coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(local-identity): post-Stage4 cleanups and micro-fixes

Browse Source 
- audit: chmod only on file creation, not every append (TOCTOU fix)
- jwt_utils: add extract_unverified_payload() helper
- cli: use extract_unverified_payload + JWTError instead of inline decode
- keys: extract _public_key_bytes() helper, import _b64url from jwt_utils
- security: FileNotFoundError try/except instead of path.exists() (TOCTOU fix)
- serve: cache JWK response at server init instead of per-request recompute

138 tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-03-02 08:25:21 +01:00
parent 3890dca25d
commit 52d44daec2
6 changed files with 37 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
local-identity/src/local_identity/security.py
View File

@@ -24,9 +24,10 @@ class CheckResult:
def _check_mode(path: Path, expected: int) -> CheckResult:
"""Return a CheckResult for a single path against the expected mode."""
if not path.exists():
try:
actual = stat.S_IMODE(os.stat(path).st_mode)
except FileNotFoundError:
return CheckResult(str(path), "warn", "does not exist (skipped)")
actual = stat.S_IMODE(os.stat(path).st_mode)
if actual != expected:
return CheckResult(
str(path), "fail",