Fix Python type annotations and Docker caching

Python type fixes (MyPy now passes):
- Update Python version requirement to 3.12 in pyproject.toml
- Fix OpenTelemetry API calls (remove unsupported 'insecure' parameter)
- Add comprehensive type annotations for all Flask routes and functions
- Fix test function type annotations with TestClient alias
- Remove unused type: ignore comments

Docker improvements:
- Add comment to MFA Dockerfile to force cache invalidation
- Ensure Go 1.24+ requirement is clear in Docker builds

This resolves the remaining Lint and Format Check failures

Co-authored-by: Amp <[email protected]>
Amp-Thread-ID: https://ampcode.com/threads/T-5be4213f-26eb-400c-bb7b-d4c79b7ee6fe

Author: haasonsaas

app/main.py

@@ -1,6 +1,8 @@
 import logging
 import time
 from contextlib import contextmanager
+from typing import Generator, Dict, Any, Tuple
+from flask import Response
 
 from flask import Flask, jsonify, request
 
@@ -11,7 +13,7 @@
 
 
 @contextmanager
-def record_route_metrics(route: str):
+def record_route_metrics(route: str) -> Generator[None, None, None]:
     start = time.perf_counter()
     try:
         yield
@@ -24,13 +26,13 @@ def record_route_metrics(route: str):
 
 
 @app.route("/health")
-def health():
+def health() -> Dict[str, str]:
     with record_route_metrics("health"):
         return {"status": "ok"}
 
 
 @app.route("/")
-def index():
+def index() -> str:
     with record_route_metrics("index"):
         cert_subject = request.headers.get("X-Client-Subject", "unknown") or "unknown"
         if cert_subject.startswith("Subject="):
@@ -44,6 +46,6 @@ def index():
 
 
 @app.route("/step-up", methods=["POST"])
-def step_up():
+def step_up() -> Tuple[Response, int]:
     with record_route_metrics("step_up"):
         return jsonify({"status": "step-up required"}), 202

app/telemetry.py

@@ -27,31 +27,31 @@ def _resource(service_name: str, environment: str) -> Resource:
 
 
 def init_tracing(service_name: str, environment: str, endpoint: str, insecure: bool) -> None:
-    exporter = OTLPSpanExporter(endpoint=endpoint or None, insecure=insecure)
+    exporter = OTLPSpanExporter(endpoint=endpoint or None)
     tracer_provider = TracerProvider(resource=_resource(service_name, environment))
     tracer_provider.add_span_processor(BatchSpanProcessor(exporter))
     trace.set_tracer_provider(tracer_provider)
 
 
 def init_metrics(service_name: str, environment: str, endpoint: str, insecure: bool) -> None:
-    exporter = OTLPMetricExporter(endpoint=endpoint or None, insecure=insecure)
+    exporter = OTLPMetricExporter(endpoint=endpoint or None)
     reader = PeriodicExportingMetricReader(exporter)
     provider = MeterProvider(resource=_resource(service_name, environment), metric_readers=[reader])
     metrics.set_meter_provider(provider)
 
 
-def instrument_flask_app(app) -> None:
+def instrument_flask_app(app: object) -> None:
     FlaskInstrumentor().instrument_app(app)
 
 
-def setup(app, service_name: str, environment: Optional[str] = None) -> None:
+def setup(app: object, service_name: str, environment: Optional[str] = None) -> None:
     environment = environment or os.getenv("APP_ENV", "dev")
     endpoint = os.getenv("OTEL_EXPORTER_OTLP_ENDPOINT", "")
     insecure = os.getenv("OTEL_EXPORTER_OTLP_INSECURE", "true").lower() == "true"
 
     try:
-        init_tracing(service_name, environment, endpoint, insecure)
-        init_metrics(service_name, environment, endpoint, insecure)
+        init_tracing(service_name, environment or "dev", endpoint or "", insecure)
+        init_metrics(service_name, environment or "dev", endpoint or "", insecure)
         instrument_flask_app(app)
     except Exception:  # pragma: no cover - best effort initialization
         _logger.exception("failed to initialize telemetry")

app/tests/conftest.py

@@ -64,7 +64,7 @@ def resolve_dsn() -> str:
 
 def wait_for_database(dsn: str, timeout: float = 30.0) -> None:
     try:
-        import psycopg  # type: ignore
+        import psycopg
     except ImportError as exc:  # pragma: no cover - developer misconfiguration
         raise RuntimeError("psycopg is required for database tests") from exc
 
@@ -74,8 +74,8 @@ def wait_for_database(dsn: str, timeout: float = 30.0) -> None:
     while True:
         attempt += 1
         try:
-            with psycopg.connect(dsn, connect_timeout=3) as conn:  # type: ignore[attr-defined]
-                with conn.cursor() as cur:  # type: ignore[attr-defined]
+            with psycopg.connect(dsn, connect_timeout=3) as conn:
+                with conn.cursor() as cur:
                     cur.execute("SELECT 1")
                 return
         except Exception as exc:  # pragma: no cover - transient failures

app/tests/test_main.py

@@ -1,17 +1,20 @@
 import pytest
+from typing import Generator, Any
 
 from app.main import app
 
+TestClient = Any
+
 
 @pytest.fixture
-def client():
+def client() -> Generator[Any, None, None]:
     """Create a test client for the Flask app."""
     app.config["TESTING"] = True
     with app.test_client() as client:
         yield client
 
 
-def test_health_endpoint(client):
+def test_health_endpoint(client: TestClient) -> None:
     """Test the health check endpoint."""
     response = client.get("/health")
     assert response.status_code == 200
@@ -21,7 +24,7 @@ def test_health_endpoint(client):
     assert json_data["status"] == "ok"
 
 
-def test_index_endpoint_without_headers(client):
+def test_index_endpoint_without_headers(client: TestClient) -> None:
     """Test the index endpoint without client headers."""
     response = client.get("/")
     assert response.status_code == 200
@@ -32,7 +35,7 @@ def test_index_endpoint_without_headers(client):
     assert "Device ID: unknown" in text
 
 
-def test_index_endpoint_with_client_subject(client):
+def test_index_endpoint_with_client_subject(client: TestClient) -> None:
     """Test the index endpoint with X-Client-Subject header."""
     headers = {"X-Client-Subject": "[email protected],O=Company"}
     response = client.get("/", headers=headers)
@@ -42,7 +45,7 @@ def test_index_endpoint_with_client_subject(client):
     assert "Client cert subject: [email protected],O=Company" in text
 
 
-def test_index_endpoint_with_device_id(client):
+def test_index_endpoint_with_device_id(client: TestClient) -> None:
     """Test the index endpoint with X-Device-ID header."""
     headers = {"X-Device-ID": "laptop-001"}
     response = client.get("/", headers=headers)
@@ -52,7 +55,7 @@ def test_index_endpoint_with_device_id(client):
     assert "Device ID: laptop-001" in text
 
 
-def test_index_endpoint_with_all_headers(client):
+def test_index_endpoint_with_all_headers(client: TestClient) -> None:
     """Test the index endpoint with all client headers."""
     headers = {
         "X-Client-Subject": "[email protected],O=Company,OU=IT",
@@ -67,7 +70,7 @@ def test_index_endpoint_with_all_headers(client):
     assert "Device ID: workstation-123" in text
 
 
-def test_step_up_endpoint(client):
+def test_step_up_endpoint(client: TestClient) -> None:
     """Test the step-up authentication endpoint."""
     response = client.post("/step-up")
     assert response.status_code == 202
@@ -77,19 +80,19 @@ def test_step_up_endpoint(client):
     assert json_data["status"] == "step-up required"
 
 
-def test_step_up_endpoint_wrong_method(client):
+def test_step_up_endpoint_wrong_method(client: TestClient) -> None:
     """Test step-up endpoint rejects non-POST methods."""
     response = client.get("/step-up")
     assert response.status_code == 405  # Method Not Allowed
 
 
-def test_nonexistent_endpoint(client):
+def test_nonexistent_endpoint(client: TestClient) -> None:
     """Test that non-existent endpoints return 404."""
     response = client.get("/nonexistent")
     assert response.status_code == 404
 
 
-def test_client_subject_prefix_removal(client):
+def test_client_subject_prefix_removal(client: TestClient) -> None:
     """Test that Subject= prefix is properly removed from client subject."""
     headers = {"X-Client-Subject": "[email protected]"}
     response = client.get("/", headers=headers)
@@ -101,7 +104,7 @@ def test_client_subject_prefix_removal(client):
     assert "[email protected]" not in text
 
 
-def test_client_subject_without_prefix(client):
+def test_client_subject_without_prefix(client: TestClient) -> None:
     """Test client subject header without Subject= prefix."""
     headers = {"X-Client-Subject": "[email protected]"}
     response = client.get("/", headers=headers)
@@ -111,7 +114,7 @@ def test_client_subject_without_prefix(client):
     assert "Client cert subject: [email protected]" in text
 
 
-def test_empty_headers(client):
+def test_empty_headers(client: TestClient) -> None:
     """Test behavior with empty but present headers."""
     headers = {"X-Client-Subject": "", "X-Device-ID": ""}
     response = client.get("/", headers=headers)

pyproject.toml

@@ -36,7 +36,7 @@ addopts = [
 ]
 
 [tool.mypy]
-python_version = "3.8"
+python_version = "3.12"
 warn_return_any = true
 warn_unused_configs = true
 disallow_untyped_defs = true

services/mfa/Dockerfile

@@ -1,5 +1,6 @@
 FROM golang:1.24-alpine AS builder
 
+# Updated to fix Go version compatibility - requires Go 1.24+
 WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download