Add unit and integration tests for Python ecosystem packages

- Created unit tests for `rag-pipeline` and `inference-orchestrator` covering various utility functions and classes.
- Implemented integration tests for both packages, ensuring full coverage of API endpoints and service interactions.
- Added scripts for running tests and checking coverage with customizable thresholds and HTML report generation.
- Introduced `.gitignore` files to exclude unnecessary files from version control.
- Updated README files to provide clear instructions on running tests and understanding the test structure.

Author: rostilos

java-ecosystem/services/pipeline-agent/src/it/java/org/rostilos/codecrow/pipelineagent/BasePipelineAgentIT.java

@@ -0,0 +1,138 @@
+package org.rostilos.codecrow.pipelineagent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.restassured.RestAssured;
+import io.restassured.specification.RequestSpecification;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.rostilos.codecrow.core.model.project.Project;
+import org.rostilos.codecrow.core.model.workspace.Workspace;
+import org.rostilos.codecrow.core.persistence.repository.project.ProjectRepository;
+import org.rostilos.codecrow.security.jwt.utils.JwtUtils;
+import org.rostilos.codecrow.testsupport.base.IntegrationTest;
+import org.rostilos.codecrow.testsupport.cleanup.DatabaseCleaner;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.server.LocalServerPort;
+
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
+import jakarta.transaction.Transactional;
+
+import static io.restassured.RestAssured.given;
+
+/**
+ * Base class for pipeline-agent integration tests.
+ * <p>
+ * Sets up Testcontainers PostgreSQL, REST Assured,
+ * and provides helpers for project-level JWT authentication.
+ * </p>
+ * <p>
+ * Authentication: Pipeline-agent uses project-level JWTs where
+ * the JWT subject is the project ID (numeric string). The
+ * {@link org.rostilos.codecrow.security.pipelineagent.jwt.ProjectInternalJwtFilter}
+ * validates these tokens and loads the Project from the database.
+ * </p>
+ */
+@IntegrationTest
+@SpringBootTest(
+        classes = ProcessingApplication.class,
+        webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+abstract class BasePipelineAgentIT {
+
+    @LocalServerPort
+    protected int port;
+
+    @Autowired
+    protected ObjectMapper objectMapper;
+
+    @Autowired
+    protected ProjectRepository projectRepository;
+
+    @Autowired
+    protected JwtUtils jwtUtils;
+
+    @Autowired
+    protected DatabaseCleaner databaseCleaner;
+
+    @PersistenceContext
+    protected EntityManager entityManager;
+
+    @BeforeAll
+    void setupRestAssured() {
+        RestAssured.port = port;
+        RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+    }
+
+    @BeforeEach
+    void cleanDatabase() {
+        databaseCleaner.cleanAll();
+    }
+
+    // ─── Authentication helpers ──────────────────────────
+
+    /**
+     * Create a request with a valid project JWT in the Authorization header.
+     *
+     * @param projectId the project ID to encode in the JWT subject
+     */
+    protected RequestSpecification projectAuthRequest(Long projectId) {
+        String token = jwtUtils.generateJwtTokenForUser(projectId, String.valueOf(projectId));
+        return given()
+                .header("Authorization", "Bearer " + token)
+                .contentType("application/json");
+    }
+
+    /**
+     * Create an unauthenticated request (no Authorization header).
+     */
+    protected RequestSpecification unauthenticatedRequest() {
+        return given()
+                .contentType("application/json");
+    }
+
+    // ─── Test data helpers ───────────────────────────────
+
+    /**
+     * Create a workspace and project in the database for testing.
+     * Returns the project ID.
+     */
+    @Transactional
+    protected Long createTestProject(String namespace, String projectName) {
+        // Create workspace first
+        Workspace workspace = new Workspace("test-ws", "Test Workspace", "Integration test workspace");
+        entityManager.persist(workspace);
+        entityManager.flush();
+
+        // Create project
+        Project project = new Project();
+        project.setWorkspace(workspace);
+        project.setNamespace(namespace);
+        project.setName(projectName);
+        entityManager.persist(project);
+        entityManager.flush();
+
+        return project.getId();
+    }
+
+    /**
+     * Create a workspace and project with a specific workspace slug.
+     * Returns the project ID.
+     */
+    @Transactional
+    protected Long createTestProject(String wsSlug, String namespace, String projectName) {
+        Workspace workspace = new Workspace(wsSlug, "Workspace " + wsSlug, "Test workspace");
+        entityManager.persist(workspace);
+        entityManager.flush();
+
+        Project project = new Project();
+        project.setWorkspace(workspace);
+        project.setNamespace(namespace);
+        project.setName(projectName);
+        entityManager.persist(project);
+        entityManager.flush();
+
+        return project.getId();
+    }
+}

java-ecosystem/services/pipeline-agent/src/it/java/org/rostilos/codecrow/pipelineagent/HealthCheckControllerIT.java

@@ -0,0 +1,47 @@
+package org.rostilos.codecrow.pipelineagent;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.Matchers.*;
+
+/**
+ * Integration tests for pipeline-agent HealthCheckController.
+ * Health endpoint is public — no authentication required.
+ */
+class HealthCheckControllerIT extends BasePipelineAgentIT {
+
+    @Test
+    @DisplayName("Health endpoint returns OK")
+    void healthEndpoint_returnsOk() {
+        given()
+        .when()
+            .get("/actuator/health")
+        .then()
+            .statusCode(200)
+            .body(equalTo("OK"));
+    }
+
+    @Test
+    @DisplayName("Health endpoint is accessible without auth")
+    void healthEndpoint_noAuth_accessible() {
+        unauthenticatedRequest()
+        .when()
+            .get("/actuator/health")
+        .then()
+            .statusCode(200);
+    }
+
+    @Test
+    @DisplayName("Health endpoint accepts any request method context")
+    void healthEndpoint_withInvalidToken_stillAccessible() {
+        given()
+            .header("Authorization", "Bearer invalid-token")
+        .when()
+            .get("/actuator/health")
+        .then()
+            .statusCode(200)
+            .body(equalTo("OK"));
+    }
+}

java-ecosystem/services/pipeline-agent/src/it/java/org/rostilos/codecrow/pipelineagent/PipelineActionControllerIT.java

@@ -0,0 +1,202 @@
+package org.rostilos.codecrow.pipelineagent;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.Matchers.*;
+
+/**
+ * Integration tests for ProviderPipelineActionController.
+ * Processing endpoints require project-level JWT authentication.
+ * The JWT subject must be the project ID, and the request body's
+ * projectId must match the JWT's subject.
+ */
+class PipelineActionControllerIT extends BasePipelineAgentIT {
+
+    @Nested
+    @DisplayName("POST /api/processing/webhook/pr")
+    class PrProcessing {
+
+        @Test
+        @DisplayName("PR processing — unauthenticated — 401")
+        void prProcessing_noAuth_returns401() {
+            unauthenticatedRequest()
+                .body("""
+                    {
+                        "projectId": 1,
+                        "pullRequestId": 42,
+                        "sourceBranch": "feature/test",
+                        "targetBranch": "main",
+                        "commitHash": "abc123",
+                        "rawDiff": "diff content",
+                        "changedFiles": []
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/pr")
+            .then()
+                .statusCode(401);
+        }
+
+        @Test
+        @DisplayName("PR processing — invalid JWT — 401")
+        void prProcessing_invalidToken_returns401() {
+            given()
+                .header("Authorization", "Bearer invalid.jwt.token")
+                .contentType("application/json")
+                .body("""
+                    {
+                        "projectId": 1,
+                        "pullRequestId": 42,
+                        "sourceBranch": "feature/test",
+                        "targetBranch": "main"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/pr")
+            .then()
+                .statusCode(401);
+        }
+
+        @Test
+        @DisplayName("PR processing — JWT for non-existent project — 404")
+        void prProcessing_nonExistentProject_returns404() {
+            projectAuthRequest(99999L)
+                .body("""
+                    {
+                        "projectId": 99999,
+                        "pullRequestId": 42,
+                        "sourceBranch": "feature/test",
+                        "targetBranch": "main"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/pr")
+            .then()
+                .statusCode(404);
+        }
+
+        @Test
+        @DisplayName("PR processing — project ID mismatch — 401")
+        void prProcessing_projectIdMismatch_returns401() {
+            Long projectId = createTestProject("pr-mismatch-ns", "Mismatch Project");
+
+            // JWT subject is projectId but body says different projectId
+            projectAuthRequest(projectId)
+                .body("""
+                    {
+                        "projectId": 99999,
+                        "pullRequestId": 42,
+                        "sourceBranch": "feature/test",
+                        "targetBranch": "main"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/pr")
+            .then()
+                .statusCode(401);
+        }
+
+        @Test
+        @DisplayName("PR processing — valid auth, valid project — accepted or processes")
+        void prProcessing_validAuth_accepted() {
+            Long projectId = createTestProject("pr-valid-ns", "Valid PR Project");
+
+            projectAuthRequest(projectId)
+                .body("""
+                    {
+                        "projectId": %d,
+                        "pullRequestId": 42,
+                        "sourceBranch": "feature/test",
+                        "targetBranch": "main",
+                        "commitHash": "abc123def456",
+                        "rawDiff": "diff --git a/file.txt b/file.txt",
+                        "changedFiles": [{"path": "file.txt", "status": "modified"}]
+                    }
+                    """.formatted(projectId))
+            .when()
+                .post("/api/processing/webhook/pr")
+            .then()
+                // The endpoint returns streaming NDJSON; may succeed or fail
+                // depending on external service availability, but auth should pass
+                .statusCode(anyOf(is(200), is(400), is(500)));
+        }
+    }
+
+    @Nested
+    @DisplayName("POST /api/processing/webhook/branch")
+    class BranchProcessing {
+
+        @Test
+        @DisplayName("Branch processing — unauthenticated — 401")
+        void branchProcessing_noAuth_returns401() {
+            unauthenticatedRequest()
+                .body("""
+                    {
+                        "projectId": 1,
+                        "branchName": "main",
+                        "commitHash": "abc123"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/branch")
+            .then()
+                .statusCode(401);
+        }
+
+        @Test
+        @DisplayName("Branch processing — invalid JWT — 401")
+        void branchProcessing_invalidToken_returns401() {
+            given()
+                .header("Authorization", "Bearer not-a-valid-jwt")
+                .contentType("application/json")
+                .body("""
+                    {
+                        "projectId": 1,
+                        "branchName": "main"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/branch")
+            .then()
+                .statusCode(401);
+        }
+
+        @Test
+        @DisplayName("Branch processing — JWT for non-existent project — 404")
+        void branchProcessing_nonExistentProject_returns404() {
+            projectAuthRequest(88888L)
+                .body("""
+                    {
+                        "projectId": 88888,
+                        "branchName": "main"
+                    }
+                    """)
+            .when()
+                .post("/api/processing/webhook/branch")
+            .then()
+                .statusCode(404);
+        }
+
+        @Test
+        @DisplayName("Branch processing — valid auth — accepted or processes")
+        void branchProcessing_validAuth_accepted() {
+            Long projectId = createTestProject("branch-valid-ns", "Valid Branch Project");
+
+            projectAuthRequest(projectId)
+                .body("""
+                    {
+                        "projectId": %d,
+                        "branchName": "main",
+                        "commitHash": "def456abc789"
+                    }
+                    """.formatted(projectId))
+            .when()
+                .post("/api/processing/webhook/branch")
+            .then()
+                .statusCode(anyOf(is(200), is(400), is(500)));
+        }
+    }
+}