@heytherevibin/skillforge 0.2.1 → 0.7.0

package/python/app/redaction.py

@@ -0,0 +1,128 @@
+"""Best-effort redaction of secrets and user home paths in exported context (defense in depth)."""
+from __future__ import annotations
+
+import os
+import re
+from pathlib import Path
+
+_HOME_RESOLVED: str | None = None
+
+
+def redaction_enabled() -> bool:
+    return os.getenv("SKILLFORGE_REDACT_CONTEXT", "1").strip().lower() not in ("0", "false", "no", "")
+
+
+def redact_home_in_paths_enabled() -> bool:
+    return os.getenv("SKILLFORGE_REDACT_HOME_IN_PATHS", "1").strip().lower() not in ("0", "false", "no", "")
+
+
+def _home_prefix() -> str | None:
+    global _HOME_RESOLVED
+    if _HOME_RESOLVED is not None:
+        return _HOME_RESOLVED or None
+    try:
+        _HOME_RESOLVED = str(Path.home().resolve())
+    except Exception:
+        _HOME_RESOLVED = ""
+    return _HOME_RESOLVED or None
+
+
+COMPILED: list[tuple[re.Pattern[str], str]] = [
+    (re.compile(r"sk-ant-api\d\d-[A-Za-z0-9_\-]{20,}"), "[REDACTED_ANTHROPIC_KEY]"),
+    (re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"), "[REDACTED_GOOGLE_API_KEY]"),
+    (re.compile(r"xox[baprs]-[0-9A-Za-z\-]{10,}"), "[REDACTED_SLACK_TOKEN]"),
+    (re.compile(r"gh[pP]_[0-9A-Za-z]{36,}"), "[REDACTED_GITHUB_TOKEN]"),
+    (re.compile(r"github_pat_[0-9A-Za-z_]{20,}"), "[REDACTED_GITHUB_PAT]"),
+    (re.compile(
+        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----",
+        re.MULTILINE,
+    ), "[REDACTED_PRIVATE_KEY]"),
+    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_ACCESS_KEY_ID]"),
+    (re.compile(r"\bASIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_TEMP_KEY_ID]"),
+    # OAuth / Bearer-style (avoid eating normal words — require length)
+    (re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{16,}={0,2}\b", re.IGNORECASE), "Bearer [REDACTED]"),
+    (re.compile(r"\bBasic\s+[A-Za-z0-9+/]{16,}={0,2}\b", re.IGNORECASE), "Basic [REDACTED]"),
+    # Env assignment leaks in pasted logs
+    (re.compile(
+        r"\b(ANTHROPIC_API_KEY|OPENAI_API_KEY|"
+        r"AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|GITHUB_TOKEN|"
+        r"HF_TOKEN|HUGGINGFACE_TOKEN|SLACK_BOT_TOKEN|DATABASE_URL|"
+        r"SUPABASE_SERVICE_ROLE_KEY|SUPABASE_JWT_SECRET)\s*=\s*(\S+)",
+        re.IGNORECASE,
+    ), r"\1=[REDACTED]"),
+]
+
+
+def redact_secret_patterns(text: str) -> tuple[str, int]:
+    """Replace known secret shapes; returns ``(new_text, number_of_pattern_matches)``."""
+    if not text:
+        return text, 0
+    hits = 0
+    out = text
+    for pat, repl in COMPILED:
+        found = pat.findall(out)
+        if found:
+            hits += len(found)
+            out = pat.sub(repl, out)
+    return out, hits
+
+
+def redact_home_path_prefix(path: str) -> tuple[str, int]:
+    """If ``path`` starts with the resolved home directory, replace that prefix with ``[HOME]``."""
+    if not path or not redact_home_in_paths_enabled():
+        return path, 0
+    home = _home_prefix()
+    if not home:
+        return path, 0
+    # Normalize slashes for comparison
+    norm = path.replace("\\", "/")
+    home_n = home.replace("\\", "/")
+    if norm == home_n or norm.rstrip("/") == home_n.rstrip("/"):
+        return "[HOME]", 1
+    if norm.startswith(home_n + "/") or norm.startswith(home_n + "\\"):
+        rest = path[len(home) :].lstrip("/\\")
+        return "[HOME]/" + rest.replace("\\", "/"), 1
+    # Windows-style profile (best effort when HOME is /Users/x but path is C:\Users\x)
+    if len(path) > 3 and path[1] == ":":
+        try:
+            from os.path import expanduser
+
+            eu = expanduser("~")
+            if eu and path.lower().startswith(eu.lower().replace("/", "\\")):
+                return "[HOME]/" + path[len(eu) :].lstrip("\\/").replace("\\", "/"), 1
+        except Exception:
+            pass
+    return path, 0
+
+
+def redact_context_path_field(path: str | None) -> tuple[str | None, int]:
+    if not path:
+        return path, 0
+    s, n = redact_home_path_prefix(path)
+    return s, n
+
+
+def sanitize_context_items(items: list[dict]) -> tuple[int, int]:
+    """Mutate each item's ``text`` / ``path`` in place. Returns ``(secret_hits, path_hits)``."""
+    sh = ph = 0
+    for c in items:
+        t = c.get("text") or ""
+        nt, h = redact_secret_patterns(t)
+        if h:
+            sh += h
+            c["text"] = nt
+        p = c.get("path")
+        if p is not None:
+            np, h2 = redact_context_path_field(str(p))
+            if h2:
+                ph += h2
+                c["path"] = np
+    return sh, ph
+
+
+def redact_display_path(p: str | Path) -> str:
+    """Single path string safe for logs / ``_meta`` (home prefix only + pattern redaction)."""
+    s = str(p)
+    s, _ = redact_home_path_prefix(s)
+    s, _ = redact_secret_patterns(s)
+    return s

package/python/app/route_cli.py

@@ -9,7 +9,14 @@ import time
 from pathlib import Path
 
 from app.db_paths import resolve_orchestrator_db
-from app.main import build_router_and_skills, init_db, run_route_turn
+from app.main import (
+    build_router_and_skills,
+    format_context_items_markdown,
+    init_db,
+    run_route_turn,
+)
+from app.mcp_contract import MCP_RESPONSE_SCHEMA_VERSION, build_route_skills_meta
+from app.redaction import redaction_enabled, redact_display_path
 
 
 def _parse_args(argv: list[str] | None) -> argparse.Namespace:
@@ -28,6 +35,11 @@ def _parse_args(argv: list[str] | None) -> argparse.Namespace:
     p.add_argument("--session-id", default="", help="Stable session id (reuse across turns for reroute stats).")
     p.add_argument("--user-id", default="", help="Logical user id for weights/sessions/events.")
     p.add_argument("--json-meta", action="store_true", help="Print routing metadata as JSON on stderr after output.")
+    p.add_argument(
+        "--include-project-rag",
+        action="store_true",
+        help="Append chunks from `skillforge index` (same DB as --project-root). Requires --project-root.",
+    )
     return p.parse_args(argv)
 
 
@@ -38,6 +50,9 @@ async def _run(args: argparse.Namespace) -> int:
         return 2
 
     pr = (args.project_root or "").strip() or None
+    if args.include_project_rag and not pr:
+        print("skillforge route: --include-project-rag requires --project-root.", file=sys.stderr)
+        return 2
     db_path = resolve_orchestrator_db(pr)
     con = init_db(db_path)
 
@@ -53,6 +68,8 @@ async def _run(args: argparse.Namespace) -> int:
             conversation=[],
             user_id=user_id,
             session_id=session_id,
+            project_root=pr,
+            include_project_rag=bool(args.include_project_rag),
         )
     finally:
         con.close()
@@ -60,6 +77,7 @@ async def _run(args: argparse.Namespace) -> int:
     picked_names = result["picked_names"]
     reasoning = result["reasoning"]
     sid = result["session_id"]
+    context_items = result.get("context_items") or []
 
     if pr:
         try:
@@ -73,36 +91,41 @@ async def _run(args: argparse.Namespace) -> int:
                 "route_ms": round(result["route_ms"], 1),
                 "user_id": user_id,
                 "source": "cli_route",
+                "schema_version": MCP_RESPONSE_SCHEMA_VERSION,
+                "context_mode": router.context_mode,
+                "context_items_count": len(context_items),
+                "project_rag_items_count": (result.get("event") or {}).get("project_rag_items_count", 0),
             }
             (d / "last_route.json").write_text(json.dumps(snap, indent=2), encoding="utf-8")
         except OSError:
             pass
 
+    db_disp = redact_display_path(db_path) if redaction_enabled() else str(db_path)
     blocks = [
-        f"# Skillforge — routed {len(picked_names)} skill(s)",
-        f"_DB:_ `{db_path}`",
+        f"# Skillforge — routed {len(picked_names)} skill(s); context=`{router.context_mode}`",
+        f"_DB:_ `{db_disp}`",
         f"_Reasoning: {reasoning}_" if reasoning else "",
         "",
     ]
-    for n in picked_names:
-        s = skills.get(n)
-        if s:
-            blocks.append(f"---\n## Skill: {s.name}\n\n{s.body}\n")
-    if not picked_names:
+    if context_items:
+        blocks.append(format_context_items_markdown(context_items))
+    elif not picked_names:
         blocks.append("_No skills matched this prompt closely enough to load._")
-    print("\n".join(b for b in blocks if b is not None))
+    response_text = "\n".join(b for b in blocks if b is not None)
+    print(response_text)
 
     if args.json_meta:
-        meta = {
-            "picked": picked_names,
-            "reasoning": reasoning,
-            "session_id": sid,
-            "user_id": user_id,
-            "rerouted": result["rerouted"],
-            "change_pct": round(result["change"] * 100, 1),
-            "route_ms": round(result["route_ms"], 1),
-            "orchestrator_db": str(db_path),
-        }
+        meta = build_route_skills_meta(
+            result=result,
+            picked_names=picked_names,
+            user_id=user_id,
+            db_path=db_path,
+            skills_map=skills,
+            response_text=response_text,
+            context_items=context_items,
+            fusion=(result.get("event") or {}).get("context_fusion"),
+            context_redaction=(result.get("event") or {}).get("context_redaction"),
+        )
         print(json.dumps(meta, indent=2), file=sys.stderr)
 
     return 0

package/python/requirements.txt

@@ -1,7 +1,3 @@
-fastapi>=0.110
-uvicorn[standard]>=0.27
 anthropic>=0.39
 sentence-transformers>=2.7
 numpy>=1.26
-pydantic>=2.6
-httpx>=0.27

package/python/tests/test_chunking.py

@@ -0,0 +1,34 @@
+"""Unit tests for skill body chunking (no ML)."""
+from __future__ import annotations
+
+from app.chunking import chunk_raw_document, chunk_skill_body
+
+
+def test_chunk_respects_headings() -> None:
+    body = "# Title\n\nintro\n\n## A\n\none\n\n## B\n\ntwo three"
+    chunks = chunk_skill_body(body, max_chars=500, overlap=50)
+    assert len(chunks) >= 2
+    names = [c.text for c in chunks]
+    assert any("one" in t for t in names)
+    assert any("two three" in t for t in names)
+
+
+def test_chunk_line_numbers_monotonic() -> None:
+    body = "a\nb\nc\nd"
+    chunks = chunk_skill_body(body, max_chars=5, overlap=0)
+    assert chunks
+    for c in chunks:
+        assert c.line_start <= c.line_end
+        assert c.line_start >= 1
+
+
+def test_empty_body() -> None:
+    assert chunk_skill_body("", max_chars=100, overlap=0) == []
+
+
+def test_chunk_raw_document_small_file() -> None:
+    body = "line1\nline2\nline3"
+    chunks = chunk_raw_document(body, max_chars=100, overlap=0)
+    assert len(chunks) == 1
+    assert chunks[0].line_start == 1
+    assert "line1" in chunks[0].text

package/python/tests/test_context_fusion.py

@@ -0,0 +1,45 @@
+"""Tests for MMR context fusion (numpy only)."""
+from __future__ import annotations
+
+import numpy as np
+
+from app.context_fusion import mmr_select
+
+
+def test_mmr_prefers_diverse_second_item() -> None:
+    """Two near-duplicate high-rel docs: second pick should favor the orthogonal one when lambda < 1."""
+    # query-aligned
+    e0 = np.array([1.0, 0.0, 0.0], dtype=np.float32)
+    e1 = np.array([0.99, 0.14, 0.0], dtype=np.float32)  # almost same as e0
+    e2 = np.array([0.0, 1.0, 0.0], dtype=np.float32)  # different direction
+    emb = np.stack([e0, e1, e2], axis=0)
+    rel = np.array([1.0, 0.98, 0.5], dtype=np.float64)
+    lens = np.array([10, 10, 10], dtype=np.int64)
+    ovh = np.full(3, 8, dtype=np.int64)
+    order, trace = mmr_select(
+        emb,
+        rel,
+        lens,
+        char_budget=500,
+        overhead_per_chunk=ovh,
+        lambda_mult=0.5,
+    )
+    assert order[0] == 0
+    assert order[1] == 2
+    assert len(trace) == len(order)
+
+
+def test_mmr_respects_char_budget() -> None:
+    emb = np.eye(3, dtype=np.float32)
+    rel = np.array([1.0, 0.9, 0.8])
+    lens = np.array([100, 100, 100], dtype=np.int64)
+    ovh = np.array([10, 10, 10], dtype=np.int64)
+    order, _ = mmr_select(
+        emb,
+        rel,
+        lens,
+        char_budget=150,
+        overhead_per_chunk=ovh,
+        lambda_mult=1.0,
+    )
+    assert len(order) == 1

package/python/tests/test_mcp_contract.py

@@ -0,0 +1,137 @@
+"""Tests for MCP Phase 0 response contract (no heavy deps)."""
+from __future__ import annotations
+
+from types import SimpleNamespace
+
+from app.mcp_contract import MCP_RESPONSE_SCHEMA_VERSION, build_route_skills_meta
+
+
+def test_build_route_skills_meta_basic() -> None:
+    sk_a = SimpleNamespace(name="skill-a", body="alpha" * 100)
+    sk_b = SimpleNamespace(name="skill-b", body="beta")
+    skills_map = {"skill-a": sk_a, "skill-b": sk_b}
+    cand_skill = SimpleNamespace(name="skill-a")
+    result = {
+        "candidates": [(cand_skill, 0.91), (sk_b, 0.5)],
+        "reasoning": "test",
+        "session_id": "sid-1",
+        "rerouted": False,
+        "change": 0.2,
+        "route_ms": 12.3,
+    }
+    text = "# header\n\nbody"
+    meta = build_route_skills_meta(
+        result=result,
+        picked_names=["skill-a"],
+        user_id="u1",
+        db_path="/tmp/db.sqlite",
+        skills_map=skills_map,
+        response_text=text,
+    )
+    assert meta["schema_version"] == MCP_RESPONSE_SCHEMA_VERSION
+    assert "fusion" not in meta
+    assert meta["context_items_count"] == 0
+    assert meta["budget"]["chars_project_chunks"] == 0
+    assert meta["budget"]["chars_context_items_total"] == meta["budget"]["chars_skill_bodies"]
+    assert meta["sources"] == [
+        {"kind": "skill", "ref": "skill-a", "line_start": None, "line_end": None, "score": None},
+    ]
+    assert meta["budget"]["chars_skill_bodies"] == 100 * len("alpha")
+    assert meta["budget"]["chars_response_total"] == len(text)
+    assert meta["picked"] == ["skill-a"]
+    assert len(meta["candidates_preview"]) >= 1
+    assert meta["candidates_preview"][0]["name"] == "skill-a"
+
+
+def test_build_route_skills_meta_with_context_items() -> None:
+    sk = __import__("types").SimpleNamespace(name="skill-a", body="full")
+    skills_map = {"skill-a": sk}
+    result = {"candidates": [], "reasoning": "r", "session_id": "s", "rerouted": False, "change": 0.0, "route_ms": 1.0}
+    items = [
+        {"skill": "skill-a", "path": None, "line_start": 1, "line_end": 5, "text": "chunktext", "score": 0.88},
+    ]
+    meta = build_route_skills_meta(
+        result=result,
+        picked_names=["skill-a"],
+        user_id="u",
+        db_path="db.sqlite",
+        skills_map=skills_map,
+        response_text="out",
+        context_items=items,
+    )
+    assert meta["schema_version"] == MCP_RESPONSE_SCHEMA_VERSION
+    assert meta["context_items_count"] == 1
+    assert meta["sources"][0]["line_start"] == 1
+    assert meta["sources"][0]["line_end"] == 5
+    assert meta["budget"]["chars_skill_bodies"] == len("chunktext")
+    assert meta["budget"]["chars_project_chunks"] == 0
+    assert meta["budget"]["chars_context_items_total"] == len("chunktext")
+
+
+def test_build_route_skills_meta_mixed_skill_and_file() -> None:
+    skills_map = {}
+    result = {"candidates": [], "session_id": "s", "rerouted": False, "change": 0.0, "route_ms": 1.0}
+    items = [
+        {"skill": "sk", "path": None, "line_start": 1, "line_end": 2, "text": "AA", "score": 0.9},
+        {"skill": None, "path": "lib/x.py", "line_start": 10, "line_end": 12, "text": "BB", "score": 0.8},
+    ]
+    meta = build_route_skills_meta(
+        result=result,
+        picked_names=["sk"],
+        user_id="u",
+        db_path="db.sqlite",
+        skills_map=skills_map,
+        response_text="o",
+        context_items=items,
+    )
+    assert meta["sources"][0]["kind"] == "skill"
+    assert meta["sources"][1]["kind"] == "file"
+    assert meta["sources"][1]["ref"] == "lib/x.py"
+    assert meta["budget"]["chars_skill_bodies"] == 2
+    assert meta["budget"]["chars_project_chunks"] == 2
+    assert meta["budget"]["chars_context_items_total"] == 4
+
+
+def test_build_route_skills_meta_includes_fusion() -> None:
+    items = [
+        {"skill": "sk", "path": None, "line_start": 1, "line_end": 2, "text": "a", "score": 0.9, "mmr_rank": 1},
+    ]
+    meta = build_route_skills_meta(
+        result={"candidates": [], "session_id": "s", "rerouted": False, "change": 0.0, "route_ms": 1.0},
+        picked_names=["sk"],
+        user_id="u",
+        db_path="db.sqlite",
+        skills_map={},
+        response_text="o",
+        context_items=items,
+        fusion={"enabled": True, "lambda": 0.7, "selected_count": 1},
+    )
+    assert meta["fusion"]["enabled"] is True
+    assert meta["sources"][0].get("mmr_rank") == 1
+
+
+def test_build_route_skills_meta_includes_context_redaction() -> None:
+    meta = build_route_skills_meta(
+        result={"candidates": [], "session_id": "s", "rerouted": False, "change": 0.0, "route_ms": 1.0},
+        picked_names=[],
+        user_id="u",
+        db_path="db.sqlite",
+        skills_map={},
+        response_text="x",
+        context_redaction={"enabled": True, "secret_hits": 2, "path_hits": 1},
+    )
+    assert meta["context_redaction"]["secret_hits"] == 2
+
+
+def test_build_route_skills_meta_error_field() -> None:
+    meta = build_route_skills_meta(
+        result={"candidates": []},
+        picked_names=[],
+        user_id="",
+        db_path="x.db",
+        skills_map={},
+        response_text="err",
+        error="empty_prompt",
+    )
+    assert meta["error"] == "empty_prompt"
+    assert meta["sources"] == []

package/python/tests/test_project_index.py

@@ -0,0 +1,76 @@
+"""Project index: DB + retrieval (lightweight fake embedder)."""
+from __future__ import annotations
+
+import sqlite3
+from pathlib import Path
+
+import numpy as np
+
+from app.project_index import (
+    ensure_project_index_schema,
+    index_project,
+    is_indexable_file,
+    retrieve_project_context_items,
+    should_skip_dir,
+)
+
+
+class _FakeEmbed:
+    dim = 16
+
+    def encode(self, texts, **kwargs):
+        if isinstance(texts, str):
+            texts = [texts]
+        out = []
+        for t in texts:
+            seed = sum(ord(c) for c in t[:120]) % (2**31)
+            rng = np.random.RandomState(seed)
+            v = rng.randn(self.dim).astype(np.float32)
+            nrm = float(np.linalg.norm(v)) or 1.0
+            v /= nrm
+            out.append(v)
+        return np.stack(out, axis=0)
+
+    def get_sentence_embedding_dimension(self):
+        return self.dim
+
+
+def test_should_skip_dir() -> None:
+    assert should_skip_dir("node_modules")
+    assert not should_skip_dir("src")
+
+
+def test_is_indexable_file() -> None:
+    assert is_indexable_file(Path("foo.py"))
+    assert not is_indexable_file(Path("image.png"))
+
+
+def test_index_and_retrieve_roundtrip(tmp_path, monkeypatch) -> None:
+    monkeypatch.setenv("SKILLFORGE_EMBED_MODEL", "fake-for-test")
+    monkeypatch.setenv("SKILLFORGE_PROJECT_RAG_MAX_CHARS", "8000")
+
+    root = tmp_path / "proj"
+    root.mkdir()
+    (root / "src").mkdir()
+    (root / "src" / "hello.py").write_text(
+        "def hello():\n    return 42\n\n# explanation\n",
+        encoding="utf-8",
+    )
+
+    db_path = tmp_path / "orchestrator.db"
+    con = sqlite3.connect(str(db_path))
+    ensure_project_index_schema(con)
+    try:
+        fake = _FakeEmbed()
+        stats = index_project(con, root, fake, reset=True)
+        assert stats["chunks_written"] >= 1
+        cur = con.execute("SELECT COUNT(*) FROM project_chunks")
+        assert int(cur.fetchone()[0]) >= 1
+
+        items = retrieve_project_context_items(con, fake, "hello function return", max_total_chars=5000)
+        assert items
+        assert items[0]["path"] == "src/hello.py"
+        assert items[0]["line_start"] >= 1
+        assert "42" in items[0]["text"] or "hello" in items[0]["text"]
+    finally:
+        con.close()

package/python/tests/test_redaction.py

@@ -0,0 +1,51 @@
+"""Tests for context redaction (stdlib)."""
+from __future__ import annotations
+
+import app.redaction as R
+from app.redaction import (
+    redact_context_path_field,
+    redact_home_path_prefix,
+    redact_secret_patterns,
+    sanitize_context_items,
+)
+
+
+def test_redact_anthropic_key_shape() -> None:
+    t, n = redact_secret_patterns(
+        "token sk-ant-api03-ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"
+    )
+    assert n >= 1
+    assert "sk-ant-api" not in t
+    assert "[REDACTED_ANTHROPIC_KEY]" in t
+
+
+def test_redact_assignment_line() -> None:
+    t, n = redact_secret_patterns("export ANTHROPIC_API_KEY=sk-not-real-value-here")
+    assert n >= 1
+    assert "sk-not-real" not in t
+
+
+def test_redact_home_path_prefix() -> None:
+    R._HOME_RESOLVED = "/Users/testuser"
+    s, n = redact_home_path_prefix("/Users/testuser/repos/app/main.py")
+    assert n == 1
+    assert s == "[HOME]/repos/app/main.py"
+    R._HOME_RESOLVED = None  # reset for other tests
+
+
+def test_sanitize_context_mutates_text_and_path() -> None:
+    R._HOME_RESOLVED = "/Users/x"
+    items = [
+        {"skill": "s", "path": "/Users/x/p/a.py", "text": "k sk-ant-api03-AAAAAAAAAAAAAAAAAAAAAAAAAAAA", "line_start": 1, "line_end": 2},
+    ]
+    sh, ph = sanitize_context_items(items)
+    assert sh >= 1
+    assert ph >= 1
+    assert "sk-ant" not in items[0]["text"]
+    assert str(items[0]["path"]).startswith("[HOME]/")
+    R._HOME_RESOLVED = None
+
+
+def test_redact_context_path_none() -> None:
+    s, n = redact_context_path_field(None)
+    assert s is None and n == 0

package/python/app/auth.py

@@ -1,63 +0,0 @@
-"""
-Bearer-token auth and per-user namespacing.
-
-Single-user mode (default): no token required, all state goes to user_id=''.
-Multi-user mode: set SKILLFORGE_AUTH_TOKENS env var to a JSON map of
-{"token-value": "user-id"}. Requests must send Authorization: Bearer <token>.
-The resolved user_id is then used to scope sessions, weights, and events.
-
-This keeps the architecture single-process (one SQLite, one router instance)
-while letting each user have isolated learning state.
-"""
-from __future__ import annotations
-
-import json
-import os
-from typing import Optional
-
-from fastapi import HTTPException, Request
-
-
-# ---- Token registry ----
-
-def _load_tokens() -> dict[str, str]:
-    """Read SKILLFORGE_AUTH_TOKENS env (JSON: {token: user_id})."""
-    raw = os.getenv("SKILLFORGE_AUTH_TOKENS", "").strip()
-    if not raw:
-        return {}
-    try:
-        m = json.loads(raw)
-        if not isinstance(m, dict):
-            print("[skillforge] SKILLFORGE_AUTH_TOKENS must be a JSON object")
-            return {}
-        return {str(k): str(v) for k, v in m.items()}
-    except json.JSONDecodeError:
-        print("[skillforge] SKILLFORGE_AUTH_TOKENS is not valid JSON, ignoring")
-        return {}
-
-
-_TOKENS = _load_tokens()
-_AUTH_REQUIRED = bool(_TOKENS)
-
-
-def auth_enabled() -> bool:
-    return _AUTH_REQUIRED
-
-
-def resolve_user(request: Request) -> str:
-    """Get user_id from a request.
-
-    - If auth is not configured (single-user mode): returns ''.
-    - If auth is configured: extracts bearer token, returns mapped user_id,
-      or raises 401.
-    """
-    if not _AUTH_REQUIRED:
-        return ""
-    header = request.headers.get("authorization", "")
-    if not header.lower().startswith("bearer "):
-        raise HTTPException(status_code=401, detail="Missing bearer token")
-    token = header[7:].strip()
-    user_id = _TOKENS.get(token)
-    if not user_id:
-        raise HTTPException(status_code=401, detail="Invalid token")
-    return user_id