Phase 1: pytest baseline, production hardening, pinned requirements

Establishes the safety net required before any structural refactor. Tests (tests/): - conftest.py rewritten for Flask-SQLAlchemy 3.x (drop-recreate per test, StaticPool-shared in-memory SQLite, admin_user + auth_headers fixtures). Removes deprecated db.create_scoped_session pattern. - test_smoke.py: 8 baseline tests (app boot, JWT login valid+invalid, protected routes, paginated response shape, plugin auto-discovery). - test_security_config.py: 7 tests pinning ProductionConfig.validate failure modes (missing/dev SECRET_KEY, missing JWT_SECRET_KEY, missing DATABASE_URL, wildcard CORS, empty CORS) and one happy-path. Production hardening (shopdb/config.py, shopdb/__init__.py): - ProductionConfig.validate() raises ConfigError on missing or insecure SECRET_KEY, JWT_SECRET_KEY, DATABASE_URL, CORS_ORIGINS. No silent fallback to dev defaults in production. - create_app invokes validate() when config_name == 'production'. - CORS_ORIGINS default no longer wildcard; defaults to localhost Vite dev origin. - Drop os.path.exists probe in serve_frontend (path-traversal risk surface). send_from_directory handles safe-join + 404 itself. - Replace User.query.get with db.session.get (SQLAlchemy 2.0 API). TestingConfig (shopdb/config.py): - Add StaticPool + check_same_thread connect_args so SQLite in-memory is shared across the test session. Index dedup (plugins/printers/models/printer_extension.py): - Rename idx_printer_windowsname -> idx_printerdata_windowsname. Two model classes (Printer, PrinterData) declared the same index name; SQLite enforces global index uniqueness even across tables. Per CONTRIBUTING.md naming convention, indexes follow idx_<table>_<column>. Dependency pinning (requirements.in, requirements.txt): - requirements.in holds the loose source pins (the human-edited file). - requirements.txt is now a uv-compiled lockfile (every transitive dep pinned to an exact version). Reproducible builds. Run `uv pip compile requirements.in -o requirements.txt` to refresh. Test count: 0 -> 15 passing. All naming/style checks still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 14:48:19 -04:00
parent d6725c08e0
commit 2d1bb83c3b
8 changed files with 487 additions and 87 deletions
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,32 +1,119 @@
-# Flask and extensions
-flask>=3.0
-flask-sqlalchemy>=3.1
-flask-migrate>=4.0
-flask-jwt-extended>=4.6
-flask-cors>=4.0
-flask-caching>=2.0
-flask-marshmallow>=1.2
-marshmallow-sqlalchemy>=0.29
-
-# Database
-mysql-connector-python>=8.0
-pymysql>=1.1
-
-# CLI and utilities
-click>=8.1
-python-dotenv>=1.0
-tabulate>=0.9
-
-# HTTP/API clients
-requests>=2.31
-
-# Security
-werkzeug>=3.0
-
-# Validation
-email-validator>=2.0
-
-# Testing
-pytest>=7.0
-pytest-flask>=1.2
-pytest-cov>=4.0
+# This file was autogenerated by uv via the following command:
+#    uv pip compile requirements.in -o requirements.txt
+alembic==1.18.4
+    # via flask-migrate
+blinker==1.9.0
+    # via flask
+cachelib==0.13.0
+    # via flask-caching
+certifi==2026.4.22
+    # via requests
+charset-normalizer==3.4.7
+    # via requests
+click==8.3.3
+    # via
+    #   -r requirements.in
+    #   flask
+coverage==7.13.5
+    # via pytest-cov
+dnspython==2.8.0
+    # via email-validator
+email-validator==2.3.0
+    # via -r requirements.in
+flask==3.1.3
+    # via
+    #   -r requirements.in
+    #   flask-caching
+    #   flask-cors
+    #   flask-jwt-extended
+    #   flask-marshmallow
+    #   flask-migrate
+    #   flask-sqlalchemy
+    #   pytest-flask
+flask-caching==2.4.0
+    # via -r requirements.in
+flask-cors==6.0.2
+    # via -r requirements.in
+flask-jwt-extended==4.7.3
+    # via -r requirements.in
+flask-marshmallow==1.5.0
+    # via -r requirements.in
+flask-migrate==4.1.0
+    # via -r requirements.in
+flask-sqlalchemy==3.1.1
+    # via
+    #   -r requirements.in
+    #   flask-migrate
+greenlet==3.5.0
+    # via sqlalchemy
+idna==3.13
+    # via
+    #   email-validator
+    #   requests
+iniconfig==2.3.0
+    # via pytest
+itsdangerous==2.2.0
+    # via flask
+jinja2==3.1.6
+    # via flask
+mako==1.3.12
+    # via alembic
+markupsafe==3.0.3
+    # via
+    #   flask
+    #   jinja2
+    #   mako
+    #   werkzeug
+marshmallow==4.3.0
+    # via
+    #   flask-marshmallow
+    #   marshmallow-sqlalchemy
+marshmallow-sqlalchemy==1.5.0
+    # via -r requirements.in
+mysql-connector-python==9.7.0
+    # via -r requirements.in
+packaging==26.2
+    # via pytest
+pluggy==1.6.0
+    # via
+    #   pytest
+    #   pytest-cov
+pygments==2.20.0
+    # via pytest
+pyjwt==2.12.1
+    # via flask-jwt-extended
+pymysql==1.1.3
+    # via -r requirements.in
+pytest==9.0.3
+    # via
+    #   -r requirements.in
+    #   pytest-cov
+    #   pytest-flask
+pytest-cov==7.1.0
+    # via -r requirements.in
+pytest-flask==1.3.0
+    # via -r requirements.in
+python-dotenv==1.2.2
+    # via -r requirements.in
+requests==2.33.1
+    # via -r requirements.in
+sqlalchemy==2.0.49
+    # via
+    #   alembic
+    #   flask-sqlalchemy
+    #   marshmallow-sqlalchemy
+tabulate==0.10.0
+    # via -r requirements.in
+typing-extensions==4.15.0
+    # via
+    #   alembic
+    #   sqlalchemy
+urllib3==2.7.0
+    # via requests
+werkzeug==3.1.8
+    # via
+    #   -r requirements.in
+    #   flask
+    #   flask-cors
+    #   flask-jwt-extended
+    #   pytest-flask