feat(api): codify pydantic strict-mode policy as pytest invariant

[w7-mgfcode]

Context

PR #115 (closing #109) and PR #119 (closing #117) shipped the same bug class twice in 14 days: a Pydantic v2 `ConfigDict(strict=True)` request model with a JSON-non-native field type (`date`/`datetime`/`time`/`UUID`/`Decimal`) and no `Field(strict=False, ...)` override → every HTTP caller returns 422 with a `*_type` error.

The fix is mechanical (one-line `Field` override), but until now the policy was only enforced by a human reviewer reading `docs/_base/SECURITY.md` → "Pydantic v2 strict mode on FastAPI request bodies".

Goal

Codify the policy as a load-bearing pytest invariant (mirrors the `app/features/featuresets/tests/test_leakage.py` precedent) so the third instance of this regression class fails CI before it leaves a contributor's machine.

Scope

Per `PRPs/PRP-14-strict-mode-policy-linter.md`:

• NEW `app/core/tests/test_strict_mode_policy.py` — single ~80-LOC AST-walker module (zero new deps; stdlib `ast` only)
• M `docs/_base/SECURITY.md` — one-line "Enforced by:" cross-reference

Out of scope: `app/shared/seeder/config.py` (not request bodies — no `ConfigDict(strict=True)` anywhere), `app/features/agents/tools/*` (PydanticAI `@agent.tool` decorators, not `BaseModel`), response models, auto-fix mode, pre-commit hook variant.

Acceptance

• The 4 existing strict-mode request models pass on commit one (no schema churn in the landing PR diff)
  • `featuresets/schemas.py::ComputeFeaturesRequest::cutoff_date`
  • `featuresets/schemas.py::PreviewFeaturesRequest::cutoff_date`
  • `forecasting/schemas.py::TrainRequest::train_start_date`
  • `forecasting/schemas.py::TrainRequest::train_end_date`
• Baseline-guard test asserts the walker discovered all 4 expected models (defends against silent-pass on collection-zero)
• Negative-fixture self-test reports a synthetic offending model (proves the walker)
• `docs/_base/SECURITY.md` "Pydantic v2 strict mode on FastAPI request bodies" subsection ends with `Enforced by: \`app/core/tests/test_strict_mode_policy.py\``
• All 5 blocking CI jobs green (Lint & Format, Type Check, Test, Migration Check, Schema Validation if applicable)

Precedent

• PR feat(features,docs): land phase 2 e2e integration and docs (#109) #115 (closing feat(features): wire phase 2 seeder columns into time-safe featuresets #109): `ComputeFeaturesRequest.cutoff_date`, `PreviewFeaturesRequest.cutoff_date`
• PR fix(forecast,features): apply strict-mode JSON date policy to request bodies (#117) #119 (closing fix(api,features): audit strict=True request models for FastAPI validate_python date/datetime gotcha #117): `TrainRequest.train_start_date`, `TrainRequest.train_end_date`
• Policy text: `docs/_base/SECURITY.md` → "Pydantic v2 strict mode on FastAPI request bodies"
• Test idiom precedent: `app/features/featuresets/tests/test_leakage.py` (cited as load-bearing in `docs/_base/RULES.md`)

Effort

4–6 focused hours per PRP §12 — one file, ~80 LOC, two test functions + one baseline guard.

[w7-mgfcode]

Closed by PR #121 (merged 2026-05-14). AST-walker invariant at app/core/tests/test_strict_mode_policy.py now flags any ConfigDict(strict=True) request model with date | datetime | time | UUID | Decimal fields missing the Field(strict=False, ...) override.