fix: resolve all critical runtime errors and bugs from audit

- Add COMPLETIONS_API_KEY to config.py (env var + auto-generated fallback)
- Fix perplexity auto-search: upstream sends logprobs=true, parse_llama_stream_chunk
  extracts per-token logprobs, all_logprobs populated during streaming
- Fix all /api/models endpoints to target LLAMA_SERVER_BASE (port 8081) not OLLAMA_BASE
- Fix RAG embedding endpoint URL from port 11434 (Ollama) to 8081 (llama-server)
- Correct misleading error messages: 'inference server' not 'Ollama'
- Remove raw_results leak from SSE event stream in /api/search
- Fix weather query extractor: pattern-match instead of unconditional suffix append
- Escape FTS5 operator keywords (AND/OR/NOT/NEAR) in memory search
- Move auth.py BODY_LIMIT_DEFAULT_BYTES imports to module level
- Change RAG injection log level from warning to info
- Fix all 8 test files after modular refactor (rewire imports from correct modules)
- Update AGENTS.md and README.md to reflect v1.8.0 changes

tests/test_rate_and_payload_guardrails.py

@@ -4,24 +4,28 @@ from pathlib import Path
 
 from fastapi.testclient import TestClient
 
-import app as app_module
+import app
+import config
+import db
+import security
+from security import SESSIONS, PIN_ATTEMPTS, RATE_EVENTS
 
 
 def make_client(tmp_path: Path) -> TestClient:
     os.environ["JARVISCHAT_ADMIN_PIN"] = "1234"
-    app_module.DB_PATH = tmp_path / "jarvischat-rate.db"
-    app_module.SESSIONS.clear()
-    app_module.PIN_ATTEMPTS.clear()
-    app_module.RATE_EVENTS.clear()
-    app_module.init_db()
-    return TestClient(app_module.app)
+    db.DB_PATH = tmp_path / "jarvischat-rate.db"
+    SESSIONS.clear()
+    PIN_ATTEMPTS.clear()
+    RATE_EVENTS.clear()
+    db.init_db()
+    return TestClient(app.app)
 
 
 def test_stats_rate_limit_hits_429(tmp_path: Path):
-    old_limit = app_module.RL_STATS_PER_WINDOW
-    old_window = app_module.RATE_WINDOW_SECONDS
-    app_module.RL_STATS_PER_WINDOW = 2
-    app_module.RATE_WINDOW_SECONDS = 60
+    old_limit = security.RL_STATS_PER_WINDOW
+    old_window = app.RATE_WINDOW_SECONDS
+    security.RL_STATS_PER_WINDOW = 2
+    app.RATE_WINDOW_SECONDS = 60
     try:
         with make_client(tmp_path) as client:
             sid = client.post("/api/auth/guest").json()["session_id"]
@@ -35,13 +39,13 @@ def test_stats_rate_limit_hits_429(tmp_path: Path):
             assert r2.status_code == 200
             assert r3.status_code == 429
     finally:
-        app_module.RL_STATS_PER_WINDOW = old_limit
-        app_module.RATE_WINDOW_SECONDS = old_window
+        security.RL_STATS_PER_WINDOW = old_limit
+        app.RATE_WINDOW_SECONDS = old_window
 
 
 def test_large_login_payload_rejected_413(tmp_path: Path):
     with make_client(tmp_path) as client:
-        huge_pin = "1" * (app_module.BODY_LIMIT_DEFAULT_BYTES + 100)
+        huge_pin = "1" * (config.BODY_LIMIT_DEFAULT_BYTES + 100)
         resp = client.post(
             "/api/auth/login",
             data=json.dumps({"pin": huge_pin}),
@@ -54,10 +58,10 @@ def test_chat_message_length_rejected_413(tmp_path: Path):
     with make_client(tmp_path) as client:
         sid = client.post("/api/auth/guest").json()["session_id"]
         headers = {"X-Session-ID": sid, "Origin": "http://testserver"}
-        message = "x" * (app_module.MAX_CHAT_MESSAGE_CHARS + 1)
+        message = "x" * (config.MAX_CHAT_MESSAGE_CHARS + 1)
         resp = client.post(
             "/api/chat",
-            json={"message": message, "model": app_module.DEFAULT_MODEL},
+            json={"message": message, "model": config.DEFAULT_MODEL},
             headers=headers,
         )
         assert resp.status_code == 413
@@ -67,10 +71,10 @@ def test_search_query_length_rejected_413(tmp_path: Path):
     with make_client(tmp_path) as client:
         sid = client.post("/api/auth/guest").json()["session_id"]
         headers = {"X-Session-ID": sid, "Origin": "http://testserver"}
-        query = "q" * (app_module.MAX_SEARCH_QUERY_CHARS + 1)
+        query = "q" * (config.MAX_SEARCH_QUERY_CHARS + 1)
         resp = client.post(
             "/api/search",
-            json={"query": query, "model": app_module.DEFAULT_MODEL},
+            json={"query": query, "model": config.DEFAULT_MODEL},
             headers=headers,
         )
         assert resp.status_code == 413