Status: active
Updated Feb 19, 2026, 8:37 PM
Policy ID js7a35tj87r011ybpdmh64vc2981e67t
Auth middleware boundary behavior must have contract tests.

Rationale:
- Regressions at the auth boundary create security incidents (requests admitted without a valid credential) and availability incidents (legitimate requests rejected).

Scope:
- PR review policy for Python services in this repository.
- Applies to code that decides authentication/authorization at request entry (middleware, route guards, shared auth dependencies/decorators).

Trigger:
- A PR adds or changes request-boundary auth decision logic that can return `401`/`403` or bypass auth for public routes.

Approval checks:
1) Missing authorization case (no `Authorization` header) is tested and asserts the status plus a stable contract signal (response body keys and/or a required header).
2) Invalid authorization scheme/format case (wrong scheme, malformed or empty credential) is tested and asserts the status plus a stable contract signal.
3) Valid authorization case is tested and proves that the request reached the downstream handler (for example, a response element only that handler produces), not merely that the status was not `401`.
4) If public routes are supported, bypass behavior is tested for at least one public route.

Evidence:
- Tests in the PR assert the status plus at least one contract element (a body schema key or a header) for every applicable case. Asserting on exact message text alone is not a stable contract signal.

Exception path:
- Allow deviation only when all of the following are true:
  1) PR description includes `Policy Exception: python-auth-middleware-contract-tests`.
  2) PR identifies the omitted case(s) and why they are not applicable.
  3) PR links equivalent boundary assurance (an integration test, or existing tests referenced by file and test name).

Decision:
- Return NOT APPROVED when the trigger is met and required contract cases are missing without a valid exception.
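What approval checks 1 to 4 look like in practice, as an added example that is not the repository's own middleware or test code: a minimal request-boundary middleware plus one contract case per check. The `Request`/`Response` shapes, the static token table, the public-route list and the `handled` marker are hypothetical stand-ins chosen so the example runs offline; a real service would verify a signed token and use its framework's test client.

```python
"""Added example (hypothetical, not the repository's code): a minimal
request-boundary auth middleware and the four contract cases the policy
requires. Each case asserts the status plus a stable contract signal
(a body key and a header), never just the status or the message text."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical). A real service would verify a signed
# token; a static table keeps the example offline and deterministic.
TOKENS = {"tok-alice-1": "alice"}
PUBLIC_PATHS = {"/healthz", "/login"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    principal: Optional[str] = None  # attached by the middleware on success


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def downstream_handler(request):
    """Stand-in for the protected route. The 'handled' key is the pass-through
    proof: only this function emits it, so its presence shows the request
    crossed the boundary (check 3)."""
    return Response(200, {"handled": request.path, "user": request.principal})


class AuthMiddleware:
    def __init__(self, app, public_paths, tokens):
        self.app = app
        self.public_paths = frozenset(public_paths)
        self.tokens = dict(tokens)

    def __call__(self, request):
        # Public-route bypass by exact path match. This assumes the path was
        # normalised (dot segments, trailing slashes) before reaching here;
        # matching on raw paths is a classic bypass.
        if request.path in self.public_paths:
            return self.app(request)
        raw = _header(request.headers, "Authorization")
        if raw is None:
            return Response(401, {"error": "missing_authorization"},
                            {"WWW-Authenticate": "Bearer"})
        scheme, _, credential = raw.strip().partition(" ")
        credential = credential.strip()
        if scheme.lower() != "bearer" or not credential:
            return Response(401, {"error": "invalid_authorization"},
                            {"WWW-Authenticate": 'Bearer error="invalid_request"'})
        principal = None
        # Compare as bytes in constant time: compare_digest rejects non-ASCII
        # str input, and a plain == leaks timing on a secret comparison.
        for token, owner in self.tokens.items():
            if hmac.compare_digest(credential.encode(), token.encode()):
                principal = owner
        if principal is None:
            return Response(401, {"error": "invalid_token"},
                            {"WWW-Authenticate": 'Bearer error="invalid_token"'})
        request.principal = principal
        return self.app(request)


def build_app():
    return AuthMiddleware(downstream_handler, PUBLIC_PATHS, TOKENS)


def _denied_with_contract(resp):
    # Status plus body key plus header: the contract, not the message text.
    return resp.status == 401 and "error" in resp.body and "WWW-Authenticate" in resp.headers


def case_missing_authorization(app):  # check 1
    return _denied_with_contract(app(Request("/orders")))


def case_invalid_scheme_or_format(app):  # check 2
    samples = ("Basic dXNlcjpwYXNz", "Bearer", "Bearer ", "tok-alice-1")
    return all(_denied_with_contract(app(Request("/orders", {"authorization": v})))
               for v in samples)


def case_valid_pass_through(app):  # check 3
    resp = app(Request("/orders", {"Authorization": "Bearer tok-alice-1"}))
    return (resp.status == 200 and resp.body.get("handled") == "/orders"
            and resp.body.get("user") == "alice")


def case_public_route_bypass(app):  # check 4
    resp = app(Request("/healthz"))
    return (resp.status == 200 and resp.body.get("handled") == "/healthz"
            and resp.body.get("user") is None)


def run_contract_cases():
    """Returns {case_name: passed}; every value must be True for approval."""
    app = build_app()
    return {
        "missing_authorization": case_missing_authorization(app),
        "invalid_scheme_or_format": case_invalid_scheme_or_format(app),
        "valid_pass_through": case_valid_pass_through(app),
        "public_route_bypass": case_public_route_bypass(app),
    }


if __name__ == "__main__":
    for name, ok in run_contract_cases().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point for reviewers: the valid case asserts on a marker only the downstream handler can produce, because a `200` from the middleware itself (for example from a short-circuiting cache or a mis-ordered guard) would otherwise satisfy a status-only test; and the denial cases assert on the body key and the `WWW-Authenticate` header rather than the message, so clients can depend on them and wording changes do not break the contract.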