Sanitize API error details in exceptions and add bandit to CI

Prevents information disclosure by truncating long API error messages
in exception strings. Raw response data remains available via
response_data for programmatic access. Adds bandit security linter
as a dev dependency with a new CI workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vdavez

.github/workflows/security.yml

@@ -0,0 +1,28 @@
+name: Security
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  bandit:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
+      with:
+        version: "latest"
+
+    - name: Set up Python
+      run: uv python install 3.12
+
+    - name: Install dependencies
+      run: uv sync --all-extras
+
+    - name: Run bandit security linter
+      run: uv run bandit -r tango/ -c pyproject.toml

pyproject.toml

@@ -36,6 +36,7 @@ dev = [
     "pytest-recording>=0.13.0",
     "python-dotenv>=1.0.0",
     "pyyaml>=6.0",
+    "bandit>=1.7.0",
 ]
 notebooks = [
     "jupyter>=1.0.0",
@@ -113,6 +114,10 @@ exclude_lines = [
     "if __name__ == .__main__.:",
 ]
 
+[tool.bandit]
+exclude_dirs = ["tests", "scripts"]
+skips = []
+
 [tool.hatch.build.targets.wheel]
 packages = ["tango"]
 

tango/client.py

@@ -143,6 +143,18 @@ def _int_or_none(val: str | None) -> int | None:
             burst_reset=_int_or_none(headers.get("X-RateLimit-Burst-Reset")),
         )
 
+    @staticmethod
+    def _sanitize_error_detail(detail: Any, max_length: int = 200) -> str:
+        """Sanitize an error detail from an API response for safe inclusion in exception messages.
+
+        Truncates long messages to prevent information disclosure in logs
+        and error tracking systems.
+        """
+        text = str(detail)
+        if len(text) > max_length:
+            text = text[:max_length] + "..."
+        return text
+
     def _request(
         self,
         method: str,
@@ -176,7 +188,10 @@ def _request(
                             or error_data.get("error")
                         )
                         if detail:
-                            error_msg = f"Invalid request parameters: {detail}"
+                            error_msg = (
+                                f"Invalid request parameters: "
+                                f"{self._sanitize_error_detail(detail)}"
+                            )
                 raise TangoValidationError(
                     error_msg,
                     response.status_code,
@@ -185,7 +200,9 @@ def _request(
             elif response.status_code == 429:
                 error_data = response.json() if response.content else {}
                 detail = error_data.get("detail", "Rate limit exceeded")
-                raise TangoRateLimitError(detail, response.status_code, error_data)
+                raise TangoRateLimitError(
+                    self._sanitize_error_detail(detail), response.status_code, error_data
+                )
             elif not response.is_success:
                 raise TangoAPIError(
                     f"API request failed with status {response.status_code}", response.status_code