Skip to content

AUDIT_P0_FIXES.md

Latest commit

 

History

History
196 lines (152 loc) · 5.61 KB

AUDIT_P0_FIXES.md

File metadata and controls

196 lines (152 loc) · 5.61 KB

BugTraceAI-CLI: P0 Audit Fixes (March 15, 2026)

Executive Summary

Applied critical alignment fixes to product versioning, packaging, licensing, and CI. All changes maintain backward compatibility and improve release integrity for local deployments.

Context: BugTraceAI-CLI is a local/LAN-only penetration testing framework (not SaaS). Fixes are tailored for that model.

Changes Applied

1. ✅ Centralized Versioning (bugtrace/__init__.py)

Problem: Version defined in 4 places (pyproject.toml, config.py, openapi.yaml, API routes).

  • pyproject.toml:3: 3.4.6-beta
  • openapi.yaml:16: 2.0.0
  • config.py:31: 3.4.6-beta
  • routes/*.py: hardcoded 2.0.0

Solution:

# bugtrace/__init__.py (NEW - was empty)
__version__ = "3.4.6-beta"
__author__ = "BugTraceAI Team"
__license__ = "AGPL-3.0"

Impact:

  • Single source of truth for version
  • All modules import from bugtrace.__version__
  • CI validates version consistency

2. ✅ Fixed Package Name Typo (pyproject.toml)

Problem:

name = "bgtraceai-cli"  # ❌ Missing 'u'
  • Installs as wrong package name on PyPI
  • Users searching for bugtraceai-cli find nothing

Solution:

name = "bugtraceai-cli"  # ✓ Corrected
dynamic = ["version"]    # Version from __init__.py
license = { text = "AGPL-3.0" }  # Explicit license in metadata

3. ✅ Synchronized License Declarations

Problem: README + LICENSE = AGPL-3.0, but API exposed MIT.

# openapi.yaml (OLD)
license:
  name: MIT  # ❌ Contradicts README
  url: https://opensource.org/licenses/MIT

Solution: Aligned all surfaces to AGPL-3.0:

  • pyproject.toml: license = { text = "AGPL-3.0" }
  • openapi.yaml: name: AGPL-3.0
  • bugtrace/api/main.py: license_info={"name": "AGPL-3.0", "url": "..."}
  • bugtrace/__init__.py: __license__ = "AGPL-3.0"

Verification:

$ from bugtrace.api.main import app
$ app.openapi()["info"]["license"]
# {'name': 'AGPL-3.0', 'url': 'https://www.gnu.org/licenses/agpl-3.0.html'}

4. ✅ Fixed Config Metadata

Problem:

# config.py (OLD)
APP_NAME: str = "BgTraceAI-CLI"  # ❌ Typo (extra 'g')
VERSION: str = "3.4.6-beta"      # ❌ Hardcoded, not synced

Solution:

# config.py (NEW)
from bugtrace import __version__

APP_NAME: str = "BugTraceAI-CLI"  # ✓ Corrected
VERSION: str = __version__        # ✓ Synced from bugtrace.__version__

5. ✅ Upgraded CI/CD Validation (.github/workflows/tests.yml)

Problem: Only ran python -m bugtrace --help (smoke test).

  • No unit tests
  • No API health checks
  • No version consistency validation

Solution: Added real verification steps:

- name: Verify Package Version
  run: |
    python -c "from bugtrace import __version__; print(f'✓ Version: {__version__}')"
    python -c "from bugtrace.core.config import settings; print(f'✓ Config: {settings.VERSION}')"

- name: Run Sanity Tests
  run: |
    pytest tests/test_bugtrace_sanity.py -q --tb=short

- name: Test Database Connection
  run: |
    python -c "from bugtrace.core.database import get_db_manager; db = get_db_manager()"

- name: Verify API Import
  run: |
    python -c "from bugtrace.api.main import app; print(f'✓ API: {app.title}')"

Impact:

  • Detects version drifts on push
  • Catches broken imports/dependencies early
  • Validates database schema compatibility

Verification Checklist

bugtrace/__init__.py exports __version__ = "3.4.6-beta"
bugtrace.core.config.settings.VERSION equals __version__
bugtrace.core.config.settings.APP_NAME = "BugTraceAI-CLI" (no typo)
bugtrace.api.main.app.openapi()["info"]["license"]["name"] = "AGPL-3.0"
pyproject.toml package name = "bugtraceai-cli" (correct spelling)
.github/workflows/tests.yml runs version validation + sanity checks

Backward Compatibility

No breaking changes

  • All changes are additive or transparent
  • Version is still 3.4.6-beta (same number, centralized)
  • API functionality unchanged
  • Existing deployments work without reconfiguration

Next Steps (P1 - Days 4-7)

  1. Documentation (DEVELOPMENT.md)

    • How to install from source
    • Local dev setup with hot-reload
    • Debugging guide for agents/API

  2. Environment Docs (.env.example update)

    • All config variables with descriptions
    • Examples for localhost vs LAN deployments
    • Warnings about internet exposure

  3. Dependency Consolidation

    • Align requirements.txt with pyproject.toml
    • Add [project.optional-dependencies] for dev/test extras

  4. Container Support Documentation

    • How to build & run Docker locally
    • Port mapping for LAN access
    • MCP server setup in container

Timeline

  • Applied: 2026-03-15
  • Status: Ready for testing
  • Testing: Run python -m pytest tests/test_bugtrace_sanity.py to verify

Files Modified

✓ bugtrace/__init__.py (NEW - 4 lines)
✓ pyproject.toml (3 edits: name, license, dynamic version)
✓ openapi.yaml (2 edits: version, license)
✓ bugtrace/core/config.py (2 edits: import, APP_NAME, VERSION)
✓ bugtrace/api/main.py (1 edit: license_info)
✓ .github/workflows/tests.yml (5 new test steps)

Author Notes

These fixes establish a baseline for local tool quality:

  • Single versionable surface (not SaaS, so no external version tracking needed)
  • Legal clarity (AGPL-3.0, not MIT ambiguity)
  • Quick integrity checks (CI validates on every push)

For a tool that users download + install themselves, these prevent the most common support issues: "What version am I running?" and "Is this really AGPL?".