fix: replace shared engine with pytest fixture for test isolation

Diogo Andre Passagem Santos · Diogo Andre Passagem Santos · commit 32ee772b829a · 2026-03-14T23:34:52.000Z
diff --git a/tests/test_policy.py b/tests/test_policy.py
@@ -39,39 +39,42 @@ def _cap(
     )
 
 
-engine = DefaultPolicyEngine()
+@pytest.fixture()
+def engine() -> DefaultPolicyEngine:
+    """Fresh engine per test to avoid shared rate-limit state."""
+    return DefaultPolicyEngine()
 
 
 # ── READ ───────────────────────────────────────────────────────────────────────
 
 
-def test_read_allowed_no_roles() -> None:
+def test_read_allowed_no_roles(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1")
     dec = engine.evaluate(_req("cap.r"), _cap("cap.r", SafetyClass.READ), p, justification="")
     assert dec.allowed is True
 
 
-def test_read_sets_max_rows_user() -> None:
+def test_read_sets_max_rows_user(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"])
     dec = engine.evaluate(_req("cap.r"), _cap("cap.r", SafetyClass.READ), p, justification="")
     assert dec.constraints["max_rows"] == 50
 
 
-def test_read_sets_max_rows_service() -> None:
+def test_read_sets_max_rows_service(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="svc1", roles=["service"])
     dec = engine.evaluate(_req("cap.r"), _cap("cap.r", SafetyClass.READ), p, justification="")
     assert dec.constraints["max_rows"] == 500
 
 
-def test_read_respects_tighter_constraint() -> None:
+def test_read_respects_tighter_constraint(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1")
     dec = engine.evaluate(
         _req("cap.r", max_rows=5), _cap("cap.r", SafetyClass.READ), p, justification=""
     )
     assert dec.constraints["max_rows"] == 5
 
 
-def test_read_tighter_constraint_cannot_exceed_cap() -> None:
+def test_read_tighter_constraint_cannot_exceed_cap(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1")
     dec = engine.evaluate(
         _req("cap.r", max_rows=9999), _cap("cap.r", SafetyClass.READ), p, justification=""
@@ -82,7 +85,7 @@ def test_read_tighter_constraint_cannot_exceed_cap() -> None:
 # ── WRITE ──────────────────────────────────────────────────────────────────────
 
 
-def test_write_denied_no_role() -> None:
+def test_write_denied_no_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"])
     with pytest.raises(PolicyDenied, match="writer.*admin"):
         engine.evaluate(
@@ -93,15 +96,15 @@ def test_write_denied_no_role() -> None:
         )
 
 
-def test_write_denied_short_justification() -> None:
+def test_write_denied_short_justification(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["writer"])
     with pytest.raises(PolicyDenied, match="justification"):
         engine.evaluate(
             _req("cap.w"), _cap("cap.w", SafetyClass.WRITE), p, justification="too short"
         )
 
 
-def test_write_denied_whitespace_justification() -> None:
+def test_write_denied_whitespace_justification(engine: DefaultPolicyEngine) -> None:
     """Whitespace-only justification must not bypass the length requirement."""
     p = Principal(principal_id="u1", roles=["writer"])
     with pytest.raises(PolicyDenied, match="justification"):
@@ -110,7 +113,7 @@ def test_write_denied_whitespace_justification() -> None:
         )
 
 
-def test_write_allowed_writer_role() -> None:
+def test_write_allowed_writer_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["writer"])
     dec = engine.evaluate(
         _req("cap.w"),
@@ -121,7 +124,7 @@ def test_write_allowed_writer_role() -> None:
     assert dec.allowed is True
 
 
-def test_write_allowed_admin_role() -> None:
+def test_write_allowed_admin_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["admin"])
     dec = engine.evaluate(
         _req("cap.w"),
@@ -135,7 +138,7 @@ def test_write_allowed_admin_role() -> None:
 # ── DESTRUCTIVE ────────────────────────────────────────────────────────────────
 
 
-def test_destructive_denied_short_justification() -> None:
+def test_destructive_denied_short_justification(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["admin"])
     with pytest.raises(PolicyDenied, match="DESTRUCTIVE capabilities require a justification"):
         engine.evaluate(
@@ -146,7 +149,7 @@ def test_destructive_denied_short_justification() -> None:
         )
 
 
-def test_destructive_denied_whitespace_justification() -> None:
+def test_destructive_denied_whitespace_justification(engine: DefaultPolicyEngine) -> None:
     """Whitespace-only justification must not bypass the length requirement."""
     p = Principal(principal_id="u1", roles=["admin"])
     with pytest.raises(PolicyDenied, match="justification"):
@@ -158,7 +161,7 @@ def test_destructive_denied_whitespace_justification() -> None:
         )
 
 
-def test_destructive_denied_no_admin() -> None:
+def test_destructive_denied_no_admin(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["writer"])
     with pytest.raises(PolicyDenied, match="admin"):
         engine.evaluate(
@@ -169,7 +172,7 @@ def test_destructive_denied_no_admin() -> None:
         )
 
 
-def test_destructive_allowed_admin() -> None:
+def test_destructive_allowed_admin(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["admin"])
     dec = engine.evaluate(
         _req("cap.d"),
@@ -183,35 +186,35 @@ def test_destructive_allowed_admin() -> None:
 # ── PII / PCI ──────────────────────────────────────────────────────────────────
 
 
-def test_pii_requires_tenant() -> None:
+def test_pii_requires_tenant(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"])
     cap = _cap("cap.pii", SafetyClass.READ, SensitivityTag.PII)
     with pytest.raises(PolicyDenied, match="tenant"):
         engine.evaluate(_req("cap.pii"), cap, p, justification="")
 
 
-def test_pii_allowed_with_tenant() -> None:
+def test_pii_allowed_with_tenant(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"], attributes={"tenant": "acme"})
     cap = _cap("cap.pii", SafetyClass.READ, SensitivityTag.PII)
     dec = engine.evaluate(_req("cap.pii"), cap, p, justification="")
     assert dec.allowed is True
 
 
-def test_pii_enforces_allowed_fields() -> None:
+def test_pii_enforces_allowed_fields(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"], attributes={"tenant": "acme"})
     cap = _cap("cap.pii", SafetyClass.READ, SensitivityTag.PII, allowed_fields=["id", "name"])
     dec = engine.evaluate(_req("cap.pii"), cap, p, justification="")
     assert dec.constraints.get("allowed_fields") == ["id", "name"]
 
 
-def test_pii_reader_skips_allowed_fields() -> None:
+def test_pii_reader_skips_allowed_fields(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader", "pii_reader"], attributes={"tenant": "acme"})
     cap = _cap("cap.pii", SafetyClass.READ, SensitivityTag.PII, allowed_fields=["id", "name"])
     dec = engine.evaluate(_req("cap.pii"), cap, p, justification="")
     assert "allowed_fields" not in dec.constraints
 
 
-def test_pci_requires_tenant() -> None:
+def test_pci_requires_tenant(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"])
     cap = _cap("cap.pci", SafetyClass.READ, SensitivityTag.PCI)
     with pytest.raises(PolicyDenied, match="tenant"):
@@ -221,43 +224,43 @@ def test_pci_requires_tenant() -> None:
 # ── SECRETS ────────────────────────────────────────────────────────────────────
 
 
-def test_secrets_denied_no_role() -> None:
+def test_secrets_denied_no_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["reader"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
     with pytest.raises(PolicyDenied, match="secrets_reader"):
         engine.evaluate(_req("cap.sec"), cap, p, justification="long enough justification here")
 
 
-def test_secrets_denied_short_justification() -> None:
+def test_secrets_denied_short_justification(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["secrets_reader"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
     with pytest.raises(PolicyDenied, match="justification"):
         engine.evaluate(_req("cap.sec"), cap, p, justification="too short")
 
 
-def test_secrets_denied_whitespace_justification() -> None:
+def test_secrets_denied_whitespace_justification(engine: DefaultPolicyEngine) -> None:
     """Whitespace-only justification must not bypass the length requirement."""
     p = Principal(principal_id="u1", roles=["secrets_reader"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
     with pytest.raises(PolicyDenied, match="justification"):
         engine.evaluate(_req("cap.sec"), cap, p, justification="               ")
 
 
-def test_secrets_allowed_secrets_reader_role() -> None:
+def test_secrets_allowed_secrets_reader_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["secrets_reader"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
     dec = engine.evaluate(_req("cap.sec"), cap, p, justification="long enough justification here")
     assert dec.allowed is True
 
 
-def test_secrets_allowed_admin_role() -> None:
+def test_secrets_allowed_admin_role(engine: DefaultPolicyEngine) -> None:
     p = Principal(principal_id="u1", roles=["admin"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
     dec = engine.evaluate(_req("cap.sec"), cap, p, justification="long enough justification here")
     assert dec.allowed is True
 
 
-def test_secrets_denied_writer_role() -> None:
+def test_secrets_denied_writer_role(engine: DefaultPolicyEngine) -> None:
     """Writer role is insufficient for SECRETS capabilities."""
     p = Principal(principal_id="u1", roles=["writer"])
     cap = _cap("cap.sec", SafetyClass.READ, SensitivityTag.SECRETS)
@@ -268,7 +271,7 @@ def test_secrets_denied_writer_role() -> None:
 # ── Confused-deputy binding (via token) ────────────────────────────────────────
 
 
-def test_max_rows_enforcement() -> None:
+def test_max_rows_enforcement(engine: DefaultPolicyEngine) -> None:
     """max_rows in constraints is capped by the policy ceiling."""
     p = Principal(principal_id="u1")
     dec = engine.evaluate(
@@ -277,7 +280,7 @@ def test_max_rows_enforcement() -> None:
     assert dec.constraints["max_rows"] == 50
 
 
-def test_max_rows_invalid_raises_policy_denied() -> None:
+def test_max_rows_invalid_raises_policy_denied(engine: DefaultPolicyEngine) -> None:
     """Non-numeric max_rows raises PolicyDenied, not bare ValueError."""
     p = Principal(principal_id="u1")
     with pytest.raises(PolicyDenied, match="Invalid 'max_rows'"):
@@ -289,7 +292,7 @@ def test_max_rows_invalid_raises_policy_denied() -> None:
         )
 
 
-def test_max_rows_negative_clamped_to_zero() -> None:
+def test_max_rows_negative_clamped_to_zero(engine: DefaultPolicyEngine) -> None:
     """Negative max_rows is clamped to 0."""
     p = Principal(principal_id="u1")
     dec = engine.evaluate(
