Fix CI lint failures from ruff

Thirteen ruff findings on the first CI run, all cosmetic:
- F401 unused typing.Any imports in findings.py, blast_radius.py, reasoning.py
- F401 unused POLICIES import in policy.py (POLICY_BY_ID is the surface used)
- F401 unused get_rest_client import in seed_splunk.py
- F541 four f-strings without placeholders (seed_splunk, test_injection, test_pipeline)
- F841 unused local 'app' in seed_splunk's ensure_kv_collection
- E402 module-level imports after load_dotenv in smoke_test_splunk.py — added
  noqa comments since the late import is intentional (env vars must load before
  splunklib reads them)

Local `ruff check .` now reports "All checks passed". Pytest still green.

Author: JonathanSolvesProblems

agentgate/findings.py

@@ -8,7 +8,6 @@
 from __future__ import annotations
 
 import json
-from typing import Any
 
 from rich.console import Console
 

agentgate/middleware/blast_radius.py

@@ -7,7 +7,6 @@
 from __future__ import annotations
 
 import time
-from typing import Any
 
 from ..graph import GraphArtifact, blast_radius
 from ..models import Severity, StageResult, ToolCall

agentgate/middleware/policy.py

@@ -12,7 +12,7 @@
 from typing import Iterable
 
 from ..models import Decision, Severity, StageResult, ToolCall
-from ..policies import POLICIES, POLICY_BY_ID, Policy
+from ..policies import POLICY_BY_ID, Policy
 
 DESTRUCTIVE_SPL_RE = re.compile(
     r"(?:\|\s*delete\b|\bcrawl\b|outputlookup[^|]*append\s*=\s*false|"

agentgate/middleware/reasoning.py

@@ -10,7 +10,6 @@
 from __future__ import annotations
 
 import time
-from typing import Any
 
 from ollama import Client
 

scripts/seed_splunk.py

@@ -24,7 +24,7 @@
 REPO_ROOT = Path(__file__).resolve().parents[1]
 sys.path.insert(0, str(REPO_ROOT))
 
-from agentgate.splunk_client import get_rest_client, get_service, rest  # noqa: E402
+from agentgate.splunk_client import get_service, rest  # noqa: E402
 
 console = Console()
 fake = Faker()
@@ -172,7 +172,7 @@
     {"asset_id": "host:webfront01", "asset_type": "host", "compliance_tags": ["PCI"], "criticality": "high", "owner": "frontend"},
     {"asset_id": "user:svc_payment", "asset_type": "user", "compliance_tags": ["PCI"], "criticality": "high", "owner": "payments"},
     {"asset_id": "user:svc_hl7", "asset_type": "user", "compliance_tags": ["HIPAA"], "criticality": "high", "owner": "clinical"},
-    {"asset_id": f"sourcetype:windows:security", "asset_type": "sourcetype", "compliance_tags": ["SOX", "PCI"], "criticality": "high", "owner": "soc"},
+    {"asset_id": "sourcetype:windows:security", "asset_type": "sourcetype", "compliance_tags": ["SOX", "PCI"], "criticality": "high", "owner": "soc"},
 ]
 
 
@@ -223,7 +223,6 @@ def upsert_saved_search(service: Any, spec: dict[str, Any]) -> None:
 
 
 def ensure_kv_collection(service: Any) -> None:
-    app = service.apps[DEMO_APP]  # search app for visibility
     collections = service.kvstore
     if KV_COLLECTION in collections:
         console.print(f"  KV collection {KV_COLLECTION!r} already exists")
@@ -364,7 +363,7 @@ def main() -> int:
         if "\nAGENTGATE_HEC_TOKEN=\n" in (env_text + "\n") or env_text.rstrip().endswith("AGENTGATE_HEC_TOKEN="):
             env_text = env_text.replace("AGENTGATE_HEC_TOKEN=", f"AGENTGATE_HEC_TOKEN={audit_token}")
             env_path.write_text(env_text)
-            console.print(f"  [green]wrote AGENTGATE_HEC_TOKEN to .env[/green]")
+            console.print("  [green]wrote AGENTGATE_HEC_TOKEN to .env[/green]")
 
     console.print("\n[bold]3. Saved searches[/bold]")
     for spec in SAVED_SEARCHES:

scripts/smoke_test_splunk.py

@@ -12,8 +12,8 @@
 REPO_ROOT = Path(__file__).resolve().parents[1]
 load_dotenv(REPO_ROOT / ".env")
 
-import splunklib.client as splunk_client
-import splunklib.results as splunk_results
+import splunklib.client as splunk_client  # noqa: E402  (load_dotenv must run first)
+import splunklib.results as splunk_results  # noqa: E402
 
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 

tests/test_injection.py

@@ -79,9 +79,9 @@ def test_metrics_report() -> None:
     print(f"in-scope corpus:  positives={len(POSITIVE)} negatives={len(NEGATIVE)}")
     print(f"  TP={tp} FN={fn} TN={tn} FP={fp}")
     print(f"  precision={precision:.3f}  recall={recall:.3f}  F1={f1:.3f}  specificity={specificity:.3f}")
-    print(f"out-of-scope corpus (INJECAGENT-style tool hijacking, not in heuristic threat model):")
+    print("out-of-scope corpus (INJECAGENT-style tool hijacking, not in heuristic threat model):")
     print(f"  total={len(OUT_OF_SCOPE)}  intentionally-missed-by-heuristic={oos_missed}/{len(OUT_OF_SCOPE)}")
-    print(f"  -> routed to Foundation-Sec semantic stage in production pipeline")
+    print("  -> routed to Foundation-Sec semantic stage in production pipeline")
     assert precision >= 0.85, f"precision too low: {precision}"
     assert recall >= 0.85, f"recall too low: {recall}"
     assert specificity >= 0.90, f"specificity too low: {specificity}"

tests/test_pipeline.py

@@ -79,7 +79,7 @@ def test_benign_corpus_zero_false_positives(pipeline: Pipeline) -> None:
         v = pipeline.evaluate(tc)
         if v.decision != Decision.ALLOW:
             bad.append((tc.arguments["query"], v.summary))
-    assert not bad, f"benign calls wrongly gated:\n" + "\n".join(f"  {q!r}: {s}" for q, s in bad)
+    assert not bad, "benign calls wrongly gated:\n" + "\n".join(f"  {q!r}: {s}" for q, s in bad)
 
 
 def test_friendly_fire_blocks(pipeline: Pipeline) -> None: