chore(types): enable warn_return_any and cast all no-any-return sites

Turn on mypy warn_return_any (pyproject) and resolve the 84 resulting [no-any-return] errors across 43 files with typing.cast() at the return sites — runtime no-ops that make the declared return type explicit where a dependency (SQLAlchemy scalar/first/one, httpx .json(), subprocess, docker SDK) hands back Any. No behavior change: no DTO/table field types altered, no validation/coercion calls added, every cast reflects the true runtime type. Locks in return-type strictness so the class of bug where a function silently widens to Any can't regress. mypy decnet/ clean; adversarially verified behavior-preserving (84 casts 1:1 with prior returns). Bump tornado 6.5.5 -> 6.5.7 (CVE-2026-49854, transitive via snakeviz).
2026-06-12 18:21:22 -04:00
parent 337520c7ad
commit 721122a7ef
42 changed files with 128 additions and 124 deletions
--- a/decnet/web/db/sqlmodel_repo/credentials/_core.py
+++ b/decnet/web/db/sqlmodel_repo/credentials/_core.py
@@ -4,7 +4,7 @@ from __future__ import annotations

 import json
 from datetime import datetime, timezone
-from typing import Any, List, Optional
+from typing import Any, List, Optional, cast

 from sqlalchemy import desc, func, or_, select, update
 from sqlalchemy.exc import IntegrityError
@@ -67,7 +67,7 @@ class CredentialsCoreMixin(_MixinBase):
                    existing.outcome = payload["outcome"]
                session.add(existing)
                await session.commit()
-                return existing.id
+                return cast(int, existing.id)
            row = Credential(
                attacker_ip=payload["attacker_ip"],
                decky_name=payload["decky_name"],
@@ -103,7 +103,7 @@ class CredentialsCoreMixin(_MixinBase):
                        existing2.outcome = payload["outcome"]
                    session2.add(existing2)
                    await session2.commit()
-                    return existing2.id
+                    return cast(int, existing2.id)
            await session.refresh(row)
            return row.id  # type: ignore[return-value]

--- a/decnet/web/db/sqlmodel_repo/credentials/reuse.py
+++ b/decnet/web/db/sqlmodel_repo/credentials/reuse.py
@@ -7,7 +7,7 @@ from __future__ import annotations
 import json
 import uuid as _uuid
 from datetime import datetime, timezone
-from typing import Any, List, Optional
+from typing import Any, List, Optional, cast

 from sqlalchemy import desc, func, select
 from sqlmodel import col
@@ -137,7 +137,7 @@ class CredentialReuseMixin(_MixinBase):
            d = existing.model_dump(mode="json")
            d["inserted"] = False
            d["changed"] = changed
-            return d
+            return cast(dict[str, Any], d)

    async def find_credential_reuse_candidates(
        self, min_targets: int = 2
@@ -236,7 +236,7 @@ class CredentialReuseMixin(_MixinBase):
                except (json.JSONDecodeError, TypeError):
                    d[key] = []
            await self._enrich_with_secret(session, [d])
-            return d
+            return cast(dict[str, Any], d)

    @staticmethod
    async def _enrich_with_secret(