feat(security): add LAN IP allowlist and ingress guardrails

tests/test_ip_allowlist.py

@@ -0,0 +1,50 @@
+import os
+from pathlib import Path
+
+from fastapi.testclient import TestClient
+
+import app as app_module
+
+
+def make_client(tmp_path: Path) -> TestClient:
+    os.environ["JARVISCHAT_ADMIN_PIN"] = "1234"
+    app_module.DB_PATH = tmp_path / "jarvischat-ip.db"
+    app_module.SESSIONS.clear()
+    app_module.PIN_ATTEMPTS.clear()
+    app_module.RATE_EVENTS.clear()
+    app_module.init_db()
+    return TestClient(app_module.app)
+
+
+def test_ip_helper_allows_local_defaults():
+    assert app_module.is_ip_allowed("127.0.0.1")
+    assert app_module.is_ip_allowed("192.168.1.10")
+    assert app_module.is_ip_allowed("10.0.0.42")
+    assert app_module.is_ip_allowed("172.16.1.2")
+    assert app_module.is_ip_allowed("testclient")
+
+
+def test_ip_helper_blocks_public_ip():
+    assert not app_module.is_ip_allowed("8.8.8.8")
+
+
+def test_middleware_blocks_disallowed_ip(tmp_path: Path):
+    with make_client(tmp_path) as client:
+        original_get_client_ip = app_module.get_client_ip
+        try:
+            app_module.get_client_ip = lambda _req: "8.8.8.8"
+            resp = client.post("/api/auth/guest")
+            assert resp.status_code == 403
+        finally:
+            app_module.get_client_ip = original_get_client_ip
+
+
+def test_middleware_allows_local_ip(tmp_path: Path):
+    with make_client(tmp_path) as client:
+        original_get_client_ip = app_module.get_client_ip
+        try:
+            app_module.get_client_ip = lambda _req: "192.168.50.109"
+            resp = client.post("/api/auth/guest")
+            assert resp.status_code == 200
+        finally:
+            app_module.get_client_ip = original_get_client_ip