feat(V2): build_app con swagger /apidocs + middleware + handlers

Aggiunge /docs e /redoc alla whitelist auth (path disabilitati, nessun rischio sicurezza).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/test_server.py

@@ -0,0 +1,62 @@
+from __future__ import annotations
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+@pytest.fixture
+def app():
+    from cerbero_mcp.server import build_app
+    return build_app(
+        testnet_token="tk_test",
+        mainnet_token="tk_live",
+        title="Test",
+        version="2.0.0",
+    )
+
+
+def test_apidocs_served(app):
+    c = TestClient(app)
+    r = c.get("/apidocs")
+    assert r.status_code == 200
+    assert "swagger" in r.text.lower()
+
+
+def test_openapi_json_served(app):
+    c = TestClient(app)
+    r = c.get("/openapi.json")
+    assert r.status_code == 200
+    spec = r.json()
+    assert spec["info"]["title"] == "Test"
+    # securityScheme BearerAuth presente
+    assert "BearerAuth" in spec["components"]["securitySchemes"]
+    assert spec["components"]["securitySchemes"]["BearerAuth"]["scheme"] == "bearer"
+
+
+def test_redoc_disabled(app):
+    c = TestClient(app)
+    r = c.get("/redoc")
+    assert r.status_code == 404
+
+
+def test_default_docs_path_disabled(app):
+    c = TestClient(app)
+    r = c.get("/docs")
+    assert r.status_code == 404
+
+
+def test_health_endpoint(app):
+    c = TestClient(app)
+    r = c.get("/health")
+    assert r.status_code == 200
+    j = r.json()
+    assert j["status"] == "healthy"
+    assert j["version"] == "2.0.0"
+    assert "uptime_seconds" in j
+    assert "data_timestamp" in j
+
+
+def test_x_duration_ms_header(app):
+    c = TestClient(app)
+    r = c.get("/health")
+    assert "X-Duration-Ms" in r.headers