Fix yxlyx compatibility and async xfail issues

[justrach]

Summary

• fix the public turboapi.verify_password export so it matches turboapi.security.verify_password
• remove stale async-handler xfail markers that now pass on current main
• keep the one remaining async error-handling gap as an explicit strict xfail

Tests

• uv run --python 3.14t python -m pytest tests/test_async_handlers.py -p no:anchorpy -v
• uv run --python 3.14t python -m pytest tests/test_security_audit_fixes.py::test_top_level_verify_password_export_matches_security_module -p no:anchorpy --runxfail -vv
• uv run --python 3.14t python -m pytest tests/test_security_audit_fixes.py::test_get_password_hash_raises tests/test_fastapi_parity.py::TestSecurity::test_http_basic tests/test_fastapi_parity.py::TestAsyncHandlers::test_async_get_handler tests/test_fastapi_parity.py::TestAsyncHandlers::test_async_post_handler -p no:anchorpy -v

Triage

• closes compat: package-level turboapi.verify_password resolves to JWT helper instead of turboapi.security.verify_password #116
• closes tests: async handler suite still contains stale xfail markers on current main #117
• leaves zig runtime: real WebSocket support on current turboapi-core architecture #114 and zig runtime: HTTP/2 and TLS on current turboapi-core architecture #115 separate because they are larger runtime transport features, not narrow compatibility/test-bookkeeping fixes

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c335bcdcd8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore functional top-level verify_password export

Importing verify_password from security makes turboapi.verify_password always raise NotImplementedError, while hash_password is still exported from jwt_auth as a working implementation. This creates a regression for existing code that uses from turboapi import hash_password, verify_password to hash and then verify credentials, because verification now fails for all inputs at runtime instead of returning a boolean.

Useful? React with 👍 / 👎.

[justrach]

Addressed the Codex review comment.

Update:

• top-level turboapi.hash_password and turboapi.verify_password now come from the same security implementation, so they remain a coherent pair
• kept the original export-consistency regression test
• added a new regression test that hashes via the top-level API and verifies via the top-level API

Re-validated after the change:

• tests/test_security_audit_fixes.py::test_get_password_hash_raises
• tests/test_security_audit_fixes.py::test_verify_password_raises
• tests/test_security_audit_fixes.py::test_top_level_verify_password_export_matches_security_module
• tests/test_security_audit_fixes.py::test_top_level_hash_and_verify_password_work_together
• tests/test_async_handlers.py -p no:anchorpy -q -> 6 passed, 1 xfailed
  @codex

[justrach]

@yxlyx CI is green and the PR is ready. The Codex review comment was addressed in the latest update as well.