test(api): add rate limit and admin e2e tests, fix aggregate date query

- Add tests/test_rate_limit.py covering InMemoryRateLimiter, config
  registry, middleware skip behavior, decorator compatibility
- Add tests/e2e/test_admin_flow.py with 7 E2E tests for cleanup,
  inactive relations, wellness aggregate, and auth
- Fix aggregate_wellness date comparison: parse ISO string to
  datetime.date for asyncpg compatibility
- Add apps/worker/.env.example documenting worker config

Author: gahyun-git

apps/api/src/admin/repository.py

@@ -1,5 +1,6 @@
 """Admin-specific database queries."""
 
+import datetime as dt
 from datetime import datetime
 from typing import Any
 from uuid import UUID
@@ -85,7 +86,7 @@ async def aggregate_wellness(
         select(WellnessLog.status, func.count().label("count"))
         .where(
             WellnessLog.host_id == host_id,
-            func.date(WellnessLog.created_at) == date,
+            func.date(WellnessLog.created_at) == dt.date.fromisoformat(date),
         )
         .group_by(WellnessLog.status)
     )

apps/api/tests/e2e/test_admin_flow.py

@@ -0,0 +1,217 @@
+"""E2E: Admin endpoints — cleanup, inactive relations, wellness aggregate."""
+
+from datetime import UTC, datetime, timedelta
+from unittest.mock import patch
+
+import pytest
+from httpx import AsyncClient
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from src.notifications.model import DeviceToken
+from src.relations.model import CareRelation
+from src.users.model import User
+from src.wellness.model import WellnessLog
+from tests.e2e.conftest import CAREGIVER_USER_ID, HOST_USER_ID
+
+pytestmark = [
+    pytest.mark.filterwarnings("ignore::jwt.warnings.InsecureKeyLengthWarning"),
+]
+
+
+# ── Seed helpers ──────────────────────────────────────────────────
+async def _seed_host_and_caregiver(db: AsyncSession) -> tuple[User, User]:
+    """Insert host + caregiver users."""
+    host = User(
+        id=HOST_USER_ID,
+        email="host-admin@test.com",
+        name="Admin Host",
+        role="host",
+        provider="google",
+        provider_id="google-admin-host",
+        email_verified=True,
+    )
+    caregiver = User(
+        id=CAREGIVER_USER_ID,
+        email="cg-admin@test.com",
+        name="Admin Caregiver",
+        role="concierge",
+        provider="google",
+        provider_id="google-admin-cg",
+        email_verified=True,
+    )
+    db.add_all([host, caregiver])
+    await db.commit()
+    return host, caregiver
+
+
+# ── Tests ─────────────────────────────────────────────────────────
+
+
+class TestAdminCleanup:
+    async def test_cleanup_deletes_old_wellness_logs(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, _ = await _seed_host_and_caregiver(db_session)
+
+        # Insert old wellness log (120 days ago)
+        old_log = WellnessLog(
+            host_id=host.id,
+            status="normal",
+            summary="Old log",
+            details={},
+            created_at=datetime.now(UTC) - timedelta(days=120),
+        )
+        # Insert recent wellness log
+        new_log = WellnessLog(
+            host_id=host.id,
+            status="normal",
+            summary="Recent log",
+            details={},
+        )
+        db_session.add_all([old_log, new_log])
+        await db_session.commit()
+
+        resp = await client.post(
+            "/api/v1/admin/cleanup",
+            json={"retention_days": 90, "resource_type": "wellness_logs"},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["deleted_wellness_logs"] == 1
+        assert data["deactivated_tokens"] == 0
+
+    async def test_cleanup_deactivates_old_tokens(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, _ = await _seed_host_and_caregiver(db_session)
+
+        # Insert old device token
+        old_token = DeviceToken(
+            user_id=host.id,
+            token="old-fcm-token-001",  # noqa: S106
+            platform="android",
+            is_active=True,
+            updated_at=datetime.now(UTC) - timedelta(days=100),
+        )
+        db_session.add(old_token)
+        await db_session.commit()
+
+        resp = await client.post(
+            "/api/v1/admin/cleanup",
+            json={"retention_days": 90, "resource_type": "device_tokens"},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["deactivated_tokens"] == 1
+
+
+class TestAdminInactiveRelations:
+    async def test_list_inactive_relations(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, caregiver = await _seed_host_and_caregiver(db_session)
+
+        # Create active relation with no wellness logs → should be inactive
+        relation = CareRelation(
+            host_id=host.id,
+            caregiver_id=caregiver.id,
+            role="concierge",
+            is_active=True,
+        )
+        db_session.add(relation)
+        await db_session.commit()
+
+        resp = await client.get(
+            "/api/v1/admin/inactive-relations",
+            params={"threshold_days": 7},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert len(data) >= 1
+        found = [r for r in data if r["host_id"] == str(host.id)]
+        assert len(found) == 1
+        assert found[0]["role"] == "concierge"
+
+    async def test_active_relation_with_recent_log_excluded(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, caregiver = await _seed_host_and_caregiver(db_session)
+
+        relation = CareRelation(
+            host_id=host.id,
+            caregiver_id=caregiver.id,
+            role="concierge",
+            is_active=True,
+        )
+        recent_log = WellnessLog(
+            host_id=host.id,
+            status="normal",
+            summary="Just now",
+            details={},
+        )
+        db_session.add_all([relation, recent_log])
+        await db_session.commit()
+
+        resp = await client.get(
+            "/api/v1/admin/inactive-relations",
+            params={"threshold_days": 7},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        # Host with recent log should NOT appear
+        found = [r for r in data if r["host_id"] == str(host.id)]
+        assert len(found) == 0
+
+
+class TestAdminWellnessAggregate:
+    async def test_aggregate_returns_counts_by_status(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, _ = await _seed_host_and_caregiver(db_session)
+        today = datetime.now(UTC).strftime("%Y-%m-%d")
+
+        logs = [
+            WellnessLog(host_id=host.id, status="normal", summary="ok", details={}),
+            WellnessLog(host_id=host.id, status="normal", summary="ok2", details={}),
+            WellnessLog(host_id=host.id, status="warning", summary="hmm", details={}),
+        ]
+        db_session.add_all(logs)
+        await db_session.commit()
+
+        resp = await client.get(
+            "/api/v1/admin/wellness/aggregate",
+            params={"host_id": str(host.id), "date": today},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total_logs"] == 3
+        assert data["by_status"]["normal"] == 2
+        assert data["by_status"]["warning"] == 1
+
+    async def test_aggregate_empty_date(
+        self, client: AsyncClient, db_session: AsyncSession
+    ) -> None:
+        host, _ = await _seed_host_and_caregiver(db_session)
+
+        resp = await client.get(
+            "/api/v1/admin/wellness/aggregate",
+            params={"host_id": str(host.id), "date": "2020-01-01"},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total_logs"] == 0
+        assert data["by_status"] == {}
+
+
+class TestAdminAuth:
+    @patch("src.lib.internal_auth.settings")
+    async def test_missing_key_returns_401_when_configured(
+        self, mock_settings: object, client: AsyncClient
+    ) -> None:
+        """When INTERNAL_API_KEY is set, missing header returns 401."""
+        mock_settings.INTERNAL_API_KEY = "e2e-secret"  # type: ignore[attr-defined]
+        resp = await client.post(
+            "/api/v1/admin/cleanup",
+            json={"retention_days": 90},
+        )
+        assert resp.status_code == 401

apps/api/tests/test_rate_limit.py

@@ -0,0 +1,148 @@
+"""Tests for rate limiting: middleware, decorator, per-endpoint limits."""
+
+from unittest.mock import AsyncMock, patch
+
+import pytest
+from fastapi import Request
+from fastapi.testclient import TestClient
+
+from src.admin.schemas import CleanupResponse
+from src.lib.rate_limit import (
+    InMemoryRateLimiter,
+    RateLimitConfig,
+    default_key_func,
+    get_rate_limiter,
+    reset_rate_limiters,
+)
+
+pytestmark = [
+    pytest.mark.filterwarnings("ignore::jwt.warnings.InsecureKeyLengthWarning"),
+]
+
+
+# ── InMemoryRateLimiter unit tests ──────────────────────────────
+
+
+class TestInMemoryRateLimiter:
+    def test_allows_under_limit(self) -> None:
+        limiter = InMemoryRateLimiter(requests=5, window=60)
+        allowed, remaining, _ = limiter.is_allowed("key1")
+        assert allowed is True
+        assert remaining == 4
+
+    def test_blocks_over_limit(self) -> None:
+        limiter = InMemoryRateLimiter(requests=3, window=60)
+        for _ in range(3):
+            limiter.is_allowed("key1")
+        allowed, remaining, _ = limiter.is_allowed("key1")
+        assert allowed is False
+        assert remaining == 0
+
+    def test_different_keys_independent(self) -> None:
+        limiter = InMemoryRateLimiter(requests=2, window=60)
+        for _ in range(2):
+            limiter.is_allowed("key_a")
+        # key_a exhausted
+        allowed_a, _, _ = limiter.is_allowed("key_a")
+        assert allowed_a is False
+        # key_b still has quota
+        allowed_b, remaining_b, _ = limiter.is_allowed("key_b")
+        assert allowed_b is True
+        assert remaining_b == 1
+
+
+# ── Config-keyed limiter registry ───────────────────────────────
+
+
+class TestGetRateLimiter:
+    @patch("src.lib.rate_limit.settings")
+    def test_returns_in_memory_when_no_redis(self, mock_settings: object) -> None:
+        mock_settings.REDIS_URL = None  # type: ignore[attr-defined]
+        reset_rate_limiters()
+        config = RateLimitConfig(requests=10, window=60)
+        limiter = get_rate_limiter(config)
+        assert isinstance(limiter, InMemoryRateLimiter)
+
+    def test_same_config_returns_same_instance(self) -> None:
+        reset_rate_limiters()
+        config_a = RateLimitConfig(requests=10, window=60)
+        config_b = RateLimitConfig(requests=10, window=60)
+        assert get_rate_limiter(config_a) is get_rate_limiter(config_b)
+
+    def test_different_config_returns_different_instance(self) -> None:
+        reset_rate_limiters()
+        config_a = RateLimitConfig(requests=10, window=60)
+        config_b = RateLimitConfig(requests=20, window=60)
+        assert get_rate_limiter(config_a) is not get_rate_limiter(config_b)
+
+
+# ── Middleware tests ────────────────────────────────────────────
+
+
+class TestRateLimitMiddleware:
+    def test_health_endpoint_skips_rate_limit(self, client: TestClient) -> None:
+        """/health is skipped by middleware — no rate limit headers."""
+        resp = client.get("/health")
+        assert "X-RateLimit-Limit" not in resp.headers
+
+    def test_logout_endpoint_gets_rate_limit_headers(self, client: TestClient) -> None:
+        """Non-skipped endpoints should get rate limit headers."""
+        # POST /logout doesn't need DB — safe to call in unit tests
+        resp = client.post("/api/v1/auth/logout")
+        assert resp.status_code == 204
+        assert "X-RateLimit-Limit" in resp.headers
+        assert resp.headers["X-RateLimit-Limit"] == "100"
+
+    @patch("src.admin.service.cleanup_data")
+    def test_admin_endpoints_skip_rate_limit(
+        self, mock_cleanup: AsyncMock, client: TestClient
+    ) -> None:
+        """Admin endpoints should bypass rate limiting."""
+        mock_cleanup.return_value = CleanupResponse(
+            deleted_wellness_logs=0, deactivated_tokens=0
+        )
+        resp = client.post(
+            "/api/v1/admin/cleanup",
+            json={"retention_days": 90},
+        )
+        assert resp.status_code == 200
+        assert "X-RateLimit-Limit" not in resp.headers
+
+
+# ── Decorator tests ─────────────────────────────────────────────
+
+
+class TestRateLimitDecorator:
+    def test_login_rate_limit_decorator_preserves_validation(
+        self, client: TestClient
+    ) -> None:
+        """login endpoint has rate_limit(10, 60) — decorator doesn't break FastAPI."""
+        resp = client.post("/api/v1/auth/login", json={})
+        assert resp.status_code == 422
+
+    def test_refresh_rate_limit_decorator_preserves_validation(
+        self, client: TestClient
+    ) -> None:
+        """refresh endpoint has rate_limit(20, 60) — decorator doesn't break FastAPI."""
+        resp = client.post("/api/v1/auth/refresh", json={})
+        assert resp.status_code == 422
+
+
+# ── default_key_func ────────────────────────────────────────────
+
+
+class TestDefaultKeyFunc:
+    def test_uses_forwarded_for(self) -> None:
+        mock_request = AsyncMock(spec=Request)
+        mock_request.headers = {"X-Forwarded-For": "1.2.3.4, 5.6.7.8"}
+        mock_request.url.path = "/test"
+        key = default_key_func(mock_request)
+        assert key == "1.2.3.4:/test"
+
+    def test_uses_client_host(self) -> None:
+        mock_request = AsyncMock(spec=Request)
+        mock_request.headers = {}
+        mock_request.client.host = "127.0.0.1"
+        mock_request.url.path = "/api"
+        key = default_key_func(mock_request)
+        assert key == "127.0.0.1:/api"