feat(04-01): add Wave 0 xfail stubs for DOC-02, ADMIN-06, SEC-08, SEC-09

- test_documents.py: append 4 stubs (content_stream 200, 206, admin_403, no_presigned_url) - test_audit.py: create new file with 4 stubs (viewer, no_doc_content, user_403, export_csv) - test_security.py: create new file with 2 stubs (credentials_enc_not_in_response, delete_user_cleans_files) - All stubs: xfail(strict=False), body is pytest.xfail("not implemented yet")
2026-05-25 18:25:18 +02:00
parent e0075989df
commit c8a0443ad2
3 changed files with 108 additions and 0 deletions
@@ -0,0 +1,36 @@
+"""
+Security invariant tests — Wave 0 xfail stubs for Phase 4.
+
+All tests in this file are xfail stubs. They will be implemented in Plans
+04-06 and 04-08 (security hardening). The stubs ensure pytest collects them
+and keeps CI green before implementation code exists.
+
+Requirements: SEC-08 (credentials_enc exclusion), SEC-09 (delete-user-cleans-files).
+"""
+from __future__ import annotations
+
+import os
+
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# SEC-08: credentials_enc never in API response
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.xfail(strict=False)
+async def test_credentials_enc_not_in_response(async_client, auth_user):
+    """No API response for current user includes credentials_enc field."""
+    pytest.xfail("not implemented yet")
+
+
+# ---------------------------------------------------------------------------
+# SEC-09: Delete user cleans up MinIO objects
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.xfail(strict=False)
+async def test_delete_user_cleans_files(async_client, admin_user):
+    """Admin DELETE /api/admin/users/{id} triggers MinIO object deletion before DB removal."""
+    pytest.xfail("not implemented yet")