fix(auth): address SonarCloud cognitive complexity and string duplication

Extract cookie auth field validation into _validate_cookie_auth helper to
reduce validate_auth_dependencies cognitive complexity from 17 to 4.
Extract repeated _fetch_jwks patch path into _FETCH_JWKS_PATH constant.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: arne-aignx

src/aignostics_foundry_core/api/auth.py

@@ -97,36 +97,45 @@ def __init__(self, **kwargs: Any) -> None:  # noqa: ANN401
         ctx = get_context()
         super().__init__(_env_prefix=f"{ctx.env_prefix}AUTH_", _env_file=ctx.env_file, **kwargs)  # pyright: ignore[reportCallIssue]
 
-    @model_validator(mode="after")
-    def validate_auth_dependencies(self) -> "AuthSettings":
-        """Validate cross-field auth dependencies.
-
-        Returns:
-            AuthSettings: The validated settings instance.
+    def _validate_cookie_auth(self) -> None:
+        """Validate cookie auth required fields when cookie auth is active.
 
         Raises:
-            ValueError: If any cross-field dependency is violated.
+            ValueError: If any required cookie auth field is missing or invalid.
         """
         cookie_active = self.cookie_enabled or self.enabled
-
-        if cookie_active and self.session_secret is None:
+        if not cookie_active:
+            return
+        if self.session_secret is None:
             msg = "AUTH_SESSION_SECRET must not be None when cookie auth is enabled"
             raise ValueError(msg)
-        if cookie_active and self.client_secret is None:
+        if self.client_secret is None:
             msg = "AUTH_CLIENT_SECRET must not be None when cookie auth is enabled"
             raise ValueError(msg)
-        if cookie_active and not self.domain:
+        if not self.domain:
             msg = "AUTH_DOMAIN must not be empty when cookie auth is enabled"
             raise ValueError(msg)
-        if cookie_active and not self.client_id:
+        if not self.client_id:
             msg = "AUTH_CLIENT_ID must not be empty when cookie auth is enabled"
             raise ValueError(msg)
-        if cookie_active and not self.internal_org_id:
+        if not self.internal_org_id:
             msg = "AUTH_INTERNAL_ORG_ID must not be empty when cookie auth is enabled"
             raise ValueError(msg)
-        if cookie_active and not self.role_claim:
+        if not self.role_claim:
             msg = "AUTH_ROLE_CLAIM must not be empty when cookie auth is enabled"
             raise ValueError(msg)
+
+    @model_validator(mode="after")
+    def validate_auth_dependencies(self) -> "AuthSettings":
+        """Validate cross-field auth dependencies.
+
+        Returns:
+            AuthSettings: The validated settings instance.
+
+        Raises:
+            ValueError: If any cross-field dependency is violated.
+        """
+        self._validate_cookie_auth()
         if self.jwt_enabled and not self.domain:
             msg = "AUTH_DOMAIN must not be empty when AUTH_JWT_ENABLED is True"
             raise ValueError(msg)

tests/aignostics_foundry_core/api/auth_test.py

@@ -42,6 +42,7 @@
 _TEST_JWT_AUDIENCE = "https://api.example.com"
 _TEST_BEARER_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3QifQ.test.test"  # noqa: S105
 _TEST_KID = "test-kid"
+_FETCH_JWKS_PATH = "aignostics_foundry_core.api.auth._fetch_jwks"
 
 
 @pytest.mark.unit
@@ -397,7 +398,7 @@ async def test_validate_jwt_returns_none_when_kid_not_in_jwks(self) -> None:
         jwks_without_kid: dict = {"keys": []}
         settings = AuthSettings(jwt_enabled=True, domain=_TEST_DOMAIN, jwt_audience=_TEST_JWT_AUDIENCE)
 
-        with patch("aignostics_foundry_core.api.auth._fetch_jwks", AsyncMock(return_value=jwks_without_kid)):
+        with patch(_FETCH_JWKS_PATH, AsyncMock(return_value=jwks_without_kid)):
             import jwt
 
             with patch.object(jwt, "get_unverified_header", return_value={"kid": _TEST_KID, "alg": "RS256"}):
@@ -409,9 +410,7 @@ async def test_validate_jwt_returns_none_on_fetch_failure(self) -> None:
         """_validate_jwt returns None when JWKS fetch raises an exception."""
         settings = AuthSettings(jwt_enabled=True, domain=_TEST_DOMAIN, jwt_audience=_TEST_JWT_AUDIENCE)
 
-        with patch(
-            "aignostics_foundry_core.api.auth._fetch_jwks", AsyncMock(side_effect=RuntimeError("network error"))
-        ):
+        with patch(_FETCH_JWKS_PATH, AsyncMock(side_effect=RuntimeError("network error"))):
             result = await _validate_jwt(_TEST_BEARER_TOKEN, settings)
 
         assert result is None
@@ -424,7 +423,7 @@ async def test_validate_jwt_returns_none_for_invalid_token(self, mock_jwks: dict
         settings = AuthSettings(jwt_enabled=True, domain=_TEST_DOMAIN, jwt_audience=_TEST_JWT_AUDIENCE)
 
         with (
-            patch("aignostics_foundry_core.api.auth._fetch_jwks", AsyncMock(return_value=mock_jwks)),
+            patch(_FETCH_JWKS_PATH, AsyncMock(return_value=mock_jwks)),
             patch.object(jwt, "get_unverified_header", return_value={"kid": _TEST_KID, "alg": "RS256"}),
             patch.object(RSAAlgorithm, "from_jwk", return_value=MagicMock()),
             patch.object(jwt, "decode", side_effect=jwt.ExpiredSignatureError("expired")),
@@ -442,7 +441,7 @@ async def test_validate_jwt_returns_payload_for_valid_token(self, mock_jwks: dic
         settings = AuthSettings(jwt_enabled=True, domain=_TEST_DOMAIN, jwt_audience=_TEST_JWT_AUDIENCE)
 
         with (
-            patch("aignostics_foundry_core.api.auth._fetch_jwks", AsyncMock(return_value=mock_jwks)),
+            patch(_FETCH_JWKS_PATH, AsyncMock(return_value=mock_jwks)),
             patch.object(jwt, "get_unverified_header", return_value={"kid": _TEST_KID, "alg": "RS256"}),
             patch.object(RSAAlgorithm, "from_jwk", return_value=MagicMock()),
             patch.object(jwt, "decode", return_value=expected_payload),