Update dependencies, improve security, and add CI config (#11)

* Update dependencies, improve security, and add CI config

- Update dependencies to latest versions (FastAPI, Pydantic, Uvicorn)
- Bump Python requirement to 3.11+
- Fix license metadata to GPL-3.0-or-later
- Remove unused asyncio-mqtt dependency
- Implement path sanitization in project creation
- Improve CORS configuration (restrict defaults, explicit methods)
- Add pytest-cov for test coverage reporting
- Update Makefile with coverage and install-dev targets
- Add Renovate configuration
- Remove dead code in claude_manager.py
* Potential fix for pull request finding 'Unused import'
* Update claude_code_api/api/projects.py

Author: Mehdi-Bl

Makefile

@@ -5,9 +5,26 @@ install:
 	pip install -e .
 	pip install requests
 
+install-dev:
+	pip install -e ".[test,dev]"
+	pip install requests
+
 test:
+	python -m pytest --cov=claude_code_api --cov-report=html tests/ -v
+
+test-no-cov:
 	python -m pytest tests/ -v
 
+coverage:
+	@echo "Opening coverage report..."
+	@if [ "$$(uname)" = "Darwin" ]; then \
+		open htmlcov/index.html; \
+	elif [ "$$(uname)" = "Linux" ]; then \
+		xdg-open htmlcov/index.html || echo "Please open htmlcov/index.html in your browser"; \
+	else \
+		echo "Please open htmlcov/index.html in your browser"; \
+	fi
+
 test-real:
 	python tests/test_real_api.py
 
@@ -44,7 +61,10 @@ help:
 	@echo ""
 	@echo "Python API:"
 	@echo "  make install     - Install Python dependencies"
-	@echo "  make test        - Run Python unit tests with real Claude integration"
+	@echo "  make install-dev - Install Python development dependencies"
+	@echo "  make test        - Run Python unit tests with coverage"
+	@echo "  make test-no-cov - Run Python unit tests without coverage"
+	@echo "  make coverage    - Open HTML coverage report"
 	@echo "  make test-real   - Run REAL end-to-end tests (curls actual API)"
 	@echo "  make start       - Start Python API server (development with reload)"
 	@echo "  make start-prod  - Start Python API server (production)"

claude_code_api/api/projects.py

@@ -16,6 +16,8 @@
 )
 from claude_code_api.core.database import db_manager, Project
 from claude_code_api.core.claude_manager import create_project_directory, cleanup_project_directory
+from claude_code_api.core.security import validate_path
+from claude_code_api.core.config import settings
 
 logger = structlog.get_logger()
 router = APIRouter()
@@ -69,7 +71,14 @@ async def create_project(
 
     # Create project directory
     if project_request.path:
-        project_path = project_request.path
+        # Validate path
+        try:
+            project_path = validate_path(project_request.path, settings.project_root)
+        try:
+            project_path = validate_path(project_request.path, settings.project_root)
+        except HTTPException:
+            raise
+
         os.makedirs(project_path, exist_ok=True)
     else:
         project_path = create_project_directory(project_id)

claude_code_api/core/claude_manager.py

@@ -192,32 +192,6 @@ async def send_input(self, text: str):
                     error=str(e)
                 )
 
-    async def _start_mock_process(self, prompt: str, model: str):
-        """Start mock process for testing."""
-        self.is_running = True
-        
-        # Create mock Claude response
-        mock_response = {
-            "type": "result",
-            "sessionId": self.session_id,
-            "model": model or "claude-3-5-haiku-20241022",
-            "message": {
-                "role": "assistant", 
-                "content": f"Hello! You said: '{prompt}'. This is a mock response from Claude Code API Gateway."
-            },
-            "usage": {
-                "input_tokens": len(prompt.split()),
-                "output_tokens": 15,
-                "total_tokens": len(prompt.split()) + 15
-            },
-            "cost_usd": 0.001,
-            "duration_ms": 100
-        }
-        
-        # Put the response in the queue
-        await self.output_queue.put(mock_response)
-        await self.output_queue.put(None)  # End signal
-    
     async def stop(self):
         """Stop Claude process."""
         self.is_running = False

claude_code_api/core/config.py

@@ -94,15 +94,15 @@ def parse_api_keys(cls, v):
     log_format: str = "json"
 
     # CORS Configuration
-    allowed_origins: List[str] = Field(default=["*"])
-    allowed_methods: List[str] = Field(default=["*"])
+    allowed_origins: List[str] = Field(default=["http://localhost:8000", "http://127.0.0.1:8000"])
+    allowed_methods: List[str] = Field(default=["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"])
     allowed_headers: List[str] = Field(default=["*"])
 
     @field_validator('allowed_origins', 'allowed_methods', 'allowed_headers', mode='before')
     def parse_cors_lists(cls, v):
         if isinstance(v, str):
             return [x.strip() for x in v.split(',') if x.strip()]
-        return v or ["*"]
+        return v
 
     # Rate Limiting
     rate_limit_requests_per_minute: int = 100

claude_code_api/core/security.py

@@ -0,0 +1,58 @@
+"""Security utilities."""
+
+import os
+import structlog
+from fastapi import HTTPException, status
+
+logger = structlog.get_logger()
+
+def validate_path(path: str, base_path: str) -> str:
+    """
+    Validate that a path is safe and within the base path.
+    Prevents directory traversal attacks.
+
+    Args:
+        path: The path to validate (can be absolute or relative)
+        base_path: The allowed base directory
+
+    Returns:
+        The normalized absolute path if valid
+
+    Raises:
+        HTTPException: If path is invalid or outside base_path
+    """
+    try:
+        # Normalize base path to absolute path
+        abs_base_path = os.path.abspath(base_path)
+
+        # Handle relative paths by joining with base_path
+        if not os.path.isabs(path):
+            abs_path = os.path.abspath(os.path.join(abs_base_path, path))
+        else:
+            abs_path = os.path.abspath(path)
+
+        # Check if path is within base_path
+        # os.path.commonpath returns the longest common sub-path
+        # If valid, commonpath should be equal to base_path
+        if os.path.commonpath([abs_base_path, abs_path]) != abs_base_path:
+            logger.warning(
+                "Path traversal attempt detected",
+                path=path,
+                resolved_path=abs_path,
+                base_path=abs_base_path
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid path: Path traversal detected"
+            )
+
+        return abs_path
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error("Path validation error", error=str(e), path=path)
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Invalid path: {str(e)}"
+        )

claude_code_api/main.py

@@ -96,8 +96,8 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
     CORSMiddleware,
     allow_origins=settings.allowed_origins,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=settings.allowed_methods,
+    allow_headers=settings.allowed_headers,
 )
 
 # Authentication middleware

pyproject.toml

@@ -7,31 +7,30 @@ name = "claude-code-api"
 version = "1.0.0"
 description = "OpenAI-compatible API gateway for Claude Code with streaming support"
 readme = "README.md"
-license = {text = "MIT"}
+license = {text = "GPL-3.0-or-later"}
 authors = [
     {name = "Claude Code API Team"}
 ]
 keywords = ["claude", "api", "openai", "streaming", "ai"]
 classifiers = [
     "Development Status :: 4 - Beta",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
+    "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)",
     "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
     "Topic :: Software Development :: Libraries :: Python Modules",
     "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
 ]
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 dependencies = [
-    "fastapi>=0.104.0",
-    "uvicorn[standard]>=0.24.0",
-    "pydantic>=2.5.0",
+    "fastapi>=0.115.0",
+    "uvicorn[standard]>=0.32.0",
+    "pydantic>=2.9.0",
     "httpx>=0.25.0",
     "aiofiles>=23.2.1",
     "structlog>=23.2.0",
-    "asyncio-mqtt>=0.16.1",
     "python-multipart>=0.0.6",
     "pydantic-settings>=2.1.0",
     "sqlalchemy>=2.0.23",
@@ -105,7 +104,7 @@ exclude_lines = [
 
 [tool.black]
 line-length = 88
-target-version = ['py310']
+target-version = ['py311']
 include = '\\.pyi?$'
 extend-exclude = '''
 /(
@@ -128,7 +127,7 @@ line_length = 88
 known_first_party = ["claude_code_api"]
 
 [tool.mypy]
-python_version = "3.10"
+python_version = "3.11"
 check_untyped_defs = true
 disallow_any_generics = true
 disallow_incomplete_defs = true

renovate.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": true
+    }
+  ],
+  "labels": ["dependencies"]
+}

setup.py

@@ -13,15 +13,14 @@
     author="Claude Code API Team",
     url="https://github.com/claude-code-api/claude-code-api",
     packages=find_packages(),
-    python_requires=">=3.10",
+    python_requires=">=3.11",
     install_requires=[
-        "fastapi>=0.104.0",
-        "uvicorn[standard]>=0.24.0",
-        "pydantic>=2.5.0",
+        "fastapi>=0.115.0",
+        "uvicorn[standard]>=0.32.0",
+        "pydantic>=2.9.0",
         "httpx>=0.25.0",
         "aiofiles>=23.2.1",
         "structlog>=23.2.0",
-        "asyncio-mqtt>=0.16.1",
         "python-multipart>=0.0.6",
         "pydantic-settings>=2.1.0",
         "sqlalchemy>=2.0.23",
@@ -55,11 +54,11 @@
     classifiers=[
         "Development Status :: 4 - Beta",
         "Intended Audience :: Developers",
-        "License :: OSI Approved :: MIT License",
+        "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
+        "Programming Language :: Python :: 3.13",
         "Topic :: Software Development :: Libraries :: Python Modules",
         "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
     ],

tests/test_security.py

@@ -0,0 +1,29 @@
+import pytest
+from fastapi import HTTPException
+from claude_code_api.core.security import validate_path
+
+def test_validate_path_valid():
+    base = "/tmp/projects"
+    path = "project1"
+    assert validate_path(path, base) == "/tmp/projects/project1"
+
+def test_validate_path_traversal():
+    base = "/tmp/projects"
+    path = "../etc/passwd"
+    with pytest.raises(HTTPException) as exc:
+        validate_path(path, base)
+    assert exc.value.status_code == 400
+    assert "Path traversal detected" in exc.value.detail
+
+def test_validate_path_absolute_traversal():
+    base = "/tmp/projects"
+    path = "/etc/passwd"
+    with pytest.raises(HTTPException) as exc:
+        validate_path(path, base)
+    assert exc.value.status_code == 400
+    assert "Path traversal detected" in exc.value.detail
+
+def test_validate_path_absolute_valid():
+    base = "/tmp/projects"
+    path = "/tmp/projects/project1"
+    assert validate_path(path, base) == "/tmp/projects/project1"