Implement security hardening, notification pipeline, and CI test suite

Security hardening:

- Added IP/user rate limiting with Redis-backed counters and fail-open behavior.

- Added message anti-spam controls (per-chat rate + duplicate cooldown).

- Implemented refresh token rotation with JTI tracking and revoke support.

Notification pipeline:

- Added Celery app and async notification tasks for mention/offline delivery.

- Added Redis-based presence tracking and integrated it into realtime connect/disconnect.

- Added notification dispatch from message flow and notifications listing endpoint.

Quality gates and CI:

- Added pytest async integration tests for auth and chat/message lifecycle.

- Added pytest config, test fixtures, and GitHub Actions CI workflow.

- Fixed bcrypt/passlib compatibility by pinning bcrypt version.

- Documented worker and quality-gate commands in README.

tests/conftest.py

@@ -0,0 +1,40 @@
+import os
+import sys
+from pathlib import Path
+
+# Set test env before importing app modules.
+os.environ["POSTGRES_DSN"] = "sqlite+aiosqlite:///./test.db"
+os.environ["AUTO_CREATE_TABLES"] = "false"
+os.environ["REDIS_URL"] = "redis://localhost:6399/15"
+os.environ["SECRET_KEY"] = "test-secret-key-1234567890"
+os.environ["CELERY_TASK_ALWAYS_EAGER"] = "true"
+PROJECT_ROOT = Path(__file__).resolve().parents[1]
+sys.path.insert(0, str(PROJECT_ROOT))
+
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+from app.database.base import Base
+from app.database.session import AsyncSessionLocal, engine
+from app.main import app
+
+
+@pytest.fixture(autouse=True)
+async def reset_db() -> None:
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.drop_all)
+        await conn.run_sync(Base.metadata.create_all)
+    yield
+
+
+@pytest.fixture
+async def client() -> AsyncClient:
+    transport = ASGITransport(app=app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        yield ac
+
+
+@pytest.fixture
+async def db_session():
+    async with AsyncSessionLocal() as session:
+        yield session

tests/test_auth_flow.py

@@ -0,0 +1,69 @@
+from sqlalchemy import select
+
+from app.auth.models import EmailVerificationToken
+
+
+async def test_register_verify_login_and_me(client, db_session):
+    register_payload = {
+        "email": "alice@example.com",
+        "username": "alice",
+        "password": "strongpass123",
+    }
+    register_response = await client.post("/api/v1/auth/register", json=register_payload)
+    assert register_response.status_code == 201
+
+    login_response_before_verify = await client.post(
+        "/api/v1/auth/login",
+        json={"email": register_payload["email"], "password": register_payload["password"]},
+    )
+    assert login_response_before_verify.status_code == 403
+
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+
+    verify_response = await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+    assert verify_response.status_code == 200
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": register_payload["email"], "password": register_payload["password"]},
+    )
+    assert login_response.status_code == 200
+    token_data = login_response.json()
+    assert "access_token" in token_data
+    assert "refresh_token" in token_data
+
+    me_response = await client.get(
+        "/api/v1/auth/me",
+        headers={"Authorization": f"Bearer {token_data['access_token']}"},
+    )
+    assert me_response.status_code == 200
+    me_data = me_response.json()
+    assert me_data["email"] == "alice@example.com"
+    assert me_data["email_verified"] is True
+
+
+async def test_refresh_token_rotation(client, db_session):
+    payload = {
+        "email": "bob@example.com",
+        "username": "bob",
+        "password": "strongpass123",
+    }
+    await client.post("/api/v1/auth/register", json=payload)
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    refresh_token = login_response.json()["refresh_token"]
+
+    refresh_response = await client.post("/api/v1/auth/refresh", json={"refresh_token": refresh_token})
+    assert refresh_response.status_code == 200
+    rotated_refresh_token = refresh_response.json()["refresh_token"]
+    assert rotated_refresh_token != refresh_token
+
+    old_refresh_reuse = await client.post("/api/v1/auth/refresh", json={"refresh_token": refresh_token})
+    assert old_refresh_reuse.status_code == 401

tests/test_chat_message_flow.py

@@ -0,0 +1,61 @@
+from sqlalchemy import select
+
+from app.auth.models import EmailVerificationToken
+from app.chats.models import ChatType
+
+
+async def _create_verified_user(client, db_session, email: str, username: str, password: str) -> dict:
+    await client.post(
+        "/api/v1/auth/register",
+        json={"email": email, "username": username, "password": password},
+    )
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+    login_response = await client.post("/api/v1/auth/login", json={"email": email, "password": password})
+    return login_response.json()
+
+
+async def test_private_chat_message_lifecycle(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "u1@example.com", "user_one", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "u2@example.com", "user_two", "strongpass123")
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+
+    create_chat_response = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_response.status_code == 200
+    chat_id = create_chat_response.json()["id"]
+
+    send_message_response = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "hello @user_two"},
+    )
+    assert send_message_response.status_code == 201
+    message_id = send_message_response.json()["id"]
+
+    list_messages_response = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert list_messages_response.status_code == 200
+    assert len(list_messages_response.json()) == 1
+
+    edit_message_response = await client.put(
+        f"/api/v1/messages/{message_id}",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"text": "edited text"},
+    )
+    assert edit_message_response.status_code == 200
+    assert edit_message_response.json()["text"] == "edited text"
+
+    delete_message_response = await client.delete(
+        f"/api/v1/messages/{message_id}",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+    )
+    assert delete_message_response.status_code == 204