fix(api.auth): pass ctx.env_file to AuthSettings

[olivermeyer]

Passing the context's env_file to the AuthSettings so it can use env files.

[claude]

Claude finished @olivermeyer's task in 2m 19s —— View job

---

Code Review Complete ✓

Reviewing PR #51: fix(api.auth): pass ctx.env_file to AuthSettings

---

Summary

This PR correctly implements env file support for AuthSettings by passing ctx.env_file from the active FoundryContext to the parent OpaqueSettings constructor. The change is well-implemented with appropriate test coverage.

Review Findings

✅ Approvals

Code Quality

• Clean implementation that avoids calling get_context() twice
• Type-safe: ctx.env_file (list[Path]) is compatible with pydantic-settings _env_file parameter
• No breaking changes - purely additive functionality
• Follows project code style and conventions

Testing

• ✅ Proper test marker (@pytest.mark.integration)
• ✅ 100% coverage on new code (verified by SonarQube)
• ✅ Test properly isolates state using tmp_path and monkeypatch
• ✅ Test follows AAA pattern and has clear docstring

Documentation

• AGENTS.md updated to reflect the change
• Docstring updated to mention env files

Security & Performance

• No security concerns
• Minimal performance impact
• No new external dependencies

Commit Message

• Follows conventional commits format: fix(api.auth): ...

💡 Suggestions (Optional Improvements)

1. Docstring Enhancement

Consider expanding the docstring to clarify the precedence order:

Location: src/aignostics_foundry_core/api/auth.py:34-42

Current:

"""Auth settings whose env prefix and env files are derived from the active FoundryContext.

The effective prefix is ``{FoundryContext.env_prefix}AUTH_`` and the env files are
``FoundryContext.env_file``, both resolved at instantiation time via
:func:`aignostics_foundry_core.foundry.get_context`.

Both ``internal_org_id`` and ``auth0_role_claim`` are required — they must be
provided via environment variables or ``.env`` files (no defaults).
"""

Suggestion: Add a note about precedence:

"""Auth settings whose env prefix and env files are derived from the active FoundryContext.

The effective prefix is ``{FoundryContext.env_prefix}AUTH_`` and the env files are
``FoundryContext.env_file``, both resolved at instantiation time via
:func:`aignostics_foundry_core.foundry.get_context`.

Both ``internal_org_id`` and ``auth0_role_claim`` are required — they must be
provided via environment variables or ``.env`` files (no defaults).

Note:
    Environment variables take precedence over values in ``.env`` files
    (standard pydantic-settings behavior).
"""

Why: Makes the configuration precedence explicit for users.

---

Conclusion

Recommendation: ✅ Approve and merge

This is a clean, well-tested implementation that adds env file support to AuthSettings without breaking existing functionality. The code follows all project standards:

• ✅ SonarQube quality gate passed
• ✅ 100% test coverage on new code
• ✅ Proper test markers (integration)
• ✅ No security issues
• ✅ Conventional commit message
• ✅ Documentation updated

The optional docstring suggestion is a minor enhancement that can be addressed in a follow-up if desired, but is not blocking.

Note: I cannot run mise run lint or tests myself due to permissions, but based on the SonarQube report showing all checks passed, the code meets quality standards. The author should verify that mise run lint && mise run test_unit && mise run test_integration all pass locally before merging.

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines	Coverage Δ
src/aignostics_foundry_core/api/auth.py	100.00% <100.00%> (ø)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud