Merge branch 'main' into tp

2026-05-15 22:00:13 -04:00 · 2026-04-27 10:20:08 +08:00
parent 9ad5d89b07 2d6eaf69f9
commit bdecea34a3
316 changed files with 12484 additions and 7806 deletions
--- a/api/tests/unit_tests/controllers/console/app/test_annotation_security.py
+++ b/api/tests/unit_tests/controllers/console/app/test_annotation_security.py
@@ -208,8 +208,6 @@ class TestAnnotationImportServiceValidation:

        file = FileStorage(stream=io.BytesIO(csv_content.encode()), filename="test.csv", content_type="text/csv")

-        mock_db_session.query.return_value.where.return_value.first.return_value = mock_app
-
        with patch("services.annotation_service.current_account_with_tenant") as mock_auth:
            mock_auth.return_value = (MagicMock(id="user_id"), "tenant_id")

@@ -230,8 +228,6 @@ class TestAnnotationImportServiceValidation:

        file = FileStorage(stream=io.BytesIO(csv_content.encode()), filename="test.csv", content_type="text/csv")

-        mock_db_session.query.return_value.where.return_value.first.return_value = mock_app
-
        with patch("services.annotation_service.current_account_with_tenant") as mock_auth:
            mock_auth.return_value = (MagicMock(id="user_id"), "tenant_id")

@@ -248,8 +244,6 @@ class TestAnnotationImportServiceValidation:
        csv_content = 'invalid,csv,format\nwith,unbalanced,quotes,and"stuff'
        file = FileStorage(stream=io.BytesIO(csv_content.encode()), filename="test.csv", content_type="text/csv")

-        mock_db_session.query.return_value.where.return_value.first.return_value = mock_app
-
        with (
            patch("services.annotation_service.current_account_with_tenant") as mock_auth,
            patch("services.annotation_service.pd.read_csv", side_effect=ParserError("malformed CSV")),
@@ -269,8 +263,6 @@ class TestAnnotationImportServiceValidation:

        file = FileStorage(stream=io.BytesIO(csv_content.encode()), filename="test.csv", content_type="text/csv")

-        mock_db_session.query.return_value.where.return_value.first.return_value = mock_app
-
        with patch("services.annotation_service.current_account_with_tenant") as mock_auth:
            mock_auth.return_value = (MagicMock(id="user_id"), "tenant_id")

--- a/api/tests/unit_tests/controllers/console/auth/test_authentication_security.py
+++ b/api/tests/unit_tests/controllers/console/auth/test_authentication_security.py
@@ -43,7 +43,6 @@ class TestAuthenticationSecurity:
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = services.errors.account.AccountPasswordError("Invalid email or password.")
-        mock_db.session.query.return_value.first.return_value = MagicMock()  # Mock setup exists
        mock_features.return_value.is_allow_register = True

        # Act
@@ -76,7 +75,6 @@ class TestAuthenticationSecurity:
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = services.errors.account.AccountPasswordError("Wrong password")
-        mock_db.session.query.return_value.first.return_value = MagicMock()  # Mock setup exists

        # Act
        with self.app.test_request_context(
@@ -109,7 +107,6 @@ class TestAuthenticationSecurity:
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = services.errors.account.AccountPasswordError("Invalid email or password.")
-        mock_db.session.query.return_value.first.return_value = MagicMock()  # Mock setup exists
        mock_features.return_value.is_allow_register = False

        # Act
@@ -135,7 +132,6 @@ class TestAuthenticationSecurity:
    def test_reset_password_with_existing_account(self, mock_send_email, mock_get_user, mock_features, mock_db):
        """Test that reset password returns success with token for existing accounts."""
        # Mock the setup check
-        mock_db.session.query.return_value.first.return_value = MagicMock()  # Mock setup exists

        # Test with existing account
        mock_get_user.return_value = MagicMock(email="existing@example.com")
--- a/api/tests/unit_tests/controllers/console/auth/test_email_verification.py
+++ b/api/tests/unit_tests/controllers/console/auth/test_email_verification.py
@@ -65,7 +65,6 @@ class TestEmailCodeLoginSendEmailApi:
        - IP rate limiting is checked
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = False
        mock_get_user.return_value = mock_account
        mock_send_email.return_value = "email_token_123"
@@ -98,7 +97,6 @@ class TestEmailCodeLoginSendEmailApi:
        - Registration is allowed by system features
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = False
        mock_get_user.return_value = None
        mock_get_features.return_value.is_allow_register = True
@@ -130,7 +128,6 @@ class TestEmailCodeLoginSendEmailApi:
        - Registration is blocked by system features
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = False
        mock_get_user.return_value = None
        mock_get_features.return_value.is_allow_register = False
@@ -152,7 +149,6 @@ class TestEmailCodeLoginSendEmailApi:
        - Prevents spam and abuse
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = True

        # Act & Assert
@@ -172,7 +168,6 @@ class TestEmailCodeLoginSendEmailApi:
        - AccountInFreezeError is raised for frozen accounts
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = False
        mock_get_user.side_effect = AccountRegisterError("Account frozen")

@@ -213,7 +208,6 @@ class TestEmailCodeLoginSendEmailApi:
        - Defaults to en-US when not specified
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_ip_limit.return_value = False
        mock_get_user.return_value = mock_account
        mock_send_email.return_value = "token"
@@ -286,7 +280,6 @@ class TestEmailCodeLoginApi:
        - User is logged in with token pair
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "test@example.com", "code": "123456"}
        mock_get_user.return_value = mock_account
        mock_get_tenants.return_value = [MagicMock()]
@@ -335,7 +328,6 @@ class TestEmailCodeLoginApi:
        - User is logged in after account creation
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "newuser@example.com", "code": "123456"}
        mock_get_user.return_value = None
        mock_create_account.return_value = mock_account
@@ -369,7 +361,6 @@ class TestEmailCodeLoginApi:
        - InvalidTokenError is raised for invalid/expired tokens
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = None

        # Act & Assert
@@ -392,7 +383,6 @@ class TestEmailCodeLoginApi:
        - InvalidEmailError is raised when email doesn't match token
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "original@example.com", "code": "123456"}

        # Act & Assert
@@ -415,7 +405,6 @@ class TestEmailCodeLoginApi:
        - EmailCodeError is raised for wrong verification code
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "test@example.com", "code": "123456"}

        # Act & Assert
@@ -453,7 +442,6 @@ class TestEmailCodeLoginApi:
        - User is added as owner of new workspace
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "test@example.com", "code": "123456"}
        mock_get_user.return_value = mock_account
        mock_get_tenants.return_value = []
@@ -496,7 +484,6 @@ class TestEmailCodeLoginApi:
        - WorkspacesLimitExceeded is raised when limit reached
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "test@example.com", "code": "123456"}
        mock_get_user.return_value = mock_account
        mock_get_tenants.return_value = []
@@ -538,7 +525,6 @@ class TestEmailCodeLoginApi:
        - NotAllowedCreateWorkspace is raised when creation disabled
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_data.return_value = {"email": "test@example.com", "code": "123456"}
        mock_get_user.return_value = mock_account
        mock_get_tenants.return_value = []
--- a/api/tests/unit_tests/controllers/console/auth/test_login_logout.py
+++ b/api/tests/unit_tests/controllers/console/auth/test_login_logout.py
@@ -110,7 +110,6 @@ class TestLoginApi:
        - Rate limit is reset after successful login
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.return_value = mock_account
@@ -162,7 +161,6 @@ class TestLoginApi:
        - Authentication proceeds with invitation token
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = {"data": {"email": "test@example.com"}}
        mock_authenticate.return_value = mock_account
@@ -199,7 +197,6 @@ class TestLoginApi:
        - EmailPasswordLoginLimitError is raised when limit exceeded
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = True
        mock_get_invitation.return_value = None

@@ -228,7 +225,6 @@ class TestLoginApi:
        - AccountInFreezeError is raised for frozen accounts
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_frozen.return_value = True

        # Act & Assert
@@ -268,7 +264,6 @@ class TestLoginApi:
        - Generic error message prevents user enumeration
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = AccountPasswordError("Invalid password")
@@ -305,7 +300,6 @@ class TestLoginApi:
        - Login is prevented even with valid credentials
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = AccountLoginError("Account is banned")
@@ -351,7 +345,6 @@ class TestLoginApi:
        - User cannot login without an assigned workspace
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.return_value = mock_account
@@ -383,7 +376,6 @@ class TestLoginApi:
        - Security check prevents invitation token abuse
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = {"data": {"email": "invited@example.com"}}

@@ -425,7 +417,6 @@ class TestLoginApi:
        mock_token_pair,
    ):
        """Test that login retries with lowercase email when uppercase lookup fails."""
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_is_rate_limit.return_value = False
        mock_get_invitation.return_value = None
        mock_authenticate.side_effect = [AccountPasswordError("Invalid"), mock_account]
@@ -459,7 +450,6 @@ class TestLoginApi:
        mock_db,
        app,
    ):
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_get_token_data.return_value = {"email": "User@Example.com", "code": "123456"}
        mock_get_account.side_effect = Unauthorized("Account is banned.")

@@ -513,7 +503,6 @@ class TestLogoutApi:
        - Success response is returned
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        mock_current_account.return_value = (mock_account, MagicMock())

        # Act
@@ -539,7 +528,6 @@ class TestLogoutApi:
        - Success response is returned
        """
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()
        # Create a mock anonymous user that will pass isinstance check
        anonymous_user = MagicMock()
        mock_flask_login.AnonymousUserMixin = type("AnonymousUserMixin", (), {})
--- a/api/tests/unit_tests/controllers/console/billing/test_billing.py
+++ b/api/tests/unit_tests/controllers/console/billing/test_billing.py
@@ -46,7 +46,6 @@ class TestPartnerTenants:
            patch("libs.login.dify_config.LOGIN_DISABLED", False),
            patch("libs.login.check_csrf_token") as mock_csrf,
        ):
-            mock_db.session.query.return_value.first.return_value = MagicMock()  # Mock setup exists
            mock_csrf.return_value = None
            yield {"db": mock_db, "csrf": mock_csrf}

--- a/api/tests/unit_tests/controllers/console/tag/test_tags.py
+++ b/api/tests/unit_tests/controllers/console/tag/test_tags.py
@@ -8,8 +8,10 @@ from werkzeug.exceptions import Forbidden
 import controllers.console.tag.tags as module
 from controllers.console import console_ns
 from controllers.console.tag.tags import (
-    TagBindingCreateApi,
-    TagBindingDeleteApi,
+    DeprecatedTagBindingCreateApi,
+    DeprecatedTagBindingRemoveApi,
+    TagBindingCollectionApi,
+    TagBindingItemApi,
    TagListApi,
    TagUpdateDeleteApi,
 )
@@ -205,9 +207,9 @@ class TestTagUpdateDeleteApi:
        assert status == 204


-class TestTagBindingCreateApi:
+class TestTagBindingCollectionApi:
    def test_create_success(self, app, admin_user, payload_patch):
-        api = TagBindingCreateApi()
+        api = TagBindingCollectionApi()
        method = unwrap(api.post)

        payload = {
@@ -232,7 +234,7 @@ class TestTagBindingCreateApi:
        assert result["result"] == "success"

    def test_create_forbidden(self, app, readonly_user, payload_patch):
-        api = TagBindingCreateApi()
+        api = TagBindingCollectionApi()
        method = unwrap(api.post)

        with app.test_request_context("/", json={}):
@@ -247,9 +249,78 @@ class TestTagBindingCreateApi:
                    method(api)


-class TestTagBindingDeleteApi:
+class TestDeprecatedTagBindingCreateApi:
+    def test_create_success(self, app, admin_user, payload_patch):
+        api = DeprecatedTagBindingCreateApi()
+        method = unwrap(api.post)
+
+        payload = {
+            "tag_ids": ["tag-1"],
+            "target_id": "target-1",
+            "type": "knowledge",
+        }
+
+        with app.test_request_context("/", json=payload):
+            with (
+                patch(
+                    "controllers.console.tag.tags.current_account_with_tenant",
+                    return_value=(admin_user, None),
+                ),
+                payload_patch(payload),
+                patch("controllers.console.tag.tags.TagService.save_tag_binding") as save_mock,
+            ):
+                result, status = method(api)
+
+        save_mock.assert_called_once()
+        assert status == 200
+        assert result["result"] == "success"
+
+
+class TestTagBindingItemApi:
+    def test_delete_success(self, app, admin_user, payload_patch):
+        api = TagBindingItemApi()
+        method = unwrap(api.delete)
+
+        payload = {
+            "target_id": "target-1",
+            "type": "knowledge",
+        }
+
+        with app.test_request_context("/", json=payload):
+            with (
+                patch(
+                    "controllers.console.tag.tags.current_account_with_tenant",
+                    return_value=(admin_user, None),
+                ),
+                payload_patch(payload),
+                patch("controllers.console.tag.tags.TagService.delete_tag_binding") as delete_mock,
+            ):
+                result, status = method(api, "tag-1")
+
+        delete_mock.assert_called_once()
+        delete_payload = delete_mock.call_args.args[0]
+        assert delete_payload.tag_id == "tag-1"
+        assert delete_payload.target_id == "target-1"
+        assert delete_payload.type == TagType.KNOWLEDGE
+        assert status == 200
+        assert result["result"] == "success"
+
+    def test_delete_forbidden(self, app, readonly_user):
+        api = TagBindingItemApi()
+        method = unwrap(api.delete)
+
+        with app.test_request_context("/"):
+            with patch(
+                "controllers.console.tag.tags.current_account_with_tenant",
+                return_value=(readonly_user, None),
+            ):
+                with pytest.raises(Forbidden):
+                    method(api, "tag-1")
+
+
+class TestDeprecatedTagBindingRemoveApi:
    def test_remove_success(self, app, admin_user, payload_patch):
-        api = TagBindingDeleteApi()
+        api = DeprecatedTagBindingRemoveApi()
        method = unwrap(api.post)

        payload = {
@@ -274,7 +345,7 @@ class TestTagBindingDeleteApi:
        assert result["result"] == "success"

    def test_remove_forbidden(self, app, readonly_user, payload_patch):
-        api = TagBindingDeleteApi()
+        api = DeprecatedTagBindingRemoveApi()
        method = unwrap(api.post)

        with app.test_request_context("/", json={}):
@@ -297,3 +368,35 @@ class TestTagResponseModel:

        assert payload["type"] == "knowledge"
        assert payload["binding_count"] == "1"
+
+
+class TestTagBindingRouteMetadata:
+    def test_legacy_write_routes_are_marked_deprecated(self):
+        assert DeprecatedTagBindingCreateApi.post.__apidoc__["deprecated"] is True
+        assert DeprecatedTagBindingRemoveApi.post.__apidoc__["deprecated"] is True
+        assert TagBindingCollectionApi.post.__apidoc__.get("deprecated") is not True
+        assert TagBindingItemApi.delete.__apidoc__.get("deprecated") is not True
+
+    def test_write_routes_have_stable_operation_ids(self):
+        assert TagBindingCollectionApi.post.__apidoc__["id"] == "create_tag_binding"
+        assert TagBindingItemApi.delete.__apidoc__["id"] == "delete_tag_binding"
+        assert DeprecatedTagBindingCreateApi.post.__apidoc__["id"] == "create_tag_binding_deprecated"
+        assert DeprecatedTagBindingRemoveApi.post.__apidoc__["id"] == "delete_tag_binding_deprecated"
+
+    def test_canonical_and_legacy_write_routes_are_registered(self):
+        route_map = {
+            resource.__name__: urls
+            for resource, urls, _route_doc, _kwargs in console_ns.resources
+            if resource.__name__
+            in {
+                "TagBindingCollectionApi",
+                "TagBindingItemApi",
+                "DeprecatedTagBindingCreateApi",
+                "DeprecatedTagBindingRemoveApi",
+            }
+        }
+
+        assert route_map["TagBindingCollectionApi"] == ("/tag-bindings",)
+        assert route_map["TagBindingItemApi"] == ("/tag-bindings/<uuid:id>",)
+        assert route_map["DeprecatedTagBindingCreateApi"] == ("/tag-bindings/create",)
+        assert route_map["DeprecatedTagBindingRemoveApi"] == ("/tag-bindings/remove",)
--- a/api/tests/unit_tests/controllers/console/test_human_input_form.py
+++ b/api/tests/unit_tests/controllers/console/test_human_input_form.py
@@ -122,6 +122,35 @@ def test_post_form_invalid_recipient_type(app, monkeypatch: pytest.MonkeyPatch)
            handler(api, form_token="token")


+def test_post_form_rejects_webapp_recipient_type(app, monkeypatch: pytest.MonkeyPatch) -> None:
+    form = SimpleNamespace(tenant_id="tenant-1", recipient_type=RecipientType.STANDALONE_WEB_APP)
+
+    class _ServiceStub:
+        def __init__(self, *_args, **_kwargs):
+            pass
+
+        def get_form_by_token(self, _token):
+            return form
+
+    monkeypatch.setattr("controllers.console.human_input_form.HumanInputService", _ServiceStub)
+    monkeypatch.setattr(
+        "controllers.console.human_input_form.current_account_with_tenant",
+        lambda: (SimpleNamespace(id="user-1"), "tenant-1"),
+    )
+    monkeypatch.setattr("controllers.console.human_input_form.db", SimpleNamespace(engine=object()))
+
+    api = ConsoleHumanInputFormApi()
+    handler = _unwrap(api.post)
+
+    with app.test_request_context(
+        "/console/api/form/human_input/token",
+        method="POST",
+        json={"inputs": {"content": "ok"}, "action": "approve"},
+    ):
+        with pytest.raises(NotFoundError):
+            handler(api, form_token="token")
+
+
 def test_post_form_success(app, monkeypatch: pytest.MonkeyPatch) -> None:
    submit_mock = Mock()
    form = SimpleNamespace(tenant_id="tenant-1", recipient_type=RecipientType.CONSOLE)
--- a/api/tests/unit_tests/controllers/console/test_workspace_account.py
+++ b/api/tests/unit_tests/controllers/console/test_workspace_account.py
@@ -24,10 +24,6 @@ def app():
    return app


-def _mock_wraps_db(mock_db):
-    mock_db.session.query.return_value.first.return_value = MagicMock()
-
-
 def _build_account(email: str, account_id: str = "acc", tenant: object | None = None) -> Account:
    tenant_obj = tenant if tenant is not None else SimpleNamespace(id="tenant-id")
    account = Account(name=account_id, email=email)
@@ -64,7 +60,6 @@ class TestChangeEmailSend:
        mock_db,
        app,
    ):
-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_account = _build_account("current@example.com", "acc1")
        mock_current_account.return_value = (mock_account, None)
@@ -117,7 +112,6 @@ class TestChangeEmailSend:
        """GHSA-4q3w-q5mc-45rq: a phase-1 token must not unlock the new-email send step."""
        from controllers.console.auth.error import InvalidTokenError

-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_account = _build_account("current@example.com", "acc1")
        mock_current_account.return_value = (mock_account, None)
@@ -163,7 +157,6 @@ class TestChangeEmailValidity:
        mock_db,
        app,
    ):
-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_account = _build_account("user@example.com", "acc2")
        mock_current_account.return_value = (mock_account, None)
@@ -223,7 +216,6 @@ class TestChangeEmailValidity:
        mock_db,
        app,
    ):
-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_current_account.return_value = (_build_account("old@example.com", "acc"), None)
        mock_is_rate_limit.return_value = False
@@ -280,7 +272,6 @@ class TestChangeEmailValidity:
        """A token whose phase marker is a string but not a known transition must be rejected."""
        from controllers.console.auth.error import InvalidTokenError

-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_current_account.return_value = (_build_account("old@example.com", "acc"), None)
        mock_is_rate_limit.return_value = False
@@ -330,7 +321,6 @@ class TestChangeEmailValidity:
        """A token minted without a phase marker (e.g. a hand-crafted token) must not validate."""
        from controllers.console.auth.error import InvalidTokenError

-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        mock_current_account.return_value = (_build_account("old@example.com", "acc"), None)
        mock_is_rate_limit.return_value = False
@@ -378,7 +368,6 @@ class TestChangeEmailReset:
        mock_db,
        app,
    ):
-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        current_user = _build_account("old@example.com", "acc3")
        mock_current_account.return_value = (current_user, None)
@@ -434,7 +423,6 @@ class TestChangeEmailReset:
        """GHSA-4q3w-q5mc-45rq PoC: phase-1 token must not be usable against /reset."""
        from controllers.console.auth.error import InvalidTokenError

-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        current_user = _build_account("old@example.com", "acc3")
        mock_current_account.return_value = (current_user, None)
@@ -488,7 +476,6 @@ class TestChangeEmailReset:
        """A verified token for address A must not be replayed to change to address B."""
        from controllers.console.auth.error import InvalidTokenError

-        _mock_wraps_db(mock_db)
        mock_features.return_value = SimpleNamespace(enable_change_email=True)
        current_user = _build_account("old@example.com", "acc3")
        mock_current_account.return_value = (current_user, None)
@@ -561,7 +548,6 @@ class TestAccountDeletionFeedback:
    @patch("controllers.console.wraps.db")
    @patch("controllers.console.workspace.account.BillingService.update_account_deletion_feedback")
    def test_should_normalize_feedback_email(self, mock_update, mock_db, app):
-        _mock_wraps_db(mock_db)
        with app.test_request_context(
            "/account/delete/feedback",
            method="POST",
@@ -578,7 +564,6 @@ class TestCheckEmailUnique:
    @patch("controllers.console.workspace.account.AccountService.check_email_unique")
    @patch("controllers.console.workspace.account.AccountService.is_account_in_freeze")
    def test_should_normalize_email(self, mock_is_freeze, mock_check_unique, mock_db, app):
-        _mock_wraps_db(mock_db)
        mock_is_freeze.return_value = False
        mock_check_unique.return_value = True

--- a/api/tests/unit_tests/controllers/console/test_workspace_members.py
+++ b/api/tests/unit_tests/controllers/console/test_workspace_members.py
@@ -1,5 +1,5 @@
 from types import SimpleNamespace
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch

 import pytest
 from flask import Flask, g
@@ -16,10 +16,6 @@ def app():
    return flask_app


-def _mock_wraps_db(mock_db):
-    mock_db.session.query.return_value.first.return_value = MagicMock()
-
-
 def _build_feature_flags():
    placeholder_quota = SimpleNamespace(limit=0, size=0)
    workspace_members = SimpleNamespace(is_available=lambda count: True)
@@ -49,7 +45,6 @@ class TestMemberInviteEmailApi:
        mock_get_features,
        app,
    ):
-        _mock_wraps_db(mock_db)
        mock_get_features.return_value = _build_feature_flags()
        mock_invite_member.return_value = "token-abc"

--- a/api/tests/unit_tests/controllers/console/test_wraps.py
+++ b/api/tests/unit_tests/controllers/console/test_wraps.py
@@ -310,7 +310,6 @@ class TestSystemSetup:
    def test_should_allow_when_setup_complete(self, mock_db):
        """Test that requests are allowed when setup is complete"""
        # Arrange
-        mock_db.session.query.return_value.first.return_value = MagicMock()  # Setup exists

        @setup_required
        def admin_view():
--- a/api/tests/unit_tests/controllers/console/workspace/test_tool_providers.py
+++ b/api/tests/unit_tests/controllers/console/workspace/test_tool_providers.py
@@ -22,7 +22,7 @@ _WRAPS_MODULE: ModuleType | None = None

@contextmanager
 def _mock_db():
-    mock_session = SimpleNamespace(query=lambda *args, **kwargs: SimpleNamespace(first=lambda: True))
+    mock_session = SimpleNamespace(scalar=lambda *args, **kwargs: True)
    with patch("extensions.ext_database.db.session", mock_session):
        yield