Two stale unit-test groups left over from earlier intentional changes:

1. tests/unit/api/test_deps.py — TestGetCurrentStoreApi
get_current_store_api gained a leading `request: Request` param in
commit 6276e9e3 (terminal-device pairing) so the device-token path
could record last_seen IP. The three tests still passed `(creds, db)`
positionally, so `creds` bound to `request` and the function blew up
with `Session has no attribute 'credentials'`. Pass a mock request
first using the existing `_make_request` helper.

2. tests/unit/utils/test_page_context.py — TestBaseUrlCalculation
d591200d switched the storefront base_url builder to use
`store.subdomain or store.store_code` (lowercase slug) because the
store-context middleware resolves URLs by the lowercase slug; the
uppercase `store_code` is for internal use. Tests still asserted the
old uppercase shape. Update the two URL assertions to the lowercase
subdomain, invert `test_base_url_uses_store_code_not_subdomain` into
`test_base_url_uses_subdomain_not_store_code`, and add a fallback
test that exercises the `or store.store_code` path when subdomain
is None.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Move all auth schemas (UserContext, UserLogin, LoginResponse, etc.) from
legacy models/schema/auth.py to app/modules/tenancy/schemas/auth.py per
MOD-019. Update 84 import sites across 14 modules. Legacy file now
re-exports for backwards compatibility.

Add missing tenancy service methods for cross-module consumers:
- merchant_service.get_merchant_by_owner_id()
- merchant_service.get_merchant_count_for_owner()
- admin_service.get_user_by_id() (public, was private-only)
- platform_service.get_active_store_count()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add validate-security, validate-performance, validate-audit hooks
  to .pre-commit-config.yaml (previously only architecture was checked)
- Break single "Run all validators" CI step into 4 explicit steps
  (architecture, security, performance, audit) for clearer pipeline output
- Add noqa: SEC001 suppressions for test fixture hashed_password values

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cover all core authentication paths: helpers (_get_token_from_request,
_validate_user_token, _get_user_model, _validate_customer_token),
admin/store/merchant/customer auth (cookie + header + API variants),
optional auth, store permission factories, and store ownership checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>