
Update dependencies and update code to work with new dependencies#37

Merged: koudis merged 6 commits into master from BAF-1260/update-dependencies on Feb 20, 2026

Update dependencies and update code to work with new dependencies#37
koudis merged 6 commits intomasterfrom
BAF-1260/update-dependencies

Conversation

ondrejvala2 (Contributor) commented Feb 12, 2026

Summary

  • Update all Python dependencies to their latest compatible versions (connexion 2.15.1, Flask 3.x/Werkzeug 3.x, cryptography 46.x, SQLAlchemy 2.0.46, pyjwt 2.11, httpx 0.28.1, pydantic 2.12.5, and others)
  • Remove unused keycloak-client and Flask (explicit pin) dependencies — Flask is now pulled in transitively via connexion
  • Migrate JSON encoder from deprecated FlaskJSONEncoder to Flask 3.x DefaultJSONProvider (JSONEncoderCustomJSONProvider)
  • Adapt set_cookie calls across all tests to match the Werkzeug 3.x API (removed the deprecated domain first argument)

Summary by CodeRabbit

  • Chores

    • Updated dependencies and bumped project version to 4.1.4.
    • Switched to a new JSON serialization provider.
  • Bug Fixes

    • Broadened tenant/API-key handling to accept missing/null keys and handle them gracefully.
  • Tests

    • Adjusted tenant cookie setup and scoping in test clients.
    • Improved test resource paths and test cleanup for script-related tests.
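The encoder migration the summary describes (FlaskJSONEncoder to a Flask 3.x DefaultJSONProvider whose `default` drops None-valued attributes of Model instances and delegates everything else to the parent), written out as an added example. This is not code from this PR or from fleet_management_api: the Model base class with its openapi-generator style `openapi_types`/`attribute_map` layout, the Car and Tenant models, the `_NoApp` placeholder and the stand-in base class used when Flask is not installed are all assumptions of the example, and the sample data is constructed.

```python
"""Added example: Flask 3.x JSON provider that serialises Model instances,
skipping None attributes, and defers to DefaultJSONProvider.default otherwise.
Model/Car/Tenant and the data below are constructed for illustration."""
import json

try:
    from flask.json.provider import DefaultJSONProvider
except ImportError:
    # Stand-in so the example runs without Flask installed (assumption).
    # Like the real provider, the base hook rejects unknown types with TypeError.
    class DefaultJSONProvider:
        def __init__(self, app):
            self._app = app

        def default(self, o):
            raise TypeError(f"Object of type {type(o).__name__} is not JSON serializable")


class Model:
    """Minimal stand-in for a generated API model (assumed layout): attribute
    types and the Python-name -> JSON-name map live on the class."""
    openapi_types: dict = {}
    attribute_map: dict = {}


class Tenant(Model):
    openapi_types = {"id": int, "name": str}
    attribute_map = {"id": "id", "name": "name"}

    def __init__(self, id=None, name=None):
        self.id = id
        self.name = name


class Car(Model):
    openapi_types = {"id": int, "name": str, "plate": str, "tenant": "Tenant"}
    attribute_map = {"id": "id", "name": "name", "plate": "licensePlate", "tenant": "tenant"}

    def __init__(self, id=None, name=None, plate=None, tenant=None):
        self.id = id
        self.name = name
        self.plate = plate
        self.tenant = tenant


class CustomJSONProvider(DefaultJSONProvider):
    """Replacement for the old FlaskJSONEncoder subclass; wired in with
    app.json_provider_class = CustomJSONProvider on a real Flask app."""

    def default(self, o):
        if isinstance(o, Model):
            # None attributes are always skipped (no include_nulls switch), so the
            # wire format never carries "licensePlate": null for an unset field.
            result = {}
            for attr in o.openapi_types:
                value = getattr(o, attr)
                if value is None:
                    continue
                # Nested Model values are not converted here; json.dumps calls this
                # hook again when it reaches them.
                result[o.attribute_map[attr]] = value
            return result
        return super().default(o)


class _NoApp:
    """Placeholder app object (assumption); the provider only keeps a weak reference."""


def serialize(obj, app=None) -> str:
    """Dump obj the way DefaultJSONProvider.dumps does: json.dumps with the
    provider's default hook (sort_keys mirrors the provider's default)."""
    provider = CustomJSONProvider(app if app is not None else _NoApp())
    return json.dumps(obj, default=provider.default, sort_keys=True)


def is_serializable(obj) -> bool:
    """True if the provider can encode obj, False if it raises TypeError."""
    try:
        serialize(obj)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    car = Car(id=7, name="van-1", plate=None, tenant=Tenant(id=3, name="acme"))
    print(serialize(car))
```

Dropping None collapses "attribute not set" and "attribute explicitly null" into the same wire shape; with the include_nulls switch gone, a consumer that relied on seeing `null` for a cleared field now sees the key disappear, which is worth checking in any client that diffs responses. When Flask is installed the real DefaultJSONProvider path runs, so types such as dates fall through to its hook exactly as they would in the application.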

Copilot AI review requested due to automatic review settings February 12, 2026 11:23
coderabbitai bot (Contributor) commented Feb 12, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Replaced the Flask JSON encoder with a DefaultJSONProvider-based provider, initialized the app JSON provider, made tenant-related API key parameters nullable (str | None), standardized test cookie set_cookie usage to omit explicit domain, updated dependencies, and bumped the project version.

Changes

Changes by cohort (files, then summary):

JSON Provider Migration
fleet_management_api/app.py, fleet_management_api/encoder.py
Replaced JSONEncoder with CustomJSONProvider (subclassing DefaultJSONProvider), switched app config to json_provider_class and initialized app.app.json; the provider's default now unconditionally skips None for Model instances and delegates to super().default for others.

Tenant handling (signatures & flow)
fleet_management_api/api_impl/tenants.py
Updated constructor/function signatures to accept `str | None` for the tenant API-key parameters (see the walkthrough above).

Test cookie updates
tests/_utils/setup_utils.py, tests/controllers/.../test_car_action_controller.py, tests/controllers/.../test_car_controller.py, tests/controllers/.../test_car_state_controller.py, tests/controllers/.../test_order_state_controller.py, tests/controllers/.../test_route_controller.py, tests/controllers/.../test_stop_controller.py, tests/controllers/tenant/test_tenant.py, tests/security/test_tenants_from_jwt.py
Standardized test client cookie usage by replacing three-argument set_cookie(domain, name, value) calls (commonly "localhost") with two-argument set_cookie(name, value) calls across tests and helpers, changing cookie scope in tests.

Dependencies & project metadata
requirements.txt, pyproject.toml
Updated dependency pins (bumped connexion[swagger-ui], cryptography, constrained swagger-ui-bundle, added/adjusted werkzeug, removed explicit Flask and keycloak-client entries) and bumped project version from 4.1.3 to 4.1.4.

Test script & args
tests/script_args/test_args.py
Centralized test paths and the DB_FILE constant, added setUp/tearDown cleanup for the DB file, and switched subprocess calls to use capture_output.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Suggested labels

enhancement

Suggested reviewers

  • MarioIvancik
  • jiristrouhal
🚥 Pre-merge checks: ✅ 2 passed, ❌ 1 failed

❌ Failed checks (1 warning)
  • Docstring Coverage ⚠️ Warning: docstring coverage is 5.71%, below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check ✅ Passed: check skipped because CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: the title accurately describes the main objective (updating dependencies and adapting code to work with new versions), which is reflected across all file changes.


Copilot AI left a comment
Pull request overview

Updates the project to work with newer Flask/Werkzeug/Connexion-era dependencies by modernizing JSON serialization and aligning test cookie handling with the updated Werkzeug test client API.

Changes:

  • Updated requirements.txt dependency versions and removed explicit Flask / unused Keycloak dependency pins.
  • Migrated JSON encoding from deprecated FlaskJSONEncoder to Flask 3.x DefaultJSONProvider.
  • Updated test set_cookie calls to match the Werkzeug 3.x signature.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

Summary per file:
  • requirements.txt: bumps key dependency versions and adjusts the swagger UI dependency constraint.
  • fleet_management_api/encoder.py: replaces the deprecated JSON encoder with a Flask 3.x JSON provider.
  • fleet_management_api/app.py: wires the new JSON provider into the Connexion/Flask app; updates internal test client cookie setting.
  • tests/security/test_tenants_from_jwt.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/tenant/test_tenant.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/route/test_stop_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/route/test_route_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/order/test_order_state_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/car/test_car_state_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/car/test_car_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/controllers/car/test_car_action_controller.py: updates cookie-setting calls to the new Werkzeug API.
  • tests/_utils/setup_utils.py: updates cookie-setting calls to the new Werkzeug API.


Copilot AI left a comment
Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

fleet_management_api/api_impl/tenants.py:67

  • The key parameter was changed from an empty string default to None, but the docstring still says "If left empty". Update the docstring to reflect the new None sentinel (and ideally mention that whitespace-only strings are treated as missing too).
        key: str | None = None,
        audience: str = "account",
        ignore_cookie: bool = False,
    ) -> None:
        """
        Optional arguments include:
        - `key` - a public key used for decoding a JWT token. If left empty, the public key is read using
        the `get_public_key` function from the `auth_controller` module.

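The contract the Copilot comment above asks the docstring to state, written out as an added example rather than the project's tenants.py: `key` is optional, None and a whitespace-only string both mean "not supplied", and the public key is then obtained from a loader (auth_controller.get_public_key in the project; here a caller-supplied callable). The security-relevant part is the last step: an empty key from either source is refused instead of being handed to the JWT decoder. `MissingVerificationKey`, `resolve_verification_key`, `fallback_is_rejected` and the sample key text are assumptions of this example; the key is a constructed placeholder, not a real key.

```python
"""Added example (not fleet_management_api code): resolve an optional JWT
verification key where None or whitespace-only means "use the fallback".
Names and the sample key below are constructed for illustration."""
from __future__ import annotations

from typing import Callable

# Constructed placeholder; not a real public key.
SAMPLE_PUBLIC_KEY = (
    "-----BEGIN PUBLIC KEY-----\n"
    "EXAMPLE-NOT-A-REAL-KEY\n"
    "-----END PUBLIC KEY-----\n"
)


class MissingVerificationKey(ValueError):
    """Raised when neither the caller nor the fallback supplied a usable key."""


def resolve_verification_key(
    key: str | None,
    load_default: Callable[[], str | None],
) -> str:
    """Return the public key to verify JWT signatures with.

    - `key` - a PEM public key. None or a string containing only whitespace is
      treated as "not supplied" and the key is loaded via `load_default`
      (in the project that role is played by get_public_key in auth_controller).
    - The result is never empty: an empty or whitespace-only value from the
      fallback raises MissingVerificationKey, so a misconfigured deployment
      fails closed instead of verifying tokens against "".
    """
    if key is not None and key.strip():
        return key.strip()
    default = load_default()
    if default is None or not default.strip():
        raise MissingVerificationKey(
            "no JWT public key was supplied and the fallback loader returned nothing"
        )
    return default.strip()


def fallback_is_rejected(fallback_value: str | None) -> bool:
    """True if a fallback returning `fallback_value` is refused (helper for checks)."""
    try:
        resolve_verification_key(None, lambda: fallback_value)
    except MissingVerificationKey:
        return True
    return False


if __name__ == "__main__":
    print(resolve_verification_key("   ", lambda: SAMPLE_PUBLIC_KEY))
    print(fallback_is_rejected(""))
```

Treating the empty string and None identically, and refusing an empty fallback, matters because a default of `""` that reaches a JWT library is a configuration error that can silently turn signature verification into a no-op for symmetric algorithms; raising at key-resolution time surfaces it at startup rather than at the first request.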

coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
tests/script_args/test_args.py (1)

30-30: Suppress the false-positive S603 warning with an inline noqa.

Ruff S603 flags this subprocess.run call, but RUN_CONTENT is a module-level list composed entirely of controlled constants (sys.executable, resolved file paths, fixed string literals) with shell=False (the default). There is no untrusted input path here. Add a noqa comment to suppress the noise:

🔇 Proposed inline suppression
-        process = subprocess.run(RUN_CONTENT, capture_output=True)
+        process = subprocess.run(RUN_CONTENT, capture_output=True)  # noqa: S603
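
Review bot: the `# noqa: S603` on the `subprocess.run(RUN_CONTENT, capture_output=True)` line is only as safe as the invariant it relies on, namely that RUN_CONTENT is a module-level list of constants run with shell=False, and a bare noqa does not record that invariant, so a later edit that builds the argument list from a test parameter or an environment variable keeps the suppression and loses the warning. Suggest carrying the justification in the comment, e.g. `# noqa: S603  # constant argv, shell=False`, and making RUN_CONTENT a tuple so the constant-argv reason stays visible next to the call.
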
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/script_args/test_args.py` at line 30, Add an inline Ruff S603
suppression to the subprocess.run call so the false-positive is ignored: update
the call to subprocess.run(...) (the line using subprocess.run with RUN_CONTENT)
by appending a `# noqa: S603` comment to that line, keeping the existing
arguments (capture_output=True) and preserving that RUN_CONTENT is a
module-level constant list.
requirements.txt (1)

2-2: Cap the swagger-ui-bundle constraint to avoid silent uptake of a future breaking major version.

Switching from == 0.0.9 to an unbounded >= 1.1.0 means any future 2.x or 3.x release will be installed automatically, potentially introducing breaking API changes without a deliberate review step.

♻️ Proposed tightening
-swagger-ui-bundle >= 1.1.0
+swagger-ui-bundle >= 1.1.0,<2.0.0
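
Review bot: `>= 1.1.0,<2.0.0` stops a 2.x from arriving unannounced but still lets every 1.x minor and patch float between installs, so this stays the one non-exact entry next to pins such as connexion[swagger-ui] == 2.15.1 and werkzeug == 3.1.4, and CI and production can resolve different bundles. If the goal is the deliberate review step the comment mentions, pin exactly or keep the range and freeze the resolved version in a lockfile; if the goal is to pick up swagger-ui-bundle fixes automatically, say so in a comment so the looser bound is not read as an oversight.
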
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 2, Update the swagger-ui-bundle requirement to
prevent automatic installation of future breaking major versions by changing the
constraint in requirements.txt from "swagger-ui-bundle >= 1.1.0" to a capped
range such as "swagger-ui-bundle >=1.1.0,<2.0.0" (or alternatively pin to a
specific 1.x series like "~=1.1.0"); modify the line referencing
swagger-ui-bundle so dependency tools will not pull a 2.x+ release without an
explicit deliberate change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements.txt`:
- Line 10: The requirements entry pins cryptography to 44.0.1 which is
vulnerable; update the dependency line for "cryptography" in requirements.txt to
require version >= 46.0.5 (for example "cryptography>=46.0.5,<47") so the
CVE-2026-26007 fix is included, then run your dependency install/lock step and
CI tests to ensure compatibility with the new cryptography release.
- Line 1: The requirements entry pinning "connexion[swagger-ui] == 2.15.1"
conflicts with the pinned Werkzeug 3.1.4; update requirements to resolve the
constraint by either downgrading Werkzeug to the 2.x line (e.g., change the
werkzeug pin to "werkzeug < 3") or upgrading Flask/Connexion so Flask is >=
3.1.0 (for example replace or update "connexion[swagger-ui] == 2.15.1" with a
Connexion version that depends on Flask >= 3.1.0 or explicitly pin "flask >=
3.1.0"); choose one approach and make the corresponding change in
requirements.txt so that Connexion, Flask, and Werkzeug version bounds are
mutually compatible.


sonarqubecloud bot commented

Quality Gate failed

Failed conditions
8.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

coderabbitai bot left a comment

🧹 Nitpick comments (2)
requirements.txt (2)

2-2: Consider pinning swagger-ui-bundle to an exact version for reproducible installs.

The change from == 0.0.9 to >= 1.1.0 leaves the upper bound open. Future 1.x or 2.x releases could introduce breaking changes to the serving interface that connexion 2.x uses. Pin to the tested version to avoid silent regressions across environments.

♻️ Proposed fix
-swagger-ui-bundle >= 1.1.0
+swagger-ui-bundle == 1.1.0
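
Review bot: this `== 1.1.0` suggestion contradicts the earlier review's `>= 1.1.0,<2.0.0` for the same line, so one policy needs choosing before merge. An exact pin matches the rest of requirements.txt and gives reproducible installs, at the cost that later swagger-ui-bundle releases, including fixes to the Swagger UI static assets it serves to browsers, only arrive through an explicit bump; whichever option wins, record the reason in a comment beside the line so the next dependency update does not flip it back.
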
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 2, Replace the open-ended dependency for
swagger-ui-bundle with a pinned, tested version to ensure reproducible installs
and avoid silent regressions; update the entry for swagger-ui-bundle from ">=
1.1.0" to an exact version (e.g., "==1.1.0" or the previously validated
"==0.0.9") in requirements.txt so the environment installs a known-compatible
release.

16-16: werkzeug 3.1.5 is already available — consider updating the pin.

The latest Werkzeug release is werkzeug 3.1.5 (released January 8, 2026); pinning to 3.1.4 means any bug fixes included in the patch release are not picked up.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 16, Update the pinned Werkzeug version in
requirements.txt from "werkzeug == 3.1.4" to "werkzeug == 3.1.5"; after changing
the line, run the project's dependency install and test suite (or
pip-compile/pip-sync if you use a lock/compile workflow) to ensure compatibility
and update any lockfiles accordingly.

@koudis koudis merged commit adac713 into master Feb 20, 2026
2 of 3 checks passed