feat: harden gateway with policy engine, secure tools, and governance docs

tests/conftest.py

@@ -1,13 +1,16 @@
 """Pytest configuration and fixtures."""
 
+from collections.abc import Generator
 from pathlib import Path
-from typing import Generator
 
 import pytest
 
 from aegis_gitea_mcp.audit import reset_audit_logger
 from aegis_gitea_mcp.auth import reset_validator
 from aegis_gitea_mcp.config import reset_settings
+from aegis_gitea_mcp.observability import reset_metrics_registry
+from aegis_gitea_mcp.policy import reset_policy_engine
+from aegis_gitea_mcp.rate_limit import reset_rate_limiter
 
 
 @pytest.fixture(autouse=True)
@@ -17,6 +20,9 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
     reset_settings()
     reset_audit_logger()
     reset_validator()
+    reset_policy_engine()
+    reset_rate_limiter()
+    reset_metrics_registry()
 
     # Use temporary directory for audit logs in tests
     audit_log_path = tmp_path / "audit.log"
@@ -28,6 +34,9 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
     reset_settings()
     reset_audit_logger()
     reset_validator()
+    reset_policy_engine()
+    reset_rate_limiter()
+    reset_metrics_registry()
 
 
 @pytest.fixture
@@ -35,6 +44,9 @@ def mock_env(monkeypatch: pytest.MonkeyPatch) -> None:
     """Set up mock environment variables for testing."""
     monkeypatch.setenv("GITEA_URL", "https://gitea.example.com")
     monkeypatch.setenv("GITEA_TOKEN", "test-token-12345")
-    monkeypatch.setenv("MCP_HOST", "0.0.0.0")
+    monkeypatch.setenv("ENVIRONMENT", "test")
+    monkeypatch.setenv("MCP_HOST", "127.0.0.1")
     monkeypatch.setenv("MCP_PORT", "8080")
     monkeypatch.setenv("LOG_LEVEL", "DEBUG")
+    monkeypatch.setenv("MCP_API_KEYS", "a" * 64)
+    monkeypatch.setenv("STARTUP_VALIDATE_GITEA", "false")