Phase 1 MVP - Complete implementation

- Auth: register, login, JWT with refresh tokens, blocklist
- Projects/Folders/Documents CRUD with soft deletes
- Tags CRUD and assignment
- FTS5 search with highlights and tag filtering
- ADR-001, ADR-002, ADR-003 compliant
- Security fixes applied (JWT_SECRET_KEY, exception handler, cookie secure)
- 25 tests passing

tests/__init__.py

@@ -0,0 +1 @@
+# Tests package

tests/conftest.py

@@ -0,0 +1,54 @@
+import asyncio
+import os
+import pytest
+import pytest_asyncio
+from httpx import ASGITransport, AsyncClient
+from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker, AsyncSession
+
+# Set test database before importing app
+os.environ["DATABASE_URL"] = "sqlite+aiosqlite:///:memory:"
+
+from app.main import app
+from app.database import Base, get_db, async_engine
+
+
+@pytest.fixture(scope="session")
+def event_loop():
+    loop = asyncio.get_event_loop_policy().new_event_loop()
+    yield loop
+    loop.close()
+
+
+@pytest_asyncio.fixture(scope="function")
+async def db_session():
+    """Create a fresh in-memory database for each test."""
+    # Create tables
+    async with async_engine.begin() as conn:
+        # Import and run schema creation
+        from app.database import _create_schema
+        await conn.run_sync(_create_schema)
+
+    async_session = async_sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False)
+
+    async with async_session() as session:
+        yield session
+        await session.rollback()
+
+    # Drop all tables after test
+    async with async_engine.begin() as conn:
+        for table in reversed(Base.metadata.sorted_tables):
+            await conn.execute(table.delete())
+
+
+@pytest_asyncio.fixture(scope="function")
+async def client(db_session):
+    """Async HTTP client for testing."""
+    async def override_get_db():
+        yield db_session
+
+    app.dependency_overrides[get_db] = override_get_db
+
+    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as ac:
+        yield ac
+
+    app.dependency_overrides.clear()

tests/test_auth.py

@@ -0,0 +1,70 @@
+import pytest
+
+
+@pytest.mark.asyncio
+async def test_register(client):
+    response = await client.post(
+        "/api/v1/auth/register",
+        json={"username": "testuser", "password": "testpass123"}
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert data["username"] == "testuser"
+    assert data["role"] == "agent"
+    assert "id" in data
+
+
+@pytest.mark.asyncio
+async def test_register_duplicate(client):
+    await client.post("/api/v1/auth/register", json={"username": "dup", "password": "pass123"})
+    response = await client.post(
+        "/api/v1/auth/register",
+        json={"username": "dup", "password": "pass123"}
+    )
+    assert response.status_code == 400
+
+
+@pytest.mark.asyncio
+async def test_login(client):
+    await client.post("/api/v1/auth/register", json={"username": "loginuser", "password": "pass123"})
+    response = await client.post(
+        "/api/v1/auth/login",
+        json={"username": "loginuser", "password": "pass123"}
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert "access_token" in data
+    assert data["token_type"] == "bearer"
+
+
+@pytest.mark.asyncio
+async def test_login_invalid_password(client):
+    await client.post("/api/v1/auth/register", json={"username": "user1", "password": "pass123"})
+    response = await client.post(
+        "/api/v1/auth/login",
+        json={"username": "user1", "password": "wrongpass"}
+    )
+    assert response.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_me(client):
+    await client.post("/api/v1/auth/register", json={"username": "meuser", "password": "pass123"})
+    login_resp = await client.post(
+        "/api/v1/auth/login",
+        json={"username": "meuser", "password": "pass123"}
+    )
+    token = login_resp.json()["access_token"]
+
+    response = await client.get(
+        "/api/v1/auth/me",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["username"] == "meuser"
+
+
+@pytest.mark.asyncio
+async def test_me_unauthorized(client):
+    response = await client.get("/api/v1/auth/me")
+    assert response.status_code == 401

tests/test_documents.py

@@ -0,0 +1,136 @@
+import pytest
+
+
+async def setup_project_and_get_token(client):
+    await client.post("/api/v1/auth/register", json={"username": "docuser", "password": "pass123"})
+    login = await client.post("/api/v1/auth/login", json={"username": "docuser", "password": "pass123"})
+    token = login.json()["access_token"]
+    proj_resp = await client.post(
+        "/api/v1/projects",
+        json={"name": "Doc Test Project"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    return token, proj_resp.json()["id"]
+
+
+@pytest.mark.asyncio
+async def test_create_document(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    response = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "My Document", "content": "# Hello\n\nWorld"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert data["title"] == "My Document"
+    assert data["content"] == "# Hello\n\nWorld"
+    assert data["project_id"] == proj_id
+
+
+@pytest.mark.asyncio
+async def test_get_document(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    create_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Get Doc Test"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    doc_id = create_resp.json()["id"]
+    response = await client.get(
+        f"/api/v1/documents/{doc_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["title"] == "Get Doc Test"
+
+
+@pytest.mark.asyncio
+async def test_update_document_content(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    create_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Original Title", "content": "Original Content"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    doc_id = create_resp.json()["id"]
+    response = await client.put(
+        f"/api/v1/documents/{doc_id}/content",
+        json={"content": "Updated Content"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["content"] == "Updated Content"
+
+
+@pytest.mark.asyncio
+async def test_soft_delete_document(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    create_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "To Delete"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    doc_id = create_resp.json()["id"]
+    del_resp = await client.delete(
+        f"/api/v1/documents/{doc_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert del_resp.status_code == 204
+
+
+@pytest.mark.asyncio
+async def test_assign_tag(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    doc_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Tagged Doc"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    doc_id = doc_resp.json()["id"]
+    tag_resp = await client.post(
+        "/api/v1/tags",
+        json={"name": "important", "color": "#ff0000"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    tag_id = tag_resp.json()["id"]
+    assign_resp = await client.post(
+        f"/api/v1/documents/{doc_id}/tags",
+        json={"tag_ids": [tag_id]},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert assign_resp.status_code == 204
+
+    get_resp = await client.get(
+        f"/api/v1/documents/{doc_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert len(get_resp.json()["tags"]) == 1
+    assert get_resp.json()["tags"][0]["name"] == "important"
+
+
+@pytest.mark.asyncio
+async def test_remove_tag(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    doc_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Tagged Doc 2"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    doc_id = doc_resp.json()["id"]
+    tag_resp = await client.post(
+        "/api/v1/tags",
+        json={"name": "temp", "color": "#00ff00"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    tag_id = tag_resp.json()["id"]
+    await client.post(
+        f"/api/v1/documents/{doc_id}/tags",
+        json={"tag_ids": [tag_id]},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    remove_resp = await client.delete(
+        f"/api/v1/documents/{doc_id}/tags/{tag_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert remove_resp.status_code == 204

tests/test_folders.py

@@ -0,0 +1,90 @@
+import pytest
+
+
+async def setup_project(client, token):
+    resp = await client.post(
+        "/api/v1/projects",
+        json={"name": "Test Project"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    return resp.json()["id"]
+
+
+async def get_token(client):
+    await client.post("/api/v1/auth/register", json={"username": "folderuser", "password": "pass123"})
+    login = await client.post("/api/v1/auth/login", json={"username": "folderuser", "password": "pass123"})
+    return login.json()["access_token"]
+
+
+@pytest.mark.asyncio
+async def test_create_folder(client):
+    token = await get_token(client)
+    proj_id = await setup_project(client, token)
+    response = await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "Architecture"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert data["name"] == "Architecture"
+    assert data["project_id"] == proj_id
+    assert data["parent_id"] is None
+
+
+@pytest.mark.asyncio
+async def test_create_subfolder(client):
+    token = await get_token(client)
+    proj_id = await setup_project(client, token)
+    parent_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "Parent"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    parent_id = parent_resp.json()["id"]
+    child_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "Child", "parent_id": parent_id},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert child_resp.status_code == 201
+    assert child_resp.json()["parent_id"] == parent_id
+
+
+@pytest.mark.asyncio
+async def test_list_folders(client):
+    token = await get_token(client)
+    proj_id = await setup_project(client, token)
+    await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "Folder 1"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "Folder 2"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    response = await client.get(
+        f"/api/v1/projects/{proj_id}/folders",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert len(response.json()["folders"]) == 2
+
+
+@pytest.mark.asyncio
+async def test_soft_delete_folder(client):
+    token = await get_token(client)
+    proj_id = await setup_project(client, token)
+    folder_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/folders",
+        json={"name": "To Delete"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    folder_id = folder_resp.json()["id"]
+    del_resp = await client.delete(
+        f"/api/v1/folders/{folder_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert del_resp.status_code == 204

tests/test_projects.py

@@ -0,0 +1,98 @@
+import pytest
+
+
+async def get_token(client, username="projuser", password="pass123"):
+    await client.post("/api/v1/auth/register", json={"username": username, "password": password})
+    login = await client.post("/api/v1/auth/login", json={"username": username, "password": password})
+    return login.json()["access_token"]
+
+
+@pytest.mark.asyncio
+async def test_create_project(client):
+    token = await get_token(client)
+    response = await client.post(
+        "/api/v1/projects",
+        json={"name": "My Project", "description": "Description"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert data["name"] == "My Project"
+    assert data["description"] == "Description"
+
+
+@pytest.mark.asyncio
+async def test_list_projects(client):
+    token = await get_token(client)
+    await client.post("/api/v1/projects", json={"name": "Project 1"}, headers={"Authorization": f"Bearer {token}"})
+    await client.post("/api/v1/projects", json={"name": "Project 2"}, headers={"Authorization": f"Bearer {token}"})
+    response = await client.get("/api/v1/projects", headers={"Authorization": f"Bearer {token}"})
+    assert response.status_code == 200
+    assert len(response.json()["projects"]) == 2
+
+
+@pytest.mark.asyncio
+async def test_get_project(client):
+    token = await get_token(client)
+    create_resp = await client.post(
+        "/api/v1/projects", json={"name": "Get Test"}, headers={"Authorization": f"Bearer {token}"}
+    )
+    proj_id = create_resp.json()["id"]
+    response = await client.get(
+        f"/api/v1/projects/{proj_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["name"] == "Get Test"
+
+
+@pytest.mark.asyncio
+async def test_update_project(client):
+    token = await get_token(client)
+    create_resp = await client.post(
+        "/api/v1/projects", json={"name": "Original"}, headers={"Authorization": f"Bearer {token}"}
+    )
+    proj_id = create_resp.json()["id"]
+    response = await client.put(
+        f"/api/v1/projects/{proj_id}",
+        json={"name": "Updated"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["name"] == "Updated"
+
+
+@pytest.mark.asyncio
+async def test_soft_delete_project(client):
+    token = await get_token(client)
+    create_resp = await client.post(
+        "/api/v1/projects", json={"name": "To Delete"}, headers={"Authorization": f"Bearer {token}"}
+    )
+    proj_id = create_resp.json()["id"]
+
+    del_resp = await client.delete(
+        f"/api/v1/projects/{proj_id}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert del_resp.status_code == 204
+
+    # Should not appear in list
+    list_resp = await client.get("/api/v1/projects", headers={"Authorization": f"Bearer {token}"})
+    assert len(list_resp.json()["projects"]) == 0
+
+
+@pytest.mark.asyncio
+async def test_restore_project(client):
+    token = await get_token(client)
+    create_resp = await client.post(
+        "/api/v1/projects", json={"name": "To Restore"}, headers={"Authorization": f"Bearer {token}"}
+    )
+    proj_id = create_resp.json()["id"]
+    await client.delete(f"/api/v1/projects/{proj_id}", headers={"Authorization": f"Bearer {token}"})
+
+    restore_resp = await client.post(
+        f"/api/v1/projects/{proj_id}/restore",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert restore_resp.status_code == 200
+    assert restore_resp.json()["name"] == "To Restore"

tests/test_search.py

@@ -0,0 +1,69 @@
+import pytest
+
+
+async def setup_project_and_get_token(client):
+    await client.post("/api/v1/auth/register", json={"username": "searchuser", "password": "pass123"})
+    login = await client.post("/api/v1/auth/login", json={"username": "searchuser", "password": "pass123"})
+    token = login.json()["access_token"]
+    proj_resp = await client.post(
+        "/api/v1/projects",
+        json={"name": "Search Test Project"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    return token, proj_resp.json()["id"]
+
+
+@pytest.mark.asyncio
+async def test_search_basic(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Python Tutorial", "content": "Learn Python programming language"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Rust Tutorial", "content": "Learn Rust programming language"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    response = await client.get(
+        "/api/v1/search?q=Python",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    results = response.json()["results"]
+    assert len(results) == 1
+    assert results[0]["title"] == "Python Tutorial"
+
+
+@pytest.mark.asyncio
+async def test_search_returns_excerpt_with_highlight(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "FastAPI Guide", "content": "Building APIs with FastAPI framework"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    response = await client.get(
+        "/api/v1/search?q=FastAPI",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    results = response.json()["results"]
+    assert len(results) == 1
+    assert "**FastAPI**" in results[0]["excerpt"]
+
+
+@pytest.mark.asyncio
+async def test_search_no_results(client):
+    token, proj_id = await setup_project_and_get_token(client)
+    await client.post(
+        f"/api/v1/projects/{proj_id}/documents",
+        json={"title": "Random Doc", "content": "Some random content"},
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    response = await client.get(
+        "/api/v1/search?q=nonexistent",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    assert response.status_code == 200
+    assert len(response.json()["results"]) == 0