From 7dbc71d664778db4f3c0a94da9031496809e1ac7 Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Wed, 15 Apr 2026 12:51:38 -0400
Subject: [PATCH] test: add profiler behavioral analysis and RBAC endpoint
 tests

- test_profiler_behavioral.py: attacker behavior pattern matching tests
- api/test_rbac.py: comprehensive RBAC role separation tests
- api/config/: configuration API endpoint tests (CRUD, reinit, user management)
---
 tests/api/config/__init__.py                  |   0
 .../__pycache__/__init__.cpython-314.pyc      | Bin 0 -> 151 bytes
 .../conftest.cpython-314-pytest-9.0.3.pyc     | Bin 0 -> 151 bytes
 ..._deploy_limit.cpython-314-pytest-9.0.3.pyc | Bin 0 -> 6049 bytes
 ...st_get_config.cpython-314-pytest-9.0.3.pyc | Bin 0 -> 13658 bytes
 .../test_reinit.cpython-314-pytest-9.0.3.pyc  | Bin 0 -> 10383 bytes
 ...update_config.cpython-314-pytest-9.0.3.pyc | Bin 0 -> 9457 bytes
 ...er_management.cpython-314-pytest-9.0.3.pyc | Bin 0 -> 20833 bytes
 tests/api/config/conftest.py                  |   1 +
 tests/api/config/test_deploy_limit.py         |  57 ++++
 tests/api/config/test_get_config.py           |  69 +++++
 tests/api/config/test_reinit.py               |  76 +++++
 tests/api/config/test_update_config.py        |  77 +++++
 tests/api/config/test_user_management.py      | 188 ++++++++++++
 tests/api/test_rbac.py                        | 116 ++++++++
 tests/test_profiler_behavioral.py             | 277 ++++++++++++++++++
 16 files changed, 861 insertions(+)
 create mode 100644 tests/api/config/__init__.py
 create mode 100644 tests/api/config/__pycache__/__init__.cpython-314.pyc
 create mode 100644 tests/api/config/__pycache__/conftest.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/__pycache__/test_deploy_limit.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/__pycache__/test_get_config.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/__pycache__/test_reinit.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/__pycache__/test_update_config.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/__pycache__/test_user_management.cpython-314-pytest-9.0.3.pyc
 create mode 100644 tests/api/config/conftest.py
 create mode 100644 tests/api/config/test_deploy_limit.py
 create mode 100644 tests/api/config/test_get_config.py
 create mode 100644 tests/api/config/test_reinit.py
 create mode 100644 tests/api/config/test_update_config.py
 create mode 100644 tests/api/config/test_user_management.py
 create mode 100644 tests/api/test_rbac.py
 create mode 100644 tests/test_profiler_behavioral.py

diff --git a/tests/api/config/__init__.py b/tests/api/config/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/api/config/__pycache__/__init__.cpython-314.pyc b/tests/api/config/__pycache__/__init__.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..a06feb9bb3ecf3c03988f3366f6fa6e359390f9a
GIT binary patch
literal 151
zcmdPq<K<!if-O<^GC}lX5CH>>P{wCAAftgHh(Vb_lhJP_LlF~@{~08C%S1mTKQ~oB
zF|Q<3KO{dtr&!;`)!ENAM871pxTIJ=u^>}FIX^EgGhIJEJ~J<~BtBlRpz;=nO>TZl
aX-=wL5i8ITkTu01#wTV*M#ds$APWExLLvwN

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/conftest.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/conftest.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..b77e9290782cf9fba5427b793468fd48d1517f32
GIT binary patch
literal 151
zcmdPq<K<!if;V;dGDCrMGKd2Mj8MjBHXx&cA&5blL6gyMB|{NN;xkC{mWh5wer~FM
zVqQt6en@_PPO-j=tFxbLh<-_GaY?a$VnL>Ua(-S~W;&Px3F;M8-r}&y%}*)KNwq6t
V0U81_t(X-^d}3x~WGrF=vH&(cB5VKv

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/test_deploy_limit.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/test_deploy_limit.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..ea634d6ccf80bc9ece371f27d06834dcaad9a3d4
GIT binary patch
literal 6049
zcmdT|U2NOd6~2_HKT5J}CzaDWwizdNtfrA7%fD0I)v>+UU78xKp%!aeR+VU*wJge)
zR1|wC=CvIb>}4qS&~(GlJZxA3>}gK}HgqWV&~Cs0IZmR0YqveD4}Ei!0^N)~>>N_0
z7*(0uVK1ZQkLTQb&bgQ8T=IV8iMB9D;CSizzsUda5|Ts3I@r2!_aH;a7I~2f%skN;
z<LsJqmtB2ij@3MUW{+3%LXT_SH|N*<Mw@#+Fvn?JA9=yM5Ve9f&PRyA3Z5~Djfddv
zBEzOgw9uFG@Hsrf;BmO_?l>*<I+VI7_#J-jU%@Zn@aqtmqa?<Cf-%osV{}g`tL0W=
zjLuT2q%4Bq%a%2ztV+511sbDcO5KF8cOL;^i)6@xv)3?zR4{^T*kvkxL~z4E?B?-j
zR^<|(&1vOqfuB)ws}kk&QmLS9tVu<Umy5h6shS$s56;X^pPOA2r=LEzC`?T+ii@+)
zEb6RA%hEZRmRFTDsdxdT;F?lgl{Sott2m7TeKN74tVxM%QIivkic(M$X0U`2JCQBP
ziJVegl9!DJ(Hvha$ZN6|FKy_Z(5X?Fqlot6nv$1j2m<@yUwr^zi|l%dr@h8Tx7ld5
z>*Uo7x7g9U&~fj=L;ItcrA-j}Ngw!~xATPA5!_?-{G=I?DZ9#U(Ox`|G4>+aV(^TA
z!;o)0P(Mm|a)KN;8^|)mI80<%#y!xBe`t|*_Yj#Gam!51vpM+`WSTEZT1BC&kZ(=O
zX|ht}Ri&PMKCeh>@wmq4vV{Ww5|${Rr@XqNR9=d2j^?EtIL9l}%W<ldHHpTT3KBFx
zCavs&$*L@=@nuO9R}@H_T-ppLCx+t5(eZdPo;-C5Y89fAR;ESqLbd>9q<Hby2o1xD
z1_AWY8q8Cy&y#jQ6ZWZt0G~kiKJyYTQjMIcW~5qR=~iIr&;Ib|Zo(}ypu+EZVCi4#
zK`?$Tnr1G0j(dK}rI}v@#{<6#q?uejfzV9|j`lj1Mq};L7##=;^`h7fAi!M?1$&W6
zFxHYj155f9h<TCOa-a2ZkoNPo!+j#K8T*F#qPO5Fx#33g*g<ST@Cv?+JHZHkA&_B0
zWXJ_FH&(x%=13(r!!E!xu=yx?gy6cA@s7_CvR<(l&-=J|&igIv1>-qtY33QO{h^F6
z#R%QcW>T(U$QT|%NC=<D+rl^&+AOJYK4LHC320pIX&R}$VQEQ6NQND*-y+rw^Ic7T
zotAau?DTtz5yC>7<BD3_d#rJU$iB8-%QoSD)REbeUuYLPGX4Z}Pix>jJ|m375xM2g
zkqKClt@8>axYJC@lV<1zp>zFb3lCbc8fR;N5e_{1P@{Fdvf$9H_VwR1s<8gYOb9En
z{*jg2<)1g@wsrLnXTnhZo@amQsQy96wYAPLXI+!<z`nLV+cvtdZP2#u+SfK@*(TU~
zYSbni5+2O7HB~P16)G38B3tKr<=}}^3d6q-D)?L6^n7I2b+#RlIs2J`*NumA@8-me
zvG3tSwp_^bRC)!T%DlY9Yl;S&WBq~3SBzfiVos9sytzl|VRQR3w=7j}Z|tCE(>a}M
zH0^aikFhpR7NyDyoGQ@^a!ykDNnTY~xV@;c9bQN#>f^x~cVj&$7iAGQLfDq|@Kjk_
zQK-C`#cgBHcUsC)*toB`boLchDeArzDGQsV`pMgH^Xl%>#wjEaY6-<5gps|rtO`SG
z{KJE#jj@=DjbpmUxE|dLJ5p9IU|SMl7-1A)d@thgOP&Hp7K~0^WA<E=lh>Hd6vi8h
zsob~g0$dkLU>R4ntX5XxBJvXVDnDs<jKoyfh+J|p#%#`@WiqBB?LcwdiUUGD&ZyM{
zLcM7iLKl>ZM7dW7W8AB;Hi}O~JphbE#33b^B5Z(q&@sNwJyF^)*hH4<9U|_sA}}nP
zQ`Sn5N<9SK;>%^Zpvgs5_ZAeeQ1wHixi$<_ak-$poGpmO?3$zpL^Zo4VFbNx%1A8K
zWtLKf>IcLng|1~aQMy<vWQ#_{C~`{3HqJWMu6uI@8OzE6w_6c4WmPKb5o7B$<}WVE
z1xa_q0-!wl1#xm_8In$A*r}vU#T<Losf;_#PC1nkr!wYLhD^nbHesg6RFX**H;#dU
z0p59-{NW)Z#pVizq^Tviqg3;jpl87gxq-R~YqZWLf{`D_e-OXiS3NQL>-Fj*Q#;)0
z8hg6Rp8k+)GkOkR`OXeER%6Gi?AR{r3bI?%K>a!oz196@_iaCayRG~3Gu7~s+a3Is
zGgqIy`dGDpyxKmo>m!{#cM03+{hY8N@7Bz2h=kf}!S3x~ca`nGtQxQ#?60x)-wxYf
z4R+hAEnFJ5#p`UprQLE^-@tgbky8MN+riE%n|e!rQ~uHFmBE|Q6QI?i$?a$oglaUo
z6HOUHYCD*!L6`B{VN;jjl2N<a5O1Kv3A5RdlMcDzY&O~m(eHE<&osPHjNRcN7yndo
z2YRh%Zk&0CnM<%&dO>=ZnHyq%cMPQWjxuv2?0d(iPJ;6L&ROjJV2D8+L2OOpe*D!)
zT>k%;#0kOi=LpIF9k*>Ew7$3yfNVA$Ha!U6Ll2f(QM>hugC2Y@<DY<gWBu(Wdaw`4
z19BKJ$l-GideG*ehOLR7lYliwXl-i~Frj_lxD6`Nv9GP)+Ps_S0Vi|{2Qpj}JqVsZ
zV5Qm-8J{Ul2hdTQq*x;~h+PR@MoM0w2N#hZ+=r}(Ui@JF!%Wy9>q~Y$-Z$u4BU>#=
zw{SS)HR#%(9Q8N|B+RCu3x}E}3~FN?ILLZqq!!fDNxH2W*2#LquXR0bk`HA40U_$h
zW@~$!#tB{f+J>!+H<9)GQNAx<)B91r5Y%$brg}#W!sj!n-p6&SH#l<-)l<tkgUwY|
zq#|FDwH4qWCbOeB8;VQn9L2W?iZ!F~21F><jN;n>#ahsA1pF*SA4V8Jz$#FDS*9@r
z{5V5TAUulDhrlBoLFh*~if{}d#_V~E3VwhAUNmR%BD3Yc=SK7-#!p~;lO@q4HVh%8
z5RjM9#}M$TMMn^D{n4)>q!C6D#t_B<V(oMi<;M}ej_?EmkMIqIX@oNf@SaQPJi?O*
z-$a-~IE^raFbnV>=)@r>oiOWEClgPDBW7E@)S67F)kmgxxS1L|Q)OrV_hiB!s`<LM
zeO;GRH+;RfBhjiq{f_*${FBwIgExCqpw)UOwtFW)sP<0m^rj6Vy&Xx{pv(B}_|umv
zrg*a<-av<x*=)!Y4!PlMHrfc${}wq=i}Y<r`l|kcD=-0o?Z`mQU;pj+2da@iTeXEt
znk`=U4_MkQhxH8%Wg9sK=(*EJJhNY*7V|-%7V|Ek79hRL%zJ=ZfCSWH-VfAb_6R8N
zd#5Jh^al@v=tqoo>VAuX8;eeVP&7Gv+~mH%u;Wy!P#GA0z;4og^)_P#>t54E50{Iw
zhRY|8yqe;-8odi%v8>N%z)_`QUMl9`o0<9k;9HU}!pAZ5Q={?iOJ~=zbXE6ciyN|H
z@K=iKj^Z=Y@zKox7<{2D7o^AOx1a;oBdkh*T{pupe<kD%@_P6q()TeL1m^1Uf4}#&
z-plL_rsq?aiy6D?Ca&IHly<p$JKaoMy%Qwhui)AJ-R>IGxy^Kb>WVPK*n40XrQKsq
Qy&cSPqxX&rBx9!k1{dV5M*si-

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/test_get_config.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/test_get_config.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..614399487eb5b5237cee8069af45d6b38d397bd1
GIT binary patch
literal 13658
zcmeGjOKcn0ahF_vm!$r-{-PxRNL!+9$(9{|62(%SI<BfNR0>U16O2epOem7tUD~w@
zw{8-kGMXSx(I9FMty`q6o%GTkdPq-B4lN1<r6kKz7DW>T$RRx`)}e?GZD-!@J}%c(
zM7mMZ09sJ<=KbHBd7pVRqrE<_n}P4`C;yT7t&?HKF`|DK4Ow%t40DA!#|Z3K7?~xZ
z<#B7)(#AZ_$+k8%$1dByZ6EgOmGj|nWggct!Lps{)grR1jCxi>J$D)PI72<YjCwXh
zJ&(Y4G6DNXIPRfwojMrf;qN(y;nv=)Vweu54X71nhJkA4PhbU$U=6b#=Ab3S3S6Jo
z%4tThJ#A%}@32>_XKijKV+mV^jXh`$Wvu7^GJPt{9eJE#roXXUOP%;L!!$EvoZj28
zUB~iaJ0o<4Z9S~8W3;!&(yNsf?1Ezq_^y7#WG(11HEgGRItmFBEvBA4g{3jp&V((!
z+T8UK#<rX46<H_7dS7J)hu}2KsCap+-jCqguq>yS4O#aY=##MvZh;TmLu^5+V+=T{
zeukE-^|X8lqju;m>)|9T*p9Io>oHaw0Y28{OY4}v_A}0~Q}FC-)YBOz;}X2n-wfLb
zhhNv}H*v{CKf?_4x`e}S;PB4TR}38X8OC3niY|TJLdAw<ZF<>|rGQ?%P$^V}c@q^q
zWl+(hx2%U66<t8ZUjvn@3#oL@y+tMDyopLRg;Wx1x2R;Ml2AAO)36gyv+4Z)`h7|J
zYgZWe*Y44|2i#xVgzcMf+B)?eqn{Qfp0>0eoVMFd``Ihh3$C!&w4d!|>}R_^Dm_$J
zs`xY5%XI~-)H(*YgZhQ7WA!@TtKEOo1NyuM*$KE;ni-)1?ybhMDA{h}Z_#^eY#Z&{
ze1A2W>K8pp@2?M(Z7k~^+a@$^!o2b{eXx1mS0CopRMwr#72Fn|#X9OOvW|dD>KCSx
zLB@8Do&GTFJMuf&@Bh(P(!_@*eipw^_k=58zXwLo8TPwfXx;=4Q3*ibE&51frLDaC
z>H~+G%UXG5-2DQ-p`75;=MgI8yhCUaTEh<0xl&oixl*aOtcQ7ND+5xO_;2&NsALAM
zkAaMvsS?`Y<gYpkd%$q=|DmLn5F{u6-moiNWmpU4$X43~e_89MG)cQkrvhCsrAgYf
z9;_4p=XdrC?SuocNz3MdcK2>^08co>{ww|_S@-r8I<`1~6ohx%7qtgGTO9aeIWTB_
z0yH)*rWLd<os5GSbe?_lkTt;u_RaM6$EFe~|3qAt{O7aDq<=h}I-i*EUrfl8{;U)i
zC4Vv@$^K|6=8whCN3%&;>b~a-MKg)eg##hAwBqg0%9Cj^F%y*&>C`>Pqw%O17yUO`
z#W5L=#-NoU#hSUaU*W{KltJ_$f<yOwQ3?8x{X6$$F7*W@OzeX~>1157MR8=9asWYZ
zLD|D<*~3a@ES^cGFHOZ$awM6UO2|t6L^AzUG#Q!7%49T=L`sf}7othU+OvO3v5`q(
zi#-Y#i^|c0b`J%lnL~y#LEQaa92_A26J(hC1JWK$IT(=kk%XRr6mVZw+zBa>lH_P=
zJg#s^GsT*Wr)G>ZJgScRsN&5)9~aYNEHW9DCKV3H1TdS3DNe*w(W&@N_MYX$iJR<9
zkJg(y5a>2PkZ$Nt&PtK-bS&<^>_4H75XK7Cs<GMuEUl*Y!Z2CIl1K#%dBA!shEss<
zPM(0g{g?oS)$Rbvcc;%Art3ecwhByxf!b4P*`G*3uiNxq)fC#gPqD%pQ+UIG755{V
zOLAP2BT-SQii}5-$%q)wh~w$03@jhT1KE+MvWcV&bXDxhG?b8(`iL}{&L(4|Xhh>R
z(o1ngr0DrLwxIa>$+CjAI4Fu~QK^ZXPm5DgITHU)CK*kUb)j%iOX-w|BDC0y00a;w
zP_5X<lL=T&iaQExIwGf^iKj#tWGOt3M_n5SjFDbrq(_aY-5oYYj))DWR`we!9yFFc
zWQ_C~BL$sl?W<!tq!LW+`M`eB54}lvS?=29H+{;n&}4cl9*U;qL}(<PPD-JH!Bazn
zBOzpmL^ij&vq?e(I0s7%&xP*HC8d?{ET0z9&xHutvEpgy6V<KK8vs9It}v^1rn>&s
z#+Mscob@YJ{_Cf2oVjs4*Ks6Qd34prR5!0N)@u8|7^}yAWnk6Gcq*6qrg^?8$92p}
z1kCdt%bfOG<T`SE6OB@2wwIy{T!$XJV<>$a+oOey2vk_%D_%N!_2`d|T^RuMn*GJ&
z*mEBNrtW8tt96&48x6&#`;0A8Tx~j6*|EfT=D5Ihk$`zVu*_+{MJ|xzJJslt0l$r<
zX(=PJzy)B8xys-Yzc<JA-pCR#&jSUt-y+wW<M*o3B?EpNOVd(DWP$5l;j438<F(k;
zhnKlV^|#11&ceJfwv<O{_8lxvV+#c_nhXf!tZZwX>w9G?#|2+_=-Sk4Ba3_x@MS)@
z4AAgf!~!&7As@TL1+Puf3>AU2*G6a>6xL&qk-M+yB`&y9QFHC|i<g0`FZ9e_UgTQ<
zyIw_riOD&>h4PRhFZ56p_^QWXjm=(GGhiLiihy6QqUDVU<h);5du{Yp@5|m<Zl$6%
z=L}wt%~u4Mo!W2F8Jzw8^_Uu8!U)Y$kvmv}rY#i2Xfhy>vr<u)bGFRYUj5#(vqk+a
zI$LHh%+;!qC5+H46}f{IXxc(Sj3xsDIV%+nIcNLa$b3cnvQzslI@@Pw=0?=`5=Lm2
zirm2(G;N_EMw0=7oXs3QOnuG8RJGo1g0trn>1%LkJ=;9q#QvNeujhWz-v#Jf-ZO_G
zc!zs*4+MYf>fZ~&e8Z_q2yO=lwnOl)<rD+K->oEgk0Zecw*Fd390wa0{qPncR<mwL
zNmet<hE_9c*jm(T#(~vrM6;=!*I&vdTFn~5cF+Mejt&~${hMPoqdF^ngeB^6X+3z$
zmtr-emaq~uczJtIq1DVmtY&6Cj<XCs4%I&E8VpU3!+{Pb4t)GHtC=h8GFi>sU^RO>
zY$sN;Kk4)<(Q4KZ=7GaaqrWk5cw^0uTOW4`Rx|n<H)&ct#A@a-X~Vo_P|>T8LJu`6
zx`B#+1S%C;&D>x$+oBR2J0>a>TFu;GHQS<+iArEKdp+zTy3_prD$Q!vO!imH=*<V*
zUz=k!qgHSIv?%ekrS;&nHCxSm#A@a<?dQ+Hmq2_&(^Oc`%0yGqnmqvw3Mb+hL9alx
z6$V8`Ix8D>6(3yri60)(7vf@<l!(Rs6Y$<kO>~QR7mN5Z5p4+21TrL|GYEO#iRcU>
zqGyYU#xl{10L@;C{Q~J$M86&p-6TYOR*5wTY7yYkEut+=M8lql)+6%R6VXZ`b|Tn`
zU>AY_g1rC&ytohXE(F~OLJ0OFIDp_Ff*u6uJ|P}La2P<KLhM8Q2mr;S4$kmU717iy
zK7`;Hg5wB~dg_=?BK9zXM-cQQcocwC0bp0*V^Mqz(v&vygHP)+m5vZ)iueSS!gsV(
z0Vd4iFTS%kPUbou%2giwzkcy`&K=2d0Os*Qru`PVPJHHJY$=c4#$vRL5n13m$?NRP
z^5Scq+cD3#E_2#%k!!^#AI6sQD9ygZL3tWmD2UNyKyGubcWa1L-3kli+2)}-kgA8O
zQK|+MrD_P?;rc5eC~z&KLb4w==|-+)=Yrr=W)(Q<U}o#n1a5FJvl|`E+SYSW0|8QS
zmDP&Y15As4ARHP;!5iG%3PwTP-0%c4eV^*)MoqQD)Nw6e9h{)H5jVH(1#WI0!8=Bs
z+lGr8|8<uvJS{Xgw|q}U&Hd}Tx#jB>aeXwoxp@WO*hb~4fDfYPMrEmRf1jHhI%wVR
z=7y&>`3x=NA#VECadWd9+}x-WN4}~~Q{v`kDRBC5oeQq(nv|d8dK^YKocaPcw`#-q
zi&LFm+(ONUW%JJ-vzuG3P*=pwt#m3Db8|x~>TYh%LMjQaEh^!90)d@UNw5>6jpb|%
zOgEOZ0|f3SVo}3P@RVw>5#w@JOi6x8PK)uFAM733xa5zX2iu1~n*l>dynCjt&}<XR
z+fKTO?L?JksDu=-5OG6vz<7pccAF}zs`oD4%+jTsS%@^GSo&hByoGCf10f5SuUW1t
z6q*7aFxX_}2bGt+d3i|{^~#ozB$NgVWFu8H+G!SzG&V$3Hbhi5h^Sc#!k_dm_+n@R
z5?}RF@M>_y8Cdc8uXp6UJI$(b2gBE`F&q!7an5F6CBV(-)efxq_T1Q!^M*>P=J~QI
z;5SoY-g86FaRBCdQ0HpDMXrY^%rUxTz;9zgTFQt(&fT5Bm%DBR9wO?XxczL~86W#g
z_Kc1DRR>_VIQEQ_yJf@FTRYe@Ja=nne-}jFu6e8ng1<UhggnA=%~=gvL2E5h7BXud
zkf}da4q|jw2*^CFQRd08VYaAx&>~o-4~DHoc|@HJOH>cK!W`U1?$J)e;}&F}O>p&L
z^?8-~V5Rlo!O96XgX_o!QjK8Wuq>5KOwxu86_H_^=^^~Ty8W?mPg+2+bqfCx!@->W
zCpq(Za<C31UWVne!O2Qb(SW=BvoqjOk4;>O>%J)^yc{$G<2tX!Yzi%@U{Xzt!z~mO
zzYaCXgY(CL;9>ZF)poQF=9>2{R&_1&UBm?UdD{TNDD$zE@pOM8p<MTD-2lhF$_`k#
zx&AId-?I0gfFR&ioVrDtJk*tjh-$;`R*kS=aqbr57sZ4O_Gp@<IJ7kK%vbDc6@{CM
ziqC+bL+Vl@O{}KmAx$m|LZq9_8VrR|$?7~lm5ybT@sr}WAPr9n>3IOFR+eSoW0>ce
z=e(<S#^U^8(+`@K+3I<=`eREC+q!0DEH$f$t?o1B@@$)y3)pJ2DYusG)p7w_?Kb6F
P*iMpr*8-UMBn;%gU|=_A

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/test_reinit.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/test_reinit.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..a983b7925191b87e4ee895b1ec32a5b4de71db79
GIT binary patch
literal 10383
zcmeHNU2GKB6`t9h{qfGOe*rt#u*(u`HaNRBHuxW6uz^rQt&v#*byy9%V|&ATcYS9J
z*p!NrR&5hiO%z2<8mXbGqM9@h>07J5G_-1~Di7;m$7s}_y!0Ve9~@k%s-Jq!{N7#G
z7*|TmLr3c~=gvL%&YgQ_&Ue0Zy{|IhW8gS?;m_&S3WiBy!8|xaS^XNzFgKVBjKDt2
zD6DpNoN&%Kg3Jj{aRv1nx8jBx$FrUjUd0<^UT}}pnjP8aU5wxqxGv}q55ZN>bm}Uj
z_@Ko$qd=WT8mNMy3T~=hU=!^;RJ+PewDVH!sy5NCf@)X2iFQ7!U5&u*W+MD&`0S@6
ztjZB7pBn|mBhDzf8Cgmiv#CuEu9*}5R!@Vt!Ni#nx>hrRd54wkbm)cPdNvN)MsUIy
zxV6rdl*~#>^on#bN^&!bM54)Dc04^174zu?k<!_;5*->odU|*?F*F<>KK131VPSNw
z`=QMyBqd?=QrZ-s*CR`cs3-(fekzx}B+ceUB{?bMb2Y17vB}(&6ce*bIyRciW#pLN
zM@*4qMUKI+VtU`&1#^h`S#_(F6)$F_L`u3WWpa6mB&KpHiQw1ZhCjI(#0}<Cu4<X9
zU*PHs4W|nuql?^`d-fHfF#7x_+__b-WRk{oqRv#p-%AX`t&X}FCd>q(qcN=l#RzR_
zT!qhq6&(0!2rj`bcm%IdA@~Gd@W<Sp#sVH^gusiiv{%_1&QmTQ^h))K%U*I&ePVx=
zLX}W0)Wlrt_XjVFr=$}o3bjI=uqDp=nf;C!D{SpD#$P&~yd&-y@jlo-@4WE)>7#M3
z`vk*GpJ_1+CVs~-P0X0)eDKnU|G}2<1iRy|4pw;bY-fj~(|AT<n@~T7GprpW)uv{j
zcUexQ2QE(RD7jNvw-k4n^J0!LRbSF>i+u-E+r`-Jo@0f2p@Dj$^7c;iKEe|l+H$6C
z%-M=BrE%ol!girC?vAlVS3P4eV*Q|cF5^C7)E={E^E}B4fj&0x>|@C&tYf3ulYKTF
zb>18I3Qeus?HXYRUCLKnV5iT;UES})dcSAR=EQ8tY?fc|J#inbck|gdsP*1SJx%#J
ztuUWL2ySR=z5g*s(d_X;NZ1wUOXk$Si8=L~qcG3LoL0b`zWczOh5tWi@E$&N&V;~j
z#={IdPF>NYpveOVoM|@FGB-4sno4IwNiiGB&yWczBxW+9Om0GM4PDI5031l5iP=;L
zutQ8<l877vbIaR@(A!5<7a-H6S=EthN1P#-(@9Bn%JQV@16ar^31v1fsUAR(tdvw#
z-s~%p&d+(;qx+*B(N5J%#4CwRIxDFhf{yAQPfMAUJm<J}{j|z!gPGMk@+FCsf^O4d
zM)l;y*-TDM%~f3s1BjDwZ<yqAO8ENPRt>c-x0}GF!>Sq>oKYroBt0i8>0EZrb3_t}
zL_)U#Atxmfpi5Sr`Pnv%59B<m`%xTNs}yDEUJ32lo1g89XhvPCCnaShMM|k0P8k}u
zqv$NMKB!wCRK4bm-e%Vv0|U3&xen}Ye?<0OGnCMPc7wKv9F+mCXJml%l;pb}8qg~a
zMC1rGJ~R+v=W4M{dqfT$((5{*u96_EKunWLC16OZ4;6jxRJT4@m8W`Eeb3})ak>*C
zQEL)OSbYHZJW1xJ@-Q!|AF2}<XVMuZot0I0CI=R>+K`YZb2FKgW}2AD<SvStL{^-V
z)QW^Gj!W2sS~;jq7)<goAvvPfCB}1PN>mck)qF<GYSXWBFUq-WB%r#JnKY~@j2BiX
zq2w+}SrWo0;c)=^)VI@xPP)*c7xexQ(uHo7ONoj|8@JJg{j~7`y3i#D;Qr0cA^RW@
z*)wXrHeLGLl+eBzIf3^e&q6J_WBHE|YJ3L4%0IjeU-iA#ms{_7t6tsm>g=sO^GzSj
z-t%q+^{M&s4<>)bt+<>G?p4Ogd;ZBdU7i&bdb8NeF}vB0pI2bBuiiRWXd8q!jiqf?
zd`xY__jkOu<DNHouO@Ws`25NF{zACBP~EfQVrqkMi&{6_!tcH@wBlv_)ysV20^eBR
z!f(o&Sm49UobkKMg$sP6RkW0EcUtPlT-YpqLRl|jf0hxgK!bZQ89m?Wd8O~h5U8(K
zeE0C12bcJ8for)XYGQ$JS>}x2U9P2oL&D+`r7xnjWko9=b1i1Ky-R#^f!jB~OA`zH
zzGcq%-R1Tb_-4JhMCprYZCTL@)ZE_%t8(9q!Ur?>FS!p^`DXLUz3e=DGRWO-0qw(T
z_GFm*uqKFl8+&pO_hI|s(@^+z@Hh*nKZG^82W1kOg?ZpR1wk&ex*fh;J;+_3Z3qw?
z8Udt}3LrT;pv^nu&T_$V9)jZOQ3xn7fE>313O#_d0^boTKr)920i-|fhJYe)c9;q%
zAiy580@V>K1T|YROxXa^zEj!IC2j?F<_L`d(r#x3t@NGjb`U^9pgy*dy%iJ+6&u>x
z!A@}i=|OT4_ml)X-mw~UWK_@P!)31-<d|m&b~p$i;g3iHhroU6ZyHor5)2gyMwFxp
z1;pdb>CavVUqgae4x!kEB8*};iYHODqKJZs_{e_LJ5XR8N)Dhnh@uNcHwp~)NiPa~
z%_9|L0QEy4RR86)bOk7$?VrhEtb7K=Ac`X>j)IW!y>2$$r|vnMXwPYM1wQ*?It6G>
zo`VKBX!(5*=srKKsW0+qr{)h8!o7v+zQ@C(fv@|#LURYm7j8BU@$3)Tp$hJu!KXpJ
z6BrzTQ_-i+gPr!NJK*IsK6S?<B^I2}vgFWtuEi%^lsj-g;0~;h!R`dyfoENJU^#(u
zOcdO~Hq9N>7r6uA+7xRj`*EAxhvJj=oi_NaOWc9ot}JscatDwD7~9C+b_e{1w(GkC
zzYr+n4(iNVr+O~Wz{<G;x8)8hr(YkjxT)DEW3hChisnMo<K<F*)9=|%dHNS|9#>-e
zBXe#i-qqNpJy(`{x9<k4-w^i$7(8+IZ3+yksb?#{A~w6M+0fR?)(Ev5+WJh_Db#If
z%bT__u86e;ge}6>c%a0QSB^dU%2k>@n`dz3xN^W+^M3dPo%~dAYfOwi^^xY%w-d-~
zF~`a}cJd{tdbnest1PBr7~m^nIzw<d$zBvsfj~miJy%81mv*2RDhJ%5jlu?2b)>Vv
zDuzr}0W=TQZj+sWVz3h+G&*4c#kd6ABbvzpHu$dZjrgud0>p#&-!$BiejKq&>nc)Z
zLl40>QHQwo5Qhw7Q;IJb;k^FfUF4Wmt@DH)o!sb!_I9}n>Mg+1gMJ;hT4~s_@G5a7
z4Lov2Db0L758WW*%0mVVD9(MJS>)oS!1g$X>Oc+p-<f@D_U&u)-AlnvC@lwj7lOT@
z6oS2XgZ-M)zrgn|LzVWs3sp!Pu((9&i`WFH176qkUP`x{>lZBv{om(pc#R%E%znTg
z@8^Ct_%x_@g2OxERFp0@B57`Q4B+yik+ha1wxE-vpwm?ZotTP6K3#G=G!<(>?K+Wk
zt(J<dD@w(FF_H9osaSi2<ssK<_lS|S6|p};ByGX$1F2Yyq#sPhK6)fwE*0wn$7`ly
zx0Wm-6wPo%@YBGV_X>gO=i{!E%=B9pFzRVnd*&>Nw0i|$+!C(<VBC84n-nlsQXHWC
zd|RL|RBdQ$haQe10Q2FdMBG;bVEiVShy{%lfZ_ak0l3}}Tn2Exq5;>oxjrLpsO?&X
zFjbbz$`YgolbM;6B-;r>Z96D*Wm3w9^qrzqbgi;DGgr!K9*%mdje1(&qZHglU^O(%
zE5S9$nc3O0w5;J8X3Kch3A<*S;zJrhMf?;ph47{i1tkr7$Z@ng0Yb*u*kncsG&;=e
z)?h~8WlNY7S&A+fpeeF6*=wN7iW?I@+h5y$&)ZNY@zeBJC4LI^Eld2~0@pS_qzk@n
znKOQOxwZnoS1&G6`XX9eR<r^&G(t2TYXt&!EP@0K)H{Kp9dIg7z>dI|{J$q)u%WkJ
zKF0Dd>kzP7jeyk^5irbpSXr3z8-b?B`!5qPq=xnrm8S<5GCTrVv%O$xJ_fdWzd!;O
z00LI#e=DZXP^9X1+}8u&=JYQu?D*3ok*Y0mUc-(b6k*3kvu2a3s>gWsH>Tg#iVFS>
z-xQ1Rm5?~EhJoG^4D@e;#Fg7dGf5l|IC$P7aDUfvkl^|pBj-VG4#mh<unE2*NY6Uv
z=-s6reZQ!O2C+4FHm3l*0+1ay37USz+>p{48SG3Mj0|>)^h=-^mpXu?;eLz3(fm3`
zdjUtXnUtUofdL8v{{wP%Q0HUX{*pn#+Ke3+YRg4O#&#MRrK@^~QG$#K3^5X^w2c3a
zk|Gj3)KU18k37i2;Qvj|Epq3Pg+1=L2`nu7lb#>-!0A@ckNfb{x4=i2IpcSii)xe$
zi%XPl8GHgQfO;9`AKN9Y=+P?{u~*B6R=~(W*qtz!H=`$lz`;&5AqNBXPVnd<IQ@3#
z;9)pLYGHrV*eKLe%IXsdeQPnQGjP}lj1uVzNh`2TXkAi0#x*S=t-AFlYCZL@PAMrb
zWg$bHguQ5EdviQ}RhfZpTZB86n-a+-)g@+U(>ZMuPD>>dB;o|)CGBOn%@9n#>MxYH
zAGWP$GSVTEhimYLF!FCetT<Vg{R_i<gLx_NS7tASRu1pCcHZ3iCb!7$_}t-O&$Fve
z#<6onQ(?;usvE!FxXjiru(h8%>eyDSu3JHErM0Bi#qKt0L0hRVsr9l0MlEP7+e&IZ
XY`akl+RB!aS}z;ZYVSKh)1LC*^7bA_

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/test_update_config.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/test_update_config.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..f1272090afb76e1bd79d16a1779291b0292cd42e
GIT binary patch
literal 9457
zcmeHM-A^0Y6~8kckBz@DkPi~l#hAdxyCDVwAz79rBoNq&MrfKkRh7n?*aOV2?Q!l5
z*^sJIy4$K<wNhJERol01AFA-)zaWab`%=j?NkQ|__BE9%k)Wz7Pd#V8JT?X!l1Q}5
z$UbxKz31MUx%bZbo%5S_BjEsn<4@oEtE@K>lEH#~u$HoMmm%anxk&`(1EMj;nVt45
zvYlj_)4ZK#3$O9t=4T^z=kj?rTGnk%U=NcatDrUQqMygrFR+V#oU31O7yZ1hexY6T
z<6Zs2yXfb0^@|8hH%a)P;XGZ<*sFmhSSj);{5P^5LgJ(oRwqSfVU?;60oLs1V3HA7
z!INS_WRL}&8-ZSUOcBBRA?SCR`<@wZfE3vjJL|rVX-0~kn_u3(oZ`+-6LR|-Z(FtV
zUl4MP+~BMtndNP*eC{GbYs!0?5!$W~oo0tDTY(pRH~hBMtg!>_l6mfOcE>rWnEy)E
zl|q%)Sn47vcF39m`wp{*tNPX0o$h{LV+5bzcRf*Udyjn`p{cGdXWJ${CtdSX<b{9`
zOz}ykqSkk##eOo^$gOr=`3!gMvq!ei3yk0$Ws06rhF*hpJXp52HT#VdLMM;fb%YfC
zLiqMKQ(j|re`C+x{8H82x$fTXYpiY)tnPv9KX9#X#C7krXV7oov(Q}E)@$1)*^0Re
z2vMOW6{woQ;4Wq`Xpd~4tr_&g4E|E^b`u|&WM+Oc?2(zo!OhO3Sd^1@29g=2FelF^
zvr;jqEajzw)|Zp>vZhDNHEFXZJie$cC{(^DYO+$;^j(rfD$&?7t8*W!N<sH6NMcr^
z>Q&uST<X_3Dyc<O2T=@fMnqMWs21xvQCu2Hs8~6o`|^^iiu2OF_6g?(V#eiSi^Z&{
zNm;ZTKrvJ?!WnafGt0~-J2tk=+&hiq4kpyVcPu3~W?ZU2p`KDTQCn2g86_(Pz8f1e
z8-^1qbZbTHfrM(;4nb`YF1M)ZL030DaIv_gNvf6>sos*#h`C&vN=2Gc@<o^hJp|3^
zTZ?i|lMAZO=M=C|_4c&7pe*LHhG}{}r`!^A>4KP-^ro~b&Ph0e9vL_01*UY8QibYm
z={bewMJ+AeE#}06G1(N|%W_EPGdUTSNDqjx6lqQQNGi}EH0eRSzB$1I?!u6}aM~=G
z!=G^%&brO|-GxE7*|57XqN3mG?TtByem=RN<fWuo(B$MbMaikjiOI`XC$A-O=2T<H
zS=-H+N^^x_S#SrQDlX}9cXjptON-gOT%ZGRQFOd&6x`!8fQrAj9RAhOpC4WGC)Ogd
z&*P<V&st0D^Qi}4eeixMezp`nx9%gY$2JJp%Kw{iA^!fvdVqwYtHF+yU`L6I|5`P~
zN-)04S-;0zycFzkijMN5AxHf)7q?4)aaljX@f;(!0v*<Z%|AW&*|{H&{%q-Ku&cyf
zDD_-0<x23vDrfy3Lw&HzEIxJVPYip<%&kDvi!eOee>MOj$S0jw`kCJ{SNgc$jrW22
zFgo!ToN7ZZf>>S1B`*)T0>5X-jTn&ITmiWVZ2J>({SClq8FB-40b_f}4GN*x2)Ww^
zU_$uKZh*H8j#}wKRRH#XvKyT6;f0UP{L=^_q7=h!imsS?QD8(xeITwr`#rd3igB<3
zP84y1hEZVrM4Lg#|3VWC>L|Lb<p9MHj&`6ph5}+_Lf=Bsi6Vxg3q>47H;83F?Loa4
z1%e>OV2_?akwEbdig!V%=qYTVqWw_N6FVY}vZ$q%xil3E^Aa5ad%R^eQxkByO5x-C
z6>ut{vAY!R-IsR?p!wnmz}NGLfnkX7pL9;Q1BOkvA%=naFnXySPLED7(}%c638U_h
zhsVdD?#n|A$c&W)LSI)x8H4n%F1pzXC0jS4^rSpB6G{%y?V6Qx%sDB?7Y(Hx;S>)k
zN96jXE9H1S=;ok~eTNMulukcLC>!x-4q^%Q(XE^gRVI`^0nyD@l@9rLkq$XYSyej3
zK{_Ov{%qzSh9_&@!IS->t|u!yF**!eZ@H=LmGsaZS^8L_u0VZzAB7}HZ>5v!+tEo`
zV?#85OU`B?5g3CJV(?f00Ai=ec;><RQvAJAbaa12#_;+-54xh)i3q&;6Cr%_L46n<
zAA?iv=(Q2TNI;UvBXAC3<aH57{A(wS+KlM+z?<l`g6`mr_xn{7Mtp;WQMigQitL#%
zYD*zubg+Ujs!swrzDbDIjsMFYvYIez0W$Jc6Gk|LCSk-^5JrbK->xEzOg5u0zX;q4
za2I`YL6hhmF{ig%Jcr$qc3RkxY;~x(bCgJtYrhwpGKiCyJz&fp(58qe(u@>&McRhq
z0179zr0rNdg5o%cEv$tZ5WeH~wc9;`ML}GKVKBJdN<j>)MNT|8UJ57oWt>%mf|x4x
zOqDp4E5WH%&iXxu8l)hw_|&C8F)ST3w*pNj1wjX4W@>xuM!1Go;jIPVp1Fo*!&^ry
zyfwx=`;%*EY9PXLqBkK}*Vj0a+ZK91BtV>66^*?ty<hg$+j9+(m&fimy8&KE;{a~r
ze_%HVHu99Yh8B7e9)OO6&^_X<%oY^EPeD6FiO%-tU6_EOIz0oT1~+iBAt;aw0CsYg
zPQf5J+E#kN0E3=VxPQNbfkO}MZ`i7&2k2Rt?7e6E4!+pg{`T3x_SwE~&)I&&$o88n
zvi;YCFV36(64`zu_~Kwj1Nc&oWvjD&#Ftl{?IXUJ*}maXtZYA8_9gTZY^5!}<UOq1
zk-V(-Bcu5G*T~<88*(ID^7s#6xGOm1mOQ@dJ>9Q)JUtJ0pJ>+o_6Jde$kmUe%}=PO
z%<q(tG@PQ+$5htfbEs3L`>Z;H2G)7Ai_Yam`jPGx3rn(Md;&CRS%dPR7>*lmnBvSW
zlMRr>jOzXG=auYYPC8G&4t2og5cLs=bq~WZe<S4k<kRpvPgwsCJHFSk%CxR9t<PB>
zbCKEb5VmdIP}dJswTGE*s~NQQSXC?Uw1T$YTGi@frpsebGkYBS1q)+S0UqSPfCT-`

literal 0
HcmV?d00001

diff --git a/tests/api/config/__pycache__/test_user_management.cpython-314-pytest-9.0.3.pyc b/tests/api/config/__pycache__/test_user_management.cpython-314-pytest-9.0.3.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..51269c0bec1c904f0be762b2096eec6d7222a781
GIT binary patch
literal 20833
zcmeHPYit`=cAg=J&mk#_60N5tN{VFBwnR&oEz6H2N+jExD6V#_r8lV@m62$fu|(1{
zlpQO(g*I7WlNO6jw!4keA6=oqrdHb@DT)^Pu?6Bhw$3&wD9eh3LD6o1ra%GND$upj
z0zK!>gO{U`Nd_`jO*4?r+&gp6ojZ4C&OP6E?&Ut8*UiB8Z_oWp;+blO8OMyaS=7YF
zw;?shJkJR1H<%1d_LkGu8A~H`n#<T4l{5B?{k(nHrzz+5!~R@aO9_@Lrbo?WTqWpP
zDLr=ydK{(4m!M~(^gJc#*(p7533?7n&sTz;lhP|ILC;0$`Ag7qQ+nkk=<$?ZKww*#
zu;&YW56+BhZyV-Z@c%0OZya?nOf%C6Z(o!dX7N=1Ccrx>SOlxU2{yqVu?h~s8D%|8
zw<W>~u3oEB`V=F$Uxf5a?3{JT=4R5CsAZVGo?2<z`uxqyPe!>Try1t*xAv$<C;x$A
z>X}hayYjGIOXc=Wj8GS~9b|?2b3F$wJ!)Bj7d)d*t<*62(zKkiZ_>YlJ~%MB+i)dM
zere1#F;Pp8+7ns}C#np3CSM_~_Y5m|1TS?*=H;#0bp&6*vYb{nV%<;mPueb&3I3=(
z!sZ=yjFxM6M%5h9j^*~yYKK;{w!g><?qh7)dW;oE;5i0!rL~l1S<=p^Q(*VkYR4HS
z?Gh}PpN-nc6aEXW|0b^)`j5H;O_w}jH$36p=YC2(;c}||=Dq0B+ARbMmbGbRBbL1W
z;)M#KGRhlz(NjV%dbFCgz1oW|=*6EyFWC&eWdFLC@W~r`DQM`WUD!)cF_%kylNzG<
zCN+Nb-Xx*w^4n2oAJ`|VPyV{7uPa3Qr0LxJm;Ab_g_?(8Yn|HnqS=ZfZLO{cwzkIb
zHG73x!58%!zGiy~U$b3nm9|&jQ}Is(cMIcS2CYNVA!~vSH{Y*}#L|h#m9EHmDtRF>
z8JUsdq9i+UmyAuvWk)i86*ICk9h0Q1DRDyfO7Za-F^>7J?t?NXrl#Vu{YoN!6^eQL
zXEGO4Vq!LyNu-kZ9Z$q#Vq6R@T4e4;DV3BR7vr%BxWpORn!a`bl;ctwlier|-S<JI
zaWNBWZBJk84NG{i7eyC}p1jkCmD7ji%IO&?Gd6xPmYj@_X{{WQy;^eYVobV-`q0*i
zSSB`0U*u3&T4e8APMla|XAk04yTg+EWi=5xK^k%(EOknmSY}2V8&6Hd-QNwJP)-o#
z*#MUA3QOA29;{NfBtYiQB_vW6oC~w}?a5Rolt_lz*<G5ha)gvQ2xWMgOQ)oa%v0Bu
z-H)fQW#VwJF;Olb8;?y*jlp9O$5Yd3=w#Ugr^jBHNlaxDNlCU(rJ#f)SC2^-Q!`T&
zr0Ce>RO*G;)EIfRt}!WgA&xc3zJAi}@Wcj1F(t|sV;555bSyI#e<?i`OOj_Pdcod>
zeX@OgDiKd+WOodn^jIc!DV`M3gO_={zViIK=u8itIjCfm>JQVIBVxUwmIJh6H(mA+
zo#~}BJra(xZEYcHlOK;<Oijllv1BF@8A+w4q{zVFlV=7;BG{V}`2y6}pL8$2?_<+&
z+mrEWxYN$`HQ7&2jEnJDCO(Ge#p7@pbmOFYa1_4)2lUtFRd3b3S-0kFSo2lShZmlE
zxAFb9o9$We*|qY}!l~;|T|b^}K9cqKtvi^&?hS?u*#C>+JodSPbvNVjukv+Ed|j4n
zo|lMN;+t1F^>3ML&hmA7R!_XvqbF~1&06krs`PEFPcK9#Kw*t9`%&NPeSdgtZUB;R
zxL5G{?eo`&SmN7PIrVRuYbV#o><X2>jivQcbmA7*j#b)!cs$Fs%pW0QiEmlu)W2n}
z<+bBVZY7tzjb-&RbmA7*0`+D6Z7ckqEEl=nqX<5-%Bg?LTqMiyQL-yk`Zku<OVNp2
zTx5-}&2nuEk1X+RtDO3`%(cDtn37w`CH2#vV|hJyD=()XhQw{I?QRer?>(sj-jY{Z
z&eX9#XU|k~@AP*-@`K8!4#Dm-cYhh|%(2aP;Kka0Y|~f>De>EblmyS0MoJX~DOKhn
zB`;u%or#ouLRmq-J%^P11<P)Yl*)y`!$V4{XTS~x9L&&v5bq!;B0d(;%E^w2nKZF`
z2z^8c3Va+QB5@IctH`53KzfGu5PA+BPP`57o>+#bahwnl+KGte#0nIZC;-?pVk3w}
zx7dp5HWcVniR~!DDE6Y*hhjg94iudr7M)@Q(+5zHOLSqX8^u8si1)-pAS7(FHaLjK
zAS2frE&CYU=~QAI488aS6u>r04BP>+@oxW*_PxHZC>zi30vpexjknp?iEuN4>i<ha
z1PmTv!ff_CZeqvq8NAXma2)K|Kri=B8>DV{*ny+m4R3!3WIj07e*$(N9c4j|tJDhU
zP;^cEmoaIUf^>~FYBi;6IDx-BqJsGgnuA^>T?3yQK(LB)gB09AQe^v$kZv5b78VI1
zbUlC&XdYEkiDAr0Rv=1r!%~F7$`K9ubd5vs3*}LV0h%~VfF?Td$%iIs4v2=hVuXhN
zotU3W+Wfo#?(C)bgjj_6`QndCus7o4@P013at1{9C`g9#Y{f0j30l9le0$Qg$)2e7
zfy?_sVqyZk<<p?m4FA$EKosLT4qbmV+k7<ZKejVmN3aWbcw!QOS45K#K$GA{*9MXw
zRDu}@Y~j=V*_SZ@#qqVY!GUJsrty3NpU2Bsfh)EtC1@#lqE<9Dc^t8~7g~(lCXSek
za%N0#+6EkPJZdKl;#KXFR*g;p;{hC=1B_1aT$D08=wIkOulc8~-6zEn=dOeUqG6+r
zf!0FR=;ZXw*;d_%fYAZwmNJLt<#j_Mlou?kvla%9*eL{rim20IbX=o4vrE;y%W$iZ
zg}c=`R)f*8fzi35dp@nY=d+74J<beZ{;4>)14Y;#nVXqOOxzEeu_}>8Rzz@GtSc1u
zD6SCVZrQH3p%lL;?54~buYy-XxVQ+!#ikbUm(a7*>{}?LcuWcwR@$Rr;cr4Ibjc)_
z>L;z+nVQC*@o)30r?hwB#djm`AHI1c>mAvQhHD-HPpJkyr3(Ap(}0G{>sS4uC4Xqy
z-@I^m#lLs%8wjp<zqxzO-MHYIe>v;iXRO7>1R6IOD`ILZ!PL&*0;WcXsS0l5jt|;!
zPf{GF!7{LpgKqAfK1khYWCy+6jZl9FWIpuupMc%RUKXS|27Iq5d#OjXtdzClHbt}^
zWFhnUee0-h9|ee1My-C`mTF&6ngc89fQN3_1V@x3RutlHMYPKnwGHbwCs!53g`AhK
zL><J6zNXnI)r#tIvSHmW<}@J=Qx<iC74@H+q^zh*aF6Qo7qf`7X{0T8r2^JXYoTgI
zb9#tw3>(-Z-710=bqoAxq4K(Agm_`0vU)tsU`1W%Bt~5ZE9xG_F`R5v%@FA~ZqRDC
z_UyGiu*%@JrR`uve;{y#S!RcNbt_ta-<NL(DWLca)PF{{p&gRO!D{FmzN84+HUtm~
z{V~Fv1ble8Twv&7TwsrU8$zN`zMgp+9#0frIQslc%p6QTcp5;Zi)mm4YYT&3<swIL
zt89x+Oed1!({Pb9iww}ymd*n*J0sy}-=-Qm*YU}C5*SeNQMrS7b*jyi;!_upAXVJC
z&f^Nx`e>(Kd=M&;nn0j)mkpj;3@-G)d-89??_FK$KKYZx8?kx&TZtbh{xW!P1K<5u
z%J#5-T)u}Dhae-Oa?wMCSGG>ZGlZIzIcRG}JcH^bjS_s`C_%yiKo(1BaRjOYnio52
ztcbA!34q*Kq4uEyuT48n90!FH@NXD4+;6+roYk8Rd`$}&cpN6IWSDR=-s)9P{gS7C
z+0!t8b;Yx1Zt$PWgG<=m%fVC2<)`MJqJ|Ck{CBd>{hMpuDZ>Wblsateg)Vueez2DP
zQ+6=O{j8sd<c+=TU^RDRAB-Ed?1wclZq%|LSF<3^$Bo+U95?WrFl=e7VEfYio`>*z
z-aLNKE;uMJPPcKn%bMEf9ON|}3ASY>1k4yI2(5J}F1QMo)jeo~eYWFBu<iUF+GjEo
zLb1;(wD!&R<y&SY?iV?rZXLKc2<@EFh$nth0^A0dv}6M%_QP9X!rax<HaVFB>z9x+
z5U){u(l{vLrKG<Cp@D34A)Qa|R3mW5MchULs_O@M`2Gi6@cnl{@&hk`YJQ84eF{E<
zSlRZ63dl652RV&-usT(?6|6p6=3xYHH<%2;2h*;Kn}UU$9s(}ImgWFnZ^h~9j->fi
zDq%O_^cwOwJp{43@z^$ats4Y`W0-59xkIVzfnx|v8)XvB%j?DjCJz;=TX#AQhQ~oB
z4{hf3iig(^<n-XJs4+Z5$O^%{_h1(VT=J*lxkl?W?PwXe^;K2Olr!oYe$abaP5Xf+
z(8V2f8zwaIg75Mrm9+U(duHmiuUx;H4omP>d7xd5=l+g@8}w8Y^C!n^PP9;4@X6`!
z|E7r|bwd57i6Xudh!LOG3T>}WXyU=8|D{TdScdE{WrQ92M{w*vA<S%urblr42U_A{
z=n>*?6F2w1ErN>TIe54Qyxp@{1o477PB;l?j<Y&a00PK}6wX?VNI}I00CNa7fN7=#
z8(0)PAOfyn7OmoQc;VkgF$_Y&H?A!-M@SHH6f$x<8G&ZfFsnqF6)=YPWC94Lp!5dD
zfqz2~L11L5p>MwYy(@qJ?9K4fiL-BY{kUtnp-({rua-5jZ@HUb@*<QM@go$G)Dm%6
z5D}Q=f@NX|vWq^7CbFhyG9`Kc;uzNWdmzI891akF2ai55lqSZYi0n{qenLEq3cV<f
zpg<;4={2l`LIpT2<8g&Y3YzwwD1rjM71G~;UqSlo*VPT%%_Y^oS*vnM*ITpB18cs@
zHzu>*2BT*HGd1dW!b}Z?Pb&@>{il;DtGFE)nZLB!(7Dvmx!iEz-Kx(U`j!JD%f6Ah
zQ)_(Sjl(~DEX%ddPZF`jx2|&P-!j*VlOHg*l1tvkvU(Xh0cY-pf$_TQgLuFlKY*Bf
z63&cywdHgV`wn}0KlkS+Aa&yr_H=~1(c0eunGY+T2*U2;cJ_2P_i^}14l*|*EXr<_
z=7{DO+lFXH^`S$6+50d<Sm(N+;p(O_>Vmz%P=c`pho+U=0}BSR1i=YT4=_*Q^w4Y=
zPt7~eXX!Aepbs~>+R`?dO|ex>K_8U1V8bd%OrbI_rhwtX?PtSuXG9x7i)6!eJ#cz3
z+L61X0_+*MZiUL`hR*yzrc=P#6q{oTXl2Pp)r>~hux$}jK(wXA6f`!hPiMn|A{ofA
z!OC0-LV=l&X#y0|N3?C@zQibA8wWS>Sr9bWrHp4?v_(!`O_Jg4flSvGtmhFB3e$Cd
zDLk;yf3xi~SN2<@OQ%P3T-S1V;GXzAUYZPRLzudV0$+D!772RcC9+?+(Th-EVj8O`
ziTt8MBxFPrU%)CJIPyvO2y;W4GMF_yxa&mhC~TeNfl-aXQ5e*UHt2y}OTqKk>sG^k
zOX0rd@Uiz!eI6cI4xV2wKd+En>Uahu*Y!hLXBUoV7qi~R9XXznC<)SC9uh;|3%vq#
zS3S~QRRDLrki4-Us4ebB2hd&h?1yzgch$2W*RmkZ2Zt+w6l4D1Is*1@iGcko0tWN;
zTSdSv1OY#ihky}h?o0#>Cb}Rt(gzQrqF~vr5pbmtG?~@%a1rpXJOo@-6aw}G(yT55
z0oN38TMz-)(q+=TP=^Q@7ORwse_ILuZOg;I^#z|r4*%{hST;9^=P!Hm3JpTz!^6Mu
zHG{D>ZbC?1QdkzT2u)i)wX$g0w)0o!UvKk6_<GAUKEUA0>CWk}Ijf=Tfh*Vi)%bc<
z7Q{N_1Qx_H^cmqoJ_WaKgK!~xC@#bSVY7H<x~Q2VIVxnfEJE};v;`}&2NvDvD_KZR
zU2M~HXs2)`;*0QID8A$+NSTl$`-n$G?u;<<`VE=zBR|E;rcoqO5El_i!x1z7V>Y10
zE^q}(WGXd@OKFrCsGH=J@TESdSZu;dTTrAxgv(1OI>gJUZANl@7f%d>kjg>i+(Kpj
ziAr@;Z`Bv#?}O4DYM%#uYr=LscpXWRGiNBaBa(F<UGvq?C$rv;9qApyx|D5ZJF*qw
z6@G7)>%Kmr2)=ujQ~#E^?kvAo$*xf8+gMsJMJH}?-O#@3hPPgR^W`;Xy|&h;A?tm7
z-Nsa7jJg_Q)B*e4Q|mAZY1b;>w8S^Tnwo{PL~L4E(?l<vQPQs+)sMkS8ZGxZF1=Ap
z!_u3Dvw9&q0cY;^YLv`fq-21X2>>sH=<n5*p+4YchB|?lffVpELtTWIfei98umfIZ
zs0VqOTF882g$W(pCtQCAWPa7%k4m3*u_$|p>_urd*_+#V9tMjCy5!W#e8B;0^PPe#
zs!jHGQydAOH<M}W$=;qV14Fquu}Me?W(?I3x41UXEq*vFPV@keVPMU*Q0Hafaj6@y
z4Z5DnkrXPQbBhbFIN91QMvi22U<eHz*{E2zxjW$0+z4$C;ROgSD3iUxz0w_Qtwsn8
zRph+~m6U_^^?UGDeGhcjjd~A)f?e1JVEJpS0G(nUnEr}d1+%xIN~jiWU%w5?_woPd
zZ4h|%_X_@pfUo~1;OjR!_^O*d7$v_u5E_pqaS45Fd^|2mp;+=-2&a~Ya;vyQ@#I80
zl}Ki!P71NHFBKKGE<7i5wm}0W^baXSF2pXyJILHgWcz1Z9$Y9F5})lTR1%S<ju^#j
zP<t*etgRd<g$Y;YWf21XBvdAuENxQ4-T1QuWch&Jp<|m?IDHRlSio971XP1;H@M7s
zYad(YXRkl@-pTh*XT8rTFl2|VaRL~kO&)c&8(X*|78|H7L~Q5m$PZxW_2rHTU}ImB
zmi8j}Ol7^D#y;H<p>_;S9E7OEU0lF%7vmFmFtB}3!r6qcv<!E^QjXzfT<8YL4=SGs
z!tSFmJKV~Bw3i(FW%U!)aO~y*cDS9p*+q{1s*xP~w3i*;$9;N)9Q&uX{u59x+sdMB
zCvqRkaE0vDe#3*TdX{U(lwbYmRDN0mexsvPj9(QKnYirI56M71kz-`dv}{*YWNtbp
zUV^#q$!m!e`Naydq?s&06u$|#M5bVicynah1&LA-N<zdhn9w^LkYJP;m-F~^YGP(8
z{;2o|a15zY=?KVmE6cL~$}rz&UiHFvZgKvg?t68sY+#8E+_CWNo((HwsaVI<di|!e
zE&AD(O=s<_b{10W0fVkrKMSe#P)TQPx-O*F{RZ72+orY(QtJl{XFa+uq}Ce@XY1Lp
Wstc+0M-6A|RNcE4NQtjQ5B@J0&>jc?

literal 0
HcmV?d00001

diff --git a/tests/api/config/conftest.py b/tests/api/config/conftest.py
new file mode 100644
index 0000000..fb95821
--- /dev/null
+++ b/tests/api/config/conftest.py
@@ -0,0 +1 @@
+# viewer_token fixture is now in tests/api/conftest.py (shared across all API tests)
diff --git a/tests/api/config/test_deploy_limit.py b/tests/api/config/test_deploy_limit.py
new file mode 100644
index 0000000..82e5f0a
--- /dev/null
+++ b/tests/api/config/test_deploy_limit.py
@@ -0,0 +1,57 @@
+import pytest
+from unittest.mock import patch
+
+from decnet.web.dependencies import repo
+
+
+@pytest.fixture(autouse=True)
+def contract_test_mode(monkeypatch):
+    """Skip actual Docker deployment in tests."""
+    monkeypatch.setenv("DECNET_CONTRACT_TEST", "true")
+
+
+@pytest.fixture(autouse=True)
+def mock_network():
+    """Mock network detection so deploy doesn't call `ip addr show`."""
+    with patch("decnet.web.router.fleet.api_deploy_deckies.get_host_ip", return_value="192.168.1.100"):
+        yield
+
+
+@pytest.mark.anyio
+async def test_deploy_respects_limit(client, auth_token, mock_state_file):
+    """Deploy should reject if total deckies would exceed limit."""
+    await repo.set_state("config_limits", {"deployment_limit": 1})
+    await repo.set_state("deployment", mock_state_file)
+
+    ini = """[decky-new]
+services = ssh
+"""
+    resp = await client.post(
+        "/api/v1/deckies/deploy",
+        json={"ini_content": ini},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    # 2 existing + 1 new = 3 > limit of 1
+    assert resp.status_code == 409
+    assert "limit" in resp.json()["detail"].lower()
+
+
+@pytest.mark.anyio
+async def test_deploy_within_limit(client, auth_token, mock_state_file):
+    """Deploy should succeed when within limit."""
+    await repo.set_state("config_limits", {"deployment_limit": 100})
+    await repo.set_state("deployment", mock_state_file)
+
+    ini = """[decky-new]
+services = ssh
+"""
+    resp = await client.post(
+        "/api/v1/deckies/deploy",
+        json={"ini_content": ini},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    # Should not fail due to limit
+    if resp.status_code == 409:
+        assert "limit" not in resp.json()["detail"].lower()
+    else:
+        assert resp.status_code == 200
diff --git a/tests/api/config/test_get_config.py b/tests/api/config/test_get_config.py
new file mode 100644
index 0000000..ab4a437
--- /dev/null
+++ b/tests/api/config/test_get_config.py
@@ -0,0 +1,69 @@
+import pytest
+
+
+@pytest.mark.anyio
+async def test_get_config_defaults_admin(client, auth_token):
+    """Admin gets full config with users list and defaults."""
+    resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["role"] == "admin"
+    assert data["deployment_limit"] == 10
+    assert data["global_mutation_interval"] == "30m"
+    assert "users" in data
+    assert isinstance(data["users"], list)
+    assert len(data["users"]) >= 1
+    # Ensure no password_hash leaked
+    for user in data["users"]:
+        assert "password_hash" not in user
+        assert "uuid" in user
+        assert "username" in user
+        assert "role" in user
+
+
+@pytest.mark.anyio
+async def test_get_config_viewer_no_users(client, auth_token, viewer_token):
+    """Viewer gets config without users list — server-side gating."""
+    resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["role"] == "viewer"
+    assert data["deployment_limit"] == 10
+    assert data["global_mutation_interval"] == "30m"
+    assert "users" not in data
+
+
+@pytest.mark.anyio
+async def test_get_config_returns_stored_values(client, auth_token):
+    """Config returns stored values after update."""
+    await client.put(
+        "/api/v1/config/deployment-limit",
+        json={"deployment_limit": 42},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    await client.put(
+        "/api/v1/config/global-mutation-interval",
+        json={"global_mutation_interval": "7d"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+
+    resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["deployment_limit"] == 42
+    assert data["global_mutation_interval"] == "7d"
+
+
+@pytest.mark.anyio
+async def test_get_config_unauthenticated(client):
+    resp = await client.get("/api/v1/config")
+    assert resp.status_code == 401
diff --git a/tests/api/config/test_reinit.py b/tests/api/config/test_reinit.py
new file mode 100644
index 0000000..32f09ac
--- /dev/null
+++ b/tests/api/config/test_reinit.py
@@ -0,0 +1,76 @@
+import pytest
+
+from decnet.web.dependencies import repo
+
+
+@pytest.fixture(autouse=True)
+def enable_developer_mode(monkeypatch):
+    monkeypatch.setattr("decnet.web.router.config.api_reinit.DECNET_DEVELOPER", True)
+    monkeypatch.setattr("decnet.web.router.config.api_get_config.DECNET_DEVELOPER", True)
+
+
+@pytest.mark.anyio
+async def test_reinit_purges_data(client, auth_token):
+    """Admin can purge all logs, bounties, and attackers in developer mode."""
+    # Seed some data
+    await repo.add_log({
+        "decky": "d1", "service": "ssh", "event_type": "connect",
+        "attacker_ip": "1.2.3.4", "raw_line": "test", "fields": "{}",
+    })
+    await repo.add_bounty({
+        "decky": "d1", "service": "ssh", "attacker_ip": "1.2.3.4",
+        "bounty_type": "credential", "payload": '{"user":"root"}',
+    })
+
+    resp = await client.delete(
+        "/api/v1/config/reinit",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["deleted"]["logs"] >= 1
+    assert data["deleted"]["bounties"] >= 1
+
+
+@pytest.mark.anyio
+async def test_reinit_viewer_forbidden(client, auth_token, viewer_token):
+    resp = await client.delete(
+        "/api/v1/config/reinit",
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_reinit_forbidden_without_developer_mode(client, auth_token, monkeypatch):
+    monkeypatch.setattr("decnet.web.router.config.api_reinit.DECNET_DEVELOPER", False)
+
+    resp = await client.delete(
+        "/api/v1/config/reinit",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 403
+    assert "developer mode" in resp.json()["detail"].lower()
+
+
+@pytest.mark.anyio
+async def test_config_includes_developer_mode(client, auth_token):
+    """Admin config response includes developer_mode when enabled."""
+    resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["developer_mode"] is True
+
+
+@pytest.mark.anyio
+async def test_config_excludes_developer_mode_when_disabled(client, auth_token, monkeypatch):
+    monkeypatch.setattr("decnet.web.router.config.api_get_config.DECNET_DEVELOPER", False)
+
+    resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    assert "developer_mode" not in resp.json()
diff --git a/tests/api/config/test_update_config.py b/tests/api/config/test_update_config.py
new file mode 100644
index 0000000..9f83459
--- /dev/null
+++ b/tests/api/config/test_update_config.py
@@ -0,0 +1,77 @@
+import pytest
+
+
+@pytest.mark.anyio
+async def test_update_deployment_limit_admin(client, auth_token):
+    resp = await client.put(
+        "/api/v1/config/deployment-limit",
+        json={"deployment_limit": 50},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["message"] == "Deployment limit updated"
+
+
+@pytest.mark.anyio
+async def test_update_deployment_limit_out_of_range(client, auth_token):
+    resp = await client.put(
+        "/api/v1/config/deployment-limit",
+        json={"deployment_limit": 0},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 422
+
+    resp = await client.put(
+        "/api/v1/config/deployment-limit",
+        json={"deployment_limit": 501},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 422
+
+
+@pytest.mark.anyio
+async def test_update_deployment_limit_viewer_forbidden(client, auth_token, viewer_token):
+    resp = await client.put(
+        "/api/v1/config/deployment-limit",
+        json={"deployment_limit": 50},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_update_global_mutation_interval_admin(client, auth_token):
+    resp = await client.put(
+        "/api/v1/config/global-mutation-interval",
+        json={"global_mutation_interval": "7d"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["message"] == "Global mutation interval updated"
+
+
+@pytest.mark.anyio
+async def test_update_global_mutation_interval_invalid(client, auth_token):
+    resp = await client.put(
+        "/api/v1/config/global-mutation-interval",
+        json={"global_mutation_interval": "abc"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 422
+
+    resp = await client.put(
+        "/api/v1/config/global-mutation-interval",
+        json={"global_mutation_interval": "0m"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 422
+
+
+@pytest.mark.anyio
+async def test_update_global_mutation_interval_viewer_forbidden(client, auth_token, viewer_token):
+    resp = await client.put(
+        "/api/v1/config/global-mutation-interval",
+        json={"global_mutation_interval": "7d"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
diff --git a/tests/api/config/test_user_management.py b/tests/api/config/test_user_management.py
new file mode 100644
index 0000000..3f6d807
--- /dev/null
+++ b/tests/api/config/test_user_management.py
@@ -0,0 +1,188 @@
+import pytest
+
+
+@pytest.mark.anyio
+async def test_create_user(client, auth_token):
+    resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "newuser", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["username"] == "newuser"
+    assert data["role"] == "viewer"
+    assert data["must_change_password"] is True
+    assert "password_hash" not in data
+
+
+@pytest.mark.anyio
+async def test_create_user_duplicate(client, auth_token):
+    await client.post(
+        "/api/v1/config/users",
+        json={"username": "dupuser", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "dupuser", "password": "securepass456", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 409
+
+
+@pytest.mark.anyio
+async def test_create_user_viewer_forbidden(client, auth_token, viewer_token):
+    resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "blocked", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_delete_user(client, auth_token):
+    # Create a user to delete
+    create_resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "todelete", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    user_uuid = create_resp.json()["uuid"]
+
+    resp = await client.delete(
+        f"/api/v1/config/users/{user_uuid}",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+
+
+@pytest.mark.anyio
+async def test_delete_self_forbidden(client, auth_token):
+    # Get own UUID from config
+    config_resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    users = config_resp.json()["users"]
+    admin_uuid = next(u["uuid"] for u in users if u["role"] == "admin")
+
+    resp = await client.delete(
+        f"/api/v1/config/users/{admin_uuid}",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_delete_nonexistent_user(client, auth_token):
+    resp = await client.delete(
+        "/api/v1/config/users/00000000-0000-0000-0000-000000000000",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_update_user_role(client, auth_token):
+    create_resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "roletest", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    user_uuid = create_resp.json()["uuid"]
+
+    resp = await client.put(
+        f"/api/v1/config/users/{user_uuid}/role",
+        json={"role": "admin"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+
+    # Verify role changed
+    config_resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    updated = next(u for u in config_resp.json()["users"] if u["uuid"] == user_uuid)
+    assert updated["role"] == "admin"
+
+
+@pytest.mark.anyio
+async def test_update_own_role_forbidden(client, auth_token):
+    config_resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    admin_uuid = next(u["uuid"] for u in config_resp.json()["users"] if u["role"] == "admin")
+
+    resp = await client.put(
+        f"/api/v1/config/users/{admin_uuid}/role",
+        json={"role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_reset_user_password(client, auth_token):
+    create_resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "resetme", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    user_uuid = create_resp.json()["uuid"]
+
+    resp = await client.put(
+        f"/api/v1/config/users/{user_uuid}/reset-password",
+        json={"new_password": "newpass12345"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200
+
+    # Verify must_change_password is set
+    config_resp = await client.get(
+        "/api/v1/config",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    updated = next(u for u in config_resp.json()["users"] if u["uuid"] == user_uuid)
+    assert updated["must_change_password"] is True
+
+    # Verify new password works
+    login_resp = await client.post(
+        "/api/v1/auth/login",
+        json={"username": "resetme", "password": "newpass12345"},
+    )
+    assert login_resp.status_code == 200
+
+
+@pytest.mark.anyio
+async def test_all_user_endpoints_viewer_forbidden(client, auth_token, viewer_token):
+    """Viewer cannot access any user management endpoints."""
+    resp = await client.post(
+        "/api/v1/config/users",
+        json={"username": "x", "password": "securepass123", "role": "viewer"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+    resp = await client.delete(
+        "/api/v1/config/users/fake-uuid",
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+    resp = await client.put(
+        "/api/v1/config/users/fake-uuid/role",
+        json={"role": "admin"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+    resp = await client.put(
+        "/api/v1/config/users/fake-uuid/reset-password",
+        json={"new_password": "securepass123"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
diff --git a/tests/api/test_rbac.py b/tests/api/test_rbac.py
new file mode 100644
index 0000000..e05c561
--- /dev/null
+++ b/tests/api/test_rbac.py
@@ -0,0 +1,116 @@
+"""RBAC matrix tests — verify role enforcement on every API endpoint."""
+import pytest
+
+
+# ── Read-only endpoints: viewer + admin should both get access ──────────
+
+_VIEWER_ENDPOINTS = [
+    ("GET", "/api/v1/logs"),
+    ("GET", "/api/v1/logs/histogram"),
+    ("GET", "/api/v1/bounty"),
+    ("GET", "/api/v1/deckies"),
+    ("GET", "/api/v1/stats"),
+    ("GET", "/api/v1/attackers"),
+    ("GET", "/api/v1/config"),
+]
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method,path", _VIEWER_ENDPOINTS)
+async def test_viewer_can_access_read_endpoints(client, viewer_token, method, path):
+    resp = await client.request(
+        method, path, headers={"Authorization": f"Bearer {viewer_token}"}
+    )
+    assert resp.status_code == 200, f"{method} {path} returned {resp.status_code}"
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method,path", _VIEWER_ENDPOINTS)
+async def test_admin_can_access_read_endpoints(client, auth_token, method, path):
+    resp = await client.request(
+        method, path, headers={"Authorization": f"Bearer {auth_token}"}
+    )
+    assert resp.status_code == 200, f"{method} {path} returned {resp.status_code}"
+
+
+# ── Admin-only endpoints: viewer must get 403 ──────────────────────────
+
+_ADMIN_ENDPOINTS = [
+    ("PUT", "/api/v1/config/deployment-limit", {"deployment_limit": 5}),
+    ("PUT", "/api/v1/config/global-mutation-interval", {"global_mutation_interval": "1d"}),
+    ("POST", "/api/v1/config/users", {"username": "rbac-test", "password": "pass123456", "role": "viewer"}),
+]
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method,path,body", _ADMIN_ENDPOINTS)
+async def test_viewer_blocked_from_admin_endpoints(client, viewer_token, method, path, body):
+    resp = await client.request(
+        method, path,
+        json=body,
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403, f"{method} {path} returned {resp.status_code}"
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method,path,body", _ADMIN_ENDPOINTS)
+async def test_admin_can_access_admin_endpoints(client, auth_token, method, path, body):
+    resp = await client.request(
+        method, path,
+        json=body,
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200, f"{method} {path} returned {resp.status_code}"
+
+
+# ── Unauthenticated access: must get 401 ───────────────────────────────
+
+_ALL_PROTECTED = [
+    ("GET", "/api/v1/logs"),
+    ("GET", "/api/v1/stats"),
+    ("GET", "/api/v1/deckies"),
+    ("GET", "/api/v1/bounty"),
+    ("GET", "/api/v1/attackers"),
+    ("GET", "/api/v1/config"),
+    ("PUT", "/api/v1/config/deployment-limit"),
+    ("POST", "/api/v1/config/users"),
+]
+
+
+@pytest.mark.anyio
+@pytest.mark.parametrize("method,path", _ALL_PROTECTED)
+async def test_unauthenticated_returns_401(client, method, path):
+    resp = await client.request(method, path)
+    assert resp.status_code == 401, f"{method} {path} returned {resp.status_code}"
+
+
+# ── Fleet write endpoints: viewer must get 403 ─────────────────────────
+
+@pytest.mark.anyio
+async def test_viewer_blocked_from_deploy(client, viewer_token):
+    resp = await client.post(
+        "/api/v1/deckies/deploy",
+        json={"ini_content": "[decky-rbac-test]\nservices=ssh"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_viewer_blocked_from_mutate(client, viewer_token):
+    resp = await client.post(
+        "/api/v1/deckies/test-decky/mutate",
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_viewer_blocked_from_mutate_interval(client, viewer_token):
+    resp = await client.put(
+        "/api/v1/deckies/test-decky/mutate-interval",
+        json={"mutate_interval": "5d"},
+        headers={"Authorization": f"Bearer {viewer_token}"},
+    )
+    assert resp.status_code == 403
diff --git a/tests/test_profiler_behavioral.py b/tests/test_profiler_behavioral.py
new file mode 100644
index 0000000..44f6dfc
--- /dev/null
+++ b/tests/test_profiler_behavioral.py
@@ -0,0 +1,277 @@
+"""
+Unit tests for the profiler behavioral/timing analyzer.
+
+Covers:
+  - timing_stats: mean/median/stdev/cv on synthetic event streams
+  - classify_behavior: beaconing vs interactive vs scanning vs mixed vs unknown
+  - guess_tool: attribution matching and tolerance boundaries
+  - phase_sequence: recon → exfil latency detection
+  - sniffer_rollup: OS-guess mode, hop median, retransmit sum
+  - build_behavior_record: composite output shape (JSON-encoded subfields)
+"""
+
+from __future__ import annotations
+
+import json
+from datetime import datetime, timedelta, timezone
+
+from decnet.correlation.parser import LogEvent
+from decnet.profiler.behavioral import (
+    build_behavior_record,
+    classify_behavior,
+    guess_tool,
+    phase_sequence,
+    sniffer_rollup,
+    timing_stats,
+)
+
+
+# ─── Helpers ────────────────────────────────────────────────────────────────
+
+_BASE = datetime(2026, 4, 15, 12, 0, 0, tzinfo=timezone.utc)
+
+
+def _mk(
+    ts_offset_s: float,
+    event_type: str = "connection",
+    service: str = "ssh",
+    decky: str = "decky-01",
+    fields: dict | None = None,
+    ip: str = "10.0.0.7",
+) -> LogEvent:
+    """Build a synthetic LogEvent at BASE + offset seconds."""
+    return LogEvent(
+        timestamp=_BASE + timedelta(seconds=ts_offset_s),
+        decky=decky,
+        service=service,
+        event_type=event_type,
+        attacker_ip=ip,
+        fields=fields or {},
+        raw="",
+    )
+
+
+def _regular_beacon(count: int, interval_s: float, jitter_s: float = 0.0) -> list[LogEvent]:
+    """
+    Build *count* events with alternating IATs of (interval_s ± jitter_s).
+
+    This yields:
+      - mean IAT = interval_s
+      - stdev IAT = jitter_s
+      - coefficient of variation = jitter_s / interval_s
+    """
+    events: list[LogEvent] = []
+    offset = 0.0
+    events.append(_mk(offset))
+    for i in range(1, count):
+        iat = interval_s + (jitter_s if i % 2 == 1 else -jitter_s)
+        offset += iat
+        events.append(_mk(offset))
+    return events
+
+
+# ─── timing_stats ───────────────────────────────────────────────────────────
+
+class TestTimingStats:
+    def test_empty_returns_nulls(self):
+        s = timing_stats([])
+        assert s["event_count"] == 0
+        assert s["mean_iat_s"] is None
+        assert s["cv"] is None
+
+    def test_single_event(self):
+        s = timing_stats([_mk(0)])
+        assert s["event_count"] == 1
+        assert s["duration_s"] == 0.0
+        assert s["mean_iat_s"] is None
+
+    def test_regular_cadence_cv_is_zero(self):
+        events = _regular_beacon(count=10, interval_s=60.0)
+        s = timing_stats(events)
+        assert s["event_count"] == 10
+        assert s["mean_iat_s"] == 60.0
+        assert s["cv"] == 0.0
+        assert s["stdev_iat_s"] == 0.0
+
+    def test_jittered_cadence(self):
+        events = _regular_beacon(count=20, interval_s=60.0, jitter_s=12.0)
+        s = timing_stats(events)
+        # Mean is close to 60, cv ~20% (jitter 12 / interval 60)
+        assert abs(s["mean_iat_s"] - 60.0) < 2.0
+        assert s["cv"] is not None
+        assert 0.10 < s["cv"] < 0.50
+
+
+# ─── classify_behavior ──────────────────────────────────────────────────────
+
+class TestClassifyBehavior:
+    def test_unknown_if_too_few(self):
+        s = timing_stats(_regular_beacon(count=2, interval_s=60.0))
+        assert classify_behavior(s, services_count=1) == "unknown"
+
+    def test_beaconing_regular_cadence(self):
+        s = timing_stats(_regular_beacon(count=10, interval_s=60.0, jitter_s=3.0))
+        assert classify_behavior(s, services_count=1) == "beaconing"
+
+    def test_interactive_fast_irregular(self):
+        # Very fast events with high variance ≈ a human hitting keys + think time
+        events = []
+        times = [0, 0.2, 0.5, 1.0, 5.0, 5.1, 5.3, 10.0, 10.1, 10.2, 12.0]
+        for t in times:
+            events.append(_mk(t))
+        s = timing_stats(events)
+        assert classify_behavior(s, services_count=1) == "interactive"
+
+    def test_scanning_many_services_fast(self):
+        # 10 events across 5 services, each 0.2s apart
+        events = []
+        svcs = ["ssh", "http", "smb", "ftp", "rdp"]
+        for i in range(10):
+            events.append(_mk(i * 0.2, service=svcs[i % 5]))
+        s = timing_stats(events)
+        assert classify_behavior(s, services_count=5) == "scanning"
+
+    def test_mixed_fallback(self):
+        # Moderate count, moderate cv, single service, moderate cadence
+        events = _regular_beacon(count=6, interval_s=20.0, jitter_s=10.0)
+        s = timing_stats(events)
+        # cv ~0.5, not tight enough for beaconing, mean 20s > interactive
+        result = classify_behavior(s, services_count=1)
+        assert result in ("mixed", "interactive")  # either is acceptable
+
+
+# ─── guess_tool ─────────────────────────────────────────────────────────────
+
+class TestGuessTool:
+    def test_cobalt_strike(self):
+        # Default: 60s interval, 20% jitter → cv 0.20
+        assert guess_tool(mean_iat_s=60.0, cv=0.20) == "cobalt_strike"
+
+    def test_havoc(self):
+        # 45s interval, 10% jitter → cv 0.10
+        assert guess_tool(mean_iat_s=45.0, cv=0.10) == "havoc"
+
+    def test_mythic(self):
+        assert guess_tool(mean_iat_s=30.0, cv=0.15) == "mythic"
+
+    def test_no_match_outside_tolerance(self):
+        # 5-second beacon is far from any default
+        assert guess_tool(mean_iat_s=5.0, cv=0.10) is None
+
+    def test_none_when_stats_missing(self):
+        assert guess_tool(None, None) is None
+        assert guess_tool(60.0, None) is None
+
+    def test_ambiguous_returns_none(self):
+        # If a signature set is tweaked such that two profiles overlap,
+        # guess_tool must not attribute.
+        # Cobalt (60±10s, cv 0.20±0.08) and Sliver (60±15s, cv 0.30±0.10)
+        # overlap around (60s, cv=0.25). Both match → None.
+        result = guess_tool(mean_iat_s=60.0, cv=0.25)
+        assert result is None
+
+
+# ─── phase_sequence ────────────────────────────────────────────────────────
+
+class TestPhaseSequence:
+    def test_recon_then_exfil(self):
+        events = [
+            _mk(0, event_type="scan"),
+            _mk(10, event_type="login_attempt"),
+            _mk(20, event_type="auth_failure"),
+            _mk(120, event_type="exec"),
+            _mk(150, event_type="download"),
+        ]
+        p = phase_sequence(events)
+        assert p["recon_end_ts"] is not None
+        assert p["exfil_start_ts"] is not None
+        assert p["exfil_latency_s"] == 100.0  # 120 - 20
+
+    def test_no_exfil(self):
+        events = [_mk(0, event_type="scan"), _mk(10, event_type="scan")]
+        p = phase_sequence(events)
+        assert p["exfil_start_ts"] is None
+        assert p["exfil_latency_s"] is None
+
+    def test_large_payload_counted(self):
+        events = [
+            _mk(0, event_type="download", fields={"bytes": "2097152"}),  # 2 MiB
+            _mk(10, event_type="download", fields={"bytes": "500"}),     # small
+            _mk(20, event_type="upload",   fields={"size": "10485760"}), # 10 MiB
+        ]
+        p = phase_sequence(events)
+        assert p["large_payload_count"] == 2
+
+
+# ─── sniffer_rollup ─────────────────────────────────────────────────────────
+
+class TestSnifferRollup:
+    def test_os_mode(self):
+        events = [
+            _mk(0, event_type="tcp_syn_fingerprint",
+                fields={"os_guess": "linux", "hop_distance": "3",
+                        "window": "29200", "mss": "1460"}),
+            _mk(5, event_type="tcp_syn_fingerprint",
+                fields={"os_guess": "linux", "hop_distance": "3",
+                        "window": "29200", "mss": "1460"}),
+            _mk(10, event_type="tcp_syn_fingerprint",
+                fields={"os_guess": "windows", "hop_distance": "8",
+                        "window": "64240", "mss": "1460"}),
+        ]
+        r = sniffer_rollup(events)
+        assert r["os_guess"] == "linux"  # mode
+        # Median of [3, 3, 8] = 3
+        assert r["hop_distance"] == 3
+        # Latest fingerprint snapshot wins
+        assert r["tcp_fingerprint"]["window"] == 64240
+
+    def test_retransmits_summed(self):
+        events = [
+            _mk(0, event_type="tcp_flow_timing", fields={"retransmits": "2"}),
+            _mk(10, event_type="tcp_flow_timing", fields={"retransmits": "5"}),
+            _mk(20, event_type="tcp_flow_timing", fields={"retransmits": "0"}),
+        ]
+        r = sniffer_rollup(events)
+        assert r["retransmit_count"] == 7
+
+    def test_empty(self):
+        r = sniffer_rollup([])
+        assert r["os_guess"] is None
+        assert r["hop_distance"] is None
+        assert r["retransmit_count"] == 0
+
+
+# ─── build_behavior_record (composite) ──────────────────────────────────────
+
+class TestBuildBehaviorRecord:
+    def test_beaconing_with_cobalt_strike_match(self):
+        # 60s interval, 20% jitter → cobalt strike default
+        events = _regular_beacon(count=20, interval_s=60.0, jitter_s=12.0)
+        r = build_behavior_record(events)
+        assert r["behavior_class"] == "beaconing"
+        assert r["beacon_interval_s"] is not None
+        assert 50 < r["beacon_interval_s"] < 70
+        assert r["beacon_jitter_pct"] is not None
+        assert r["tool_guess"] == "cobalt_strike"
+
+    def test_json_fields_are_strings(self):
+        events = _regular_beacon(count=5, interval_s=60.0)
+        r = build_behavior_record(events)
+        # timing_stats, phase_sequence, tcp_fingerprint must be JSON strings
+        assert isinstance(r["timing_stats"], str)
+        json.loads(r["timing_stats"])  # doesn't raise
+        assert isinstance(r["phase_sequence"], str)
+        json.loads(r["phase_sequence"])
+        assert isinstance(r["tcp_fingerprint"], str)
+        json.loads(r["tcp_fingerprint"])
+
+    def test_non_beaconing_has_null_beacon_fields(self):
+        # Scanning behavior — should not report a beacon interval
+        events = []
+        svcs = ["ssh", "http", "smb", "ftp", "rdp"]
+        for i in range(10):
+            events.append(_mk(i * 0.2, service=svcs[i % 5]))
+        r = build_behavior_record(events)
+        assert r["behavior_class"] == "scanning"
+        assert r["beacon_interval_s"] is None
+        assert r["beacon_jitter_pct"] is None