roksta 0.2.7__cp314-cp314t-macosx_10_13_universal2.whl → 0.3.1__cp314-cp314t-macosx_10_13_universal2.whl

tests/functions/{api_v0_01 → api_v1_01}/test__openai_proxy.py

@@ -7,7 +7,8 @@ from unittest.mock import patch
 
 
 # Ensure the functions/ directory is importable as a top-level module location
-PROJECT_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))
+# Project root is three levels up from this test file (tests/functions/api_v1_00/...)
+PROJECT_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
 FUNCTIONS_DIR = os.path.join(PROJECT_ROOT, 'functions')
 if FUNCTIONS_DIR not in sys.path:
     sys.path.insert(0, FUNCTIONS_DIR)
@@ -22,6 +23,8 @@ _names_to_fake = [
     'utils',
     'auth',
     'openai',
+    'firebase_admin',
+    'billing',
 ]
 for name in _names_to_fake:
     _orig_sys_modules[name] = sys.modules.get(name)
@@ -82,12 +85,7 @@ auth_mod.validate_auth_key = _fake_validate_auth_key
 sys.modules['auth'] = auth_mod
 
 # Fake openai module with APIError and a default OpenAI class
-repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
-functions_root = os.path.join(repo_root, 'functions')
-module_path = os.path.join(functions_root, 'api_v0_01', '_openai_proxy.py')
-spec = importlib.util.spec_from_file_location('api_v0_01._openai_proxy', module_path)
-_openai = importlib.util.module_from_spec(spec)
-spec.loader.exec_module(_openai)
+openai_mod = types.ModuleType('openai')
 
 class APIError(Exception):
     pass
@@ -107,12 +105,42 @@ class DummyOpenAI:
         raise NotImplementedError("parse not implemented for dummy client")
 
 
-_openai.OpenAI = DummyOpenAI
-_openai.APIError = APIError
-sys.modules['openai'] = _openai
+openai_mod.OpenAI = DummyOpenAI
+openai_mod.APIError = APIError
+sys.modules['openai'] = openai_mod
+
+# Fake billing module to satisfy imports in v1_00 _openai_proxy (billing helpers)
+billing_mod = types.ModuleType('billing')
+
+def _fake_ensure_balance_positive(db, user_id):
+    return (True, 100.0)
+
+def _fake_calculate_cost(model_id, input_tokens, output_tokens):
+    return 0.0
+
+def _fake_bill_with_retry(db, user_id, model_id, usage, cost, reason='usage'):
+    return ("ok", 100.0)
+
+billing_mod.ensure_balance_positive = _fake_ensure_balance_positive
+billing_mod.calculate_cost = _fake_calculate_cost
+billing_mod.bill_with_retry = _fake_bill_with_retry
+sys.modules['billing'] = billing_mod
+
+# Fake firebase_admin module providing a minimal firestore.client to avoid
+# attempting to initialize the real Firebase SDK during tests
+firebase_admin_mod = types.ModuleType('firebase_admin')
+firebase_admin_mod.firestore = types.SimpleNamespace(client=lambda: types.SimpleNamespace(), Client=type('Client', (), {}))
+sys.modules['firebase_admin'] = firebase_admin_mod
 
 # Import the module under test after preparing the fake imports
-_openai = importlib.import_module('_openai_proxy')
+# Use a package-qualified import to ensure we always import the v1_00 implementation
+repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
+functions_root = os.path.join(repo_root, 'functions')
+module_path = os.path.join(functions_root, 'api_v1_00', '_openai_proxy.py')
+spec = importlib.util.spec_from_file_location('api_v1_00._openai_proxy', module_path)
+_openai = importlib.util.module_from_spec(spec)
+spec.loader.exec_module(_openai)
+
 
 # Restore original sys.modules mappings to avoid side-effects for other tests
 for name, orig in _orig_sys_modules.items():
@@ -317,12 +345,15 @@ def test_successful_create_calls_openai_and_returns_payload():
         def create(self, **params):
             class FakeResp:
                 def model_dump(self_inner, mode='json'):
-                    return {'result': 'ok', 'received_model': params.get('model')}
+                    return {'result': 'ok', 'received_model': params.get('model'), 'usage': {'input_tokens': 1, 'output_tokens': 2}}
             return FakeResp()
 
     with patch.object(_openai, 'validate_auth_key', return_value=True), \
          patch.object(_openai, 'verify_firebase_token', return_value={}), \
          patch.object(_openai, 'get_api_key', return_value='OPENAI-KEY'), \
+         patch.object(_openai, 'ensure_balance_positive', return_value=(True, 100.0)), \
+         patch.object(_openai, 'bill_with_retry', return_value=("ok", 95.0)), \
+         patch.object(_openai.firestore, 'client', return_value=types.SimpleNamespace()), \
          patch.object(_openai.openai, 'OpenAI', FakeClient):
         resp = _openai._openai_proxy(req)
 
@@ -364,12 +395,15 @@ def test_successful_parse_calls_openai_and_returns_parsed_and_usage():
             # detect whether text_format was left as a string
             is_text_format_string = isinstance(params.get('text_format'), str)
             parsed = {'result': 'ok', 'received_model': params.get('model'), 'is_text_format_string': is_text_format_string}
-            usage = {'prompt_tokens': 5}
+            usage = {'input_tokens': 1, 'output_tokens': 2, 'prompt_tokens': 5}
             return FakeResp(parsed, usage)
 
     with patch.object(_openai, 'validate_auth_key', return_value=True), \
          patch.object(_openai, 'verify_firebase_token', return_value={}), \
          patch.object(_openai, 'get_api_key', return_value='OPENAI-KEY'), \
+         patch.object(_openai, 'ensure_balance_positive', return_value=(True, 100.0)), \
+         patch.object(_openai, 'bill_with_retry', return_value=("ok", 95.0)), \
+         patch.object(_openai.firestore, 'client', return_value=types.SimpleNamespace()), \
          patch.object(_openai.openai, 'OpenAI', FakeClient2):
         resp = _openai._openai_proxy(req)
 
@@ -380,7 +414,7 @@ def test_successful_parse_calls_openai_and_returns_parsed_and_usage():
     assert payload['payload']['output_parsed']['received_model'] == 'gem-model'
     # The proxy should have replaced the text_format string with the model (i.e., not a string)
     assert payload['payload']['output_parsed']['is_text_format_string'] is False
-    assert payload['payload']['usage'] == {'prompt_tokens': 5}
+    assert payload['payload']['usage']['prompt_tokens'] == 5
 
 
 def test_openai_api_error_with_status_code_is_returned_as_error_status():
@@ -404,6 +438,8 @@ def test_openai_api_error_with_status_code_is_returned_as_error_status():
     with patch.object(_openai, 'validate_auth_key', return_value=True), \
          patch.object(_openai, 'verify_firebase_token', return_value={}), \
          patch.object(_openai, 'get_api_key', return_value='OPENAI-KEY'), \
+         patch.object(_openai, 'ensure_balance_positive', return_value=(True, 100.0)), \
+         patch.object(_openai.firestore, 'client', return_value=types.SimpleNamespace()), \
          patch.object(_openai.openai, 'OpenAI', ErrClient):
         resp = _openai._openai_proxy(req)
 

tests/functions/{api_v0_01 → api_v1_01}/test__redeem_credit_code.py

@@ -92,8 +92,8 @@ sys.modules['firebase_admin'] = firebase_admin
 # -----------------------------
 repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
 functions_root = os.path.join(repo_root, 'functions')
-module_path = os.path.join(functions_root, 'api_v0_01', '_redeem_credit_code.py')
-spec = importlib.util.spec_from_file_location('api_v0_01._redeem_credit_code', module_path)
+module_path = os.path.join(functions_root, 'api_v1_00', '_redeem_credit_code.py')
+spec = importlib.util.spec_from_file_location('api_v1_00._redeem_credit_code', module_path)
 _redeem = importlib.util.module_from_spec(spec)
 spec.loader.exec_module(_redeem)
 

tests/functions/{api_v0_01 → api_v1_01}/test__sync_emails.py

@@ -90,11 +90,12 @@ sys.modules['firebase_admin'] = firebase_admin
 # -----------------------------
 repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
 functions_root = os.path.join(repo_root, 'functions')
-module_path = os.path.join(functions_root, 'api_v0_01', '_sync_emails.py')
-spec = importlib.util.spec_from_file_location('api_v0_01._sync_emails', module_path)
+module_path = os.path.join(functions_root, 'api_v1_00', '_sync_emails.py')
+spec = importlib.util.spec_from_file_location('api_v1_00._sync_emails', module_path)
 _sync = importlib.util.module_from_spec(spec)
 spec.loader.exec_module(_sync)
 
+
 # Restore original sys.modules mappings to avoid side-effects for other tests
 for name, orig in _orig_sys_modules.items():
     if orig is None:

tests/functions/{api_v0_01 → api_v1_01}/test__take_payment.py

@@ -210,8 +210,8 @@ sys.modules['ulid'] = ulid_mod
 # Import the module under test after preparing the fake imports
 repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
 functions_root = os.path.join(repo_root, 'functions')
-module_path = os.path.join(functions_root, 'api_v0_01', '_take_payment.py')
-spec = importlib.util.spec_from_file_location('api_v0_01._take_payment', module_path)
+module_path = os.path.join(functions_root, 'api_v1_00', '_take_payment.py')
+spec = importlib.util.spec_from_file_location('api_v1_00._take_payment', module_path)
 _take_payment = importlib.util.module_from_spec(spec)
 spec.loader.exec_module(_take_payment)
 

tests/functions/{api_v0_01 → api_v1_01}/test__use_activation_code.py

@@ -171,11 +171,12 @@ sys.modules['firebase_admin'] = firebase_admin_mod
 # -----------------------------
 repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
 functions_root = os.path.join(repo_root, 'functions')
-module_path = os.path.join(functions_root, 'api_v0_01', '_use_activation_code.py')
-spec = importlib.util.spec_from_file_location('api_v0_01._use_activation_code', module_path)
+module_path = os.path.join(functions_root, 'api_v1_00', '_use_activation_code.py')
+spec = importlib.util.spec_from_file_location('api_v1_00._use_activation_code', module_path)
 _use_activation = importlib.util.module_from_spec(spec)
 spec.loader.exec_module(_use_activation)
 
+
 # Restore original sys.modules mappings to avoid side-effects for other tests
 for name, orig in _orig_sys_modules.items():
     if orig is None:

tests/functions/test_utils.py

@@ -0,0 +1,484 @@
+import importlib.util
+import os
+import sys
+import types
+import json
+import base64
+import uuid
+import pytest
+
+
+# Helper to create simple module stubs
+def _make_fake_firebase_functions():
+    fake_https = types.ModuleType('firebase_functions.https_fn')
+
+    class FakeResponse:
+        def __init__(self, response=None, mimetype=None, status=200, **kwargs):
+            # Mirror the small subset of the real Response API used by the code/tests
+            self.status_code = status
+            if isinstance(response, bytes):
+                self._text = response.decode('utf-8')
+            else:
+                # If a non-string is passed (unlikely), coerce to JSON text for assertions
+                self._text = response if isinstance(response, str) else (json.dumps(response) if response is not None else '')
+            self.mimetype = mimetype
+            self.headers = {'Content-Type': mimetype} if mimetype else {}
+
+        def get_data(self, as_text=False):
+            return self._text if as_text else self._text.encode('utf-8')
+
+    fake_https.Response = FakeResponse
+    # Provide a Request attribute used in type annotations in the module under test
+    fake_https.Request = types.SimpleNamespace
+
+    fake_root = types.ModuleType('firebase_functions')
+    fake_root.https_fn = fake_https
+    return fake_root, fake_https
+
+
+def _make_fake_firebase_admin():
+    fake = types.ModuleType('firebase_admin')
+    # Minimal auth object so import succeeds; tests here don't rely on actual auth behaviour
+    fake.auth = types.SimpleNamespace(verify_id_token=lambda token: {'uid': 'test'})
+    return fake
+
+
+def _make_fake_google_secretmanager():
+    google = types.ModuleType('google')
+    google_cloud = types.ModuleType('google.cloud')
+    secretmanager = types.ModuleType('google.cloud.secretmanager')
+
+    class FakeClient:
+        def access_secret_version(self, request):
+            raise RuntimeError("SecretManager should not be called in these tests")
+
+    secretmanager.SecretManagerServiceClient = FakeClient
+    google_cloud.secretmanager = secretmanager
+    google.cloud = google_cloud
+    return google, google_cloud, secretmanager
+
+
+def _load_utils_module(monkeypatch):
+    """Load a fresh copy of functions/utils.py as an isolated module.
+
+    This helper inserts necessary fake modules into sys.modules via the
+    provided monkeypatch fixture before loading the module so its import-time
+    dependencies succeed and are controllable by the tests.
+    """
+    repo_root = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))
+    utils_path = os.path.join(repo_root, 'functions', 'utils.py')
+    assert os.path.exists(utils_path), f"Expected functions/utils.py to exist at {utils_path}"
+
+    # Prepare and register lightweight stubs needed at import time
+    fake_firebase_root, fake_https = _make_fake_firebase_functions()
+    monkeypatch.setitem(sys.modules, 'firebase_functions', fake_firebase_root)
+    monkeypatch.setitem(sys.modules, 'firebase_functions.https_fn', fake_https)
+
+    fake_firebase_admin = _make_fake_firebase_admin()
+    monkeypatch.setitem(sys.modules, 'firebase_admin', fake_firebase_admin)
+
+    google, google_cloud, secretmanager = _make_fake_google_secretmanager()
+    monkeypatch.setitem(sys.modules, 'google', google)
+    monkeypatch.setitem(sys.modules, 'google.cloud', google_cloud)
+    monkeypatch.setitem(sys.modules, 'google.cloud.secretmanager', secretmanager)
+
+    # Create a unique module name so each test gets a fresh module object
+    module_name = f"tests.utils_isolated_{uuid.uuid4().hex}"
+    spec = importlib.util.spec_from_file_location(module_name, utils_path)
+    module = importlib.util.module_from_spec(spec)
+    # Ensure the new module is discoverable under its name during execution
+    monkeypatch.setitem(sys.modules, module_name, module)
+    spec.loader.exec_module(module)
+    return module
+
+
+def test_create_json_response_returns_expected_json_and_status(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    resp = mod.create_json_response(True, {"alpha": 1}, 201)
+
+    assert hasattr(resp, 'status_code')
+    assert resp.status_code == 201
+
+    body_text = resp.get_data(as_text=True)
+    parsed = json.loads(body_text)
+    assert parsed == {"success": True, "payload": {"alpha": 1}}
+
+
+def test_get_sealedbox_private_key_raises_when_pynacl_privatekey_missing(monkeypatch):
+    # Ensure a nacl.public module exists but does NOT expose PrivateKey so the
+    # import inside get_sealedbox_private_key raises and the function reports
+    # that encryption support is unavailable.
+    nacl_mod = types.ModuleType('nacl')
+    nacl_public = types.ModuleType('nacl.public')
+
+    # Provide PublicKey/SealedBox but omit PrivateKey to trigger the import error
+    class PublicKeyStub:
+        def __init__(self, data):
+            self._data = bytes(data)
+
+    class SealedBoxStub:
+        def __init__(self, key):
+            pass
+
+    nacl_public.PublicKey = PublicKeyStub
+    nacl_public.SealedBox = SealedBoxStub
+
+    monkeypatch.setitem(sys.modules, 'nacl', nacl_mod)
+    monkeypatch.setitem(sys.modules, 'nacl.public', nacl_public)
+
+    mod = _load_utils_module(monkeypatch)
+
+    with pytest.raises(Exception) as excinfo:
+        mod.get_sealedbox_private_key()
+
+    assert 'Encryption support is unavailable' in str(excinfo.value)
+
+
+def test_get_sealedbox_private_key_initializes_and_caches_private_key(monkeypatch):
+    # Provide a PrivateKey implementation and stub get_secret_key to return
+    # a valid 32-byte base64-encoded secret. Verify the value is cached and
+    # the secret fetch is only performed once.
+    key_bytes = b"\x02" * 32
+
+    nacl_mod = types.ModuleType('nacl')
+    nacl_public = types.ModuleType('nacl.public')
+
+    class PrivateKeyStub:
+        def __init__(self, data):
+            # Accept bytes-like input
+            self._data = bytes(data)
+
+        def __repr__(self):
+            return f"PrivateKeyStub(len={len(self._data)})"
+
+    nacl_public.PrivateKey = PrivateKeyStub
+    monkeypatch.setitem(sys.modules, 'nacl', nacl_mod)
+    monkeypatch.setitem(sys.modules, 'nacl.public', nacl_public)
+
+    mod = _load_utils_module(monkeypatch)
+
+    calls = {'count': 0}
+
+    def fake_get_secret_key(name):
+        calls['count'] += 1
+        return base64.b64encode(key_bytes).decode('ascii')
+
+    # Replace the module-level get_secret_key with our fake
+    mod.get_secret_key = fake_get_secret_key
+
+    # Ensure fresh start
+    mod._SEALEDBOX_PRIVATE_KEY = None
+
+    first = mod.get_sealedbox_private_key()
+    second = mod.get_sealedbox_private_key()
+
+    assert first is second
+    assert calls['count'] == 1
+    assert hasattr(first, '_data') and first._data == key_bytes
+
+
+def test_get_sealedbox_private_key_invalid_length_does_not_cache_and_raises(monkeypatch):
+    # Provide PrivateKey but have the secret manager return an invalid-length key
+    invalid_key = b"\x03" * 16
+
+    nacl_mod = types.ModuleType('nacl')
+    nacl_public = types.ModuleType('nacl.public')
+
+    class PrivateKeyStub:
+        def __init__(self, data):
+            self._data = bytes(data)
+
+    nacl_public.PrivateKey = PrivateKeyStub
+    monkeypatch.setitem(sys.modules, 'nacl', nacl_mod)
+    monkeypatch.setitem(sys.modules, 'nacl.public', nacl_public)
+
+    mod = _load_utils_module(monkeypatch)
+
+    def fake_get_secret_key(name):
+        return base64.b64encode(invalid_key).decode('ascii')
+
+    mod.get_secret_key = fake_get_secret_key
+
+    # Ensure fresh start
+    mod._SEALEDBOX_PRIVATE_KEY = None
+
+    with pytest.raises(Exception) as excinfo:
+        mod.get_sealedbox_private_key()
+
+    assert 'Failed to initialize sealed-box private key' in str(excinfo.value)
+    # Failure should not be cached
+    assert mod._SEALEDBOX_PRIVATE_KEY is None
+
+
+# ------------------------- Additional tests to improve coverage -------------------------
+
+def test_get_secret_key_returns_secret_on_success(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    fake_payload = types.SimpleNamespace(data=b'secret-value')
+    fake_response = types.SimpleNamespace(payload=fake_payload)
+
+    class FakeClient:
+        def access_secret_version(self, request):
+            return fake_response
+
+    # Patch the SecretManager client on the imported module
+    monkeypatch.setattr(mod.secretmanager, 'SecretManagerServiceClient', FakeClient, raising=True)
+
+    result = mod.get_secret_key('my-secret')
+    assert result == 'secret-value'
+
+
+def test_get_secret_key_raises_on_backend_error(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    class FakeClient:
+        def access_secret_version(self, request):
+            raise RuntimeError('boom')
+
+    monkeypatch.setattr(mod.secretmanager, 'SecretManagerServiceClient', FakeClient, raising=True)
+
+    with pytest.raises(Exception) as excinfo:
+        mod.get_secret_key('does-not-matter')
+    assert 'Failed to retrieve secret key from Secret Manager' in str(excinfo.value)
+
+
+def test_verify_firebase_token_success(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+    req = types.SimpleNamespace(headers={'Authorization': 'Bearer SOME_TOKEN'})
+
+    res = mod.verify_firebase_token(req)
+    assert res == {'uid': 'test'}
+
+
+def test_verify_firebase_token_missing_or_invalid_header_raises(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+    req = types.SimpleNamespace(headers={})
+
+    with pytest.raises(Exception) as excinfo:
+        mod.verify_firebase_token(req)
+    # The implementation wraps the underlying message, but the cause should be present
+    assert 'Missing or invalid Authorization' in str(excinfo.value)
+
+
+def test_verify_firebase_token_verify_id_token_failure_raises(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    def fake_verify(token):
+        raise ValueError('invalid token')
+
+    # Replace the verifier with one that raises
+    mod.auth.verify_id_token = fake_verify
+
+    req = types.SimpleNamespace(headers={'Authorization': 'Bearer x'})
+    with pytest.raises(Exception) as excinfo:
+        mod.verify_firebase_token(req)
+    assert 'invalid token' in str(excinfo.value)
+
+
+def test_get_api_key_delegates_to_get_secret_key(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    called = {}
+
+    def fake_get_secret_key(name):
+        called['name'] = name
+        return 'X'
+
+    mod.get_secret_key = fake_get_secret_key
+
+    result = mod.get_api_key(mod.LlmFamily.OPENAI)
+    assert result == 'X'
+    assert called['name'] == 'openai-api-key'
+
+
+def test_get_request_json_plaintext_returns_parsed_json(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    def get_json(silent=False):
+        return {'a': 1}
+
+    req = types.SimpleNamespace(headers={}, get_json=get_json)
+    result = mod.get_request_json(req, strict=False)
+    assert result == {'a': 1}
+
+
+def test_get_request_json_plaintext_strict_raises_on_get_json_error(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    def get_json(silent=False):
+        raise ValueError('bad json')
+
+    req = types.SimpleNamespace(headers={}, get_json=get_json)
+    with pytest.raises(Exception):
+        mod.get_request_json(req, strict=True)
+
+
+def test_get_request_json_plaintext_non_strict_returns_none_on_get_json_error(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    def get_json(silent=False):
+        raise ValueError('bad json')
+
+    req = types.SimpleNamespace(headers={}, get_json=get_json)
+    result = mod.get_request_json(req, strict=False)
+    assert result is None
+
+
+def _install_sealedbox_stub(monkeypatch, decrypt_behavior):
+    """Helper: install a nacl.public.SealedBox stub whose decrypt returns or throws.
+
+    decrypt_behavior may be either:
+      - a bytes object to return from decrypt(), or
+      - a callable that accepts ciphertext and returns bytes / raises.
+    """
+    nacl_mod = types.ModuleType('nacl')
+    nacl_public = types.ModuleType('nacl.public')
+
+    class SealedBox:
+        def __init__(self, key):
+            self._key = key
+
+        def decrypt(self, ciphertext):
+            if callable(decrypt_behavior):
+                return decrypt_behavior(ciphertext)
+            return decrypt_behavior
+
+    nacl_public.SealedBox = SealedBox
+    nacl_mod.public = nacl_public
+
+    # Ensure both module paths exist in sys.modules so `from nacl.public import SealedBox` works
+    monkeypatch.setitem(sys.modules, 'nacl', nacl_mod)
+    monkeypatch.setitem(sys.modules, 'nacl.public', nacl_public)
+
+
+def test_get_request_json_encrypted_success_using_get_data(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    plaintext = b'{"ok": true}'
+    ciphertext = b'FAKECIPHERTEXT'
+    body_b64 = base64.b64encode(ciphertext)
+
+    # Request exposes get_data(as_text=False)
+    def get_data(as_text=False):
+        return body_b64
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, get_data=get_data)
+
+    # SealedBox.decrypt will return the plaintext regardless of ciphertext
+    _install_sealedbox_stub(monkeypatch, plaintext)
+    # Stub the private key loader so it doesn't call Secret Manager
+    monkeypatch.setattr(mod, 'get_sealedbox_private_key', lambda: 'DUMMY', raising=False)
+
+    res = mod.get_request_json(req, strict=True)
+    assert res == {"ok": True}
+
+
+def test_get_request_json_encrypted_fallback_when_get_data_rejects_as_text_arg(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    plaintext = b'{"ok": 1}'
+    ciphertext = b'CT'
+    body_b64 = base64.b64encode(ciphertext)
+
+    def get_data(*args, **kwargs):
+        # Simulate a stub that raises when given the as_text kwarg
+        if 'as_text' in kwargs:
+            raise TypeError('no as_text')
+        return body_b64
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, get_data=get_data)
+
+    _install_sealedbox_stub(monkeypatch, plaintext)
+    monkeypatch.setattr(mod, 'get_sealedbox_private_key', lambda: 'DUMMY', raising=False)
+
+    res = mod.get_request_json(req, strict=True)
+    assert res == {"ok": 1}
+
+
+def test_get_request_json_encrypted_uses_data_attribute_if_no_get_data(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    plaintext = b'{"v": 42}'
+    ciphertext = b'CT2'
+    body_b64 = base64.b64encode(ciphertext)
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, data=body_b64)
+
+    _install_sealedbox_stub(monkeypatch, plaintext)
+    monkeypatch.setattr(mod, 'get_sealedbox_private_key', lambda: 'DUMMY', raising=False)
+
+    res = mod.get_request_json(req, strict=True)
+    assert res == {"v": 42}
+
+
+def test_get_request_json_encrypted_invalid_base64(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    # Make b64 decoder throw to exercise that error path deterministically
+    def fake_b64decode(_):
+        raise Exception('bad base64')
+
+    monkeypatch.setattr(mod.base64, 'b64decode', fake_b64decode, raising=True)
+
+    def get_data(as_text=False):
+        return b'NOT-BASE64'
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, get_data=get_data)
+
+    # Non-strict should return None
+    res = mod.get_request_json(req, strict=False)
+    assert res is None
+
+    # Strict should raise
+    with pytest.raises(Exception):
+        mod.get_request_json(req, strict=True)
+
+
+def test_get_request_json_encrypted_decrypt_failure(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    ciphertext = b'CT'
+    body_b64 = base64.b64encode(ciphertext)
+
+    # SealedBox.decrypt will raise to simulate decryption failure
+    def raise_on_decrypt(_):
+        raise RuntimeError('bad decrypt')
+
+    _install_sealedbox_stub(monkeypatch, raise_on_decrypt)
+    monkeypatch.setattr(mod, 'get_sealedbox_private_key', lambda: 'DUMMY', raising=False)
+
+    def get_data(as_text=False):
+        return body_b64
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, get_data=get_data)
+
+    # Non-strict returns None
+    assert mod.get_request_json(req, strict=False) is None
+
+    # Strict raises
+    with pytest.raises(Exception):
+        mod.get_request_json(req, strict=True)
+
+
+def test_get_request_json_encrypted_invalid_json_after_decrypt(monkeypatch):
+    mod = _load_utils_module(monkeypatch)
+
+    # Decrypt returns bytes that are not valid JSON
+    _install_sealedbox_stub(monkeypatch, b'not-json')
+    monkeypatch.setattr(mod, 'get_sealedbox_private_key', lambda: 'DUMMY', raising=False)
+
+    body_b64 = base64.b64encode(b'CT')
+
+    def get_data(as_text=False):
+        return body_b64
+
+    req = types.SimpleNamespace(headers={mod.ENCRYPTION_HEADER_NAME: 'true'}, get_data=get_data)
+
+    assert mod.get_request_json(req, strict=False) is None
+    with pytest.raises(Exception):
+        mod.get_request_json(req, strict=True)
+
+
+# End of additional tests