fix: correct tojson|safe usage in templates and update validator

- Remove |safe from |tojson in HTML attributes (x-data) - quotes must become " for browsers to parse correctly - Update LANG-002 and LANG-003 architecture rules to document correct |tojson usage patterns: - HTML attributes: |tojson (no |safe) - Script blocks: |tojson|safe - Fix validator to warn when |tojson|safe is used in x-data (breaks HTML attribute parsing) - Improve code quality across services, APIs, and tests 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-13 22:59:51 +01:00
parent 94d268f330
commit 9920430b9e
123 changed files with 1408 additions and 840 deletions
--- a/tests/integration/security/test_authentication.py
+++ b/tests/integration/security/test_authentication.py
@@ -6,6 +6,7 @@ API Structure:
 - /api/v1/admin/* - Admin endpoints (require admin token)
 - /api/v1/vendor/* - Vendor endpoints (require vendor token with vendor_id claim)
 """
+
 import pytest


--- a/tests/integration/security/test_authorization.py
+++ b/tests/integration/security/test_authorization.py
@@ -6,6 +6,7 @@ Tests role-based access control:
 - Admin endpoints require admin role
 - Vendor endpoints require vendor context (vendor_id in token)
 """
+
 import pytest


@@ -29,7 +30,9 @@ class TestAuthorization:

        for endpoint in admin_endpoints:
            response = client.get(endpoint, headers=admin_headers)
-            assert response.status_code == 200, f"Admin should have access to {endpoint}"
+            assert response.status_code == 200, (
+                f"Admin should have access to {endpoint}"
+            )

    def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
        """Test that vendor endpoints require vendor context in token"""
@@ -38,9 +41,7 @@ class TestAuthorization:
        # Should fail - admin token lacks vendor_id claim
        assert response.status_code in [401, 403]

-    def test_vendor_owner_access_control(
-        self, client, admin_headers, test_vendor
-    ):
+    def test_vendor_owner_access_control(self, client, admin_headers, test_vendor):
        """Test admin can access vendor by vendor code"""
        response = client.get(
            f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers
--- a/tests/integration/security/test_input_validation.py
+++ b/tests/integration/security/test_input_validation.py
@@ -4,6 +4,7 @@ Input validation tests for the API.

 Tests SQL injection prevention, parameter validation, and JSON validation.
 """
+
 import pytest


@@ -27,14 +28,10 @@ class TestInputValidation:
    def test_parameter_validation(self, client, admin_headers):
        """Test parameter validation for API endpoints"""
        # Test invalid pagination parameters
-        response = client.get(
-            "/api/v1/admin/products?limit=-1", headers=admin_headers
-        )
+        response = client.get("/api/v1/admin/products?limit=-1", headers=admin_headers)
        assert response.status_code == 422  # Validation error

-        response = client.get(
-            "/api/v1/admin/products?skip=-1", headers=admin_headers
-        )
+        response = client.get("/api/v1/admin/products?skip=-1", headers=admin_headers)
        assert response.status_code == 422  # Validation error

    def test_json_validation(self, client, admin_headers, test_company):
@@ -51,8 +48,6 @@ class TestInputValidation:
        response = client.post(
            "/api/v1/admin/vendors",
            headers=admin_headers,
-            json={
-                "name": "Test Vendor"
-            },  # Missing required company_id, vendor_code
+            json={"name": "Test Vendor"},  # Missing required company_id, vendor_code
        )
        assert response.status_code == 422  # Validation error