simple-module-hosting 0.0.13__tar.gz → 0.0.15__tar.gz

{simple_module_hosting-0.0.13 → simple_module_hosting-0.0.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_hosting
-Version: 0.0.13
+Version: 0.0.15
 Summary: FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -26,8 +26,8 @@ Requires-Dist: fastapi-inertia>=1.0
 Requires-Dist: fastapi>=0.115
 Requires-Dist: httpx>=0.27
 Requires-Dist: jinja2>=3.1
-Requires-Dist: simple-module-core==0.0.13
-Requires-Dist: simple-module-db==0.0.13
+Requires-Dist: simple-module-core==0.0.15
+Requires-Dist: simple-module-db==0.0.15
 Requires-Dist: starlette>=0.44
 Requires-Dist: tomlkit>=0.13
 Requires-Dist: uvicorn[standard]>=0.34

{simple_module_hosting-0.0.13 → simple_module_hosting-0.0.15}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_hosting"
-version = "0.0.13"
+version = "0.0.15"
 description = "FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding"
 readme = "README.md"
 license = "MIT"
@@ -26,8 +26,8 @@ dependencies = [
     "fastapi-inertia>=1.0",
     "httpx>=0.27",
     "jinja2>=3.1",
-    "simple_module_core==0.0.13",
-    "simple_module_db==0.0.13",
+    "simple_module_core==0.0.15",
+    "simple_module_db==0.0.15",
     "starlette>=0.44",
     "tomlkit>=0.13",
     "uvicorn[standard]>=0.34",

{simple_module_hosting-0.0.13 → simple_module_hosting-0.0.15}/simple_module_hosting/_observability.py

@@ -26,10 +26,16 @@ _QUIET_PREFIXES = ("/health", "/static/")
 class CorrelationIdMiddleware:
     """Generate or propagate a correlation ID for every request.
 
-    Reads the incoming ``X-Correlation-ID`` header (or generates a UUID4) and
-    stores it in a :class:`~contextvars.ContextVar` so that every log record
-    emitted during the request automatically includes the ID.  The same value
-    is echoed back in the response header.
+    Reads the incoming ``X-Correlation-ID`` header (or generates a UUID4) and:
+
+    * stores it in the ``simple_module_hosting.logging.correlation_id``
+      ContextVar so the stdlib logging filter (or a user-supplied structlog
+      processor — see ``docs/framework/middleware.md``) picks it up with no
+      per-handler plumbing;
+    * exposes it on ``request.state.correlation_id`` for handlers that
+      prefer the request object over the contextvar;
+    * echoes the value back as the ``X-Correlation-ID`` response header so
+      clients can cross-reference their request with server-side logs.
     """
 
     HEADER = "X-Correlation-ID"
@@ -43,6 +49,8 @@ class CorrelationIdMiddleware:
             return
 
         cid = Headers(scope=scope).get(self.HEADER) or uuid.uuid4().hex
+        # Skip allocating a Request wrapper — downstream Request(scope).state reads this same dict.
+        scope.setdefault("state", {})["correlation_id"] = cid
 
         async def send_with_header(message: Message) -> None:
             if message["type"] == _MSG_RESPONSE_START:

{simple_module_hosting-0.0.13 → simple_module_hosting-0.0.15}/simple_module_hosting/logging.py

@@ -38,6 +38,9 @@ class JsonFormatter(logging.Formatter):
         "entity",
         "entity_id",
         "db_duration_ms",
+        # Bound by log filters on Celery / job-runner workers.
+        "task_id",
+        "task_name",
     )
 
     def format(self, record: logging.LogRecord) -> str:

simple_module_hosting-0.0.15/tests/test_check_migrations.py

@@ -0,0 +1,84 @@
+"""Boot-time migration-drift check.
+
+``check_migrations`` is called from inside the app's lifespan in
+``app_builder.py``. If it loses its teeth — e.g. someone refactors and forgets
+to raise — a behind-head DB would silently boot and produce confusing missing-
+column errors at runtime. This file pins:
+
+* DB at head → returns the status dict.
+* DB behind head → raises ``RuntimeError`` with a helpful message.
+* No alembic config available → returns the "no migrations" sentinel.
+"""
+
+from __future__ import annotations
+
+import pytest
+from simple_module_hosting.migrations import check_migrations, resolve_head_revision
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import create_async_engine
+
+
+@pytest.mark.anyio
+async def test_returns_no_migrations_sentinel_when_alembic_ini_absent(tmp_path):
+    """Pointing at a missing alembic.ini → status dict, no exception."""
+    engine = create_async_engine("sqlite+aiosqlite:///:memory:")
+    try:
+        result = await check_migrations(engine, alembic_ini_path=str(tmp_path / "missing.ini"))
+    finally:
+        await engine.dispose()
+    assert result["current_revision"] is None
+    assert result["head_revision"] is None
+    assert result["is_current"] is True
+
+
+@pytest.mark.anyio
+async def test_db_at_head_returns_current_status():
+    """Stamp the in-memory DB at head and check_migrations should pass cleanly."""
+    head = resolve_head_revision()
+    if head is None:
+        pytest.skip("Repository alembic.ini not resolvable from cwd")
+
+    engine = create_async_engine("sqlite+aiosqlite:///:memory:")
+    try:
+        async with engine.begin() as conn:
+            await conn.execute(
+                text("CREATE TABLE alembic_version (version_num VARCHAR(32) NOT NULL PRIMARY KEY)")
+            )
+            await conn.execute(
+                text("INSERT INTO alembic_version (version_num) VALUES (:v)"),
+                {"v": head},
+            )
+        result = await check_migrations(engine)
+    finally:
+        await engine.dispose()
+
+    assert result["current_revision"] == head
+    assert result["head_revision"] == head
+    assert result["is_current"] is True
+
+
+@pytest.mark.anyio
+async def test_unstamped_db_raises_drift_error():
+    """An empty in-memory DB (no alembic_version row) must hard-fail."""
+    if resolve_head_revision() is None:
+        pytest.skip("Repository alembic.ini not resolvable from cwd")
+
+    engine = create_async_engine("sqlite+aiosqlite:///:memory:")
+    try:
+        with pytest.raises(RuntimeError, match="revision\\(s\\) behind"):
+            await check_migrations(engine)
+    finally:
+        await engine.dispose()
+
+
+@pytest.mark.anyio
+async def test_resolve_head_revision_consistent():
+    """Sanity: ``resolve_head_revision`` returns the same string twice in a row.
+
+    The function is invoked from both the cached fixture in conftest and the
+    real lifespan; if it ever became non-deterministic the cached value would
+    diverge from the live one and the migration check would lie.
+    """
+    a = resolve_head_revision()
+    b = resolve_head_revision()
+    assert a == b

simple_module_hosting-0.0.15/tests/test_lifespan_order.py

@@ -0,0 +1,85 @@
+"""Verify ``create_app``'s lifespan walks modules forward and backward.
+
+CLAUDE.md says ``on_startup`` runs in topological order and ``on_shutdown``
+in reverse — a regression here means a dependent module's startup hook runs
+before its dependency's hook is ready (or, on shutdown, the dependency tears
+down resources while the dependent is still using them).
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from unittest.mock import patch
+
+import pytest
+from simple_module_core.module import ModuleBase, ModuleMeta
+from simple_module_hosting.app_builder import create_app
+from simple_module_hosting.settings import Settings
+
+if TYPE_CHECKING:
+    from fastapi import FastAPI
+
+
+_calls: list[str] = []
+
+
+class _TrackingModule(ModuleBase):
+    """Records its own name into the module-level _calls list on each hook.
+
+    Subclasses set their own ``meta`` so each one is identifiable inside
+    the dependency graph; the hook bodies stay on the base.
+    """
+
+    async def on_startup(self, app: FastAPI) -> None:  # type: ignore[override]
+        _calls.append(f"start:{self.meta.name}")
+
+    async def on_shutdown(self, app: FastAPI) -> None:  # type: ignore[override]
+        _calls.append(f"stop:{self.meta.name}")
+
+
+class _ModA(_TrackingModule):
+    meta = ModuleMeta(name="A")
+
+
+class _ModB(_TrackingModule):
+    meta = ModuleMeta(name="B", depends_on=["A"])
+
+
+class _ModC(_TrackingModule):
+    meta = ModuleMeta(name="C", depends_on=["B"])
+
+
+@pytest.mark.anyio
+async def test_lifespan_startup_forward_shutdown_reverse(monkeypatch) -> None:
+    """Three modules A→B→C: startup must be A,B,C and shutdown C,B,A.
+
+    We stub ``discover_modules`` rather than registering real entry points
+    so this test stays hermetic; the topological-sort layer is exercised
+    end-to-end by other tests already.
+    """
+    _calls.clear()
+    instances: list[ModuleBase] = [_ModA(), _ModB(), _ModC()]
+
+    async def _no_migration_check(engine, *args, **kwargs):
+        return {"current_revision": None, "head_revision": None, "is_current": True}
+
+    with (
+        patch("simple_module_hosting.app_builder.discover_modules", return_value=instances),
+        patch("simple_module_hosting.app_builder.check_migrations", _no_migration_check),
+    ):
+        settings = Settings(
+            database_url="sqlite+aiosqlite:///:memory:",
+            environment="testing",
+            secret_key="x" * 32,
+            multi_tenant=False,
+        )
+        app = create_app(settings)
+
+        ctx = app.router.lifespan_context(app)
+        await ctx.__aenter__()
+        await ctx.__aexit__(None, None, None)
+
+    starts = [c for c in _calls if c.startswith("start:")]
+    stops = [c for c in _calls if c.startswith("stop:")]
+    assert starts == ["start:A", "start:B", "start:C"], _calls
+    assert stops == ["stop:C", "stop:B", "stop:A"], _calls

{simple_module_hosting-0.0.13 → simple_module_hosting-0.0.15}/tests/test_logging.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 
 import json
 import logging
+from typing import TYPE_CHECKING
 
 import httpx
 from simple_module_hosting.logging import (
@@ -12,6 +13,13 @@ from simple_module_hosting.logging import (
     correlation_id,
     setup_logging,
 )
+from simple_module_hosting.middleware import CorrelationIdMiddleware
+from starlette.applications import Starlette
+from starlette.responses import JSONResponse
+from starlette.routing import Route
+
+if TYPE_CHECKING:
+    from starlette.requests import Request
 
 # ── JsonFormatter ──────────────────────────────────────────────────────
 
@@ -174,6 +182,29 @@ class TestCorrelationIdMiddleware:
         r2 = await client.get("/health")
         assert r1.headers["x-correlation-id"] != r2.headers["x-correlation-id"]
 
+    async def test_state_contextvar_and_header_agree(self):
+        # Background tasks read the ContextVar; handlers read request.state;
+        # clients read the response header — all three must agree per request.
+        async def echo(request: Request) -> JSONResponse:
+            return JSONResponse(
+                {
+                    "state": request.state.correlation_id,
+                    "contextvar": correlation_id.get(""),
+                }
+            )
+
+        app = Starlette(routes=[Route("/echo", echo)])
+        app.add_middleware(CorrelationIdMiddleware)
+
+        transport = httpx.ASGITransport(app=app)
+        async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as c:
+            resp = await c.get("/echo", headers={CorrelationIdMiddleware.HEADER: "trace-xyz"})
+
+        assert resp.headers[CorrelationIdMiddleware.HEADER] == "trace-xyz"
+        body = resp.json()
+        assert body["state"] == "trace-xyz"
+        assert body["contextvar"] == "trace-xyz"
+
 
 # ── Request logging middleware (integration) ────────────────────────────
 

simple_module_hosting-0.0.15/tests/test_middleware_order.py

@@ -0,0 +1,79 @@
+"""Pin the documented middleware execution order.
+
+CLAUDE.md spells out the pipeline:
+
+    CorrelationId → RequestLogging → Security → Session → <module>
+                  → Tenant (opt-in) → Locale → InertiaLayoutData → app
+
+Tenant/Locale must see ``request.state.user`` set by AuthMiddleware so
+DB queries get filtered correctly; CorrelationId must wrap everything so
+every log line carries its id. Order matters and a swap is the kind of
+regression that breaks production without breaking any happy-path test.
+``app.user_middleware`` lists middlewares in execution order (Starlette
+LIFOs ``add_middleware`` calls, FastAPI surfaces them already reversed).
+"""
+
+from __future__ import annotations
+
+import pytest
+from simple_module_hosting.app_builder import create_app
+from simple_module_hosting.settings import Settings
+
+_EXPECTED_MULTI_TENANT = (
+    "CorrelationIdMiddleware",
+    "RequestLoggingMiddleware",
+    "SecurityHeadersMiddleware",
+    "SessionMiddleware",
+    "AuthMiddleware",
+    "TenantMiddleware",
+    "LocaleMiddleware",
+    "InertiaLayoutDataMiddleware",
+)
+
+_EXPECTED_SINGLE_TENANT = (
+    "CorrelationIdMiddleware",
+    "RequestLoggingMiddleware",
+    "SecurityHeadersMiddleware",
+    "SessionMiddleware",
+    "AuthMiddleware",
+    "LocaleMiddleware",
+    "InertiaLayoutDataMiddleware",
+)
+
+
+def _names(app) -> tuple[str, ...]:
+    return tuple(m.cls.__name__ for m in app.user_middleware)
+
+
+@pytest.mark.parametrize(
+    ("multi_tenant", "expected"),
+    [(True, _EXPECTED_MULTI_TENANT), (False, _EXPECTED_SINGLE_TENANT)],
+)
+def test_middleware_pipeline_order(multi_tenant: bool, expected: tuple[str, ...]) -> None:
+    settings = Settings(
+        database_url="sqlite+aiosqlite:///:memory:",
+        environment="testing",
+        secret_key="x" * 32,
+        multi_tenant=multi_tenant,
+    )
+    app = create_app(settings)
+    assert _names(app) == expected, (
+        "Middleware pipeline order drifted from CLAUDE.md. "
+        f"Got {_names(app)!r}, expected {expected!r}."
+    )
+
+
+def test_tenant_middleware_absent_when_disabled() -> None:
+    """``multi_tenant=False`` must not register TenantMiddleware at all.
+
+    Just toggling off the header would still leak the DB context-var setter
+    onto every request; the middleware itself is what must vanish.
+    """
+    settings = Settings(
+        database_url="sqlite+aiosqlite:///:memory:",
+        environment="testing",
+        secret_key="x" * 32,
+        multi_tenant=False,
+    )
+    app = create_app(settings)
+    assert "TenantMiddleware" not in _names(app)

simple_module_hosting-0.0.15/tests/test_redirects.py

@@ -0,0 +1,129 @@
+"""Direct unit tests for ``safe_referer_or_root``.
+
+The helper is the only barrier between an attacker-controlled ``Referer`` and
+a 303 redirect back to that URL. The existing test surface only goes through
+``/i18n/set-locale``, which exercises a handful of vectors. This file pins the
+contract directly with adversarial inputs that the integration test set didn't
+reach (``javascript:``, embedded ``@`` userinfo, ``\\evil.example``,
+CRLF-injection attempts, mixed-case schemes, fragments).
+"""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+
+import pytest
+from simple_module_hosting.redirects import safe_referer_or_root
+
+
+def _make_request(*, referer: str | None = None, scheme: str = "http", host: str = "testserver"):
+    """Return a minimal duck-typed object matching what safe_referer_or_root reads.
+
+    The real helper only touches ``request.headers.get("referer")`` and
+    ``request.url.scheme`` / ``request.url.netloc`` — a SimpleNamespace beats
+    spinning up a Starlette Request just to validate URL parsing.
+    """
+    headers: dict[str, str] = {}
+    if referer is not None:
+        headers["referer"] = referer
+    return SimpleNamespace(
+        headers=headers,
+        url=SimpleNamespace(scheme=scheme, netloc=host),
+    )
+
+
+class TestSafeRefererBasics:
+    def test_no_referer_returns_root(self) -> None:
+        assert safe_referer_or_root(_make_request()) == "/"
+
+    def test_empty_string_referer_returns_root(self) -> None:
+        assert safe_referer_or_root(_make_request(referer="")) == "/"
+
+    def test_same_origin_relative_path_preserved(self) -> None:
+        assert safe_referer_or_root(_make_request(referer="/dashboard")) == "/dashboard"
+
+    def test_same_origin_absolute_url_collapses_to_path(self) -> None:
+        req = _make_request(referer="http://testserver/products?q=pen")
+        assert safe_referer_or_root(req) == "/products?q=pen"
+
+
+class TestSafeRefererBlocksHostedirects:
+    """Every input here is an attempt to redirect off-site.
+
+    A regression that returns the input verbatim is a reflected open-redirect.
+    """
+
+    @pytest.mark.parametrize(
+        "malicious",
+        [
+            "https://evil.example/steal",
+            "http://evil.example/x",
+            "//evil.example/x",
+            "//evil.example",
+            r"\\evil.example/x",  # backslash-prefixed — some browsers normalize
+            "http://testserver.evil.example/",  # suffix-confusion
+            "http://evil.example@testserver/",  # userinfo trick: host is "evil.example"
+            "javascript:alert(1)",
+            "data:text/html,<script>alert(1)</script>",
+            "vbscript:msgbox(1)",
+            "FILE:///etc/passwd",
+            "HTTPS://EVIL.EXAMPLE/",
+            "not-a-path",
+            "  ",
+            "ftp://evil.example/",
+        ],
+    )
+    def test_rejects_hostile_referer(self, malicious: str) -> None:
+        req = _make_request(referer=malicious)
+        result = safe_referer_or_root(req)
+        # The helper must never return anything that, when used as a Location
+        # header, takes the browser off-site. The contract is "/" or a path
+        # starting with "/" on the same origin.
+        assert result.startswith("/"), (
+            f"safe_referer_or_root({malicious!r}) returned {result!r}; "
+            "must fall back to a same-origin path"
+        )
+        # And specifically: no second slash that would make the browser see
+        # this as a protocol-relative URL.
+        assert not result.startswith("//"), (
+            f"safe_referer_or_root({malicious!r}) returned protocol-relative {result!r}"
+        )
+
+    def test_userinfo_at_sign_does_not_smuggle_host(self) -> None:
+        """``http://evil@testserver/`` parses as host=testserver in urlsplit.
+
+        That's actually safe — the helper compares parsed.netloc which includes
+        the userinfo. The defense is that ``parsed.netloc != current.netloc``
+        when userinfo is present, so the comparison correctly rejects.
+        """
+        req = _make_request(referer="http://attacker@testserver/admin")
+        assert safe_referer_or_root(req) == "/"
+
+
+class TestSafeRefererSchemeAndHostMatching:
+    def test_scheme_mismatch_rejects_https_referer_on_http_request(self) -> None:
+        req = _make_request(referer="https://testserver/x", scheme="http")
+        assert safe_referer_or_root(req) == "/"
+
+    def test_host_mismatch_rejects_subdomain(self) -> None:
+        req = _make_request(referer="http://admin.testserver/x")
+        assert safe_referer_or_root(req) == "/"
+
+    def test_port_mismatch_rejects(self) -> None:
+        req = _make_request(referer="http://testserver:8080/x", host="testserver")
+        assert safe_referer_or_root(req) == "/"
+
+
+class TestSafeRefererPathHandling:
+    def test_query_string_preserved(self) -> None:
+        req = _make_request(referer="http://testserver/x?a=1&b=2")
+        assert safe_referer_or_root(req) == "/x?a=1&b=2"
+
+    def test_fragment_dropped(self) -> None:
+        """Fragments aren't sent to the server, so we don't echo them in Location."""
+        req = _make_request(referer="http://testserver/x#section")
+        assert safe_referer_or_root(req) == "/x"
+
+    def test_empty_path_becomes_root(self) -> None:
+        req = _make_request(referer="http://testserver")
+        assert safe_referer_or_root(req) == "/"

simple_module_hosting-0.0.15/tests/test_session_cookie_security.py

@@ -0,0 +1,54 @@
+"""SameSite/HttpOnly invariants for the framework's session cookie.
+
+CLAUDE.md treats SameSite=Lax as the CSRF defence — there is no explicit
+token middleware. If a future Starlette upgrade silently switched the
+default to ``None`` (used to be the case on older versions), CSRF
+protection would evaporate without any test catching it.
+
+The session cookie is also Set-Cookie'd with HttpOnly so a successful XSS
+can't directly exfiltrate the user_id+user_ctx blob.
+"""
+
+from __future__ import annotations
+
+import httpx
+import pytest
+
+
+def _set_cookie_for(name: str, response: httpx.Response) -> str:
+    """Return the raw Set-Cookie header for ``name`` (or '' if absent).
+
+    httpx joins multiple Set-Cookie headers with ', ' which makes
+    ``response.headers.get`` ambiguous for cookies whose value contains a
+    comma. We walk the raw header list instead.
+    """
+    for header_name, header_value in response.headers.multi_items():
+        if header_name.lower() == "set-cookie" and header_value.startswith(f"{name}="):
+            return header_value
+    return ""
+
+
+@pytest.mark.anyio
+async def test_session_cookie_is_samesite_lax_and_httponly(client) -> None:
+    """Any response that creates the session cookie must mark it Lax + HttpOnly.
+
+    An unauthenticated request to a protected page (``/dashboard/``)
+    deterministically writes to the session: ``AuthMiddleware`` stores the
+    intended target in ``session["next"]`` before redirecting to the login
+    page. That guarantees ``SessionMiddleware.save()`` emits a Set-Cookie
+    header regardless of how other middleware happens to touch the session.
+    """
+    resp = await client.get("/dashboard/", follow_redirects=False)
+    raw = _set_cookie_for("session", resp)
+
+    assert raw, (
+        "Protected route didn't set the session cookie — has SessionMiddleware "
+        "or AuthMiddleware been removed from the pipeline?"
+    )
+    lowered = raw.lower()
+    assert "samesite=lax" in lowered, (
+        f"Session cookie missing SameSite=Lax — CSRF defence weakened. Raw: {raw!r}"
+    )
+    assert "httponly" in lowered, (
+        f"Session cookie missing HttpOnly — exposes user_id to XSS. Raw: {raw!r}"
+    )

simple_module_hosting-0.0.15/tests/test_strict_discovery_wiring.py

@@ -0,0 +1,116 @@
+"""``create_app(settings)`` must propagate strict-discovery in non-dev environments.
+
+``app_builder.create_app`` calls ``discover_modules(strict=not settings.is_development)``.
+The existing tests cover ``discover_modules`` directly with strict=True, but
+nothing pins the wiring — a regression that hard-coded ``strict=False`` would
+silently restore the old "drop a broken module and keep booting" behaviour in
+production, which is exactly what CLAUDE.md says must not happen.
+
+Reuses the ``_FakeEntryPoint`` and ``_patch_entry_points`` helpers from
+``framework/core/tests/test_discovery.py`` (the canonical location for the
+entry-point stubbing pattern) rather than redeclaring the same shim here.
+"""
+
+from __future__ import annotations
+
+import contextlib
+import importlib.util
+from pathlib import Path
+
+import pytest
+from simple_module_core.exceptions import InvalidModuleError
+from simple_module_hosting.app_builder import create_app
+from simple_module_hosting.settings import Settings
+
+
+def _load_discovery_helpers():
+    """Side-load ``framework/core/tests/test_discovery.py`` without mutating ``sys.path``.
+
+    The core-tests directory isn't a package (no ``__init__.py``), and adding
+    it to ``sys.path`` would expose every ``test_*`` module in there as a
+    top-level import for the rest of the session — risking name collisions.
+    ``spec_from_file_location`` loads just the one file we need into a
+    private namespace.
+    """
+    discovery_path = Path(__file__).resolve().parents[2] / "core" / "tests" / "test_discovery.py"
+    spec = importlib.util.spec_from_file_location("_core_test_discovery_helpers", discovery_path)
+    assert spec is not None and spec.loader is not None
+    mod = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(mod)
+    return mod._FakeEntryPoint, mod._boom_loader, mod._patch_entry_points
+
+
+_FakeEntryPoint, _boom_loader, _patch_entry_points = _load_discovery_helpers()
+
+
+class _NotAModule:
+    """A class returned by an entry point that isn't a ModuleBase subclass."""
+
+
+def _prod_settings() -> Settings:
+    return Settings(
+        database_url="sqlite+aiosqlite:///:memory:",
+        environment="production",
+        secret_key="x" * 32,
+        multi_tenant=False,
+    )
+
+
+def test_create_app_in_production_fails_on_broken_entrypoint(monkeypatch):
+    """A failed entry-point load in production must abort ``create_app``."""
+    _patch_entry_points(monkeypatch, [_FakeEntryPoint("boom", _boom_loader)])
+    with pytest.raises(InvalidModuleError, match="Failed to load"):
+        create_app(_prod_settings())
+
+
+def test_create_app_in_production_fails_on_non_modulebase(monkeypatch):
+    """Same contract for non-ModuleBase classes registered as entry points."""
+    _patch_entry_points(monkeypatch, [_FakeEntryPoint("notmod", _NotAModule)])
+    with pytest.raises(InvalidModuleError, match="not a ModuleBase"):
+        create_app(_prod_settings())
+
+
+def test_discover_modules_called_with_strict_mirroring_environment(monkeypatch):
+    """The wiring assertion: ``app_builder`` passes ``strict=not is_development``.
+
+    We don't actually run ``create_app`` in dev — that triggers Inertia setup
+    and ``emit_frontend_types``, which mutates the generated i18n type files
+    on disk because the entry-point stub yields zero modules. Asserting the
+    keyword argument is sufficient to pin the wiring contract.
+    """
+    captured: dict[str, object] = {}
+
+    def _spy(*args, **kwargs):
+        captured["strict"] = kwargs.get("strict")
+        return []
+
+    monkeypatch.setattr("simple_module_hosting.app_builder.discover_modules", _spy)
+    # Block dev-mode side effects (write_module_pages_manifest +
+    # emit_frontend_types) — with zero modules they'd rewrite the
+    # generated i18n files to empty.
+    monkeypatch.setattr(
+        "simple_module_hosting.app_builder.emit_frontend_types", lambda *a, **kw: None
+    )
+    import simple_module_hosting.manifest as manifest_mod
+
+    monkeypatch.setattr(manifest_mod, "write_module_pages_manifest", lambda *a, **kw: None)
+
+    # Dev environment — strict must be False.
+    dev = Settings(
+        database_url="sqlite+aiosqlite:///:memory:",
+        environment="development",
+        secret_key="x" * 32,
+        multi_tenant=False,
+    )
+    # Builder will fail later (no Inertia templates, no settings module),
+    # but we already captured ``strict`` from the spy.
+    with contextlib.suppress(Exception):
+        create_app(dev)
+    assert captured.get("strict") is False, "Dev mode must pass strict=False"
+
+    # Production environment — strict must be True.
+    captured.clear()
+    prod = _prod_settings()
+    with contextlib.suppress(Exception):
+        create_app(prod)
+    assert captured.get("strict") is True, "Production mode must pass strict=True"