fix: Comprehensive test fixes after PYTHONPATH removal from Makefile (#506)

* refactor: Move Poetry configuration to project root for cleaner monorepo structure

## Summary
Move pyproject.toml and poetry.lock from backend/ to project root to centralize
Python dependency management and fix virtual environment accessibility issues.

## Changes

### Poetry Configuration (Moved)
- backend/pyproject.toml → pyproject.toml
- backend/poetry.lock → poetry.lock

### Makefile (100+ lines across 20+ targets)
- Changed VENV_DIR from backend/.venv to .venv
- Updated all Poetry commands to run from project root with PYTHONPATH=backend
- Added venv dependency to local-dev-backend and local-dev-all targets
- Updated build targets to use project root as Docker build context
- Updated all test targets (atomic, unit, integration, e2e)
- Updated code quality targets (lint, format, security-check, coverage)
- Fixed clean target to reference root-level paths

### CI/CD Workflows (5 files)
- poetry-lock-check.yml: Updated paths and removed cd backend commands
- 01-lint.yml: Removed working-directory, updated all tool paths
- 04-pytest.yml: Updated cache keys and test commands
- 05-ci.yml: Updated dependency installation commands
- makefile-testing.yml: Updated test execution paths

### Docker Configuration
- backend/Dockerfile.backend: Updated COPY commands for new build context
- docker-compose.dev.yml: Changed context from ./backend to . + fixed indentation

## Benefits
- Single source of truth for Python dependencies at project root
- Simplified virtual environment management (.venv/ at root)
- Consistent build context across all tools (Makefile, docker-compose, CI/CD)
- Better monorepo structure for future frontend/backend separation
- Fixes dependency accessibility issues (e.g., docling import errors)

## Breaking Changes
Developers need to:
1. Remove old venv: rm -rf backend/.venv
2. Create new venv: make venv
3. Update IDE Python interpreter from backend/.venv to .venv

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): add cache-bust ARG to invalidate stale Docker layers

When poetry files were moved from backend/ to project root, Docker cached
layers still referenced the old file structure. Adding an ARG before the
COPY command forces Docker to invalidate the cache at this layer.

Fixes CI build failure in PR #501.

* fix(docker): Update Dockerfiles and workflows for Poetry root migration

Fixes #502 - Update all Docker and CI/CD references after moving Poetry
config from backend/ to project root (Issue #501).

Changes:
1. **Dockerfiles** (backend/Dockerfile.backend, Dockerfile.codeengine):
   - Add POETRY_ROOT_MIGRATION cache-bust ARG to both stages
   - Update COPY commands to reference pyproject.toml and poetry.lock from project root
   - Move poetry.lock copy alongside pyproject.toml for consistency
   - Add explanatory comments about Issue #501 migration

2. **GitHub Actions Workflows**:
   - Update 05-ci.yml: Fix poetry cache key to use 'poetry.lock' instead of 'backend/poetry.lock'
   - Update 03-build-secure.yml: Change backend context from 'backend' to '.' for correct file resolution

3. **PyTorch Version Update**:
   - Upgrade torch from 2.5.0+cpu to 2.6.0+cpu
   - Upgrade torchvision from 0.20.0+cpu to 0.21.0+cpu
   - Reason: 2.5.0+cpu not available for ARM64 architecture
   - New versions are compatible with both ARM64 and x86_64

4. **Secret Management**:
   - Add pragma: allowlist secret comments to test secrets in 05-ci.yml
   - Prevents false positives in detect-secrets pre-commit hook

Impact:
- Fixes failing CI/CD test: TestMakefileTargetsDirect.test_make_build_backend_minimal
- Docker builds now correctly find pyproject.toml and poetry.lock at project root
- Maintains compatibility with both local development (ARM64) and CI (x86_64)
- GitHub Actions workflows correctly cache Poetry dependencies

Testing:
- Docker build context validated
- All references to backend/pyproject.toml and backend/poetry.lock removed
- Cache keys updated to match new file locations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Comprehensive test fixes after PYTHONPATH removal from Makefile

This commit addresses all test failures that occurred after removing PYTHONPATH
from the Makefile, ensuring clean separation between backend and root directories.

Test Results: 1,508 unit + 177 atomic + 126 integration = 1,811 passing tests

Changes:
- Import path fixes (relative imports after PYTHONPATH removal)
- Test logic fixes (3 files updated to match service behavior)
- Pydantic V2 migration (removed deprecated json_encoders)
- Atomic test configuration (pytest-atomic.ini moved to root)
- Integration test fixes (removed backend. prefix from patches)
- Configuration updates (pre-commit, markdownlint, secrets baseline)

Related: Poetry root migration (branch: refactor/poetry-to-root-clean)

* fix(ci): Exclude playwright tests from pytest collection

Playwright tests require the playwright package which is not in project dependencies.
Added norecursedirs to exclude tests/playwright from test collection.

This fixes CI failure: ModuleNotFoundError: No module named 'playwright'

* fix(tests): Fix 5 failing unit tests in CI

Fixed test issues after PYTHONPATH removal:

1. test_audio_storage.py - Removed Path mocking, test actual behavior
   - Test now verifies default path creation instead of mock interaction

2-5. test_conversation_message_repository.py - Fixed schema mocking
   - Patched from_db_message at schema module level, not repository
   - Added proper refresh mock to set required fields (id, created_at)
   - All 4 failing tests now pass

Tests passing locally:
- test_initialization_with_default_path
- test_create_message_success
- test_create_message_integrity_error
- test_get_by_id_success
- test_get_by_id_not_found

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(tests): Fix Docker build test after Poetry root migration

Updated test to copy pyproject.toml and poetry.lock from project root
instead of backend/ directory.

Changes:
- Added pyproject.toml and poetry.lock to root files_to_copy list
- Removed these files from backend_files list
- Added comment explaining Poetry root migration (Issue #501)

This fixes the Docker build failure:
  ERROR: failed to compute cache key: "/pyproject.toml": not found

Root cause: Makefile test was copying Poetry files from backend/ but
they've been moved to project root in the Poetry migration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Comprehensive CI/CD fixes for PR #506

- Remove PYTHONPATH from GitHub Actions workflows (pyproject.toml handles it)
- Fix pytest collection to use tests/unit/ instead of marker filtering (1508 tests)
- Fix Dockerfile torchvision installation (use PyPI version, not +cpu)
- Install PyTorch CPU wheels BEFORE Poetry to prevent CUDA builds (saves 6GB disk space)
- Normalize import paths in vectordb stores and service layer
- Remove obsolete test_docling_processor.py (644 lines deleted)
- Update tests to use correct package paths

Fixes:
- GitHub Actions pytest workflow now runs all 1508 unit tests
- Docker build no longer runs out of disk space
- Makefile direct tests pass
- All local tests pass (verified with poetry run pytest)

* fix(docker): Update Dockerfile comments for clarity

Updated comments in Dockerfile to better explain the PyTorch CPU-only
installation process. No functional changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): Use Docling's approach for CPU-only PyTorch installation

Simplified PyTorch CPU-only installation by using PIP_EXTRA_INDEX_URL
environment variable, matching Docling's official Docker approach.

Changes:
- Removed complex multi-step PyTorch installation
- Use PIP_EXTRA_INDEX_URL=https://download.pytorch.org/whl/cpu
- Single Poetry install command installs all deps with CPU-only PyTorch
- Saves ~6GB vs CUDA version

This approach is officially recommended by Docling project:
https://github.com/docling-project/docling/blob/main/Dockerfile

Root cause: poetry.lock has PyTorch 2.8.0 (CUDA). Setting extra-index-url
during poetry install ensures CPU-only wheels are used instead.

Fixes: https://github.com/manavgup/rag_modulo/actions/runs/18861121839
Issue: #506

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): Bust Docker cache to force CPU-only PyTorch rebuild

Updated CACHE_BUST ARG from 20251027 to 20251028 to invalidate Docker
layer cache and force rebuild with PIP_EXTRA_INDEX_URL for CPU-only PyTorch.

Issue: Even though Dockerfile was fixed to use CPU-only PyTorch, Docker
was using cached layers from previous builds that had CUDA PyTorch.

Solution: Change CACHE_BUST ARG value to force all layers after it to
rebuild, ensuring the poetry install step uses the CPU-only index.

Related: #506

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): Actually use CACHE_BUST ARG to invalidate cache

Added RUN command that references CACHE_BUST ARG to force Docker to
invalidate cache and rebuild subsequent layers.

Issue: ARG was declared but never used, so Docker continued using
cached layers with CUDA PyTorch.

Fix: Added 'RUN echo "Cache bust: $CACHE_BUST"' which forces Docker
to execute this layer whenever CACHE_BUST value changes, invalidating
all subsequent cached layers including poetry install.

Related: #506

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): Use pip with CPU-only PyTorch index to bypass poetry.lock

**Problem**: PR #506 CI failing with "no space left on device" due to
NVIDIA CUDA libraries (~6-8GB) being installed from poetry.lock.

**Root Cause**: poetry.lock has torch==2.8.0 (CUDA version) with NVIDIA
dependencies as transitive deps for Linux systems. Even with
PIP_EXTRA_INDEX_URL set, `poetry install` installs exactly what's in
poetry.lock, ignoring the extra index.

**Solution**: Use pip install directly to bypass poetry.lock and install
dependencies from pyproject.toml with CPU-only PyTorch index. This matches
Docling's official Docker approach.

**Changes**:
- Copy backend/ directory before pip install (needed for -e .)
- Use pip install -e . with --extra-index-url for CPU-only PyTorch
- Bypasses poetry.lock entirely, resolving deps from pyproject.toml
- Reduces image size by ~6-8GB (NVIDIA libs not installed)

**Testing**: Will validate in CI that NVIDIA libraries are not installed.

Related: #506, #507

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(docker): Install dependencies from pyproject.toml bypassing poetry.lock

**Problem**: Previous fix failed because pyproject.toml has package-mode=false,
which prevents editable install with `pip install -e .`.

**Solution**: Extract dependencies from pyproject.toml and install them directly
with pip using CPU-only PyTorch index. This approach:
- Bypasses poetry.lock completely
- Installs CPU-only PyTorch from https://download.pytorch.org/whl/cpu
- Works with package-mode=false
- Matches Docling's Docker approach

**Changes**:
- Extract dependencies using tomllib from pyproject.toml
- Install each dependency with pip --extra-index-url
- Removed editable install (-e .) which doesn't work with package-mode=false

Related: #506

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: manavgup <manavg@gmail.com>

* fix(docker): Normalize dependency strings to handle spaces and parentheses

**Problem**: Dependencies like "psutil (>=7.0.0,<8.0.0)" were being split by
xargs into separate arguments, causing pip to fail with "Invalid requirement".

**Root Cause**: pyproject.toml uses format with spaces before parentheses
(e.g., "psutil (>=7.0.0,<8.0.0)"). When piped through xargs, the space
causes splitting into "psutil" and "(>=7.0.0,<8.0.0)", which pip treats
as invalid.

**Solution**: Normalize dependency strings by removing spaces and parentheses:
- "psutil (>=7.0.0,<8.0.0)" -> "psutil>=7.0.0,<8.0.0"
- "docling (>=2.0.0)" -> "docling>=2.0.0"

**Benefits**:
- Maintains all version constraints correctly
- Works with xargs without quoting issues
- Still bypasses poetry.lock for CPU-only PyTorch

Related: #506

Signed-off-by: Manav Gupta <manavgup@ca.ibm.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Signed-off-by: manavgup <manavg@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: manavgup

.github/workflows/01-lint.yml

@@ -1,6 +1,6 @@
 name: Lint & Static Analysis
 
-# This workflow uses tool versions and configurations from backend/pyproject.toml
+# This workflow uses tool versions and configurations from pyproject.toml (project root)
 # All linting tools (Ruff, MyPy, Pylint, Pydocstyle) reference pyproject.toml as single source of truth
 # Tool versions: Ruff ^0.14.0, MyPy ^1.15.0, Pylint ^3.3.8, Pydocstyle ^6.3.0
 
@@ -119,48 +119,44 @@ jobs:
             blocking: true
             cmd: |
               pip install toml
-              python -c "import toml; toml.load(open('backend/pyproject.toml'))"
+              python -c "import toml; toml.load(open('pyproject.toml'))"
 
           # Python backend linting (blocking) - Check ALL backend Python files
           - id: ruff
             name: "Ruff (Lint + Format)"
-            working-directory: backend
             blocking: true
             cmd: |
               pip install poetry
               poetry install --only dev
               echo "Running Ruff linting..."
-              poetry run ruff check . --config pyproject.toml
+              poetry run ruff check backend --config pyproject.toml
               echo "Running Ruff formatting check..."
-              poetry run ruff format --check . --config pyproject.toml
+              poetry run ruff format --check backend --config pyproject.toml
 
           # Python type/quality checking (non-blocking / informational)
           - id: mypy
             name: "MyPy Type Check (Informational)"
-            working-directory: backend
             blocking: false
             cmd: |
               pip install poetry
               poetry install --only dev
-              poetry run mypy . --config-file pyproject.toml --ignore-missing-imports --show-error-codes || true
+              poetry run mypy backend --config-file pyproject.toml --ignore-missing-imports --show-error-codes || true
 
           - id: pylint
             name: "Pylint Quality (Informational)"
-            working-directory: backend
             blocking: false
             cmd: |
               pip install poetry
               poetry install --only dev
-              poetry run pylint rag_solution/ vectordbs/ core/ auth/ --rcfile=pyproject.toml || true
+              poetry run pylint backend/rag_solution/ backend/vectordbs/ backend/core/ backend/auth/ --rcfile=pyproject.toml || true
 
           - id: pydocstyle
             name: "Docstring Style (Informational)"
-            working-directory: backend
             blocking: false
             cmd: |
               pip install poetry
               poetry install --only dev
-              poetry run pydocstyle rag_solution/ vectordbs/ core/ auth/ --config=pyproject.toml --count || true
+              poetry run pydocstyle backend/rag_solution/ backend/vectordbs/ backend/core/ backend/auth/ --config=pyproject.toml --count || true
 
     name: ${{ matrix.name }}
 

.github/workflows/03-build-secure.yml

@@ -34,7 +34,7 @@ jobs:
         include:
           - service: backend
             dockerfile: backend/Dockerfile.backend
-            context: backend
+            context: .
             image_name: rag-modulo-backend
             ghcr_image: ghcr.io/manavgup/rag_modulo/backend
           - service: frontend

.github/workflows/04-pytest.yml

@@ -77,20 +77,20 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cache/pypoetry
-          key: ${{ runner.os }}-poetry-${{ hashFiles('backend/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }}
           restore-keys: |
             ${{ runner.os }}-poetry-
 
       # 5️⃣ Install Python dependencies
       - name: 📥 Install dependencies
-        run: cd backend && poetry install --with dev,test
+        run: poetry install --with dev,test
 
       # 6️⃣ Run unit/atomic tests with coverage
       - name: 🧪 Run unit tests with coverage
         run: |
-          # Run from backend directory using poetry, but test from project root
-          cd backend && poetry run pytest ../tests/ -m "unit or atomic" \
-            --cov=rag_solution \
+          # Run from project root using poetry
+          poetry run pytest tests/unit/ \
+            --cov=backend/rag_solution \
             --cov-report=term-missing \
             --cov-report=html \
             --tb=short \

.github/workflows/05-ci.yml

@@ -49,7 +49,7 @@ jobs:
           timeout_minutes: 10
           max_attempts: 3
           retry_wait_seconds: 30
-          command: cd backend && poetry install --with dev,test
+          command: poetry install --with dev,test
 
       - name: Run test isolation checker
         run: |
@@ -72,10 +72,10 @@ jobs:
     env:
       # Essential environment variables for current atomic tests
       # TODO: Remove these once issue #172 (test isolation) is fixed
-      JWT_SECRET_KEY: test-secret-key-for-ci
+      JWT_SECRET_KEY: test-secret-key-for-ci  # pragma: allowlist secret
       RAG_LLM: openai
       WATSONX_INSTANCE_ID: test-instance-id
-      WATSONX_APIKEY: test-api-key
+      WATSONX_APIKEY: test-api-key  # pragma: allowlist secret
       WATSONX_URL: https://test.watsonx.com
       # Additional variables needed by tests
       VECTOR_DB: milvus
@@ -97,7 +97,7 @@ jobs:
           path: |
             ~/.cache/pypoetry
             backend/.venv
-          key: ${{ runner.os }}-poetry-${{ hashFiles('backend/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }}
           restore-keys: |
             ${{ runner.os }}-poetry-
 
@@ -108,7 +108,6 @@ jobs:
           max_attempts: 3
           retry_wait_seconds: 30
           command: |
-            cd backend
             pip install poetry
             poetry config virtualenvs.in-project true
             # Regenerate lock file to ensure sync

.github/workflows/makefile-testing.yml

@@ -32,7 +32,6 @@ jobs:
 
       - name: Install dependencies
         run: |
-          cd backend
           poetry install --with test
 
       - name: Set up Docker Buildx
@@ -41,7 +40,7 @@ jobs:
       - name: Test Makefile targets directly
         run: |
           echo "Running direct Makefile tests..."
-          cd backend && poetry run pytest ../tests/test_makefile_targets_direct.py -v
+          poetry run pytest tests/test_makefile_targets_direct.py -v
 
       - name: Test make help
         run: |

.github/workflows/poetry-lock-check.yml

@@ -6,13 +6,13 @@ name: Poetry Lock Validation
 on:
   pull_request:
     paths:
-      - 'backend/pyproject.toml'
-      - 'backend/poetry.lock'
+      - 'pyproject.toml'
+      - 'poetry.lock'
   push:
     branches: [main, develop]
     paths:
-      - 'backend/pyproject.toml'
-      - 'backend/poetry.lock'
+      - 'pyproject.toml'
+      - 'poetry.lock'
 
 permissions:
   contents: read
@@ -37,7 +37,6 @@ jobs:
 
       - name: Validate poetry.lock is in sync
         run: |
-          cd backend
           echo "🔍 Checking if poetry.lock is in sync with pyproject.toml..."
 
           if poetry check --lock; then
@@ -50,18 +49,16 @@ jobs:
             echo "but poetry.lock was not regenerated."
             echo ""
             echo "To fix this:"
-            echo "  1. cd backend"
-            echo "  2. poetry lock"
-            echo "  3. git add poetry.lock"
-            echo "  4. git commit -m 'chore: update poetry.lock'"
-            echo "  5. git push"
+            echo "  1. poetry lock"
+            echo "  2. git add poetry.lock"
+            echo "  3. git commit -m 'chore: update poetry.lock'"
+            echo "  4. git push"
             echo ""
             exit 1
           fi
 
       - name: Check for dependency conflicts
         run: |
-          cd backend
           echo "🔍 Checking for dependency conflicts..."
           poetry check
           echo "✅ No dependency conflicts detected"

.markdownlint.json

@@ -0,0 +1,15 @@
+{
+  "default": true,
+  "MD013": {
+    "line_length": 120,
+    "code_blocks": false,
+    "tables": false
+  },
+  "MD024": {
+    "siblings_only": true
+  },
+  "MD025": false,
+  "MD033": false,
+  "MD036": false,
+  "MD040": false
+}

.pre-commit-config.yaml

@@ -52,28 +52,31 @@ repos:
         args: [--baseline .secrets.baseline]
 
   # Python hooks - must match CI configuration exactly
-  # CI runs from backend/ with: poetry run ruff check . --config pyproject.toml
-  # CI runs from backend/ with: poetry run ruff format --check . --config pyproject.toml
+  # Poetry moved to root (October 2025) - pyproject.toml now at root level
+  # CI runs from root with: poetry run ruff check backend/ --config pyproject.toml
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.14.0
     hooks:
       - id: ruff
         name: Ruff linting (matches CI)
         files: ^backend/
-        args: [--fix, --config=backend/pyproject.toml]
+        args: [--fix, --config=pyproject.toml]
       - id: ruff-format
         name: Ruff formatting (matches CI)
         files: ^backend/
-        args: [--config=backend/pyproject.toml]
+        args: [--config=pyproject.toml]
 
-  # Poetry lock file validation
+  # Poetry lock file validation (Poetry moved to root in October 2025)
   - repo: local
     hooks:
       - id: poetry-lock-check
         name: Check poetry.lock is in sync with pyproject.toml
-        entry: bash -c 'cd backend && poetry check --lock || (echo "❌ poetry.lock is out of sync. Run - cd backend && poetry lock" && exit 1)'
+        entry: bash
+        args:
+          - -c
+          - "poetry check --lock || (echo 'poetry.lock is out of sync. Run: poetry lock' && exit 1)"
         language: system
-        files: ^backend/(pyproject\.toml|poetry\.lock)$
+        files: ^(pyproject\.toml|poetry\.lock)$
         pass_filenames: false
 
   # Python test hooks (run on push for velocity optimization)
@@ -110,7 +113,7 @@ repos:
     rev: v0.35.0
     hooks:
       - id: markdownlint
-        args: [--fix]
+        args: [--fix, --config, .markdownlint.json]
 
   # Commit message hooks
   - repo: https://github.com/commitizen-tools/commitizen