v1.7.12: security hardening — CORS fix, security headers, fail-closed rate limiter, OpenAPI docs disabled by default, config auth privacy, webhook validation

backend/tests/conftest.py

@@ -51,18 +51,32 @@ def client(mock_events_collection, mock_watermarks_collection, monkeypatch):
 
     # Mock Redis so tests don't require a running Redis server
     class FakeRedis:
+        _store = {}
+
         async def get(self, key):
-            return None
+            return self._store.get(key)
 
         async def setex(self, key, ttl, value):
+            self._store[key] = value
+
+        async def incr(self, key):
+            self._store[key] = self._store.get(key, 0) + 1
+            return self._store[key]
+
+        async def expire(self, key, ttl):
             pass
 
     async def fake_get_arq_pool():
         return FakeRedis()
 
+    async def fake_get_redis():
+        return FakeRedis()
+
     monkeypatch.setattr("redis_client.get_arq_pool", fake_get_arq_pool)
+    monkeypatch.setattr("redis_client.get_redis", fake_get_redis)
     monkeypatch.setattr("routes.ask.get_arq_pool", fake_get_arq_pool)
-    monkeypatch.setattr("routes.jobs.get_redis", fake_get_arq_pool)
+    monkeypatch.setattr("routes.jobs.get_redis", fake_get_redis)
+    monkeypatch.setattr("rate_limiter.get_redis", fake_get_redis)
 
     from main import app
 

backend/tests/test_api.py

@@ -268,7 +268,7 @@ def test_health(client):
 
 
 def test_metrics(client):
-    response = client.get("/metrics")
+    response = client.get("/metrics", headers={"X-Forwarded-For": "127.0.0.1"})
     assert response.status_code == 200
     assert "aoc_request_duration_seconds" in response.text