34 new tests (89 total, still ~0.1s).
test_settings.py — exercises BackendSettings directly with _env_file=None
so the developer's local .env does not leak in:
- default port ranges and invariants,
- non-integer / out-of-range port rejection,
- cpu_alert_th out-of-range rejection,
- env override roundtrip,
- extra="ignore" tolerates typos (regression: an unknown env var
should not crash startup).
test_metrics_schema.py — black-box tests of parse_metrics() with each
case named after the attack it guards against:
- happy path with full and partial (optional fields) payloads,
- every required field individually missing,
- every percentage field individually out of [0, 100],
- extra="forbid" rejects smuggled keys (e.g. {"injected": "<!channel>"}),
- unsafe device_id patterns (slashes, newlines, path traversal,
65-char overflow, empty string),
- invalid raw JSON,
- NaN / Infinity / -Infinity which json.loads accepts but the
schema (Field + the finite-value validator) rejects.
Richard Nixon
9413797a51