Implement security hardening, notification pipeline, and CI test suite

Security hardening:

- Added IP/user rate limiting with Redis-backed counters and fail-open behavior.

- Added message anti-spam controls (per-chat rate + duplicate cooldown).

- Implemented refresh token rotation with JTI tracking and revoke support.

Notification pipeline:

- Added Celery app and async notification tasks for mention/offline delivery.

- Added Redis-based presence tracking and integrated it into realtime connect/disconnect.

- Added notification dispatch from message flow and notifications listing endpoint.

Quality gates and CI:

- Added pytest async integration tests for auth and chat/message lifecycle.

- Added pytest config, test fixtures, and GitHub Actions CI workflow.

- Fixed bcrypt/passlib compatibility by pinning bcrypt version.

- Documented worker and quality-gate commands in README.

app/messages/service.py

@@ -4,13 +4,16 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from app.chats.service import ensure_chat_membership
 from app.messages import repository
 from app.messages.models import Message
+from app.messages.spam_guard import enforce_message_spam_policy
 from app.messages.schemas import MessageCreateRequest, MessageUpdateRequest
+from app.notifications.service import dispatch_message_notifications
 
 
 async def create_chat_message(db: AsyncSession, *, sender_id: int, payload: MessageCreateRequest) -> Message:
     await ensure_chat_membership(db, chat_id=payload.chat_id, user_id=sender_id)
     if payload.type.value == "text" and not (payload.text and payload.text.strip()):
         raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail="Text message cannot be empty")
+    await enforce_message_spam_policy(user_id=sender_id, chat_id=payload.chat_id, text=payload.text)
 
     message = await repository.create_message(
         db,
@@ -21,6 +24,11 @@ async def create_chat_message(db: AsyncSession, *, sender_id: int, payload: Mess
     )
     await db.commit()
     await db.refresh(message)
+    try:
+        await dispatch_message_notifications(db, message)
+    except Exception:
+        # Notifications should not block message delivery.
+        pass
     return message
 
 

app/messages/spam_guard.py

@@ -0,0 +1,37 @@
+import hashlib
+
+from fastapi import HTTPException, status
+from redis.exceptions import RedisError
+
+from app.config.settings import settings
+from app.utils.redis_client import get_redis_client
+
+
+def _hash_text(text: str) -> str:
+    return hashlib.sha256(text.encode("utf-8")).hexdigest()
+
+
+async def enforce_message_spam_policy(*, user_id: int, chat_id: int, text: str | None) -> None:
+    redis = get_redis_client()
+    rate_key = f"spam:msg_rate:{user_id}:{chat_id}"
+    try:
+        count = await redis.incr(rate_key)
+        if count == 1:
+            await redis.expire(rate_key, 60)
+        if count > settings.message_rate_limit_per_minute:
+            raise HTTPException(
+                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+                detail="Message rate limit exceeded for this chat.",
+            )
+
+        normalized = (text or "").strip()
+        if normalized:
+            dup_key = f"spam:dup:{user_id}:{chat_id}:{_hash_text(normalized)}"
+            if await redis.exists(dup_key):
+                raise HTTPException(
+                    status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+                    detail="Duplicate message cooldown is active.",
+                )
+            await redis.set(dup_key, "1", ex=settings.duplicate_message_cooldown_seconds)
+    except RedisError:
+        return