feat: implement 15 production items (SSE, security, observability, features, infra)

Performance:
- SSE dashboard streaming endpoint (GET /v1/admin/status/stream)
- Web Worker for markdown rendering (offload from main thread)
- IndexedDB chat persistence (replace localStorage, 500msg support)

Security:
- CSRF protection middleware (Origin/Referer validation)
- Content Security Policy + security headers middleware
- API key rotation endpoint (POST /v1/admin/keys/rotate)

Observability:
- OpenTelemetry tracing with graceful NoOp fallback
- Structured error codes (FAGI-xxxx taxonomy with ErrorResponse schema)
- Audit log export (CSV + JSON at /v1/admin/audit/export/*)

Features:
- Multi-session management hook (parallel conversations)
- Conversation export (markdown/JSON/text download + clipboard)
- Head customization UI (enable/disable + weight sliders for 12 heads)

Infrastructure:
- Kubernetes Helm chart (Deployment, Service, HPA, Ingress)
- Database migration versioning (generate, verify commands)
- Blue-green deployment manifests (color-based traffic switching)

Tests: 598 Python + 56 frontend = 654 total, 0 ruff errors
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>

tests/test_audit_export.py

@@ -0,0 +1,22 @@
+"""Tests for audit log export functionality."""
+
+from fusionagi.api.routes.audit_export import _get_audit_records
+
+
+def test_get_audit_records_empty():
+    """Should return empty list when no tracer is available."""
+    records = _get_audit_records()
+    assert isinstance(records, list)
+
+
+def test_get_audit_records_with_limit():
+    """Should respect limit parameter."""
+    records = _get_audit_records(limit=5)
+    assert len(records) <= 5
+
+
+def test_get_audit_records_with_since():
+    """Should filter by timestamp."""
+    import time
+    records = _get_audit_records(since=time.time() + 1000)
+    assert len(records) == 0

tests/test_dashboard_sse.py

@@ -0,0 +1,20 @@
+"""Tests for SSE dashboard streaming endpoint."""
+
+from fusionagi.api.routes.dashboard_sse import _get_system_snapshot
+
+
+def test_system_snapshot_format():
+    """Snapshot should contain all expected fields."""
+    snapshot = _get_system_snapshot()
+    assert snapshot["status"] == "healthy"
+    assert "uptime_seconds" in snapshot
+    assert "active_agents" in snapshot
+    assert "memory_usage_mb" in snapshot
+    assert "timestamp" in snapshot
+    assert isinstance(snapshot["timestamp"], float)
+
+
+def test_system_snapshot_memory():
+    """Memory usage should be a positive number."""
+    snapshot = _get_system_snapshot()
+    assert snapshot["memory_usage_mb"] > 0

tests/test_error_codes.py

@@ -0,0 +1,38 @@
+"""Tests for structured error codes."""
+
+from fusionagi.api.error_codes import (
+    ErrorCode,
+    error_json_response,
+    error_response,
+)
+
+
+def test_error_codes_unique():
+    """All error codes should have unique values."""
+    values = [e.value for e in ErrorCode]
+    assert len(values) == len(set(values))
+
+
+def test_error_response_basic():
+    """error_response should return structured dict."""
+    resp = error_response(ErrorCode.AUTH_MISSING)
+    assert resp["error"]["code"] == "FAGI-1001"
+    assert "Authentication" in resp["error"]["message"]
+
+
+def test_error_response_custom_detail():
+    """Custom detail should override default message."""
+    resp = error_response(ErrorCode.INTERNAL_ERROR, detail="Custom error")
+    assert resp["error"]["message"] == "Custom error"
+
+
+def test_error_response_extra():
+    """Extra data should appear in details."""
+    resp = error_response(ErrorCode.INPUT_INVALID, extra={"field": "prompt"})
+    assert resp["error"]["details"]["field"] == "prompt"
+
+
+def test_error_json_response():
+    """error_json_response should return a JSONResponse."""
+    r = error_json_response(ErrorCode.SESSION_NOT_FOUND, status_code=404)
+    assert r.status_code == 404

tests/test_key_rotation.py

@@ -0,0 +1,22 @@
+"""Tests for API key rotation endpoint."""
+
+from fusionagi.api.routes.key_rotation import _generate_key
+
+
+def test_generate_key_format():
+    """Generated keys should have the expected prefix and length."""
+    key = _generate_key()
+    assert key.startswith("fagi_")
+    assert len(key) > 20
+
+
+def test_generate_key_uniqueness():
+    """Each generated key should be unique."""
+    keys = {_generate_key() for _ in range(100)}
+    assert len(keys) == 100
+
+
+def test_generate_key_custom_prefix():
+    """Custom prefix should be used."""
+    key = _generate_key(prefix="test")
+    assert key.startswith("test_")

tests/test_migration_runner.py

@@ -0,0 +1,34 @@
+"""Tests for the migration runner."""
+
+from migrations.migrate import get_applied, get_connection, migrate_down, migrate_up, verify
+
+
+def test_migrate_up_and_status(tmp_path):
+    """Should apply all migrations and track them."""
+    db_path = str(tmp_path / "test.db")
+    count = migrate_up(db_path)
+    assert count >= 2  # At least the 2 existing migrations
+
+    conn = get_connection(db_path)
+    applied = get_applied(conn)
+    assert "001_initial_schema" in applied
+    assert "002_add_sessions_and_audit" in applied
+
+
+def test_migrate_down(tmp_path):
+    """Should rollback the last migration."""
+    db_path = str(tmp_path / "test.db")
+    migrate_up(db_path)
+    result = migrate_down(db_path)
+    assert result is True
+
+    conn = get_connection(db_path)
+    applied = get_applied(conn)
+    assert "002_add_sessions_and_audit" not in applied
+    assert "001_initial_schema" in applied
+
+
+def test_verify():
+    """Verify should apply migrations to a temp DB cleanly."""
+    result = verify()
+    assert result is True

tests/test_otel.py

@@ -0,0 +1,39 @@
+"""Tests for OpenTelemetry tracing (graceful fallback)."""
+
+from fusionagi.api.otel import NoOpSpan, NoOpTracer, get_tracer, trace_span
+
+
+def test_noop_span():
+    """NoOpSpan operations should be safe no-ops."""
+    span = NoOpSpan()
+    span.set_attribute("key", "value")
+    span.set_status(None)
+    span.record_exception(Exception("test"))
+    span.end()
+
+
+def test_noop_tracer():
+    """NoOpTracer should return NoOpSpan."""
+    tracer = NoOpTracer()
+    span = tracer.start_span("test")
+    assert isinstance(span, NoOpSpan)
+
+
+def test_noop_context_manager():
+    """NoOpTracer context manager should work."""
+    tracer = NoOpTracer()
+    with tracer.start_as_current_span("test") as span:
+        assert isinstance(span, NoOpSpan)
+        span.set_attribute("key", "value")
+
+
+def test_get_tracer_returns_tracer():
+    """get_tracer should return a tracer (NoOp when otel not installed)."""
+    tracer = get_tracer()
+    assert tracer is not None
+
+
+def test_trace_span_context_manager():
+    """trace_span should work as a context manager."""
+    with trace_span("test_span", attributes={"key": "value"}) as span:
+        assert span is not None

tests/test_security_middleware.py

@@ -0,0 +1,17 @@
+"""Tests for CSRF and CSP security middleware."""
+
+from fusionagi.api.security import get_csp_middleware, get_csrf_middleware
+
+
+def test_csrf_middleware_class():
+    """CSRF middleware should be a valid class."""
+    cls = get_csrf_middleware()
+    assert cls is not None
+    assert cls.__name__ == "CSRFMiddleware"
+
+
+def test_csp_middleware_class():
+    """CSP middleware should be a valid class."""
+    cls = get_csp_middleware()
+    assert cls is not None
+    assert cls.__name__ == "CSPMiddleware"