chore(types): enable warn_return_any and cast all no-any-return sites

Turn on mypy warn_return_any (pyproject) and resolve the 84 resulting [no-any-return] errors across 43 files with typing.cast() at the return sites — runtime no-ops that make the declared return type explicit where a dependency (SQLAlchemy scalar/first/one, httpx .json(), subprocess, docker SDK) hands back Any. No behavior change: no DTO/table field types altered, no validation/coercion calls added, every cast reflects the true runtime type. Locks in return-type strictness so the class of bug where a function silently widens to Any can't regress. mypy decnet/ clean; adversarially verified behavior-preserving (84 casts 1:1 with prior returns). Bump tornado 6.5.5 -> 6.5.7 (CVE-2026-49854, transitive via snakeviz).
2026-06-12 18:21:22 -04:00
parent 337520c7ad
commit 721122a7ef
42 changed files with 128 additions and 124 deletions
--- a/decnet/templates/mongodb/server.py
+++ b/decnet/templates/mongodb/server.py
@@ -147,7 +147,7 @@ _MONGO_SET_NAME = os.environ.get("MONGO_REPL_SET", "")  # empty = standalone

 def _new_objectid() -> bytes:
    """12-byte BSON ObjectId — fresh per call."""
-    return _seed.fresh_bytes(12)
+    return cast(bytes, _seed.fresh_bytes(12))

 # Minimal BSON helpers
 def _bson_str(key: str, val: str) -> bytes:
--- a/decnet/templates/pop3/server.py
+++ b/decnet/templates/pop3/server.py
@@ -205,7 +205,7 @@ def _seed_dict_to_rfc822(entry: dict) -> str | None:
    date = str(entry.get("date") or "")
    body = entry["body"]
    if "\r\n\r\n" in body or "\n\n" in body:
-        return body  # already a full RFC 822 message
+        return cast(str, body)  # already a full RFC 822 message
    return (
        f"Date: {date}\r\n"
        f"From: {from_name} <{from_addr}>\r\n"
--- a/decnet/templates/smb/server.py
+++ b/decnet/templates/smb/server.py
@@ -22,6 +22,7 @@ from __future__ import annotations
 import asyncio
 import os
 import struct
+from typing import cast

 import instance_seed
 from ntlmssp import find_ntlmssp, parse_type3
@@ -184,7 +185,7 @@ def _negotiate_response(message_id: int) -> bytes:
        + struct.pack("<H", 0)              # SecurityBufferLength
        + struct.pack("<I", 0)              # Reserved2
    )
-    return _smb2_header(SMB2_NEGOTIATE, STATUS_SUCCESS, message_id) + body
+    return cast(bytes, _smb2_header(SMB2_NEGOTIATE, STATUS_SUCCESS, message_id) + body)


 def _session_setup_response(message_id: int, session_id: int, sec_blob: bytes, status: int) -> bytes:
--- a/decnet/templates/sniffer/server.py
+++ b/decnet/templates/sniffer/server.py
@@ -28,7 +28,7 @@ import hashlib
 import os
 import struct
 import time
-from typing import Any
+from typing import Any, cast

 from scapy.layers.inet import IP, TCP
 from scapy.sendrecv import sniff
@@ -841,14 +841,14 @@ _dedup_last_cleanup: float = 0.0
 def _dedup_key_for(event_type: str, fields: dict[str, Any]) -> str:
    """Build a dedup fingerprint from the most significant fields."""
    if event_type == "tls_client_hello":
-        return fields.get("ja3", "") + "|" + fields.get("ja4", "")
+        return cast(str, fields.get("ja3", "") + "|" + fields.get("ja4", ""))
    if event_type == "tls_session":
-        return (fields.get("ja3", "") + "|" + fields.get("ja3s", "") +
+        return cast(str, fields.get("ja3", "") + "|" + fields.get("ja3s", "") +
                "|" + fields.get("ja4", "") + "|" + fields.get("ja4s", ""))
    if event_type == "tls_certificate":
-        return fields.get("subject_cn", "") + "|" + fields.get("issuer", "")
+        return cast(str, fields.get("subject_cn", "") + "|" + fields.get("issuer", ""))
    # tls_resumption or unknown — dedup on mechanisms
-    return fields.get("mechanisms", fields.get("resumption", ""))
+    return cast(str, fields.get("mechanisms", fields.get("resumption", "")))


 def _is_duplicate(event_type: str, fields: dict[str, Any]) -> bool: