Coverage for src / local_deep_research / settings / env_definitions / security.py: 100%


1""" 

2Security environment settings. 

3 

4These settings control security-related behavior like SSRF validation 

5and CORS origin restrictions. 

6""" 

7 

8import os 

9from ..env_settings import BooleanSetting, StringSetting 

10 

11 

# Variables owned by external tooling (pytest, CI runners) rather than by
# this application, so they are looked up in the process environment
# directly instead of going through the settings classes.
# NOTE(review): the value is captured once, at import time, and is whatever
# the process environment holds. If any consumer treats it as a "test mode"
# switch that relaxes a security check, confirm that it cannot be set in a
# production deployment.
PYTEST_CURRENT_TEST = os.getenv("PYTEST_CURRENT_TEST")

15 

16 

# Security configuration owned by the LDR application. Each entry declares
# one setting: its key, its default and the operator-facing description.
SECURITY_SETTINGS = [
    # Origins allowed to call the API routes cross-origin.
    # NOTE(review): how the None default is interpreted is decided by the
    # consumer of this setting, not here; the description only defines '*'
    # and the empty value. Confirm that "unset" resolves to the restrictive
    # (same-origin) behaviour.
    StringSetting(
        key="security.cors.allowed_origins",
        default=None,
        description=(
            "Allowed CORS origins for API routes (comma-separated). "
            "Use '*' for all origins, empty for same-origin only. "
            "Example: 'https://example.com,https://app.example.com'"
        ),
    ),
    # Origins allowed to open WebSocket/Socket.IO connections.
    # NOTE(review): the description names '*' as the default, so an unset
    # value presumably accepts connections from any origin (confirm against
    # the consumer). Deployments reachable from a browser should set an
    # explicit origin list so that other sites cannot open sockets on a
    # logged-in user's behalf.
    StringSetting(
        key="security.websocket.allowed_origins",
        default=None,
        description=(
            "Allowed origins for WebSocket/Socket.IO connections (comma-separated). "
            "Use '*' for all origins (default), empty for same-origin only. "
            "Example: 'https://example.com,https://app.example.com'"
        ),
    ),
    # SSRF guard for notification webhooks: off (False) means private and
    # local targets stay blocked. The description states the switch is
    # environment-only so that the user-writable settings API cannot flip it.
    # NOTE(review): that restriction is not enforced by this declaration;
    # confirm the settings API rejects writes to this key.
    BooleanSetting(
        key="notifications.allow_private_ips",
        default=False,
        description=(
            "Allow notification webhooks to target private/local IP addresses. "
            "Environment-only to prevent SSRF bypass via the user-writable settings API. "
            "Only enable this if your notification endpoints are on a trusted local network."
        ),
    ),
]