"""WP-A — fail-closed du mot de passe dashboard. Le dashboard ne doit plus démarrer avec un mot de passe par défaut connu : sans DASHBOARD_PASSWORD et hors mode dev explicite (DASHBOARD_AUTH_DISABLED), il doit refuser de démarrer. """ from __future__ import annotations import pytest from web_dashboard.app import _require_dashboard_password def test_secret_present_returns_it(): assert _require_dashboard_password("vrai-secret", False) == "vrai-secret" def test_auth_disabled_allows_empty(): # mode dev/test explicite : pas de secret requis assert _require_dashboard_password("", True) == "" def test_no_secret_no_dev_fails_closed(): # prod sans secret → fail-closed with pytest.raises(RuntimeError): _require_dashboard_password("", False) def test_explicit_secret_wins_over_disabled(): assert _require_dashboard_password("s", True) == "s" def test_no_default_password_constant_remains(): # garde-fou anti-régression : l'ancien défaut hardcodé ne doit plus exister import inspect import web_dashboard.app as dash src = inspect.getsource(dash) assert "changeme-dashboard-RpaVision2026!" not in src