Validate connection port is within valid TCP/UDP range (1-65535)

[Aydeing]

closes: #68382

Airflow stores a port field on connections but never validates that the value is a valid TCP/UDP port number. This adds port range validation (1–65535) on write paths only, so existing persisted connections with now-invalid port values continue to load via the ORM without errors — addressing the maintainer review concern about not breaking existing installations.

Where validation is enforced (create/update paths)

• Core connection model (airflow.models.connection) — _validate_port() static method called in __init__ and from_json(). SQLAlchemy's @reconstructor does not call __init__, so DB loads are unaffected.
• Task SDK connection definition (airflow.sdk.definitions.connection) — attrs @port.validator + from_json() validation.
• Public REST API request schema (ConnectionBody) — Pydantic Field(ge=1, le=65535).
• CLI (--conn-port) — changed type=str → type=int for argparse type checking; range validated by the model constructor.

What is intentionally NOT validated (read/response paths)

To avoid breaking existing installations that may have persisted invalid port values:

• Execution API ConnectionResponse — unchanged.
• Core API ConnectionResponse — unchanged.
• Generated SDK datamodels (_generated.py) — unchanged.
• JSON schema (schema.json) — unchanged.

Port 0 is rejected

Per maintainer feedback on the issue: since port is optional (None = no port), port 0 has no valid use case and is rejected. Range is 1–65535.

Tests added

File	Tests
airflow-core/tests/unit/models/test_connection.py	test_port_within_valid_range_is_accepted (1, 22, 5432, 65535) · test_port_none_is_accepted · test_port_out_of_range_is_rejected (0, -1, 65536, 99999) · test_from_json_rejects_out_of_range_port · test_orm_load_tolerates_legacy_invalid_port
task-sdk/tests/task_sdk/definitions/test_connection.py	Same matrix for the SDK Connection (constructor + from_json)
airflow-core/tests/unit/api_fastapi/core_api/routes/public/test_connections.py	test_post_should_respond_422_for_out_of_range_port (0, -1, 65536, 99999)
airflow-core/tests/unit/cli/commands/test_connection_command.py	test_cli_connections_add_rejects_out_of_range_port · test_cli_connections_add_rejects_non_integer_port

Test plan

• Standalone validator harness exercising each enforcement layer: 30/30 checks pass — confirms None/1/22/5432/65535 accepted, 0/-1/65536/99999 rejected, response schemas tolerate legacy invalid values, from_json accepts "5432" and rejects out-of-range strings.
• All seven modified source files parse with ast.parse.
• schema.json parses with json.loads.
• All four modified test files parse with ast.parse.
• ORM-load path verified: Connection.__new__(Connection); conn.port = 99999; conn.on_db_load() does not raise (legacy data still loads).
• Full breeze testing core-tests run — requires breeze + Docker, not run locally; will run in CI on this PR.
• prek run --from-ref main static checks — requires prek hooks installed, will run in CI.

Notes for reviewers

• ARG_CONN_PORT type changed from str to int: argparse now rejects non-integer strings at parse time with a clearer error than the downstream ValueError from Connection(...). The model still validates the range.
• A newsfragment (e.g. <pr_number>.bugfix.rst) will be added in a follow-up commit once this PR number is assigned, per the PR template guidance.

---

Was generative AI tooling used to co-author this PR?

• Yes (Claude Code / Anthropic Claude Sonnet 4.6)

Generated-by: Claude Sonnet 4.6 following the guidelines

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
• Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://s.apache.org/airflow-slack