Harden auth, redaction, upload size checks, and compose token requirements

backend/app/schemas/processing_logs.py

@@ -1,13 +1,16 @@
 """Pydantic schemas for processing pipeline log API payloads."""
 
 from datetime import datetime
+from typing import Any
 from uuid import UUID
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, field_validator
+
+from app.models.processing_log import sanitize_processing_log_payload_value, sanitize_processing_log_text
 
 
 class ProcessingLogEntryResponse(BaseModel):
-    """Represents one persisted processing log event returned by API endpoints."""
+    """Represents one persisted processing log event with already-redacted sensitive fields."""
 
     id: int
     created_at: datetime
@@ -20,7 +23,26 @@ class ProcessingLogEntryResponse(BaseModel):
     model_name: str | None
     prompt_text: str | None
     response_text: str | None
-    payload_json: dict
+    payload_json: dict[str, Any]
+
+    @field_validator("prompt_text", "response_text", mode="before")
+    @classmethod
+    def _sanitize_text_fields(cls, value: Any) -> str | None:
+        """Ensures log text fields are redacted in API responses."""
+
+        if value is None:
+            return None
+        return sanitize_processing_log_text(str(value))
+
+    @field_validator("payload_json", mode="before")
+    @classmethod
+    def _sanitize_payload_field(cls, value: Any) -> dict[str, Any]:
+        """Ensures payload fields are redacted in API responses."""
+
+        if not isinstance(value, dict):
+            return {}
+        sanitized = sanitize_processing_log_payload_value(value)
+        return sanitized if isinstance(sanitized, dict) else {}
 
     class Config:
         """Enables ORM object parsing for SQLAlchemy model instances."""