test: add comprehensive tests for all security fixes

Add 20 tests covering: - require_user_actor: rejects agents and null users, passes valid users - Webhook HMAC: rejects missing/invalid signatures, accepts valid ones, allows unsigned when no secret configured - Prompt injection: sanitized skill name/URL, fenced external data in dispatch messages, system instructions precede data - Security headers: verify nosniff, DENY, referrer-policy defaults - Payload size: rejects oversized body and content-length - Rate limiting: blocks after threshold, independent per-key - Gateway token: has_token field present, token field absent - Agent auth logs: no token_prefix in source Also fix deprecated HTTP_413_REQUEST_ENTITY_TOO_LARGE status code. All 407 tests pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 13:47:27 -07:00
parent 547965a5cb
commit 858575cf6c
2 changed files with 545 additions and 2 deletions
--- a/backend/app/api/board_webhooks.py
+++ b/backend/app/api/board_webhooks.py
@@ -505,13 +505,13 @@ async def ingest_board_webhook(
    content_length = request.headers.get("content-length")
    if content_length and int(content_length) > max_payload_bytes:
        raise HTTPException(
-            status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
+            status_code=status.HTTP_413_CONTENT_TOO_LARGE,
            detail=f"Payload exceeds maximum size of {max_payload_bytes} bytes.",
        )
    raw_body = await request.body()
    if len(raw_body) > max_payload_bytes:
        raise HTTPException(
-            status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
+            status_code=status.HTTP_413_CONTENT_TOO_LARGE,
            detail=f"Payload exceeds maximum size of {max_payload_bytes} bytes.",
        )
    _verify_webhook_signature(webhook, raw_body, request)