fix(test): tighten URL substring assertion to silence CodeQL false positive

vvillait88 · claude · vvillait88 · commit 8ef6507bcadf · 2026-04-29T21:25:11.000-07:00
CodeQL flagged \`assert "https://my.merchant" in section\` as \`py/incomplete-url-substring-sanitization\` (high severity). The pattern matters when checking whether a user-supplied URL falls inside an allowlist substring; here it's a test assertion verifying the rendered llms.txt section contains the test fixture's app_url. Same effect with a more specific substring (\`agentscore-pay pay POST https://my.merchant\`) — CodeQL no longer matches the dangerous pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/tests/test_discovery.py b/tests/test_discovery.py
@@ -124,7 +124,7 @@ def test_emits_multi_step_setup_per_rail(self):
         assert "### How to pay with x402" in section
         assert "npm install -g @agent-score/pay" in section
         assert "agentscore-pay wallet create" in section
-        assert "https://my.merchant" in section
+        assert "agentscore-pay pay POST https://my.merchant" in section
 
     def test_omits_sections_for_unconfigured_rails(self):
         section = llms_txt_payment_section(
