fix(auth): eliminate duplicate DB sessions in auth and RBAC middleware (#3886)

* fix: eliminate duplicate DB sessions in auth and RBAC middleware

Implements session reuse pattern from PR #3600 and PR #3813 to achieve
1 shared database session per request across all middleware layers.

**Changes:**
- Auth middleware: Added _get_or_create_session() helper to reuse
  request.state.db from ObservabilityMiddleware (lines 134, 159, 213)
- RBAC middleware: Updated deprecated get_db() to accept optional
  request parameter and reuse middleware session when available
- Transaction control: Delegated all commit/rollback to get_db() per
  PR #3813 (removed db.commit() from auth middleware)
- Added 7 unit tests for auth session reuse patterns
- Added 7 unit tests for RBAC get_db() deprecation
- Added 6 integration tests for end-to-end session sharing validation

**Impact:**
- Reduces session creation from 4-6 per request to 1 per request
- Prevents connection pool exhaustion under load
- Achieves 100% test coverage (435 statements, 0 missing)

**Security:**
- Transaction isolation maintained (get_db() controls all commits)
- Connection invalidation for PgBouncer compatibility
- Backwards compatible (existing dependency overrides work)

Closes #3622

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>

* fix: ensure auth logs are committed in hard-deny paths

Fixes critical bug where auth failure logs were lost when API requests
received hard-deny responses (401/403) that return JSONResponse immediately
without reaching get_db().

**Root Cause:**
- Auth middleware writes logs to session but delegated commit to get_db()
- Hard-deny API responses return JSONResponse immediately (lines 243-247)
- Route handler never runs, get_db() never called, logs never committed
- Browser requests work fine (continue to route handler at line 236)

**Fix:**
- Added db.commit() after logging in both success and failure paths
- Logs persist immediately, even if request doesn't reach get_db()
- For requests that continue to route handler, get_db() commits again (no-op)
- SQLAlchemy allows multiple commits - second commit is safe

**Test Coverage:**
- Added regression test: test_auth_failure_logs_committed_before_hard_deny_api_response
- All 29 auth middleware tests pass
- Maintained 100% code coverage

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>

* fix(build): use system uv binary consistently in Makefile

Replace hardcoded 'uv' commands with $(UV_BIN) variable reference
across all targets to ensure consistent resolution of the uv binary
path. Export UV_BIN to make it available to recursive make calls.

This fixes build failures where make targets tried to execute
'uv' from inside the activated virtual environment, where it
doesn't exist. The uv tool is a system-level package manager
and should be resolved from the system PATH or ~/.local/bin.

Changes:
- Use $(UV_BIN) in install, install-dev, install-db, update targets
- Use $(UV_BIN) in ensure_pip_package macro (fixes recursive make)
- Use $(UV_BIN) in sbom, alembic, pypiserver, maturin targets
- Export UV_BIN for visibility in child make processes

Benefits:
- Fixes "No such file or directory" errors for uv
- Makes Makefile more robust across different uv installations
- Maintains existing fallback logic (PATH or ~/.local/bin/uv)
- No breaking changes for existing setups

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>

* fix(auth): prevent stale session reference and ensure log persistence

Fix two bugs in auth middleware session handling:

1. _get_or_create_session() stored newly created sessions in
   request.state.db but then closed them after logging, leaving a stale
   closed-session reference for downstream get_db() to find. Remove the
   request.state.db assignment for owned sessions so route handlers
   create their own sessions via get_db().

2. Generic Exception path (non-HTTP auth failures) did not commit
   security logs before closing the owned session, silently losing log
   entries. Add db.commit() consistent with the success and hard-deny
   paths.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(auth): rollback shared session on logging failure and rewrite integration tests

Address two findings from code review:

1. When security logging raises an exception (commit failure, connection
   error), the shared session from ObservabilityMiddleware is left in
   PendingRollbackError state.  Downstream call_next()/get_db() then
   inherits a broken session.  Add db.rollback() (with invalidate()
   fallback) in all three exception handlers — matching the pattern
   used by ObservabilityMiddleware and main.py:get_db().

2. Rewrite integration tests: the originals targeted nonexistent routes
   (/api/v1/servers, /admin/llm/providers) and had assertions too weak
   to catch regressions (session_count <= 1 passes when 0 sessions are
   created).  New tests directly exercise _get_or_create_session(),
   rbac.get_db() reuse, shared-session rollback, and the full
   middleware stack via /health.

Test coverage: 100% (460 statements, 0 missing) across both auth
middleware and rbac modules.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: update secrets baseline after rebase

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: exclude .npmrc from sdist to fix check-manifest

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mohan Lakshmaiah <mohan.economist@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>

Author: MohanLaksh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|Cargo.lock|^.secrets.baseline$|scripts/sign_image.sh|scripts/zap|sonar-project.properties|^/Users/brian/dev/github.ibm.com/contextforge-org/sps-pipeline-config/.secrets.baseline$|^./.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-03-30T23:20:07Z",
+  "generated_at": "2026-03-31T10:20:49Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -344,71 +344,71 @@
         "hashed_secret": "844c398e469ef3fb919da3778944365ab2175fb7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 367,
+        "line_number": 368,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "319037749ce37e577db0b3628c7f90e333544391",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 792,
+        "line_number": 793,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6ae2832e494d1098e8901fe156083e39399a24f1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 794,
+        "line_number": 795,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "9d989e8d27dc9e0ec3389fc855f142c3d40f0c50",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1497,
+        "line_number": 1498,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "d3ac7a4ef1a838b4134f2f6e7f3c0d249d74b674",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5836,
+        "line_number": 5837,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "5932862bcd24dd27d0dc0407ec94fe9d6ea24aeb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6333,
+        "line_number": 6334,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "c77c805e32f173e4321ee9187de9c29cb3804513",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6345,
+        "line_number": 6346,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "8fe3df8a68ddd0d4ab2214186cbb8e38ccd0e06a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6417,
+        "line_number": 6418,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "93ac8946882128457cd9e283b30ca851945e6690",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 7520,
+        "line_number": 7521,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -8316,15 +8316,15 @@
         "hashed_secret": "ab73a3eaca01a7059dcdff6f95556ec7fd83de96",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1388,
+        "line_number": 1389,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "92dd4a2de441b63e6ac51fdb81a05a416dffd182",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1475,
+        "line_number": 1476,
         "type": "Secret Keyword",
         "verified_result": null
       }

MANIFEST.in

@@ -192,6 +192,7 @@ exclude .hadolint.yaml
 exclude .ruff.toml
 exclude .pre-commit-config.yaml
 exclude .secrets.baseline
+exclude .npmrc
 
 # Backup and temporary files
 global-exclude *~

Makefile

@@ -146,8 +146,8 @@ endef
 define ensure_pip_package
 	@test -d "$(VENV_DIR)" || $(MAKE) venv
 	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
-		uv pip show $(1) >/dev/null 2>&1 || \
-		uv pip install -q $(1)"
+		$(UV_BIN) pip show $(1) >/dev/null 2>&1 || \
+		$(UV_BIN) pip install -q $(1)"
 endef
 
 # =============================================================================
@@ -178,6 +178,7 @@ uv:
 
 # UV_BIN: prefer uv in PATH, fallback to ~/.local/bin/uv
 UV_BIN := $(shell type -p uv 2>/dev/null || echo "$(HOME)/.local/bin/uv")
+export UV_BIN
 
 .PHONY: venv
 venv: uv
@@ -192,15 +193,15 @@ activate:
 
 .PHONY: install
 install: venv
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install ."
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install ."
 
 .PHONY: install-db
 install-db: venv
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install .[redis,postgres]"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install .[redis,postgres]"
 
 .PHONY: install-dev
 install-dev: venv
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install --group dev ."
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install --group dev ."
 	@if [ "$(ENABLE_RUST_BUILD)" = "1" ]; then \
 		echo "🦀 Building Rust plugins..."; \
 		$(MAKE) rust-dev || echo "⚠️  Rust plugins not available (optional)"; \
@@ -211,7 +212,7 @@ install-dev: venv
 .PHONY: update
 update:
 	@echo "⬆️   Updating installed dependencies..."
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install -U --group dev ."
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install -U --group dev ."
 
 # help: check-env            - Verify all required env vars in .env are present
 .PHONY: check-env check-env-dev
@@ -2987,7 +2988,7 @@ mutmut-clean:
 .PHONY: ensure-pip-licenses pip-licenses license-check scc scc-report
 
 ensure-pip-licenses:
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install -q pip-licenses"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install -q pip-licenses"
 
 pip-licenses: ensure-pip-licenses
 	@mkdir -p $(dir $(LICENSES_MD))
@@ -3865,9 +3866,9 @@ tox:                                ## 🧪  Multi-Python tox matrix (uv)
 sbom: uv							## 🛡️  Generate SBOM & security report
 	@echo "🛡️   Generating SBOM & security report..."
 	@rm -Rf "$(VENV_DIR).sbom"
-	@uv venv "$(VENV_DIR).sbom"
-	@/bin/bash -c "source $(VENV_DIR).sbom/bin/activate && uv pip install .[dev]"
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install -q cyclonedx-bom sbom2doc"
+	@$(UV_BIN) venv "$(VENV_DIR).sbom"
+	@/bin/bash -c "source $(VENV_DIR).sbom/bin/activate && $(UV_BIN) pip install .[dev]"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install -q cyclonedx-bom sbom2doc"
 	@echo "🔍  Generating SBOM from environment..."
 	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
 		python3 -m cyclonedx_py environment \
@@ -6317,7 +6318,7 @@ LOCAL_PYPI_AUTH := $(LOCAL_PYPI_DIR)/.htpasswd
 
 local-pypi-install:
 	@echo "📦  Installing pypiserver..."
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install 'pypiserver>=2.3.0' passlib"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install 'pypiserver>=2.3.0' passlib"
 	@mkdir -p $(LOCAL_PYPI_DIR)
 
 local-pypi-start: local-pypi-install local-pypi-stop
@@ -6409,7 +6410,7 @@ local-pypi-test:
 local-pypi-clean: clean dist local-pypi-start-auth local-pypi-upload-auth local-pypi-test
 	@echo "🎉  Full local PyPI cycle complete!"
 	@echo "📊  Package info:"
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip show $(PROJECT_NAME)"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip show $(PROJECT_NAME)"
 
 # Convenience target to restart server
 local-pypi-restart: local-pypi-stop local-pypi-start
@@ -6587,7 +6588,7 @@ devpi-test:
 devpi-clean: clean dist devpi-upload devpi-test
 	@echo "🎉  Full devpi cycle complete!"
 	@echo "📊  Package info:"
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip show mcp-contextforge-gateway"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip show mcp-contextforge-gateway"
 
 .PHONY: devpi-status
 devpi-status:
@@ -6756,7 +6757,7 @@ shell-linters-install:     ## 🔧  Install shellcheck, shfmt, bashate
 	if ! $(VENV_DIR)/bin/bashate -h >/dev/null 2>&1 ; then \
 	  echo "🛠  Installing bashate (into venv)..." ; \
 	  test -d "$(VENV_DIR)" || $(MAKE) venv ; \
-	  /bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install -q bashate" ; \
+	  /bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install -q bashate" ; \
 	fi
 	@echo "✅  Shell linters ready."
 
@@ -6823,7 +6824,7 @@ ALEMBIC_CONFIG = mcpgateway/alembic.ini
 
 alembic-install:
 	@echo "➜ Installing Alembic ..."
-	@/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install -q alembic sqlalchemy"
+	@/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install -q alembic sqlalchemy"
 
 .PHONY: db-init
 db-init: ## Initialize alembic migrations
@@ -8171,7 +8172,7 @@ rust-ensure-deps:                       ## Ensure Rust toolchain, maturin, and a
 	@if ! command -v maturin > /dev/null 2>&1; then \
 		if [ -f "$(VENV_DIR)/bin/activate" ]; then \
 			echo "📦 Installing maturin into venv..."; \
-			/bin/bash -c "source $(VENV_DIR)/bin/activate && uv pip install maturin"; \
+			/bin/bash -c "source $(VENV_DIR)/bin/activate && $(UV_BIN) pip install maturin"; \
 		elif command -v pip > /dev/null 2>&1; then \
 			echo "📦 Installing maturin globally (venv not found)..."; \
 			pip install maturin; \