test: add Cortex test suite (77 tests, no LLM calls)

Tests cover:
  - Smoke: /health, /auth/status, /distill/status (test_health.py)
  - Persona validation: path traversal, bad names, list_personas (test_persona.py)
  - Chat API: persona routing, session persistence, error handling (test_api_chat.py)
  - Files API: ALLOWED set enforcement, read/write, missing files (test_api_files.py)
  - Webhooks: NC Talk HMAC accept/reject, Google Chat JWT (test_webhooks.py)
  - Tools: scratch read/write/append/clear, tasks CRUD, cron parser + tools (test_tools.py)
  - Security: path traversal, replay attack, known gaps documented (test_security.py)

All LLM calls mocked — suite runs in ~1.4s.
Run: cd cortex && .venv/bin/pytest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/tests/test_security.py

@@ -0,0 +1,126 @@
+"""
+Security-focused tests — what should be blocked or rejected.
+
+These document the current security posture and will catch regressions.
+Tests marked 'known_gap' document real issues that are not yet fixed;
+they assert the current (insecure) behaviour so we notice when it changes.
+"""
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# Path traversal
+# ---------------------------------------------------------------------------
+
+@pytest.mark.anyio
+async def test_files_no_path_traversal_in_filename(client):
+    """File endpoint must not serve files outside the ALLOWED set."""
+    dangerous = [
+        "../config.py",
+        "../../etc/passwd",
+        "SOUL.md/../config.py",
+        ".env",
+        "TASKS.json",
+        "CRONS.json",
+    ]
+    for name in dangerous:
+        r = await client.get(f"/files/{name}")
+        assert r.status_code in (404, 422), \
+            f"Expected 404/422 for {name!r}, got {r.status_code}"
+
+
+@pytest.mark.anyio
+async def test_persona_traversal_blocked_in_chat(client, mock_llm):
+    """Path traversal in persona name must be rejected before any file access."""
+    for bad in ("../inara", "../../etc", "inara/../inara", "inara\x00extra"):
+        r = await client.post("/chat", json={"message": "hi", "persona": bad})
+        assert r.status_code == 200  # SSE stream, not HTTP error
+        import json
+        for line in r.text.splitlines():
+            if line.startswith("data: "):
+                event = json.loads(line[6:])
+                if event.get("type") == "error":
+                    break
+        else:
+            pytest.fail(f"Expected error event for persona={bad!r}, got: {r.text[:200]}")
+
+
+@pytest.mark.anyio
+async def test_orchestrate_path_traversal(client, mock_llm):
+    r = await client.post("/orchestrate", json={"task": "hi", "persona": "../../etc"})
+    assert r.status_code == 400
+
+
+# ---------------------------------------------------------------------------
+# Signature verification
+# ---------------------------------------------------------------------------
+
+@pytest.mark.anyio
+async def test_nct_replayed_request_rejected(client):
+    """A request with correct format but wrong HMAC should always be rejected."""
+    import json, hashlib, hmac as hmac_lib
+    payload = json.dumps({"type": "Create", "actor": {}, "object": {}, "target": {}}).encode()
+    # Use wrong secret to generate sig
+    wrong_sig = hmac_lib.new(b"wrong-secret", b"abc123" + payload, hashlib.sha256).hexdigest()
+    from unittest.mock import patch
+    with patch("config.settings.nextcloud_talk_bot_secret", "correct-secret"):
+        r = await client.post(
+            "/inara-nextcloud-talk-webhook",
+            content=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-Nextcloud-Talk-Random": "abc123",
+                "X-Nextcloud-Talk-Signature": wrong_sig,
+            },
+        )
+    assert r.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# Known gaps — document current behaviour, alert when it changes
+# ---------------------------------------------------------------------------
+
+@pytest.mark.anyio
+async def test_known_gap__distill_no_app_auth(client):
+    """
+    KNOWN GAP: /distill/* has no app-layer auth.
+    Anyone reaching port 8000 directly can trigger LLM calls and overwrite memory.
+    Protection is currently nginx-only.
+    This test documents the current state — update when app-layer auth is added.
+    """
+    r = await client.get("/distill/status")
+    assert r.status_code == 200  # currently open
+
+
+@pytest.mark.anyio
+async def test_known_gap__files_put_no_app_auth(client):
+    """
+    KNOWN GAP: PUT /files/{filename} has no app-layer auth.
+    Overwriting SOUL.md or IDENTITY.md changes agent behavior.
+    Protection is currently nginx-only.
+    """
+    r = await client.put("/files/PROTOCOLS.md", json={"content": "# Modified"})
+    assert r.status_code == 200  # currently open
+
+
+@pytest.mark.anyio
+async def test_known_gap__gchat_no_audience_bypass(client, mock_llm):
+    """
+    KNOWN GAP: Google Chat JWT verification is silently skipped when
+    GOOGLE_CHAT_AUDIENCE is empty (the default). Anyone can POST and get
+    LLM responses without a valid token.
+    Fix: make audience required; fail loudly if not set.
+    """
+    from unittest.mock import patch
+    with patch("config.settings.google_chat_audience", ""):
+        r = await client.post("/channels/google-chat", json={
+            "chat": {
+                "messagePayload": {
+                    "message": {"text": "Exploit"},
+                    "space": {"name": "spaces/x", "type": "DM"},
+                },
+                "user": {"displayName": "Attacker"},
+            }
+        })
+    # This currently succeeds — it should not when audience is unconfigured
+    assert r.status_code == 200  # documents the gap