test(stock-webai): edge cases — 401 no leak, 503 env missing, unknown date

Verifies auth failure responses contain no portfolio/sentiment data,
503 when WEBAI_API_KEY env unset (existing endpoints unaffected),
news-sentiment unknown date returns empty result.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stock/app/test_webai_endpoints.py

@@ -171,3 +171,39 @@ def test_webai_news_sentiment_items_sorted_by_score_desc(client):
     r = client.get("/api/webai/news-sentiment", headers=HEADERS_OK)
     items = r.json()["items"]
     assert [i["score"] for i in items] == [9.0, 5.0, 1.0]
+
+
+def test_webai_401_response_has_no_payload_leak(client):
+    """인증 실패 응답에는 portfolio/sentiment 데이터가 없어야 한다."""
+    _seed_portfolio()
+    r = client.get("/api/webai/portfolio")  # 헤더 없음
+    assert r.status_code == 401
+    body = r.json()
+    assert "holdings" not in body
+    assert "cash" not in body
+    assert "summary" not in body
+
+
+def test_webai_503_when_env_missing(client, monkeypatch):
+    """WEBAI_API_KEY env 미설정 시 503, 다른 endpoint 영향 없음."""
+    monkeypatch.delenv("WEBAI_API_KEY", raising=False)
+
+    r1 = client.get("/api/webai/portfolio", headers={"X-WebAI-Key": "anything"})
+    assert r1.status_code == 503
+
+    # 기존 endpoint 무영향 — /api/portfolio 는 200 (빈 portfolio)
+    r2 = client.get("/api/portfolio")
+    assert r2.status_code == 200
+
+
+def test_webai_wrong_key_returns_401(client):
+    r = client.get("/api/webai/portfolio", headers={"X-WebAI-Key": "wrong"})
+    assert r.status_code == 401
+
+
+def test_webai_news_sentiment_unknown_date_returns_empty(client):
+    r = client.get("/api/webai/news-sentiment?date=1999-01-01", headers=HEADERS_OK)
+    assert r.status_code == 200
+    body = r.json()
+    assert body["count"] == 0
+    assert body["items"] == []