fix: add bandit SAST + pip-audit to CI, fix assert in production code (#20)

fix: add bandit SAST + pip-audit to CI, fix assert in production code, upgrade 4 vulnerable deps. Closes #19, Refs devonartis/agentwrit#31

Author: devonartis

.github/workflows/ci.yml

@@ -113,6 +113,28 @@ jobs:
             exit 1
           fi
 
+  sast:
+    name: SAST (bandit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run bandit -r src/ -q
+
+  dep-audit:
+    name: Dependency Audit (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run pip-audit
+
   secrets-scan:
     name: Secrets Scan
     runs-on: ubuntu-latest

pyproject.toml

@@ -64,4 +64,6 @@ dev-dependencies = [
     "python-multipart>=0.0.24",
     "uvicorn>=0.44.0",
     "flask>=3.0.0",
+    "bandit>=1.9.4",
+    "pip-audit>=2.10.0",
 ]

src/agentwrit/orchestrator.py

@@ -12,6 +12,7 @@
 from typing import TYPE_CHECKING
 
 from agentwrit.agent import Agent
+from agentwrit.errors import AgentWritError
 
 if TYPE_CHECKING:
     from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
@@ -80,7 +81,8 @@ def orchestrate(
         agent_name = label or f"{orch_id}/{task_id}"
 
         # The app JWT is required as Bearer auth for launch token creation.
-        assert self._app._session is not None
+        if self._app._session is None:
+            raise AgentWritError("App not authenticated — call authenticate() first")
         app_token = self._app._session.access_token
 
         lt_response = self._transport.request(