Add 20 tests covering:

- require_user_actor: rejects agents and null users, passes valid users
- Webhook HMAC: rejects missing/invalid signatures, accepts valid ones, allows unsigned when no secret configured
- Prompt injection: sanitized skill name/URL, fenced external data in dispatch messages, system instructions precede data
- Security headers: verify nosniff, DENY, referrer-policy defaults
- Payload size: rejects oversized body and content-length
- Rate limiting: blocks after threshold, independent per-key
- Gateway token: has_token field present, token field absent
- Agent auth logs: no token_prefix in source

Also fix deprecated HTTP_413_REQUEST_ENTITY_TOO_LARGE status code.

All 407 tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
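The webhook HMAC behaviour listed above (reject missing or invalid signatures, accept valid ones, allow unsigned requests only when no secret is configured) is easy to get subtly wrong, usually by comparing digests with `==` or by treating an empty header as valid. The following is an added illustration written for this page, not code from the project this commit belongs to; the `sha256=` header prefix, the function names and the sample payload are assumptions, not taken from the repository.

```python
import hashlib
import hmac
from typing import Optional


def sign_body(body: bytes, secret: str) -> str:
    """Produce the signature header a legitimate sender would attach.

    Header format "sha256=<hex>" is an assumption for this example.
    """
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook_signature(body: bytes,
                             signature_header: Optional[str],
                             secret: Optional[str]) -> bool:
    """Return True if the webhook request should be accepted.

    Rules, matching the behaviour described in the commit message:
      * no secret configured  -> unsigned requests are allowed
      * secret configured     -> header must be present and must equal
                                 HMAC-SHA256(secret, raw body)
    The comparison uses hmac.compare_digest so a forged signature cannot be
    refined byte-by-byte through timing differences.
    """
    if not secret:
        # No shared secret means signature enforcement is off.
        return True
    if not signature_header:
        # Secret is configured, so an unsigned request is rejected.
        return False
    provided = signature_header
    if provided.startswith("sha256="):
        provided = provided[len("sha256="):]
    expected = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample payload and secret, not real values.
    payload = b'{"event": "skill.dispatch", "id": 42}'
    secret = "example-shared-secret"
    good = sign_body(payload, secret)
    print("valid signature accepted:", verify_webhook_signature(payload, good, secret))
    print("missing signature rejected:", not verify_webhook_signature(payload, None, secret))
    print("tampered body rejected:", not verify_webhook_signature(payload + b" ", good, secret))
    print("unsigned allowed without secret:", verify_webhook_signature(payload, None, None))
```

Verify against the raw request bytes, not a re-serialized JSON object: any whitespace or key-order change between what the sender hashed and what the receiver hashes will make a legitimate signature fail.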
18 KiB