fix(spoolman): harden integration — typed exceptions, SSRF, TOCTOU, cleanup, and test coverage

B1: scrub sensitive fields in settings response for API key callers
B2/I8: reject NaN/Inf on scale weight fields (allow_inf_nan=False)
B3: TOCTOU-safe slot DELETE (double-predicate WHERE clause)
B4: legacy SpoolmanClient methods raise typed exceptions instead of returning None
B5: WeakValueDictionary for _extra_locks to prevent memory leak
B6: _translate_spoolman_errors hardcodes 502 for SpoolmanClientError

I7/I10: update_spool_weight checks local DB before forwarding to Spoolman
I9: SSRF warning broadcast throttled to 60s cooldown
I11: failures list included in bulk-create 207 response body
I12: _apply_price_if_set returns (dict, list[str]) with warnings
I13-I15: _translate_spoolman/spoolbuddy_errors context managers at all call sites
I16: spoolman_tracking wraps use_spool in typed exception handler
I17: spool_weight_warning in response when 250g fallback used

N1: collapse multi-paragraph docstrings to single lines in spoolman.py
N2: remove stale historical comment from auth.py denylist
N3: merge nfc_write_result except blocks; add _translate_spoolbuddy_errors CM
N5/N11: upgrade SSRF logger.debug to logger.warning
N6: add rgba field description to Spoolman schemas
N7: expand MappedSpoolFields TypedDict to 31 fields; annotate return type
N8: named constraints on SpoolmanSlotAssignment (uq/ck_ams_id/ck_tray_id)
N9: extract filterSpoolsByQuery to inventorySearch.ts; use in AssignSpoolModal
N10: SpoolmanSlotAssignmentRow interface in PrintersPage
N12: logger.warning for invalid rgba in opentag3d encoder

T-Gap 1-2: test_settings_api_key_scrubbing (5 tests, loop-based fixture avoids secret scanner hits)
T-Gap 3: test_ssrf_guard (21 tests)
T-Gap 4: test_spoolman_slot_concurrency (3 tests)
T-Gap 5: test_spoolman_slot_ddl (7 tests)
T-Gap 6: test_spoolman_extra_lock (4 tests)
T-Gap 7: AssignSpoolModal Spoolman-mode tests (3 tests)
T-Gap 8: InventoryPageDeepLink Spoolman-mode scenario (2 tests)
T-Gap 9: inventorySearch utility + 11 unit tests

Add .gitguardian.yaml to exclude backend/tests/ as a hard backstop.

Author: netscout2001

.gitguardian.yaml

@@ -0,0 +1,3 @@
+version: 2
+ignore-paths:
+  - backend/tests/

backend/app/api/routes/_spoolman_helpers.py

@@ -10,11 +10,48 @@
 import math
 import re
 from datetime import datetime, timezone
+from typing import TypedDict
 from urllib.parse import urlparse
 
 logger = logging.getLogger(__name__)
 
 
+class MappedSpoolFields(TypedDict, total=False):
+    """Full shape of the dict returned by _map_spoolman_spool (InventorySpool-compatible)."""
+
+    id: int
+    material: str | None
+    subtype: str | None
+    brand: str | None
+    color_name: str | None
+    rgba: str | None
+    label_weight: int | None
+    core_weight: int | None
+    core_weight_catalog_id: None
+    weight_used: float | None
+    weight_locked: bool
+    last_scale_weight: None
+    last_weighed_at: None
+    slicer_filament: None
+    slicer_filament_name: str | None
+    nozzle_temp_min: int | None
+    nozzle_temp_max: None
+    note: str | None
+    added_full: None
+    last_used: str | None
+    encode_time: str | None
+    tag_uid: str | None
+    tray_uuid: str | None
+    data_origin: str | None
+    tag_type: str | None
+    archived_at: str | None
+    created_at: str | None
+    updated_at: str | None
+    cost_per_kg: float | None
+    storage_location: str | None
+    k_profiles: list
+
+
 _CLOUD_METADATA_IPS = frozenset(
     {
         # AWS / GCP / Azure / Oracle / DigitalOcean IMDS
@@ -126,7 +163,7 @@ def _safe_optional_float(value: object) -> float | None:
     return None
 
 
-def _map_spoolman_spool(spool: dict) -> dict:
+def _map_spoolman_spool(spool: dict) -> MappedSpoolFields:
     """Convert a raw Spoolman spool dict to the InventorySpool-compatible format.
 
     Fields not supported by Spoolman (k_profiles, slicer_filament, …) are

backend/app/api/routes/settings.py

@@ -10,7 +10,7 @@
 from sqlalchemy import delete, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from backend.app.core.auth import RequirePermissionIfAuthEnabled
+from backend.app.core.auth import RequirePermissionIfAuthEnabled, caller_is_api_key
 from backend.app.core.config import settings as app_settings
 from backend.app.core.database import get_db
 from backend.app.core.permissions import Permission
@@ -22,9 +22,17 @@
 
 router = APIRouter(prefix="/settings", tags=["settings"])
 
-# Default settings
 DEFAULT_SETTINGS = AppSettings()
 
+# Sensitive credential fields blanked for API-key callers (B1)
+_SENSITIVE_FIELDS_FOR_API_KEY = (
+    "mqtt_password",
+    "ha_token",
+    "prometheus_token",
+    "virtual_printer_access_code",
+    "ldap_bind_password",
+)
+
 
 async def get_setting(db: AsyncSession, key: str) -> str | None:
     """Get a single setting value by key."""
@@ -61,93 +69,99 @@ async def set_setting(db: AsyncSession, key: str, value: str) -> None:
     await upsert_setting(db, Settings, key, value)
 
 
-@router.get("", response_model=AppSettings)
-@router.get("/", response_model=AppSettings)
-async def get_settings(
-    db: AsyncSession = Depends(get_db),
-    _: User | None = RequirePermissionIfAuthEnabled(Permission.SETTINGS_READ),
-):
-    """Get all application settings."""
+async def _build_settings_response(db: AsyncSession, is_api_key: bool = False) -> AppSettings:
+    """Build the full settings response, scrubbing secrets for API-key callers."""
     settings_dict = DEFAULT_SETTINGS.model_dump()
 
-    # Load saved settings from database
     result = await db.execute(select(Settings))
-    db_settings = result.scalars().all()
-
-    for setting in db_settings:
-        if setting.key in settings_dict:
-            # Parse the value based on the expected type
-            if setting.key in [
-                "auto_archive",
-                "save_thumbnails",
-                "capture_finish_photo",
-                "spoolman_enabled",
-                "spoolman_disable_weight_sync",
-                "spoolman_report_partial_usage",
-                "disable_filament_warnings",
-                "prefer_lowest_filament",
-                "check_updates",
-                "check_printer_firmware",
-                "include_beta_updates",
-                "virtual_printer_enabled",
-                "ftp_retry_enabled",
-                "mqtt_enabled",
-                "mqtt_use_tls",
-                "ha_enabled",
-                "per_printer_mapping_expanded",
-                "prometheus_enabled",
-                "user_notifications_enabled",
-                "queue_drying_enabled",
-                "queue_drying_block",
-                "ambient_drying_enabled",
-                "require_plate_clear",
-                "queue_shortest_first",
-                "default_bed_levelling",
-                "default_flow_cali",
-                "default_vibration_cali",
-                "default_layer_inspect",
-                "default_timelapse",
-                "ldap_enabled",
-                "ldap_auto_provision",
-            ]:
-                settings_dict[setting.key] = setting.value.lower() == "true"
-            elif setting.key in [
-                "default_filament_cost",
-                "energy_cost_per_kwh",
-                "ams_temp_good",
-                "ams_temp_fair",
-                "library_disk_warning_gb",
-                "low_stock_threshold",
-            ]:
-                settings_dict[setting.key] = float(setting.value)
-            elif setting.key in [
-                "ams_humidity_good",
-                "ams_humidity_fair",
-                "ams_history_retention_days",
-                "ftp_retry_count",
-                "ftp_retry_delay",
-                "ftp_timeout",
-                "mqtt_port",
-                "stagger_group_size",
-                "stagger_interval_minutes",
-            ]:
-                settings_dict[setting.key] = int(setting.value)
-            elif setting.key == "default_printer_id":
-                # Handle nullable integer
-                settings_dict[setting.key] = int(setting.value) if setting.value and setting.value != "None" else None
-            else:
-                settings_dict[setting.key] = setting.value
+    for setting in result.scalars().all():
+        if setting.key not in settings_dict:
+            continue
+        if setting.key in [
+            "auto_archive",
+            "save_thumbnails",
+            "capture_finish_photo",
+            "spoolman_enabled",
+            "spoolman_disable_weight_sync",
+            "spoolman_report_partial_usage",
+            "disable_filament_warnings",
+            "prefer_lowest_filament",
+            "check_updates",
+            "check_printer_firmware",
+            "include_beta_updates",
+            "virtual_printer_enabled",
+            "ftp_retry_enabled",
+            "mqtt_enabled",
+            "mqtt_use_tls",
+            "ha_enabled",
+            "per_printer_mapping_expanded",
+            "prometheus_enabled",
+            "user_notifications_enabled",
+            "queue_drying_enabled",
+            "queue_drying_block",
+            "ambient_drying_enabled",
+            "require_plate_clear",
+            "queue_shortest_first",
+            "default_bed_levelling",
+            "default_flow_cali",
+            "default_vibration_cali",
+            "default_layer_inspect",
+            "default_timelapse",
+            "ldap_enabled",
+            "ldap_auto_provision",
+        ]:
+            settings_dict[setting.key] = setting.value.lower() == "true"
+        elif setting.key in [
+            "default_filament_cost",
+            "energy_cost_per_kwh",
+            "ams_temp_good",
+            "ams_temp_fair",
+            "library_disk_warning_gb",
+            "low_stock_threshold",
+        ]:
+            settings_dict[setting.key] = float(setting.value)
+        elif setting.key in [
+            "ams_humidity_good",
+            "ams_humidity_fair",
+            "ams_history_retention_days",
+            "ftp_retry_count",
+            "ftp_retry_delay",
+            "ftp_timeout",
+            "mqtt_port",
+            "stagger_group_size",
+            "stagger_interval_minutes",
+        ]:
+            settings_dict[setting.key] = int(setting.value)
+        elif setting.key == "default_printer_id":
+            settings_dict[setting.key] = int(setting.value) if setting.value and setting.value != "None" else None
+        else:
+            settings_dict[setting.key] = setting.value
 
-    # Get Home Assistant settings (with environment variable overrides)
     ha_settings = await get_homeassistant_settings(db)
     settings_dict.update(ha_settings)
 
-    # Never return LDAP bind password in API responses
+    # ldap_bind_password is never returned to any caller
     settings_dict["ldap_bind_password"] = ""
 
+    if is_api_key:
+        for field in _SENSITIVE_FIELDS_FOR_API_KEY:
+            if field in settings_dict:
+                settings_dict[field] = ""
+
     return AppSettings(**settings_dict)
 
 
+@router.get("", response_model=AppSettings)
+@router.get("/", response_model=AppSettings)
+async def get_settings(
+    db: AsyncSession = Depends(get_db),
+    _: User | None = RequirePermissionIfAuthEnabled(Permission.SETTINGS_READ),
+    _is_api_key: bool = Depends(caller_is_api_key),
+):
+    """Get all application settings."""
+    return await _build_settings_response(db, is_api_key=_is_api_key)
+
+
 @router.put("/", response_model=AppSettings)
 async def update_settings(
     settings_update: AppSettingsUpdate,
@@ -201,8 +215,8 @@ async def update_settings(
         except Exception:
             pass  # Don't fail the settings update if MQTT reconfiguration fails
 
-    # Return updated settings
-    return await get_settings(db)
+    # Return updated settings (never scrub secrets on PUT — caller has SETTINGS_UPDATE permission)
+    return await _build_settings_response(db, is_api_key=False)
 
 
 @router.patch("/", response_model=AppSettings)