fix(ci): annotate cache.py:38 redis return type (CAR-1330 dev lint fix)

mypy no-any-return: annotate value: str | bytes | None so mypy doesn't widen redis client return to Any. Pre-existing dev branch issue blocking CAR-1356. Mirrors CAR-1340 uat fix (2b20946).
fix(ci): dedupe _public_limiter/_auth_limiter declarations in rate_limit.py (CAR-1330 dev lint fix)
2026-06-09 17:34:21 +00:00 · 2026-06-09 17:34:11 +00:00 · 2026-06-09 17:34:02 +00:00 · 2026-06-09 17:27:08 +00:00 · 2026-06-09 01:01:09 +00:00 · 2026-06-02 15:10:01 +00:00
6 changed files with 32 additions and 18 deletions
@@ -118,7 +118,7 @@ jobs:
          echo "CalVer tag: $VERSION"

      - name: Log in to Gitea Container Registry
-        run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin

      - name: Extract metadata
        id: meta
@@ -1,11 +0,0 @@
-{
-  "mcpServers": {
-    "gitea": {
-      "type": "http",
-      "url": "https://git-mcp.farh.net/mcp",
-      "headers": {
-        "Authorization": "Bearer ${GITEA_TOKEN}"
-      }
-    }
-  }
-}
@@ -4,8 +4,8 @@ import bcrypt


 def hash_password(password: str) -> str:
-    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+    return str(bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode())


 def verify_password(plain_password: str, hashed_password: str) -> bool:
-    return bcrypt.checkpw(plain_password.encode(), hashed_password.encode())
+    return bool(bcrypt.checkpw(plain_password.encode(), hashed_password.encode()))
@@ -35,7 +35,7 @@ class CacheClient:
    async def get(self, key: str) -> str | None:
        if not self._client:
            return None
-        value = await self._client.get(key)
+        value: str | bytes | None = await self._client.get(key)
        if value is None:
            return None
        if isinstance(value, bytes):
@@ -14,6 +14,7 @@ def _build_engine_kwargs() -> dict:
        kwargs.update(
            pool_size=10,
            max_overflow=20,
+            pool_timeout=30,
            pool_pre_ping=True,
            pool_recycle=3600,
        )
@@ -1,16 +1,40 @@
 """Health check and error metrics endpoints."""

-from fastapi import APIRouter, Depends
+import logging
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import AsyncSession

 from cartsnitch_api.auth.dependencies import verify_service_key
+from cartsnitch_api.database import get_db
 from cartsnitch_api.middleware.error_handler import get_error_monitor

+logger = logging.getLogger(__name__)
+
 router = APIRouter(tags=["health"])


@router.get("/health")
-async def health():
-    return {"status": "ok"}
+async def health(db: AsyncSession = Depends(get_db)):
+    """Liveness + DB connectivity probe.
+
+    Returns HTTP 200 when the API process is responsive *and* the database
+    is reachable, so Kubernetes readiness probes can correctly route traffic
+    away from pods that have lost their database connection.
+
+    Returns HTTP 503 when the database is unreachable so K8s marks the pod
+    unhealthy and stops sending traffic to it.
+    """
+    try:
+        await db.execute(text("SELECT 1"))
+    except Exception as exc:
+        logger.exception("Health check failed: database unreachable")
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail={"status": "unavailable", "database": "disconnected"},
+        ) from exc
+    return {"status": "ok", "database": "connected"}


@router.get("/internal/error-stats", dependencies=[Depends(verify_service_key)])
Author	SHA1	Message	Date
cs_betty	c1147590dd	fix(ci): annotate cache.py:38 redis return type (CAR-1330 dev lint fix) CI / lint (pull_request) Successful in 6s Details CI / typecheck (pull_request) Successful in 16s Details CI / test (pull_request) Successful in 21s Details CI / build-and-push (pull_request) Has been skipped Details mypy no-any-return: annotate value: str \| bytes \| None so mypy doesn't widen redis client return to Any. Pre-existing dev branch issue blocking CAR-1356. Mirrors CAR-1340 uat fix (`2b20946`).	2026-06-09 17:34:21 +00:00
cs_betty	94d6173054	fix(ci): dedupe _public_limiter/_auth_limiter declarations in rate_limit.py (CAR-1330 dev lint fix) CI / lint (pull_request) Successful in 7s Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details mypy no-redef: the second forward-decl block at line 124 was a duplicate of the block at line 111. Pre-existing dev branch issue blocking CAR-1356. Mirrors CAR-1340 uat fix (`2b20946`).	2026-06-09 17:34:11 +00:00
cs_betty	f59668bf0a	fix(ci): format tests/conftest.py (CAR-1330 dev lint fix) CI / lint (pull_request) Successful in 6s Details CI / build-and-push (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details Remove extra blank line at line 120. Pre-existing dev branch issue blocking CAR-1356 PR #50. Mirrors CAR-1340 uat fix (`2b20946`).	2026-06-09 17:34:02 +00:00
cs_betty	14b0e73cee	fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) CI / lint (pull_request) Failing after 4s Details CI / typecheck (pull_request) Failing after 17s Details CI / test (pull_request) Successful in 23s Details CI / build-and-push (pull_request) Has been skipped Details Parity fix with uat. Prevents reintroduction on next dev->uat promotion. The automatic github.token has no package/registry write scope; auth's proven-green ci.yml uses secrets.REGISTRY_TOKEN instead. cc @cpfarhood	2026-06-09 17:27:08 +00:00
Savannah Savings	3860a5d061	Merge pull request 'Fix CAR-1132: SQLite UUID binding and User.id defaults in test fixtures' (#42 ) from betty/car-1132-comprehensive-fix into dev CI / lint (push) Failing after 7s Details CI / typecheck (pull_request) Failing after 18s Details CI / test (pull_request) Successful in 22s Details CI / build-and-push (pull_request) Has been skipped Details CI / build-and-push (push) Has been skipped Details CI / typecheck (push) Failing after 17s Details CI / lint (pull_request) Failing after 3s Details CI / test (push) Successful in 22s Details	2026-06-09 01:01:09 +00:00
Savannah Savings	7a7aaca064	Fix PostgreSQL connection pool issues (CAR-1077) (#39 ) CI / build-and-push (push) Has been skipped Details CI / test (pull_request) Failing after 1m2s Details CI / build-and-push (pull_request) Has been skipped Details CI / lint (push) Successful in 5s Details CI / typecheck (push) Successful in 28s Details CI / lint (pull_request) Successful in 6s Details CI / test (push) Failing after 1m0s Details CI / typecheck (pull_request) Successful in 29s Details QA approved by Checkout Charlie; CTO Dev review approved by Savannah Savings. Adds pool_timeout=30 and DB-connectivity /health probe. Strict CI improvement (lint+typecheck green); remaining test failure pre-existing on dev, tracked under CAR-1132/PR#42.	2026-06-02 15:10:01 +00:00
Barcode Betty	76781ed238	style: fix ruff format in conftest.py CI / lint (pull_request) Successful in 5s Details CI / typecheck (pull_request) Successful in 29s Details CI / test (pull_request) Failing after 1m0s Details CI / build-and-push (pull_request) Has been skipped Details Add missing blank line between the _set_timestamp_defaults helper and the next top-level constant so `ruff format --check .` passes. Pre-existing on dev's HEAD; surfaced after rebasing PR #39 onto dev in `2b20946`. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-02 14:58:18 +00:00
Barcode Betty	2b20946ad7	fix: /health returns 503 on DB failure, pool_timeout=30, CI typecheck fixes CI / lint (pull_request) Failing after 4s Details CI / typecheck (pull_request) Failing after 25s Details CI / test (pull_request) Failing after 1m5s Details CI / build-and-push (pull_request) Has been skipped Details QA review of PR #39 (CAR-1121) identified three blocking issues; this commit addresses all three plus the typecheck errors flagged as CI RED. CAR-1077 (PR #39) changes: - database.py: add pool_timeout=30 so the engine fails fast when the connection pool is exhausted (defends against the "server closed connection unexpectedly" pod failures). - routes/health.py: /health now calls SELECT 1 through Depends(get_db) and raises HTTPException(503) when the database is unreachable, so Kubernetes readiness probes can correctly mark the pod unhealthy and stop routing traffic to it. Logs the failure at exception level for observability. - Drop .mcp.json from this PR (root-level MCP server config, not related to the pool fix; tracked separately). CI typecheck fixes (pre-existing on dev, were failing mypy on PR #39): - auth/passwords.py: cast bcrypt return values so mypy doesn't widen to Any. - config.py: silence the false-positive call-arg on Settings() — the three required fields are populated from the environment by pydantic-settings at runtime. - cache.py: coerce the bytes/str union returned by the redis client to the documented str \| None return type. - middleware/rate_limit.py: annotate the three module-level limiters with the RateLimitBackend protocol, cast the redis zrange score to float before arithmetic, and add max_requests/window_seconds to the protocol so the response-header builder can read them. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-02 14:53:16 +00:00