feat: BreakPilot PWA - Full codebase (clean push without large binaries)

All services: admin-v2, studio-v2, website, ai-compliance-sdk,
consent-service, klausur-service, voice-service, and infrastructure.
Large PDFs and compiled binaries excluded via .gitignore.

voice-service/tests/test_encryption.py

@@ -0,0 +1,111 @@
+"""
+Tests for Encryption Service
+"""
+import pytest
+from services.encryption_service import EncryptionService
+
+
+class TestEncryptionService:
+    """Tests for encryption functionality."""
+
+    @pytest.fixture
+    def service(self):
+        """Create encryption service instance."""
+        return EncryptionService()
+
+    def test_verify_key_hash_valid(self, service):
+        """Test validating a correctly formatted key hash."""
+        # SHA-256 produces 32 bytes = 44 chars in base64 (with padding)
+        valid_hash = "sha256:eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg="  # 32 bytes base64
+        assert service.verify_key_hash(valid_hash) is True
+
+    def test_verify_key_hash_invalid_prefix(self, service):
+        """Test rejecting hash with wrong prefix."""
+        invalid_hash = "md5:dGVzdGtleWhhc2g="
+        assert service.verify_key_hash(invalid_hash) is False
+
+    def test_verify_key_hash_empty(self, service):
+        """Test rejecting empty hash."""
+        assert service.verify_key_hash("") is False
+        assert service.verify_key_hash(None) is False
+
+    def test_verify_key_hash_invalid_base64(self, service):
+        """Test rejecting invalid base64."""
+        invalid_hash = "sha256:not-valid-base64!!!"
+        assert service.verify_key_hash(invalid_hash) is False
+
+    def test_encrypt_decrypt_roundtrip(self, service):
+        """Test that encryption and decryption work correctly."""
+        plaintext = "Notiz zu Max: heute wiederholt gestoert"
+        namespace_id = "test-ns-12345678"
+
+        # Encrypt
+        encrypted = service.encrypt_content(plaintext, namespace_id)
+        assert encrypted.startswith("encrypted:")
+        assert encrypted != plaintext
+
+        # Decrypt
+        decrypted = service.decrypt_content(encrypted, namespace_id)
+        assert decrypted == plaintext
+
+    def test_encrypt_different_namespaces(self, service):
+        """Test that different namespaces produce different ciphertexts."""
+        plaintext = "Same content"
+
+        encrypted1 = service.encrypt_content(plaintext, "namespace-1")
+        encrypted2 = service.encrypt_content(plaintext, "namespace-2")
+
+        assert encrypted1 != encrypted2
+
+    def test_decrypt_wrong_namespace_fails(self, service):
+        """Test that decryption with wrong namespace fails."""
+        plaintext = "Secret content"
+        encrypted = service.encrypt_content(plaintext, "correct-namespace")
+
+        with pytest.raises(Exception):
+            service.decrypt_content(encrypted, "wrong-namespace")
+
+    def test_decrypt_unencrypted_content(self, service):
+        """Test that unencrypted content is returned as-is."""
+        plaintext = "Not encrypted"
+        result = service.decrypt_content(plaintext, "any-namespace")
+        assert result == plaintext
+
+    def test_register_namespace_key(self, service):
+        """Test registering a namespace key hash."""
+        valid_hash = "sha256:eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg="
+        assert service.register_namespace_key("test-ns", valid_hash) is True
+
+    def test_register_namespace_key_invalid(self, service):
+        """Test registering invalid key hash."""
+        invalid_hash = "invalid"
+        assert service.register_namespace_key("test-ns", invalid_hash) is False
+
+    def test_generate_key_hash(self):
+        """Test key hash generation."""
+        key = b"test-key-32-bytes-long-exactly!!"  # 32 bytes
+        hash_result = EncryptionService.generate_key_hash(key)
+        assert hash_result.startswith("sha256:")
+        assert len(hash_result) > 10
+
+    def test_generate_namespace_id(self):
+        """Test namespace ID generation."""
+        ns_id = EncryptionService.generate_namespace_id()
+        assert ns_id.startswith("ns-")
+        assert len(ns_id) == 3 + 32  # "ns-" + 32 hex chars
+
+    def test_encryption_special_characters(self, service):
+        """Test encryption of content with special characters."""
+        plaintext = "Schüler mit Umlauten: äöüß 日本語 🎓"
+        namespace_id = "test-ns"
+
+        encrypted = service.encrypt_content(plaintext, namespace_id)
+        decrypted = service.decrypt_content(encrypted, namespace_id)
+
+        assert decrypted == plaintext
+
+    def test_encryption_empty_string(self, service):
+        """Test encryption of empty string."""
+        encrypted = service.encrypt_content("", "test-ns")
+        decrypted = service.decrypt_content(encrypted, "test-ns")
+        assert decrypted == ""