test(api): update API endpoint integration tests

- Add comprehensive auth endpoint tests
- Add investigation endpoint tests
- Add analysis endpoint tests
- Add health and metrics tests
- Add report generation tests
- Test audit trail endpoints

tests/integration/test_api_endpoints.py

@@ -1,575 +1,487 @@
-"""
-Module: tests.integration.test_api_endpoints
-Description: Comprehensive integration tests for FastAPI endpoints
-Author: Anderson H. Silva
-Date: 2025-01-24
-License: Proprietary - All rights reserved
-"""
-
+"""Integration tests for API endpoints."""
 import pytest
-import asyncio
-from datetime import datetime
-from typing import Dict, Any
-from unittest.mock import AsyncMock, patch
-
 from fastapi.testclient import TestClient
-from httpx import AsyncClient
-
-from src.api.app import app
-from src.core import AgentStatus, ResponseStatus
-
-
-# Test client for synchronous tests
-client = TestClient(app)
-
+from unittest.mock import MagicMock, patch, AsyncMock
+import json
+from datetime import datetime
 
-@pytest.fixture
-async def async_client():
-    """Async test client for async endpoints."""
-    async with AsyncClient(app=app, base_url="http://test") as ac:
-        yield ac
+from src.api.app import create_app
+from src.models.user import User
+from src.models.investigation import Investigation, InvestigationStatus
+from src.core.config import get_settings
 
 
-@pytest.fixture
-def mock_transparency_api():
-    """Mock the transparency API client."""
-    with patch('src.tools.transparency_api.TransparencyAPIClient') as mock:
-        mock_instance = AsyncMock()
-        mock.__aenter__.return_value = mock_instance
-        mock_instance.get_contracts.return_value = AsyncMock(
-            data=[
-                {
-                    "id": "123",
-                    "objeto": "Test contract",
-                    "valorInicial": 100000.0,
-                    "fornecedor": {"nome": "Test Supplier"}
-                }
-            ]
+class TestAuthEndpoints:
+    """Test authentication endpoints."""
+    
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
+    
+    @pytest.fixture
+    def mock_user(self):
+        """Create mock user."""
+        return User(
+            id="test-user-id",
+            email="[email protected]",
+            hashed_password="$2b$12$hashed_password_here",
+            is_active=True,
+            role="user"
         )
-        yield mock_instance
-
-
-@pytest.fixture
-def mock_agents():
-    """Mock all agents for testing."""
-    with patch('src.agents.master_agent.MasterAgent') as mock_master, \
-         patch('src.agents.investigator_agent.InvestigatorAgent') as mock_investigator, \
-         patch('src.agents.analyst_agent.AnalystAgent') as mock_analyst, \
-         patch('src.agents.reporter_agent.ReporterAgent') as mock_reporter:
-        
-        # Configure mock responses
-        mock_master.return_value.investigate.return_value = {
-            "status": "completed",
-            "findings": ["Test finding"],
-            "anomalies": []
-        }
-        
-        mock_investigator.return_value.detect_anomalies.return_value = {
-            "anomalies": [],
-            "score": 0.1,
-            "explanation": "No anomalies detected"
-        }
-        
-        mock_analyst.return_value.analyze_patterns.return_value = {
-            "patterns": [],
-            "trends": [],
-            "correlations": []
-        }
-        
-        mock_reporter.return_value.generate_report.return_value = {
-            "content": "Test report content",
-            "format": "markdown"
-        }
-        
-        yield {
-            "master": mock_master,
-            "investigator": mock_investigator, 
-            "analyst": mock_analyst,
-            "reporter": mock_reporter
-        }
-
-
-class TestHealthEndpoints:
-    """Test health check endpoints."""
     
-    def test_basic_health_check(self):
-        """Test basic health endpoint."""
-        response = client.get("/health/")
+    def test_register_success(self, client, mock_db):
+        """Test successful user registration."""
+        with patch("src.api.routes.auth.get_db", return_value=mock_db):
+            response = client.post(
+                "/api/v1/auth/register",
+                json={
+                    "email": "[email protected]",
+                    "password": "SecurePassword123!",
+                    "full_name": "New User"
+                }
+            )
         
-        assert response.status_code == 200
+        assert response.status_code == 201
         data = response.json()
+        assert data["email"] == "[email protected]"
+        assert "id" in data
+        assert "password" not in data
+    
+    def test_register_duplicate_email(self, client, mock_db):
+        """Test registration with duplicate email."""
+        # Mock existing user
+        mock_db.execute.return_value.scalar_one_or_none.return_value = MagicMock()
+        
+        with patch("src.api.routes.auth.get_db", return_value=mock_db):
+            response = client.post(
+                "/api/v1/auth/register",
+                json={
+                    "email": "[email protected]",
+                    "password": "Password123!"
+                }
+            )
         
-        assert data["status"] in ["healthy", "degraded", "unhealthy"]
-        assert "timestamp" in data
-        assert "version" in data
-        assert "uptime" in data
-        assert "services" in data
+        assert response.status_code == 400
+        assert "already registered" in response.json()["detail"]
     
-    def test_detailed_health_check(self):
-        """Test detailed health endpoint."""
-        response = client.get("/health/detailed")
+    def test_login_success(self, client, mock_db, mock_user):
+        """Test successful login."""
+        # Mock authentication
+        with patch("src.api.auth.authenticate_user", return_value=mock_user):
+            response = client.post(
+                "/api/v1/auth/login",
+                data={
+                    "username": "[email protected]",
+                    "password": "correctpassword"
+                }
+            )
         
         assert response.status_code == 200
         data = response.json()
+        assert "access_token" in data
+        assert "refresh_token" in data
+        assert data["token_type"] == "bearer"
+    
+    def test_login_invalid_credentials(self, client, mock_db):
+        """Test login with invalid credentials."""
+        with patch("src.api.auth.authenticate_user", return_value=None):
+            response = client.post(
+                "/api/v1/auth/login",
+                data={
+                    "username": "[email protected]",
+                    "password": "wrongpassword"
+                }
+            )
         
-        assert "system" in data
-        assert "services" in data
-        assert "performance" in data
+        assert response.status_code == 401
+        assert "Invalid credentials" in response.json()["detail"]
     
-    def test_liveness_probe(self):
-        """Test Kubernetes liveness probe."""
-        response = client.get("/health/live")
+    def test_refresh_token_success(self, client, mock_db, mock_user):
+        """Test token refresh."""
+        # Create valid refresh token
+        with patch("src.api.auth.create_refresh_token") as mock_create_refresh:
+            mock_create_refresh.return_value = "valid_refresh_token"
+            
+            with patch("src.api.auth.verify_token") as mock_verify:
+                mock_verify.return_value = {"sub": mock_user.id, "type": "refresh"}
+                
+                with patch("src.api.routes.auth.get_db", return_value=mock_db):
+                    mock_db.execute.return_value.scalar_one_or_none.return_value = mock_user
+                    
+                    response = client.post(
+                        "/api/v1/auth/refresh",
+                        json={"refresh_token": "valid_refresh_token"}
+                    )
         
         assert response.status_code == 200
         data = response.json()
-        assert data["status"] == "alive"
+        assert "access_token" in data
+        assert "refresh_token" in data
     
-    def test_readiness_probe(self):
-        """Test Kubernetes readiness probe."""
-        response = client.get("/health/ready")
+    def test_logout_success(self, client, authenticated_headers):
+        """Test logout."""
+        response = client.post(
+            "/api/v1/auth/logout",
+            headers=authenticated_headers
+        )
         
-        # Could be 200 or 503 depending on dependencies
-        assert response.status_code in [200, 503]
+        assert response.status_code == 200
+        assert response.json()["message"] == "Logged out successfully"
+    
+    def test_change_password(self, client, authenticated_headers, mock_db, mock_user):
+        """Test password change."""
+        with patch("src.api.auth.verify_password", return_value=True):
+            with patch("src.api.routes.auth.get_current_user", return_value=mock_user):
+                response = client.post(
+                    "/api/v1/auth/change-password",
+                    headers=authenticated_headers,
+                    json={
+                        "old_password": "oldpassword",
+                        "new_password": "NewSecurePassword123!"
+                    }
+                )
         
-        data = response.json()
-        assert "status" in data
+        assert response.status_code == 200
+        assert "Password changed successfully" in response.json()["message"]
 
 
 class TestInvestigationEndpoints:
     """Test investigation endpoints."""
     
-    @pytest.mark.asyncio
-    async def test_start_investigation(self, async_client, mock_agents):
-        """Test starting a new investigation."""
-        investigation_data = {
-            "query": "Investigate contracts over 1M in Ministry of Health",
-            "priority": "high",
-            "data_sources": ["portal_transparencia"],
-            "parameters": {
-                "min_value": 1000000,
-                "organization": "26000"
-            }
-        }
-        
-        response = await async_client.post(
-            "/api/v1/investigations/start",
-            json=investigation_data
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
+    
+    @pytest.fixture
+    def mock_investigation(self):
+        """Create mock investigation."""
+        return Investigation(
+            id="inv-123",
+            user_id="user-123",
+            title="Test Investigation",
+            description="Testing anomaly detection",
+            target_entity="Ministry of Health",
+            status=InvestigationStatus.PENDING,
+            created_at=datetime.utcnow()
         )
-        
-        assert response.status_code == 202  # Accepted for async processing
+    
+    def test_create_investigation(self, client, authenticated_headers, mock_db):
+        """Test creating new investigation."""
+        with patch("src.api.routes.investigations.get_db", return_value=mock_db):
+            # Mock the agent execution
+            with patch("src.agents.abaporu.MasterAgent.execute") as mock_execute:
+                mock_execute.return_value = AsyncMock(
+                    status="completed",
+                    results={"anomalies": [], "summary": "No anomalies found"}
+                )
+                
+                response = client.post(
+                    "/api/v1/investigations",
+                    headers=authenticated_headers,
+                    json={
+                        "title": "Contract Analysis",
+                        "description": "Analyze contracts for Ministry of Health",
+                        "target_entity": "Ministry of Health",
+                        "parameters": {
+                            "year": 2024,
+                            "min_value": 100000
+                        }
+                    }
+                )
+        
+        assert response.status_code == 201
         data = response.json()
-        
-        assert data["status"] == "accepted"
-        assert "investigation_id" in data
-        assert "message" in data
-    
-    @pytest.mark.asyncio
-    async def test_get_investigation_status(self, async_client):
-        """Test getting investigation status."""
-        investigation_id = "test-investigation-123"
-        
-        response = await async_client.get(
-            f"/api/v1/investigations/{investigation_id}/status"
-        )
-        
-        # Should handle non-existent investigations gracefully
-        assert response.status_code in [200, 404]
+        assert data["title"] == "Contract Analysis"
+        assert "id" in data
+        assert data["status"] == "pending"
     
-    @pytest.mark.asyncio
-    async def test_list_investigations(self, async_client):
+    def test_list_investigations(self, client, authenticated_headers, mock_db):
         """Test listing investigations."""
-        response = await async_client.get("/api/v1/investigations/")
+        # Mock investigations
+        mock_investigations = [
+            MagicMock(id="inv-1", title="Investigation 1"),
+            MagicMock(id="inv-2", title="Investigation 2")
+        ]
+        
+        mock_db.execute.return_value.scalars.return_value.all.return_value = mock_investigations
+        
+        with patch("src.api.routes.investigations.get_db", return_value=mock_db):
+            response = client.get(
+                "/api/v1/investigations",
+                headers=authenticated_headers
+            )
         
         assert response.status_code == 200
         data = response.json()
+        assert len(data) == 2
+        assert data[0]["title"] == "Investigation 1"
+    
+    def test_get_investigation_by_id(self, client, authenticated_headers, mock_db, mock_investigation):
+        """Test getting specific investigation."""
+        mock_db.execute.return_value.scalar_one_or_none.return_value = mock_investigation
+        
+        with patch("src.api.routes.investigations.get_db", return_value=mock_db):
+            response = client.get(
+                f"/api/v1/investigations/{mock_investigation.id}",
+                headers=authenticated_headers
+            )
         
-        assert "investigations" in data
-        assert "total" in data
-        assert "page" in data
-        assert "per_page" in data
-    
-    @pytest.mark.asyncio
-    async def test_investigation_streaming(self, async_client):
-        """Test real-time investigation streaming."""
-        investigation_id = "test-investigation-123"
-        
-        # Test SSE endpoint exists
-        response = await async_client.get(
-            f"/api/v1/investigations/{investigation_id}/stream",
-            headers={"Accept": "text/event-stream"}
-        )
-        
-        # Should handle streaming endpoint
-        assert response.status_code in [200, 404, 501]  # 501 if not implemented yet
-    
-    def test_investigation_validation(self):
-        """Test investigation request validation."""
-        # Test empty request
-        response = client.post("/api/v1/investigations/start", json={})
-        assert response.status_code == 422  # Validation error
+        assert response.status_code == 200
+        data = response.json()
+        assert data["id"] == mock_investigation.id
+        assert data["title"] == mock_investigation.title
+    
+    def test_get_investigation_not_found(self, client, authenticated_headers, mock_db):
+        """Test getting non-existent investigation."""
+        mock_db.execute.return_value.scalar_one_or_none.return_value = None
+        
+        with patch("src.api.routes.investigations.get_db", return_value=mock_db):
+            response = client.get(
+                "/api/v1/investigations/non-existent-id",
+                headers=authenticated_headers
+            )
         
-        # Test invalid priority
-        invalid_data = {
-            "query": "Test query",
-            "priority": "invalid_priority"
-        }
-        response = client.post("/api/v1/investigations/start", json=invalid_data)
-        assert response.status_code == 422
+        assert response.status_code == 404
+        assert "Investigation not found" in response.json()["detail"]
+    
+    def test_investigation_websocket(self, client, authenticated_headers):
+        """Test investigation real-time updates via WebSocket."""
+        with client.websocket_connect(
+            "/api/v1/investigations/ws/inv-123",
+            headers=authenticated_headers
+        ) as websocket:
+            # Send initial message
+            websocket.send_json({"type": "subscribe"})
+            
+            # Receive acknowledgment
+            data = websocket.receive_json()
+            assert data["type"] == "connected"
+            assert data["investigation_id"] == "inv-123"
 
 
 class TestAnalysisEndpoints:
     """Test analysis endpoints."""
     
-    @pytest.mark.asyncio
-    async def test_spending_trends_analysis(self, async_client, mock_agents):
-        """Test spending trends analysis."""
-        analysis_data = {
-            "type": "spending_trends",
-            "organization": "26000",
-            "time_period": {
-                "start_date": "2024-01-01",
-                "end_date": "2024-12-31"
-            }
-        }
-        
-        response = await async_client.post(
-            "/api/v1/analysis/trends",
-            json=analysis_data
-        )
-        
-        assert response.status_code in [200, 202]
-        
-        if response.status_code == 200:
-            data = response.json()
-            assert "trends" in data
-            assert "analysis_type" in data
-    
-    @pytest.mark.asyncio
-    async def test_vendor_analysis(self, async_client, mock_agents):
-        """Test vendor pattern analysis."""
-        analysis_data = {
-            "vendor_id": "12345678000100",
-            "analysis_type": "pattern_detection"
-        }
-        
-        response = await async_client.post(
-            "/api/v1/analysis/vendors",
-            json=analysis_data
-        )
-        
-        assert response.status_code in [200, 202]
-    
-    @pytest.mark.asyncio
-    async def test_correlation_analysis(self, async_client, mock_agents):
-        """Test correlation analysis."""
-        analysis_data = {
-            "variables": ["spending_amount", "contract_duration"],
-            "organization": "26000",
-            "timeframe": "2024"
-        }
-        
-        response = await async_client.post(
-            "/api/v1/analysis/correlations",
-            json=analysis_data
-        )
-        
-        assert response.status_code in [200, 202]
-
-
-class TestReportEndpoints:
-    """Test report generation endpoints."""
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
     
-    @pytest.mark.asyncio
-    async def test_generate_executive_report(self, async_client, mock_agents):
-        """Test executive report generation."""
-        report_data = {
-            "type": "executive",
-            "investigation_id": "test-investigation-123",
-            "format": "markdown",
-            "include_charts": True
-        }
-        
-        response = await async_client.post(
-            "/api/v1/reports/generate",
-            json=report_data
-        )
+    def test_analyze_contracts(self, client, authenticated_headers):
+        """Test contract analysis endpoint."""
+        with patch("src.services.analysis_service.AnalysisService.analyze_contracts") as mock_analyze:
+            mock_analyze.return_value = {
+                "total_contracts": 100,
+                "anomalies_detected": 5,
+                "total_value": 10000000,
+                "risk_score": 0.7
+            }
+            
+            response = client.post(
+                "/api/v1/analysis/contracts",
+                headers=authenticated_headers,
+                json={
+                    "entity_code": "26000",
+                    "year": 2024,
+                    "min_value": 100000
+                }
+            )
         
-        assert response.status_code in [200, 202]
+        assert response.status_code == 200
+        data = response.json()
+        assert data["total_contracts"] == 100
+        assert data["anomalies_detected"] == 5
     
-    @pytest.mark.asyncio
-    async def test_get_report_formats(self, async_client):
-        """Test getting available report formats."""
-        response = await async_client.get("/api/v1/reports/formats")
+    def test_analyze_spending_patterns(self, client, authenticated_headers):
+        """Test spending pattern analysis."""
+        with patch("src.services.analysis_service.AnalysisService.analyze_spending") as mock_analyze:
+            mock_analyze.return_value = {
+                "patterns": [
+                    {
+                        "type": "seasonal",
+                        "description": "High spending in Q4",
+                        "confidence": 0.85
+                    }
+                ],
+                "anomalies": []
+            }
+            
+            response = client.post(
+                "/api/v1/analysis/spending-patterns",
+                headers=authenticated_headers,
+                json={
+                    "entity_code": "26000",
+                    "start_date": "2024-01-01",
+                    "end_date": "2024-12-31"
+                }
+            )
         
         assert response.status_code == 200
         data = response.json()
-        
-        assert "formats" in data
-        assert isinstance(data["formats"], list)
-        assert "markdown" in data["formats"]
-    
-    @pytest.mark.asyncio
-    async def test_download_report(self, async_client):
-        """Test report download."""
-        report_id = "test-report-123"
-        
-        response = await async_client.get(
-            f"/api/v1/reports/{report_id}/download"
-        )
-        
-        # Should handle non-existent reports
-        assert response.status_code in [200, 404]
+        assert len(data["patterns"]) == 1
+        assert data["patterns"][0]["type"] == "seasonal"
     
-    @pytest.mark.asyncio
-    async def test_report_list(self, async_client):
-        """Test listing generated reports."""
-        response = await async_client.get("/api/v1/reports/")
+    def test_vendor_concentration_analysis(self, client, authenticated_headers):
+        """Test vendor concentration analysis."""
+        response = client.post(
+            "/api/v1/analysis/vendor-concentration",
+            headers=authenticated_headers,
+            json={
+                "entity_code": "26000",
+                "year": 2024,
+                "concentration_threshold": 0.7
+            }
+        )
         
         assert response.status_code == 200
         data = response.json()
-        
-        assert "reports" in data
-        assert "total" in data
+        assert "concentration_index" in data
+        assert "top_vendors" in data
 
 
-class TestAuthenticationEndpoints:
-    """Test authentication endpoints (if implemented)."""
-    
-    def test_login_endpoint_exists(self):
-        """Test that login endpoint exists and handles requests."""
-        login_data = {
-            "username": "test_user",
-            "password": "test_password"
-        }
-        
-        response = client.post("/api/v1/auth/login", json=login_data)
-        
-        # Should at least handle the request (even if returns 501)
-        assert response.status_code in [200, 401, 422, 501]
+class TestHealthEndpoints:
+    """Test health and monitoring endpoints."""
     
-    def test_token_validation(self):
-        """Test token validation endpoint."""
-        headers = {"Authorization": "Bearer fake_token"}
-        
-        response = client.get("/api/v1/auth/validate", headers=headers)
-        
-        # Should handle token validation
-        assert response.status_code in [200, 401, 422, 501]
-
-
-class TestAPIInformation:
-    """Test API information endpoints."""
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
     
-    def test_root_endpoint(self):
-        """Test root API endpoint."""
-        response = client.get("/")
+    def test_health_check(self, client):
+        """Test basic health check."""
+        response = client.get("/health")
         
         assert response.status_code == 200
         data = response.json()
-        
-        assert "message" in data
-        assert "version" in data
-        assert "description" in data
+        assert data["status"] == "healthy"
+        assert "timestamp" in data
     
-    def test_api_info_endpoint(self):
-        """Test API information endpoint."""
-        response = client.get("/api/v1/info")
+    def test_detailed_health_check(self, client):
+        """Test detailed health check."""
+        response = client.get("/health/detailed")
         
         assert response.status_code == 200
         data = response.json()
-        
-        assert "api" in data
+        assert "database" in data
+        assert "redis" in data
         assert "agents" in data
-        assert "data_sources" in data
-        assert "formats" in data
-        
-        # Verify agent information
-        agents = data["agents"]
-        assert "investigator" in agents
-        assert "analyst" in agents
-        assert "reporter" in agents
-    
-    def test_openapi_schema(self):
-        """Test OpenAPI schema generation."""
-        response = client.get("/openapi.json")
+    
+    def test_metrics_endpoint(self, client):
+        """Test Prometheus metrics endpoint."""
+        response = client.get("/health/metrics")
         
         assert response.status_code == 200
-        schema = response.json()
-        
-        assert "openapi" in schema
-        assert "info" in schema
-        assert "paths" in schema
-        assert "components" in schema
-
-
-class TestErrorHandling:
-    """Test API error handling."""
+        assert response.headers["content-type"] == "text/plain; version=0.0.4; charset=utf-8"
+        assert "cidadao_ai_requests_total" in response.text
     
-    def test_404_handling(self):
-        """Test 404 error handling."""
-        response = client.get("/api/v1/nonexistent-endpoint")
+    def test_metrics_json_endpoint(self, client):
+        """Test JSON metrics endpoint."""
+        response = client.get("/health/metrics/json")
         
-        assert response.status_code == 404
+        assert response.status_code == 200
         data = response.json()
-        
-        assert "status" in data
-        assert data["status"] == "error"
-    
-    def test_method_not_allowed(self):
-        """Test 405 method not allowed."""
-        response = client.patch("/health/")  # Wrong method
-        
-        assert response.status_code == 405
-    
-    def test_large_payload_handling(self):
-        """Test handling of large payloads."""
-        large_data = {"data": "x" * 10000}  # 10KB payload
-        
-        response = client.post("/api/v1/investigations/start", json=large_data)
-        
-        # Should handle gracefully (422 for validation, 413 for too large)
-        assert response.status_code in [413, 422]
+        assert "requests" in data
+        assert "agents" in data
+        assert "anomalies" in data
 
 
-class TestCORSHandling:
-    """Test CORS configuration."""
-    
-    def test_cors_preflight(self):
-        """Test CORS preflight request."""
-        headers = {
-            "Origin": "http://localhost:3000",
-            "Access-Control-Request-Method": "POST",
-            "Access-Control-Request-Headers": "Content-Type"
-        }
-        
-        response = client.options("/api/v1/investigations/start", headers=headers)
-        
-        # Should handle CORS preflight
-        assert response.status_code in [200, 204]
+class TestReportEndpoints:
+    """Test report generation endpoints."""
+    
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
     
-    def test_cors_headers_present(self):
-        """Test that CORS headers are present in responses."""
-        headers = {"Origin": "http://localhost:3000"}
+    def test_generate_investigation_report(self, client, authenticated_headers):
+        """Test report generation for investigation."""
+        with patch("src.agents.tiradentes.ReporterAgent.generate_report") as mock_generate:
+            mock_generate.return_value = {
+                "title": "Investigation Report",
+                "summary": "5 anomalies detected",
+                "sections": [
+                    {
+                        "title": "Price Anomalies",
+                        "content": "Found 3 contracts with unusual pricing"
+                    }
+                ],
+                "recommendations": ["Review contract approval process"]
+            }
+            
+            response = client.post(
+                "/api/v1/reports/investigation/inv-123",
+                headers=authenticated_headers,
+                json={
+                    "format": "markdown",
+                    "include_evidence": True
+                }
+            )
         
-        response = client.get("/health/", headers=headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert data["title"] == "Investigation Report"
+        assert len(data["sections"]) == 1
+    
+    def test_export_report_pdf(self, client, authenticated_headers):
+        """Test PDF report export."""
+        with patch("src.services.report_service.ReportService.export_pdf") as mock_export:
+            mock_export.return_value = b"PDF content here"
+            
+            response = client.get(
+                "/api/v1/reports/investigation/inv-123/export?format=pdf",
+                headers=authenticated_headers
+            )
         
-        # Check for CORS headers (may not be present in test environment)
         assert response.status_code == 200
+        assert response.headers["content-type"] == "application/pdf"
+        assert response.headers["content-disposition"] == 'attachment; filename="investigation_inv-123.pdf"'
 
 
-class TestSecurityHeaders:
-    """Test security headers and middleware."""
+class TestAuditEndpoints:
+    """Test audit trail endpoints."""
     
-    def test_security_headers_present(self):
-        """Test that security headers are present."""
-        response = client.get("/")
-        
-        # Common security headers that should be present
-        headers = response.headers
-        
-        # These might be added by middleware
-        # assert "X-Content-Type-Options" in headers
-        # assert "X-Frame-Options" in headers
-        
-        # At minimum, should have content-type
-        assert "content-type" in headers
+    @pytest.fixture
+    def client(self):
+        """Create test client."""
+        app = create_app()
+        return TestClient(app)
     
-    def test_trusted_host_validation(self):
-        """Test trusted host middleware."""
-        headers = {"Host": "malicious.example.com"}
-        
-        # Should be handled by TrustedHostMiddleware
-        response = client.get("/", headers=headers)
-        
-        # Should either accept or reject based on configuration
-        assert response.status_code in [200, 400, 403]
-
-
-@pytest.mark.integration
-class TestFullAPIWorkflow:
-    """Test complete API workflows."""
-    
-    @pytest.mark.asyncio
-    async def test_investigation_to_report_workflow(self, async_client, mock_agents):
-        """Test complete workflow from investigation to report."""
-        # Step 1: Start investigation
-        investigation_data = {
-            "query": "Test investigation workflow",
-            "priority": "medium"
-        }
-        
-        response = await async_client.post(
-            "/api/v1/investigations/start",
-            json=investigation_data
+    def test_get_audit_logs(self, client, admin_headers):
+        """Test retrieving audit logs (admin only)."""
+        response = client.get(
+            "/api/v1/audit/logs?limit=50",
+            headers=admin_headers
         )
         
-        if response.status_code == 202:
-            data = response.json()
-            investigation_id = data.get("investigation_id", "test-123")
-            
-            # Step 2: Check status (simulate)
-            status_response = await async_client.get(
-                f"/api/v1/investigations/{investigation_id}/status"
-            )
-            
-            # Step 3: Generate report
-            report_data = {
-                "type": "investigation",
-                "investigation_id": investigation_id,
-                "format": "markdown"
-            }
-            
-            report_response = await async_client.post(
-                "/api/v1/reports/generate",
-                json=report_data
-            )
-            
-            # Should complete workflow successfully
-            assert report_response.status_code in [200, 202]
-
-
-class TestPerformanceAndLimits:
-    """Test API performance and limits."""
+        assert response.status_code == 200
+        data = response.json()
+        assert isinstance(data, list)
+        assert len(data) <= 50
     
-    def test_concurrent_requests(self):
-        """Test handling of concurrent requests."""
-        import threading
-        import time
-        
-        results = []
-        
-        def make_request():
-            response = client.get("/health/")
-            results.append(response.status_code)
-        
-        # Create 5 concurrent requests
-        threads = []
-        for _ in range(5):
-            thread = threading.Thread(target=make_request)
-            threads.append(thread)
-            thread.start()
-        
-        # Wait for all to complete
-        for thread in threads:
-            thread.join()
+    def test_get_audit_logs_unauthorized(self, client, authenticated_headers):
+        """Test audit logs require admin role."""
+        response = client.get(
+            "/api/v1/audit/logs",
+            headers=authenticated_headers
+        )
         
-        # All should succeed
-        assert all(status == 200 for status in results)
-        assert len(results) == 5
+        assert response.status_code == 403
+        assert "Insufficient permissions" in response.json()["detail"]
     
-    def test_response_time_reasonable(self):
-        """Test that response times are reasonable."""
-        import time
-        
-        start_time = time.time()
-        response = client.get("/health/")
-        end_time = time.time()
-        
-        response_time = end_time - start_time
+    def test_export_audit_logs(self, client, admin_headers):
+        """Test exporting audit logs."""
+        response = client.get(
+            "/api/v1/audit/export?format=csv&start_date=2024-01-01",
+            headers=admin_headers
+        )
         
         assert response.status_code == 200
-        assert response_time < 2.0  # Should respond within 2 seconds
-
-
-if __name__ == "__main__":
-    pytest.main([__file__, "-v"])
+        assert response.headers["content-type"] == "text/csv"
+        assert "attachment" in response.headers["content-disposition"]