fred-core 3.2.0__tar.gz → 3.4.0__tar.gz

{fred_core-3.2.0 → fred_core-3.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fred-core
-Version: 3.2.0
+Version: 3.4.0
 Summary: Core shared utilities for Fred backends (config, storage, security, and runtime helpers).
 Author-email: Thales <noreply@thalesgroup.com>
 License: Apache-2.0

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/common/config_loader.py

@@ -14,15 +14,49 @@
 
 from __future__ import annotations
 
+import sys
 from typing import Callable, TypeVar
 
 import yaml
+from pydantic import ValidationError
 
 from .config_files import ConfigFiles
 
 TConfig = TypeVar("TConfig")
 
 
+def _render_config_error_banner(config_file: str, error: Exception) -> None:
+    """Print a loud, unmissable configuration-error banner to stderr.
+
+    A misconfigured service must not start silently and fail later with an
+    opaque error inside a request handler. We surface the root cause in red at
+    startup. Colours are emitted only on a TTY so log files stay clean.
+    """
+    use_colour = sys.stderr.isatty()
+    red = "\033[1;31m" if use_colour else ""
+    reset = "\033[0m" if use_colour else ""
+    bar = "=" * 78
+
+    if isinstance(error, ValidationError):
+        details = "\n".join(
+            f"  - {' -> '.join(str(p) for p in err['loc']) or '(root)'}: {err['msg']}"
+            for err in error.errors()
+        )
+    else:
+        details = f"  - {error}"
+
+    print(
+        f"\n{red}{bar}\n"
+        f"  CONFIGURATION ERROR — refusing to start\n"
+        f"  file: {config_file}\n"
+        f"{bar}{reset}\n"
+        f"{details}\n"
+        f"{red}{bar}{reset}\n",
+        file=sys.stderr,
+        flush=True,
+    )
+
+
 def parse_yaml_mapping_file(config_file: str) -> dict:
     """Load a YAML file and ensure it is a non-empty mapping."""
     with open(config_file, encoding="utf-8") as file:
@@ -42,7 +76,13 @@ def load_configuration_with_config_files(
     """Load env + config path using ConfigFiles and parse via callback."""
     config_files.load_environment(dotenv_path)
     config_file = config_files.resolve_config_file_path()
-    configuration = parser(config_file)
+    try:
+        configuration = parser(config_file)
+    except (ValidationError, ValueError) as exc:
+        # Render the root cause in red and stop, rather than letting an opaque
+        # traceback (or a deferred runtime 401) bury what is wrong.
+        _render_config_error_banner(config_file, exc)
+        raise SystemExit(1) from exc
     config_files.mark_config_loaded(config_file)
     return configuration
 

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/common/structures.py

@@ -16,7 +16,7 @@ import os
 from enum import Enum
 from typing import Annotated, Any, Dict, Literal, Optional, Union
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, model_validator
 
 
 class OwnerFilter(str, Enum):
@@ -81,6 +81,25 @@ class OpenSearchStoreConfig(BaseModel):
     secure: bool = Field(default=False, description="Use TLS (https)")
     verify_certs: bool = Field(default=False, description="Verify TLS certs")
 
+    @model_validator(mode="after")
+    def _require_password(self) -> "OpenSearchStoreConfig":
+        """Fail fast at config load if OpenSearch is configured without credentials.
+
+        Reaching this validator means a ``storage.opensearch`` block is present in
+        the active configuration, so the service genuinely depends on OpenSearch.
+        A missing password only surfaces later as an opaque HTTP 401 deep inside a
+        request handler — we convert it into an actionable startup failure instead.
+        """
+        if not self.password:
+            raise ValueError(
+                f"OpenSearch is configured (host={self.host!r}, username="
+                f"{self.username!r}) but no password was provided. "
+                "Set the OPENSEARCH_PASSWORD environment variable (in your .env) "
+                "to the OpenSearch password for this user, or remove the "
+                "storage.opensearch block if OpenSearch is not used."
+            )
+        return self
+
 
 class OpenSearchIndexConfig(BaseModel):
     type: Literal["opensearch"]

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/documents/__init__.py

@@ -38,6 +38,7 @@ from fred_core.documents.document_structures import (
     Tagging,
 )
 from fred_core.documents.postgres_document_store import PostgresDocumentMetadataStore
+from fred_core.documents.tag_models import TagRow
 
 __all__ = [
     # Pydantic models / enums
@@ -64,4 +65,5 @@ __all__ = [
     "DocumentMetadataDeserializationError",
     "DocumentMetadataRow",
     "PostgresDocumentMetadataStore",
+    "TagRow",
 ]

fred_core-3.4.0/fred_core/documents/tag_models.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+from datetime import datetime
+
+from sqlalchemy import String
+from sqlalchemy.orm import Mapped, mapped_column
+
+from fred_core.models.base import Base, JsonColumn, TimestampColumn
+
+
+class TagRow(Base):
+    """ORM model for the ``tag`` table — shared between knowledge-flow and the importer."""
+
+    __tablename__ = "tag"
+
+    tag_id: Mapped[str] = mapped_column(String, primary_key=True)
+    created_at: Mapped[datetime | None] = mapped_column(TimestampColumn, nullable=True)
+    updated_at: Mapped[datetime | None] = mapped_column(
+        TimestampColumn, index=True, nullable=True
+    )
+    owner_id: Mapped[str | None] = mapped_column(String, index=True, nullable=True)
+    name: Mapped[str | None] = mapped_column(String, index=True, nullable=True)
+    path: Mapped[str | None] = mapped_column(String, index=True, nullable=True)
+    description: Mapped[str | None] = mapped_column(String, nullable=True)
+    type: Mapped[str | None] = mapped_column(String, index=True, nullable=True)
+    doc: Mapped[dict | None] = mapped_column(JsonColumn, nullable=True)

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/history/base_history_store.py

@@ -148,6 +148,22 @@ class BaseHistoryStore(ABC):
         """
         raise NotImplementedError
 
+    async def session_exists(
+        self,
+        session_id: str,
+    ) -> bool:
+        """
+        Return True iff any history row exists for ``session_id`` (any owner).
+
+        Why this exists:
+        - paired with :meth:`session_belongs_to_user`, this lets a caller enforce a
+          private-per-owner policy: a session that EXISTS but does not belong to the
+          authenticated user must be refused (RUNTIME-07 rev. 2, finding F-C). It
+          distinguishes a brand-new session (allow — the caller becomes owner) from
+          another user's session (deny).
+        """
+        raise NotImplementedError
+
 
 class NoOpHistoryStore(BaseHistoryStore):
     """
@@ -199,3 +215,9 @@ class NoOpHistoryStore(BaseHistoryStore):
         user_id: str,
     ) -> bool:
         return False
+
+    async def session_exists(
+        self,
+        session_id: str,
+    ) -> bool:
+        return False

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/history/postgres_history_store.py

@@ -368,6 +368,21 @@ class PostgresHistoryStore(BaseHistoryStore):
             )
             return (result.scalar() or 0) > 0
 
+    async def session_exists(
+        self,
+        session_id: str,
+        session: AsyncSession | None = None,
+    ) -> bool:
+        """Return True iff any history row exists for ``session_id`` (any owner)."""
+        await self._ensure_tables()
+        async with use_session(self._sessions, session) as s:
+            result = await s.execute(
+                select(func.count()).where(
+                    SessionHistoryRow.session_id == session_id,
+                )
+            )
+            return (result.scalar() or 0) > 0
+
     # ------------------------------------------------------------------
     # Rank helper
     # ------------------------------------------------------------------

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/security/oidc.py

@@ -28,7 +28,11 @@ from fastapi.security import OAuth2PasswordBearer
 from jwt import PyJWKClient
 
 from fred_core.common import ThreadSafeLRUCache, get_config, read_env_bool
-from fred_core.security.structure import KeycloakUser, UserSecurity
+from fred_core.security.structure import (
+    KeycloakUser,
+    SecurityConfiguration,
+    UserSecurity,
+)
 from fred_core.security.whitelist_access_control.access_control import (
     is_user_whitelisted,
     is_whitelist_active,
@@ -138,6 +142,54 @@ def initialize_user_security(config: UserSecurity):
     )
 
 
+def apply_security_profile(config: SecurityConfiguration) -> None:
+    """
+    Enforce a hardened security profile at startup (RUNTIME-07 rev. 2, F5/F6).
+
+    When ``security.profile == 'c3'``:
+    - force strict JWT issuer + audience validation (closes F5 soft defaults),
+    - require user + m2m auth enabled — no no-security / mock-admin (F6),
+    - require ReBAC (OpenFGA) enabled, so the pod authorizes every request and
+      fails closed (no permissive Noop engine).
+
+    The control-plane issues NO signed grant; authorization is decided at the pod
+    by a Keycloak JWT + OpenFGA check. Raises ValueError on any violation so the
+    service FAILS CLOSED — it refuses to start in an insecure configuration rather
+    than silently degrading. No-op for any non-c3 profile (dev behavior unchanged).
+    """
+    global STRICT_ISSUER, STRICT_AUDIENCE
+
+    if config.profile != "c3":
+        return
+
+    STRICT_ISSUER = True
+    STRICT_AUDIENCE = True
+
+    violations: list[str] = []
+    if not config.user.enabled:
+        violations.append(
+            "security.user.enabled must be true (no-security/mock-admin is forbidden)"
+        )
+    if not config.m2m.enabled:
+        violations.append("security.m2m.enabled must be true")
+    rebac = config.rebac
+    if rebac is None or not rebac.enabled:
+        violations.append(
+            "security.rebac.enabled must be true (pod-side OpenFGA authorization "
+            "is mandatory and must fail closed)"
+        )
+
+    if violations:
+        raise ValueError(
+            "C3 security profile violations (refusing to start): "
+            + "; ".join(violations)
+        )
+
+    logger.info(
+        "[SECURITY] C3 profile active: strict issuer+audience, OpenFGA ReBAC enforced"
+    )
+
+
 def split_realm_url(realm_url: str) -> tuple[str, str]:
     """
     Split a Keycloak realm URL like:
@@ -281,18 +333,16 @@ def decode_jwt(token: str) -> KeycloakUser:
         _iso(payload_peek.get("nbf")),
     )
 
-    # Soft checks (warn-only unless STRICT_* enabled)
+    # Soft observability logs only. Strict enforcement (C3) happens in jwt.decode
+    # below, on the SIGNATURE-VERIFIED payload, via exact issuer/audience.
     iss = payload_peek.get("iss")
     aud = payload_peek.get("aud")
-    if iss and KEYCLOAK_URL and not str(iss).startswith(KEYCLOAK_URL):
+    if iss and KEYCLOAK_URL and str(iss) != KEYCLOAK_URL:
         logger.warning(
-            "[SECURITY] JWT issuer mismatch (soft): iss=%s expected_prefix=%s",
+            "[SECURITY] JWT issuer mismatch (soft): iss=%s expected=%s",
             iss,
             KEYCLOAK_URL,
         )
-        if STRICT_ISSUER:
-            raise HTTPException(status_code=401, detail="Invalid token issuer")
-
     if KEYCLOAK_CLIENT_ID:
         aud_list = aud if isinstance(aud, list) else [aud] if aud else []
         if KEYCLOAK_CLIENT_ID not in aud_list:
@@ -301,8 +351,6 @@ def decode_jwt(token: str) -> KeycloakUser:
                 aud_list,
                 KEYCLOAK_CLIENT_ID,
             )
-            if STRICT_AUDIENCE:
-                raise HTTPException(status_code=401, detail="Invalid token audience")
 
     # JWKS fetch + decode
     try:
@@ -320,15 +368,23 @@ def decode_jwt(token: str) -> KeycloakUser:
             headers={"WWW-Authenticate": "Bearer error='invalid_token'"},
         )
 
+    # Under the C3 profile, STRICT_AUDIENCE/STRICT_ISSUER are set: PyJWT then
+    # enforces exact audience (== client_id) and exact issuer (== realm URL) on the
+    # verified payload, and rejects a confused `alg` (algorithms pinned to RS256).
+    # In dev (soft) we keep verification of signature + expiry only.
+    verify_aud = bool(STRICT_AUDIENCE and KEYCLOAK_CLIENT_ID)
+    expected_audience: str | None = KEYCLOAK_CLIENT_ID if verify_aud else None
+    expected_issuer: str | None = (
+        KEYCLOAK_URL if (STRICT_ISSUER and KEYCLOAK_URL) else None
+    )
     try:
         payload = jwt.decode(
             token,
             signing_key,
             algorithms=["RS256"],
-            options={
-                "verify_exp": True,
-                "verify_aud": False,
-            },  # we do soft aud check above
+            audience=expected_audience,
+            issuer=expected_issuer,
+            options={"verify_exp": True, "verify_aud": verify_aud},
             leeway=CLOCK_SKEW_SECONDS,
         )
         logger.debug("[SECURITY] JWT token successfully decoded")

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/security/structure.py

@@ -101,3 +101,12 @@ class SecurityConfiguration(BaseModel):
     user: UserSecurity
     authorized_origins: List[AnyHttpUrl] = []
     rebac: RebacConfiguration | None = None
+    profile: Literal["c3"] | None = Field(
+        default=None,
+        description=(
+            "Hardened security profile (RUNTIME-07). 'c3' forces strict JWT "
+            "issuer/audience validation, forbids no-security/mock-admin, and "
+            "requires OpenFGA ReBAC enabled (pod-side authorization, fail-closed) "
+            "— failing startup otherwise. The control-plane issues no signed grant."
+        ),
+    )

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/tasks/__init__.py

@@ -19,10 +19,13 @@ from fred_core.tasks.models import (
     IngestionDetail,
     IngestionProcessingProfile,
     IngestionTaskEvent,
+    MigrationDetail,
+    MigrationTaskEvent,
     StartEvaluationParams,
     StartEvaluationRequest,
     StartIngestionParams,
     StartIngestionRequest,
+    StartMigrationRequest,
     StartTaskRequest,
     StartTaskResponse,
     TaskEvent,
@@ -51,6 +54,8 @@ __all__ = [
     "IngestionProcessingProfile",
     "TaskEvent",
     "IngestionTaskEvent",
+    "MigrationDetail",
+    "MigrationTaskEvent",
     "EvaluationTaskEvent",
     "TaskLogEvent",
     "IngestionDetail",
@@ -59,6 +64,7 @@ __all__ = [
     "StartTaskRequest",
     "StartTaskResponse",
     "StartIngestionRequest",
+    "StartMigrationRequest",
     "StartIngestionParams",
     "StartEvaluationRequest",
     "StartEvaluationParams",

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/tasks/models.py

@@ -113,8 +113,20 @@ class TaskLogEvent(_TaskEventBase):
     detail: TaskLogDetail
 
 
+class MigrationDetail(BaseModel):
+    step_id: str
+    processed: int
+    total: int
+    failed: int
+
+
+class MigrationTaskEvent(_TaskEventBase):
+    kind: Literal["migration"] = "migration"
+    detail: MigrationDetail | None = None
+
+
 TaskEvent = Annotated[
-    Union[IngestionTaskEvent, EvaluationTaskEvent, TaskLogEvent],
+    Union[IngestionTaskEvent, EvaluationTaskEvent, TaskLogEvent, MigrationTaskEvent],
     Field(discriminator="kind"),
 ]
 
@@ -141,8 +153,12 @@ class StartEvaluationRequest(BaseModel):
     params: StartEvaluationParams
 
 
+class StartMigrationRequest(BaseModel):
+    kind: Literal["migration"] = "migration"
+
+
 StartTaskRequest = Annotated[
-    Union[StartIngestionRequest, StartEvaluationRequest],
+    Union[StartIngestionRequest, StartEvaluationRequest, StartMigrationRequest],
     Field(discriminator="kind"),
 ]
 

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/tasks/service.py

@@ -24,6 +24,7 @@ from fred_core.scheduler import SchedulerBackend, TemporalClientProvider
 from fred_core.tasks.bus import IEventBus, MemoryEventBus, PostgresEventBus
 from fred_core.tasks.models import (
     IngestionTaskEvent,
+    MigrationTaskEvent,
     StartTaskRequest,
     StartTaskResponse,
     TaskEvent,
@@ -193,6 +194,16 @@ class TaskService:
                 owner=run.created_by,
                 detail=TaskLogDetail(level=level, message=message),
             )
+        if run.kind == "migration":
+            return MigrationTaskEvent(
+                task_id=run.task_id,
+                state=state,
+                seq=0,  # reassigned by record()
+                timestamp=_utcnow(),
+                error=message,
+                target=target,
+                owner=run.created_by,
+            )
         # ingestion (and any future progress-counter kind) — detail is optional
         return IngestionTaskEvent(
             task_id=run.task_id,

{fred_core-3.2.0 → fred_core-3.4.0}/fred_core/tests/common/test_config_loader.py

@@ -81,3 +81,31 @@ def test_load_configuration_with_config_files_tracks_loaded_paths(
     assert configuration == {"app": {"name": "fred"}}
     assert config_files.get_loaded_env_file_path() == str(env_file)
     assert config_files.get_loaded_config_file_path() == str(config_file)
+
+
+def test_load_configuration_renders_banner_and_exits_on_error(
+    tmp_path, monkeypatch, capsys
+) -> None:
+    config_file = tmp_path / "configuration.yaml"
+    config_file.write_text("app:\n  name: fred\n", encoding="utf-8")
+
+    monkeypatch.delenv("ENV_FILE", raising=False)
+    monkeypatch.delenv("CONFIG_FILE", raising=False)
+
+    config_files = ConfigFiles(
+        logger=logging.getLogger("fred_core.tests.config_loader"),
+        default_config_file=str(config_file),
+    )
+
+    def failing_parser(_path: str) -> dict:
+        raise ValueError("Set the OPENSEARCH_PASSWORD environment variable")
+
+    with pytest.raises(SystemExit) as exc_info:
+        load_configuration_with_config_files(config_files, failing_parser)
+
+    assert exc_info.value.code == 1
+    err = capsys.readouterr().err
+    assert "CONFIGURATION ERROR" in err
+    assert "OPENSEARCH_PASSWORD" in err
+    # An aborted load must not record the config as successfully loaded.
+    assert config_files.get_loaded_config_file_path() is None

fred_core-3.4.0/fred_core/tests/common/test_structures.py

@@ -0,0 +1,47 @@
+# Copyright Thales 2026
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+import pytest
+from pydantic import ValidationError
+
+from fred_core.common import OpenSearchStoreConfig
+
+
+def test_opensearch_config_requires_password(monkeypatch) -> None:
+    monkeypatch.delenv("OPENSEARCH_PASSWORD", raising=False)
+
+    with pytest.raises(ValidationError, match="OPENSEARCH_PASSWORD"):
+        OpenSearchStoreConfig(host="https://localhost:9200", username="admin")
+
+
+def test_opensearch_config_password_from_env(monkeypatch) -> None:
+    monkeypatch.setenv("OPENSEARCH_PASSWORD", "secret")  # pragma: allowlist secret
+
+    cfg = OpenSearchStoreConfig(host="https://localhost:9200", username="admin")
+
+    assert cfg.password == "secret"  # nosec B105  # pragma: allowlist secret
+
+
+def test_opensearch_config_explicit_password_wins(monkeypatch) -> None:
+    monkeypatch.delenv("OPENSEARCH_PASSWORD", raising=False)
+
+    cfg = OpenSearchStoreConfig(
+        host="https://localhost:9200",
+        username="admin",
+        password="inline",  # nosec B106  # pragma: allowlist secret
+    )
+
+    assert cfg.password == "inline"  # nosec B105  # pragma: allowlist secret

fred_core-3.4.0/fred_core/tests/security/test_oidc_strict.py

@@ -0,0 +1,101 @@
+# Copyright Thales 2026
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+
+"""Strict JWT validation under the C3 profile (RUNTIME-07 rev. 2, finding F-E).
+
+When STRICT_ISSUER / STRICT_AUDIENCE are set, decode_jwt must enforce EXACT issuer
+and audience on the signature-verified payload (PyJWT verify_aud=True), not a
+prefix/peek check. These tests sign real RS256 tokens and mock only the JWKS key
+resolution.
+"""
+
+from __future__ import annotations
+
+import time
+from types import SimpleNamespace
+
+import jwt as pyjwt
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from fastapi import HTTPException
+
+from fred_core.security import oidc
+
+_REALM = "http://localhost:8080/realms/app"
+_CLIENT = "app"
+
+
+@pytest.fixture
+def _rsa_keypair():
+    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    priv_pem = key.private_bytes(
+        serialization.Encoding.PEM,
+        serialization.PrivateFormat.PKCS8,
+        serialization.NoEncryption(),
+    )
+    return priv_pem, key.public_key()
+
+
+@pytest.fixture(autouse=True)
+def _strict_keycloak(monkeypatch, _rsa_keypair):
+    _, public_key = _rsa_keypair
+    monkeypatch.setattr(oidc, "KEYCLOAK_ENABLED", True)
+    monkeypatch.setattr(oidc, "KEYCLOAK_URL", _REALM)
+    monkeypatch.setattr(oidc, "KEYCLOAK_CLIENT_ID", _CLIENT)
+    monkeypatch.setattr(oidc, "STRICT_ISSUER", True)
+    monkeypatch.setattr(oidc, "STRICT_AUDIENCE", True)
+    monkeypatch.setattr(
+        oidc,
+        "_get_jwks_client",
+        lambda: SimpleNamespace(
+            get_signing_key_from_jwt=lambda token: SimpleNamespace(key=public_key)
+        ),
+    )
+
+
+def _token(priv_pem: bytes, *, iss: str, aud: str, sub: str = "u-1") -> str:
+    return pyjwt.encode(
+        {
+            "iss": iss,
+            "aud": aud,
+            "sub": sub,
+            "preferred_username": "alice",
+            "exp": int(time.time()) + 3600,
+        },
+        priv_pem,
+        algorithm="RS256",
+    )
+
+
+def test_strict_accepts_exact_issuer_and_audience(_rsa_keypair):
+    priv_pem, _ = _rsa_keypair
+    user = oidc.decode_jwt(_token(priv_pem, iss=_REALM, aud=_CLIENT))
+    assert user.uid == "u-1"
+
+
+def test_strict_rejects_wrong_audience(_rsa_keypair):
+    priv_pem, _ = _rsa_keypair
+    with pytest.raises(HTTPException) as exc:
+        oidc.decode_jwt(_token(priv_pem, iss=_REALM, aud="some-other-client"))
+    assert exc.value.status_code == 401
+
+
+def test_strict_rejects_wrong_issuer(_rsa_keypair):
+    priv_pem, _ = _rsa_keypair
+    with pytest.raises(HTTPException) as exc:
+        oidc.decode_jwt(
+            _token(priv_pem, iss="http://evil/realms/app", aud=_CLIENT, sub="u-2")
+        )
+    assert exc.value.status_code == 401
+
+
+def test_strict_rejects_issuer_prefix_attack(_rsa_keypair):
+    """A prefix-matching issuer must be rejected under exact-match strict mode."""
+    priv_pem, _ = _rsa_keypair
+    with pytest.raises(HTTPException) as exc:
+        oidc.decode_jwt(
+            _token(priv_pem, iss=_REALM + ".evil.com", aud=_CLIENT, sub="u-3")
+        )
+    assert exc.value.status_code == 401