fix: resolve schemathesis and live test failures

- Add 403 response to all RBAC-gated endpoints (schemathesis UndefinedStatusCode) - Add 400 response to all endpoints accepting JSON bodies (malformed input) - Add required 'title' field to schemathesis.toml for schemathesis 4.15+ - Add xdist_group markers to live tests with module-scoped fixtures to prevent xdist from distributing them across workers (fixture isolation)
2026-04-16 01:39:04 -04:00
parent 29578d9d99
commit 89099b903d
16 changed files with 26 additions and 5 deletions
--- a/decnet/web/router/attackers/api_get_attacker_commands.py
+++ b/decnet/web/router/attackers/api_get_attacker_commands.py
@@ -13,6 +13,7 @@ router = APIRouter()
    tags=["Attacker Profiles"],
    responses={
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
        404: {"description": "Attacker not found"},
    },
 )
--- a/decnet/web/router/attackers/api_get_attacker_detail.py
+++ b/decnet/web/router/attackers/api_get_attacker_detail.py
@@ -13,6 +13,7 @@ router = APIRouter()
    tags=["Attacker Profiles"],
    responses={
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
        404: {"description": "Attacker not found"},
    },
 )
--- a/decnet/web/router/attackers/api_get_attackers.py
+++ b/decnet/web/router/attackers/api_get_attackers.py
@@ -15,6 +15,7 @@ router = APIRouter()
    tags=["Attacker Profiles"],
    responses={
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
        422: {"description": "Validation error"},
    },
 )
--- a/decnet/web/router/bounty/api_get_bounties.py
+++ b/decnet/web/router/bounty/api_get_bounties.py
@@ -10,7 +10,7 @@ router = APIRouter()


@router.get("/bounty", response_model=BountyResponse, tags=["Bounty Vault"],
-    responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
+    responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 422: {"description": "Validation error"}},)
@_traced("api.get_bounties")
 async def get_bounties(
    limit: int = Query(50, ge=1, le=1000),
--- a/decnet/web/router/config/api_get_config.py
+++ b/decnet/web/router/config/api_get_config.py
@@ -16,6 +16,7 @@ _DEFAULT_MUTATION_INTERVAL = "30m"
    tags=["Configuration"],
    responses={
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
    },
 )
@_traced("api.get_config")
--- a/decnet/web/router/config/api_manage_users.py
+++ b/decnet/web/router/config/api_manage_users.py
@@ -19,6 +19,7 @@ router = APIRouter()
    "/config/users",
    tags=["Configuration"],
    responses={
+        400: {"description": "Bad Request (e.g. malformed JSON)"},
        401: {"description": "Could not validate credentials"},
        403: {"description": "Admin access required"},
        409: {"description": "Username already exists"},
@@ -77,6 +78,7 @@ async def api_delete_user(
    "/config/users/{user_uuid}/role",
    tags=["Configuration"],
    responses={
+        400: {"description": "Bad Request (e.g. malformed JSON)"},
        401: {"description": "Could not validate credentials"},
        403: {"description": "Admin access required / cannot change own role"},
        404: {"description": "User not found"},
@@ -104,6 +106,7 @@ async def api_update_user_role(
    "/config/users/{user_uuid}/reset-password",
    tags=["Configuration"],
    responses={
+        400: {"description": "Bad Request (e.g. malformed JSON)"},
        401: {"description": "Could not validate credentials"},
        403: {"description": "Admin access required"},
        404: {"description": "User not found"},
--- a/decnet/web/router/config/api_update_config.py
+++ b/decnet/web/router/config/api_update_config.py
@@ -11,6 +11,7 @@ router = APIRouter()
    "/config/deployment-limit",
    tags=["Configuration"],
    responses={
+        400: {"description": "Bad Request (e.g. malformed JSON)"},
        401: {"description": "Could not validate credentials"},
        403: {"description": "Admin access required"},
        422: {"description": "Validation error"},
@@ -29,6 +30,7 @@ async def api_update_deployment_limit(
    "/config/global-mutation-interval",
    tags=["Configuration"],
    responses={
+        400: {"description": "Bad Request (e.g. malformed JSON)"},
        401: {"description": "Could not validate credentials"},
        403: {"description": "Admin access required"},
        422: {"description": "Validation error"},
--- a/decnet/web/router/fleet/api_get_deckies.py
+++ b/decnet/web/router/fleet/api_get_deckies.py
@@ -9,7 +9,7 @@ router = APIRouter()


@router.get("/deckies", tags=["Fleet Management"],
-    responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
+    responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 422: {"description": "Validation error"}},)
@_traced("api.get_deckies")
 async def get_deckies(user: dict = Depends(require_viewer)) -> list[dict[str, Any]]:
    return await repo.get_deckies()
--- a/decnet/web/router/health/api_get_health.py
+++ b/decnet/web/router/health/api_get_health.py
@@ -18,6 +18,7 @@ _OPTIONAL_SERVICES = {"sniffer_worker"}
    tags=["Observability"],
    responses={
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
        503: {"model": HealthResponse, "description": "System unhealthy"},
    },
 )
--- a/decnet/web/router/logs/api_get_histogram.py
+++ b/decnet/web/router/logs/api_get_histogram.py
@@ -9,7 +9,7 @@ router = APIRouter()


@router.get("/logs/histogram", tags=["Logs"],
-    responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
+    responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 422: {"description": "Validation error"}},)
@_traced("api.get_logs_histogram")
 async def get_logs_histogram(
    search: Optional[str] = None,
--- a/decnet/web/router/logs/api_get_logs.py
+++ b/decnet/web/router/logs/api_get_logs.py
@@ -10,7 +10,7 @@ router = APIRouter()


@router.get("/logs", response_model=LogsResponse, tags=["Logs"],
-    responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}})
+    responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 422: {"description": "Validation error"}})
@_traced("api.get_logs")
 async def get_logs(
    limit: int = Query(50, ge=1, le=1000),
--- a/decnet/web/router/stats/api_get_stats.py
+++ b/decnet/web/router/stats/api_get_stats.py
@@ -10,7 +10,7 @@ router = APIRouter()


@router.get("/stats", response_model=StatsResponse, tags=["Observability"],
-    responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
+    responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 422: {"description": "Validation error"}},)
@_traced("api.get_stats")
 async def get_stats(user: dict = Depends(require_viewer)) -> dict[str, Any]:
    return await repo.get_stats_summary()
--- a/decnet/web/router/stream/api_stream_events.py
+++ b/decnet/web/router/stream/api_stream_events.py
@@ -50,6 +50,7 @@ def _build_trace_links(logs: list[dict]) -> list:
            "description": "Real-time Server-Sent Events (SSE) stream"
        },
        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
        422: {"description": "Validation error"}
    },
 )