test: fix 3 stale test files drifted from security hardening (21 failures)

[Scottcjn]

Fixes 3 stale test files (21 failures) on red main — all test-only, production code unchanged:

1. test_tx_handler_limits (16): /tx/pending + /wallet//history admin-gated since fix: require admin auth on tx handler GET endpoints #6295 → anonymous calls 401. Fixture now sets RC_ADMIN_KEY (monkeypatch) + sends X-Admin-Key.
2. test_wallet_network_utils (4): _fetch_with_retry now allow_redirects=False + resp.is_redirect (SSRF guard); MagicMock is_redirect is truthy. Mocks set is_redirect=False.
3. test_utxo_security_audit::test_genesis_rerun_blocked (1): check_existing_genesis keys off tx_type='genesis'; test inserted mining_reward at height 0. Now inserts real genesis-typed tx.

52/52 pass in these files (was 21 failing), verified against current main, self-contained.

Remaining ~31 failures triaged separately (mostly same auth-drift pattern + a stale miners/checksums.sha256 for the linux miner that affects real installer integrity).

🤖 Generated with Claude Code

[github-actions]

✅ BCOS v2 Scan Results

Metric	Value
Trust Score	60/100
Certificate ID	BCOS-f7c323f8
Tier	L1 (met)

What does this mean?

The BCOS (Beacon Certified Open Source) engine scans for:

• SPDX license header compliance
• Known CVE vulnerabilities (OSV database)
• Static analysis findings (Semgrep)
• SBOM completeness
• Dependency freshness
• Test infrastructure evidence
• Review attestation tier

Full report | What is BCOS?

---

BCOS v2 Engine - Free & Open Source (MIT) - Elyan Labs

[darlina-bounty-codex]

I reviewed the three touched test files against the current route/helper behavior.

Local validation:

• py_compile passed for tests/test_tx_handler_limits.py, tests/test_wallet_network_utils.py, and tests/test_utxo_security_audit.py using the bundled Python runtime.
• git diff --check origin/main...HEAD -- tests/test_tx_handler_limits.py tests/test_wallet_network_utils.py tests/test_utxo_security_audit.py passed for the touched files.
• I could not run the pytest target set in this environment because pytest is not installed in the bundled Python runtime.

Technical observations:

1. The test_tx_handler_limits fixture change is directionally correct: these endpoints are now admin-gated by require_admin(), which reads X-Admin-Key and RC_ADMIN_KEY. Setting client.environ_base["HTTP_X_ADMIN_KEY"] exercises the intended limit/validation paths instead of failing early at the auth gate, while monkeypatch keeps the key scoped to the test.
2. Setting MagicMock.is_redirect = False in the wallet network tests is needed after the redirect guard because unspecified MagicMock attributes are truthy. Without the explicit false value, these success-path mocks can accidentally simulate a redirect and test the wrong branch.
3. The genesis rerun test correction matches the actual invariant better: check_existing_genesis is keyed to tx_type='genesis', so inserting a real genesis transaction is a more direct regression test than using a mining_reward transaction at height 0. It also lines up with the later rollback/remigrate setup pattern.

I do not see a blocker in the touched test changes. If maintainers want tighter follow-up coverage later, a focused negative test for wrong/missing X-Admin-Key on one of these GET routes would document the auth gate separately, but that is outside this stale-test-fix PR.

I received RTC compensation for this review.