f81e839ba2
- validate instance names at the host lib and web boundary against
[a-z0-9][a-z0-9_-]{0,63} to prevent path traversal via Server.name
- fail-closed on SECRET_KEY: load_config returns None when env unset,
create_app raises if missing or "dev" outside TESTING
- close login timing oracle by hashing a dummy digest when the user
is not found, equalizing response time
- set SESSION_COOKIE_SECURE outside TESTING
- delete_instance tolerates stop_service and fusermount3 failures so
partially-initialized instances clean up without contract breaks;
drops the is_mount() preflight that violated AGENTS.md
- document claim_next_job's single-process assumption
- clarify emit_step contract via docstring
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| test_auth.py | ||
| test_blueprints.py | ||
| test_config.py | ||
| test_health.py | ||
| test_host_commands.py | ||
| test_job_logs.py | ||
| test_job_worker.py | ||
| test_l4d2_facade.py | ||
| test_models.py | ||
| test_overlays.py | ||
| test_pages.py | ||
| test_security.py | ||
| test_servers.py | ||
| test_status_and_server_logs.py | ||