_root, repo_root / "tests")
     expected_yaml_input = (
         "src/mcp_server_python_docs/data/synonyms.yaml"
     )
@@ -94,21 +95,19 @@ def test_yaml_loaded_only_via_safe_load():
 
     unsafe_load_call = re.compile(r"\byaml[.]load\s*[(]")
     unsafe_loader_name = re.compile(r"\byaml[.]unsafe_load\b")
-    loader_override = re.compile(r"\bLoader\s*=")
     safe_load_call = re.compile(r"\byaml[.]safe_load\s*[(]")
 
     violations: list[str] = []
     safe_load_sites: set[str] = set()
 
-    for source_path in sorted(src_root.rglob("*.py")):
-        relative_path = source_path.relative_to(repo_root).as_posix()
-        for line_number, line in enumerate(source_path.read_text().splitlines(), 1):
-            if unsafe_load_call.search(line) or unsafe_loader_name.search(line):
-                violations.append(f"{relative_path}:{line_number}: unsafe YAML load")
-            if loader_override.search(line) and "SafeLoader" not in line:
-                violations.append(f"{relative_path}:{line_number}: custom YAML Loader")
-            if safe_load_call.search(line):
-                safe_load_sites.add(relative_path)
+    for scan_root in scan_roots:
+        for source_path in sorted(scan_root.rglob("*.py")):
+            relative_path = source_path.relative_to(repo_root).as_posix()
+            for line_number, line in enumerate(source_path.read_text().splitlines(), 1):
+                if unsafe_load_call.search(line) or unsafe_loader_name.search(line):
+                    violations.append(f"{relative_path}:{line_number}: unsafe YAML load")
+                if source_path.is_relative_to(src_root) and safe_load_call.search(line):
+                    safe_load_sites.add(relative_path)
 
     yaml_inputs = sorted(
         path.relative_to(repo_root).as_posix()
