Feat/camera proxy

[fe51]

Summary

This PR introduces camera device proxy endpoints.
It secures api camera interaction, by using same right as in the API, and forwwarding request to devices via the VPN.

• Add proxy endpoints to forward PTZ camera control commands from pyro-api to the physical device API, without ever exposing internal network addresses (device_ip, camera_ip) to clients
• Add admin-only configuration endpoint to store device connection details per camera
• Add a thin async HTTP client wrapping the camera device API

Changes

New files

• src/app/services/camera_client.py — async httpx client for the device API (health, cameras, control, focus, patrol, stream); maps device errors to 504/502/forwarded status codes; handles JPEG binary responses separately from JSON
• src/app/api/api_v1/endpoints/camera_proxy.py — 20 proxy routes under /cameras/{camera_id}/...; two dependency helpers enforcing read (ADMIN/AGENT/USER) and write (ADMIN/AGENT) access with org isolation; raises 409 if the camera has no device config

Modified files

• src/app/models.py — added device_ip and camera_ip nullable fields to Camera (DB-only, never serialized in public responses)
• src/app/schemas/cameras.py — added CameraDeviceConfig (admin input only); split the response schema into CameraOut (mutation endpoints — matches pre-PR shape) and CameraRead(CameraOut) (read endpoints — adds last_image_url and poses)
• src/app/crud/crud_camera.py — added CameraDeviceConfig to the update union
• src/app/api/api_v1/endpoints/cameras.py — added PATCH /{camera_id}/device_config (ADMIN only); mutation endpoints now return CameraOut instead of the raw ORM model to prevent device_ip/camera_ip leakage
• src/app/api/api_v1/router.py — registered camera_proxy.router under /cameras
  pyproject.toml — suppressed ANN401 for camera_client.py and camera_proxy.py; these functions return opaque third-party JSON, so Any is correct by design, not a laziness

Tests

• src/tests/endpoints/test_camera_proxy.py — auth/org isolation, 409 on unconfigured device (all routes), device error forwarding (502/504), JPEG binary responses, 204 no-content passthrough, device_ip/camera_ip leak prevention
• src/tests/endpoints/test_cameras.py — updated assertions to align with the new CameraOut response shape on mutation endpoints

Design decisions

• device_ip/camera_ip are absent from CameraCreate and CameraRead — they cannot appear in any public response by construction, even if camera_ip appears in some device API responses
• All device API POST endpoints use query params (not body); capture and latest_image return raw JPEG bytes
• stop_stream and stream_status are device-global (no camera_ip forwarded); camera_id in the path is used for auth/routing only
• Port 8081 is hardcoded as DEVICE_PORT constant in camera_client.py for now

Happy to discuss it

[codecov]

Codecov Report

❌ Patch coverage is 96.29630% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.89%. Comparing base (2e33027) to head (3cceaec).

Files with missing lines	Patch %	Lines
src/app/api/api_v1/endpoints/cameras.py	46.66%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #548      +/-   ##
==========================================
+ Coverage   88.14%   88.89%   +0.75%     
==========================================
  Files          50       52       +2     
  Lines        1990     2197     +207     
==========================================
+ Hits         1754     1953     +199     
- Misses        236      244       +8     

Flag	Coverage Δ
backend	88.95% <96.29%> (+0.79%)	⬆️
client	87.80% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fe51]

@MateoLostanlen can you review and test it ?
Stills last some coverage issue but only about "complexity". Happy to discuss it because I have no real clue to solve it and still not a big issue. Hope will be able to merge quickly to unblock livestream features