Add comprehensive integration and orchestration test suites for TailOpsMCP

- Implemented a detailed integration test suite in `test_system_integration.py` covering end-to-end workflows, multi-system orchestration, and security compliance.
- Created a robust orchestration test suite in `test_workflow_orchestration.py` focusing on workflow execution lifecycle, error handling, approval workflows, scheduling, and parallel execution.
- Utilized mocks for various services to simulate realistic scenarios and validate system behavior under different conditions.
- Included tests for edge cases, performance, and reliability to ensure system robustness and fault tolerance.

Author: mdlmarkham

.github/workflows/test.yml

@@ -0,0 +1,386 @@
+# TailOpsMCP Security Configuration
+# Enhanced security and identity controls configuration
+
+# Security Audit Logging Configuration
+security:
+  audit_logging:
+    enabled: true
+    retention_days: 2555  # 7 years for compliance
+    encryption_enabled: true
+    real_time_processing: true
+    database_path: "./logs/security_audit.db"
+    log_file_path: "./logs/security_audit.log"
+    
+  # Identity Management Configuration
+  identity_management:
+    session_timeout: 3600  # 1 hour in seconds
+    max_concurrent_sessions: 3
+    mfa_required_roles: ["admin", "operations", "security"]
+    oidc_enabled: true
+    tailscale_integration: true
+    session_cleanup_interval: 300  # 5 minutes
+    
+  # Access Control Configuration
+  access_control:
+    default_deny: true
+    contextual_permissions: true
+    risk_based_access: true
+    separation_of_duties: true
+    approval_chain_required: true
+    
+  # Security Monitoring Configuration
+  security_monitoring:
+    threat_detection_enabled: true
+    anomaly_detection: true
+    real_time_alerts: true
+    automated_response: false  # Enable with caution
+    
+    # Threat Detection Thresholds
+    brute_force_threshold: 5
+    brute_force_time_window: 300  # 5 minutes
+    privilege_escalation_threshold: 3
+    data_dumping_threshold: 100
+    lateral_movement_threshold: 5
+    
+  # Compliance Framework Configuration
+  compliance:
+    standards: ["SOC2", "ISO27001", "PCI-DSS"]
+    automated_reporting: true
+    evidence_collection: true
+    retention_policies: true
+    assessment_frequency: "quarterly"
+    
+  # Data Retention Policies
+  retention:
+    audit_logs: 2555  # 7 years
+    security_events: 2555  # 7 years
+    user_sessions: 30  # 30 days
+    security_alerts: 365  # 1 year
+    compliance_reports: 2555  # 7 years
+    threat_intelligence: 90  # 90 days
+    
+  # Network Security Configuration
+  network_security:
+    private_ip_ranges:
+      - "10.0.0.0/8"
+      - "172.16.0.0/12"
+      - "192.168/16"
+     0.0.0/8"
+      - "169.254.0 - "127..0/16"
+    allowed_ports.0.0: [22, 80, 443, 8080]
+    block_metadata_services: true
+    allowlist_enabled: false
+: ["*"]    allowed_hosts  # Use ["*"] for wildcard, [] for deny all
+
+# Authentication Configuration
+authentication:
+  # Tailscale OIDC Integration
+  tailscale_oidc:
+    enabled: true
+    issuer: "https://login.tailscale.com"
+    audience: "tailops-mcp"
+    claims_mapping:
+      user_id: "sub"
+      username: "preferred_username"
+      email: "email"
+      groups: "groups"
+      roles: "roles"
+      
+  # Session Management
+  session_management:
+    token_length: 32
+    refresh_enabled: true
+    revocation_enabled: true
+    concurrent_sessions_limit: 3
+    
+  # Multi-Factor Authentication
+  mfa:
+    required_for_roles: ["admin", "security", "operations"]
+    methods: ["TOTP", "SMS", "Email"]
+    backup_codes: true
+    grace_period: 300  # 5 minutes
+
+# Authorization Configuration
+authorization:
+  # Role-Based Access Control
+  rbac:
+    roles:
+      admin:
+        permissions: ["*"]
+        description: "Full system access"
+      security:
+        permissions: ["security:*", "audit:read", "compliance:*"]
+        description: "Security team access"
+      operations:
+        permissions: ["operations:*", "fleet:*", "monitoring:*"]
+        description: "Operations team access"
+      user:
+        permissions: ["targets:read", "targets:connect", "logs:read"]
+        description: "Standard user access"
+        
+  # Contextual Access Control
+  contextual:
+    time_restrictions:
+      business_hours: [8, 17]  # 8 AM to 5 PM
+      business_days: [1, 2, 3, 4, 5]  # Monday to Friday
+    location_restrictions:
+      allowed_countries: ["US", "CA", "GB"]
+      block_vpn: false
+    device_restrictions:
+      require_trusted_devices: false
+      allowed_device_types: ["desktop", "laptop", "mobile"]
+
+# Security Monitoring Configuration
+monitoring:
+  # Real-time Monitoring
+  real_time:
+    enabled: true
+    alert_channels: ["log", "email"]
+    escalation_rules:
+      critical: ["immediate"]
+      high: ["15min"]
+      medium: ["1hour"]
+      low: ["24hour"]
+      
+  # Log Analysis
+  log_analysis:
+    enabled: true
+    retention: 90  # days
+    analysis_interval: 300  # 5 minutes
+    pattern_matching: true
+    anomaly_detection: true
+      
+  # Threat Intelligence
+  threat_intelligence:
+    enabled: true
+    sources: ["internal", "commercial"]
+    update_frequency: "daily"
+    confidence_threshold: 0.7
+
+# Incident Response Configuration
+incident_response:
+  # Automated Response
+  automated_response:
+    enabled: false  # Enable with caution
+    actions:
+      brute_force: ["block_ip", "alert_security"]
+      privilege_escalation: ["alert_security", "require_approval"]
+      data_exfiltration: ["block_operation", "alert_management"]
+      
+  # Manual Response
+  manual_response:
+    escalation_matrix:
+      level_1: ["security_team"]
+      level_2: ["security_manager"]
+      level_3: ["cto", "legal"]
+      
+  # Communication
+  communication:
+    channels:
+      email:
+        enabled: true
+        smtp_server: "smtp.example.com"
+        from_address: "[email protected]"
+      slack:
+        enabled: false
+        webhook_url: ""
+      teams:
+        enabled: false
+        webhook_url: ""
+
+# Compliance Configuration
+compliance:
+  # SOC2 Configuration
+  soc2:
+    enabled: true
+    controls:
+      - "CC6.1"  # Logical and Physical Access Controls
+      - "CC6.2"  # User Registration
+      - "CC6.3"  # User Access Management
+      - "CC7.1"  # System Operations
+      - "CC8.1"  # Change Management
+      
+  # ISO 27001 Configuration
+  iso27001:
+    enabled: true
+    controls:
+      - "A.9.1.1"  # Access Control Policy
+      - "A.9.2.1"  # User Registration
+      - "A.9.4.1"  # Information Access Restriction
+      - "A.12.4.1"  # Event Logging
+      - "A.12.6.1"  # Technical Vulnerability Management
+      
+  # PCI DSS Configuration
+  pci_dss:
+    enabled: false  # Enable only if handling payment data
+    controls:
+      - "8.2.3"  # Multi-factor Authentication
+      - "10.1"   # Audit Trails
+      - "10.2"   # Automated Audit Trails
+      
+  # GDPR Configuration
+  gdpr:
+    enabled: false  # Enable only if handling EU personal data
+    data_retention: 2555  # days
+    consent_required: true
+    right_to_erasure: true
+    data_portability: true
+
+# Risk Management Configuration
+risk_management:
+  # Risk Assessment
+  risk_assessment:
+    enabled: true
+    factors:
+      - "user_profile"
+      - "resource_sensitivity"
+      - "operation_type"
+      - "time_context"
+      - "location_context"
+      
+  # Risk Scoring
+  risk_scoring:
+    thresholds:
+      low: 0.3
+      medium: 0.6
+      high: 0.8
+      critical: 0.95
+      
+  # Risk Mitigation
+  mitigation:
+    automatic_blocking: false
+    approval_required: true
+    additional_monitoring: true
+
+# Security Policies Configuration
+policies:
+  # Password Policy
+  password_policy:
+    min_length: 12
+    require_uppercase: true
+    require_lowercase: true
+    require_numbers: true
+    require_symbols: true
+    prevent_reuse: 5
+    max_age: 90  # days
+    
+  # Session Policy
+  session_policy:
+    idle_timeout: 1800  # 30 minutes
+    absolute_timeout: 3600  # 1 hour
+    concurrent_sessions: 3
+    session_regeneration: true
+    
+  # Access Policy
+  access_policy:
+    default_deny: true
+    least_privilege: true
+    periodic_review: true
+    review_frequency: 90  # days
+    
+  # Data Handling Policy
+  data_policy:
+    classification_required: true
+    encryption_required: true
+    backup_required: true
+    retention_enforced: true
+
+# Environment-Specific Overrides
+environments:
+  development:
+    security:
+      audit_logging:
+        retention_days: 30
+      security_monitoring:
+        automated_response: false
+    compliance:
+      standards: ["internal"]
+      
+  staging:
+    security:
+      audit_logging:
+        retention_days: 90
+      security_monitoring:
+        real_time_alerts: true
+    compliance:
+      standards: ["SOC2", "ISO27001"]
+      
+  production:
+    security:
+      audit_logging:
+        retention_days: 2555
+        encryption_enabled: true
+      security_monitoring:
+        real_time_alerts: true
+        automated_response: true
+    compliance:
+      standards: ["SOC2", "ISO27001", "PCI-DSS"]
+
+# Notification Configuration
+notifications:
+  # Security Alerts
+  security_alerts:
+    enabled: true
+    channels: ["email", "log"]
+    recipients:
+      security_team: ["[email protected]"]
+      management: ["[email protected]"]
+      
+  # Compliance Reports
+  compliance_reports:
+    enabled: true
+    frequency: "monthly"
+    recipients: ["[email protected]"]
+    
+  # System Health
+  system_health:
+    enabled: true
+    frequency: "daily"
+    recipients: ["[email protected]"]
+
+# Integration Configuration
+integrations:
+  # Tailscale Integration
+  tailscale:
+    enabled: true
+    serve_enabled: true
+    auth_enabled: true
+    oidc_enabled: true
+    
+  # Proxmox Integration
+  proxmox:
+    enabled: false  # Enable if using Proxmox
+    api_endpoint: ""
+    credentials: ""
+    
+  # SIEM Integration
+  siem:
+    enabled: false
+    endpoint: ""
+    api_key: ""
+    
+  # Threat Intelligence
+  threat_intel:
+    enabled: false
+    providers: []
+    api_keys: {}
+
+# Development and Testing Configuration
+development:
+  # Testing Mode
+  testing:
+    enabled: false
+    mock_services: false
+    bypass_authentication: false
+    
+  # Debug Configuration
+  debug:
+    enabled: false
+    log_level: "INFO"
+    audit_all_requests: false
+    
+  # Development Security
+  dev_security:
+    allow_localhost: true
+    relaxed_cors: true
+    debug_endpoints: true