create-workframe 0.1.0 → 0.1.2

package/workframe-api/time-bind-chat.py

@@ -1,99 +1,99 @@
-#!/usr/bin/env python3
-"""Time bind + credential lease on running workframe-api (docker exec)."""
-from __future__ import annotations
-
-import sqlite3
-import sys
-import time
-
-import server
-
-
-def main() -> int:
-    conn = sqlite3.connect(str(server.DATA_DIR / "workframe.db"))
-    conn.row_factory = sqlite3.Row
-    room = conn.execute(
-        """
-        SELECT r.id, r.workspace_id, r.agent_profile_id, ap.slug AS agent_slug
-        FROM rooms r
-        JOIN agent_profiles ap ON ap.id = r.agent_profile_id
-        JOIN room_memberships rm ON rm.room_id = r.id AND rm.status = 'active'
-        WHERE r.room_type = 'direct' AND r.deleted_at IS NULL
-          AND ap.slug = 'workframe-agent'
-        ORDER BY r.updated_at DESC
-        LIMIT 1
-        """,
-    ).fetchone()
-    if not room:
-        print("no workframe-agent room", file=sys.stderr)
-        return 1
-    user = conn.execute(
-        """
-        SELECT u.id FROM users u
-        JOIN room_memberships rm ON rm.user_id = u.id AND rm.room_id = ?
-        WHERE u.status = 'active'
-        LIMIT 1
-        """,
-        (str(room["id"]),),
-    ).fetchone()
-    conn.close()
-    if not room or not user:
-        print("no room/user", file=sys.stderr)
-        return 1
-
-    user_id = str(user["id"])
-    room_id = str(room["id"])
-    workspace_id = str(room["workspace_id"])
-    payload = {
-        "room_id": room_id,
-        "workspace_id": workspace_id,
-        "source_id": "timing",
-        "client_id": "timing",
-        "binding_version": 2,
-    }
-
-    t_rt = time.perf_counter()
-    prof = server._resolve_chat_hermes_profile("workframe-agent", user_id, room_id, workspace_id)
-    rt_ms = (time.perf_counter() - t_rt) * 1000
-    print(f"resolve_runtime_ms={rt_ms:.0f} profile={prof}")
-
-    provider = server._llm_billing_provider(prof)
-    t_api = time.perf_counter()
-    server.ensure_profile_api(prof, user_id, workspace_id)
-    api_ms = (time.perf_counter() - t_api) * 1000
-    t_llm = time.perf_counter()
-    server._overlay_chat_llm_env(prof, user_id, workspace_id, provider)
-    llm_ms = (time.perf_counter() - t_llm) * 1000
-    print(f"ensure_profile_api_ms={api_ms:.0f} overlay_llm_ms={llm_ms:.0f}")
-
-    t0 = time.perf_counter()
-    session = server.profile_chat_session("workframe-agent", payload, user_id=user_id)
-    session_ms = (time.perf_counter() - t0) * 1000
-    sid = str(session.get("session_id") or "")
-    print(f"session_ms={session_ms:.0f} session={sid[:40]}")
-
-    t_hist = time.perf_counter()
-    history = server.chat_messages(prof, sid)
-    hist_ms = (time.perf_counter() - t_hist) * 1000
-    print(f"history_ms={hist_ms:.0f} messages={len(history.get('messages') or [])}")
-
-    healthy = server._profile_api_healthy(prof)
-    print(f"profile_api_healthy={healthy} port={server._profile_api_port(prof)}")
-
-    run_a = "timing-run-a"
-    run_b = "timing-run-b"
-    t1 = time.perf_counter()
-    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_a)
-    lease1_ms = (time.perf_counter() - t1) * 1000
-    t2 = time.perf_counter()
-    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_b)
-    lease2_ms = (time.perf_counter() - t2) * 1000
-    print(f"lease_cold_ms={lease1_ms:.0f} lease_reuse_ms={lease2_ms:.0f} provider={provider}")
-
-    _, model = server._read_model_from_config(prof)
-    print(f"model={model}")
-    return 0
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())
+#!/usr/bin/env python3
+"""Time bind + credential lease on running workframe-api (docker exec)."""
+from __future__ import annotations
+
+import sqlite3
+import sys
+import time
+
+import server
+
+
+def main() -> int:
+    conn = sqlite3.connect(str(server.DATA_DIR / "workframe.db"))
+    conn.row_factory = sqlite3.Row
+    room = conn.execute(
+        """
+        SELECT r.id, r.workspace_id, r.agent_profile_id, ap.slug AS agent_slug
+        FROM rooms r
+        JOIN agent_profiles ap ON ap.id = r.agent_profile_id
+        JOIN room_memberships rm ON rm.room_id = r.id AND rm.status = 'active'
+        WHERE r.room_type = 'direct' AND r.deleted_at IS NULL
+          AND ap.slug = 'workframe-agent'
+        ORDER BY r.updated_at DESC
+        LIMIT 1
+        """,
+    ).fetchone()
+    if not room:
+        print("no workframe-agent room", file=sys.stderr)
+        return 1
+    user = conn.execute(
+        """
+        SELECT u.id FROM users u
+        JOIN room_memberships rm ON rm.user_id = u.id AND rm.room_id = ?
+        WHERE u.status = 'active'
+        LIMIT 1
+        """,
+        (str(room["id"]),),
+    ).fetchone()
+    conn.close()
+    if not room or not user:
+        print("no room/user", file=sys.stderr)
+        return 1
+
+    user_id = str(user["id"])
+    room_id = str(room["id"])
+    workspace_id = str(room["workspace_id"])
+    payload = {
+        "room_id": room_id,
+        "workspace_id": workspace_id,
+        "source_id": "timing",
+        "client_id": "timing",
+        "binding_version": 2,
+    }
+
+    t_rt = time.perf_counter()
+    prof = server._resolve_chat_hermes_profile("workframe-agent", user_id, room_id, workspace_id)
+    rt_ms = (time.perf_counter() - t_rt) * 1000
+    print(f"resolve_runtime_ms={rt_ms:.0f} profile={prof}")
+
+    provider = server._llm_billing_provider(prof)
+    t_api = time.perf_counter()
+    server.ensure_profile_api(prof, user_id, workspace_id)
+    api_ms = (time.perf_counter() - t_api) * 1000
+    t_llm = time.perf_counter()
+    server._overlay_chat_llm_env(prof, user_id, workspace_id, provider)
+    llm_ms = (time.perf_counter() - t_llm) * 1000
+    print(f"ensure_profile_api_ms={api_ms:.0f} overlay_llm_ms={llm_ms:.0f}")
+
+    t0 = time.perf_counter()
+    session = server.profile_chat_session("workframe-agent", payload, user_id=user_id)
+    session_ms = (time.perf_counter() - t0) * 1000
+    sid = str(session.get("session_id") or "")
+    print(f"session_ms={session_ms:.0f} session={sid[:40]}")
+
+    t_hist = time.perf_counter()
+    history = server.chat_messages(prof, sid)
+    hist_ms = (time.perf_counter() - t_hist) * 1000
+    print(f"history_ms={hist_ms:.0f} messages={len(history.get('messages') or [])}")
+
+    healthy = server._profile_api_healthy(prof)
+    print(f"profile_api_healthy={healthy} port={server._profile_api_port(prof)}")
+
+    run_a = "timing-run-a"
+    run_b = "timing-run-b"
+    t1 = time.perf_counter()
+    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_a)
+    lease1_ms = (time.perf_counter() - t1) * 1000
+    t2 = time.perf_counter()
+    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_b)
+    lease2_ms = (time.perf_counter() - t2) * 1000
+    print(f"lease_cold_ms={lease1_ms:.0f} lease_reuse_ms={lease2_ms:.0f} provider={provider}")
+
+    _, model = server._read_model_from_config(prof)
+    print(f"model={model}")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/workframe-api/turn_credentials.py

@@ -1,226 +1,226 @@
-"""Per-run credential leases — opaque tokens for Hermes; real secrets stay in API vault."""
-
-from __future__ import annotations
-
-import hashlib
-import os
-import secrets
-import sqlite3
-import time
-from datetime import datetime, timedelta, timezone
-from pathlib import Path
-from typing import Any
-
-import credential_vault
-
-DATA_DIR = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data"))
-WORKFRAME_DB = DATA_DIR / "workframe.db"
-LEASE_PREFIX = "wf_rt_"
-DEFAULT_TTL = int(os.environ.get("WORKFRAME_TURN_LEASE_TTL", "900"))
-
-
-def _connect() -> sqlite3.Connection:
-    conn = sqlite3.connect(str(WORKFRAME_DB), timeout=5.0)
-    conn.row_factory = sqlite3.Row
-    return conn
-
-
-# ponytail: schema DDL ran on every validate_lease/issue — ~38ms/call on bind-mounted
-# sqlite. Guard by DB path so it runs once per process (tests reassign WORKFRAME_DB → re-run).
-_SCHEMA_READY: set[str] = set()
-
-
-def ensure_schema() -> None:
-    credential_vault.ensure_schema()
-    key = str(WORKFRAME_DB)
-    if key in _SCHEMA_READY:
-        return
-    conn = _connect()
-    try:
-        conn.execute(
-            """
-            CREATE TABLE IF NOT EXISTS turn_credential_leases (
-                run_id TEXT PRIMARY KEY,
-                token_hash TEXT NOT NULL UNIQUE,
-                payer_user_id TEXT NOT NULL,
-                workspace_id TEXT NOT NULL,
-                provider TEXT NOT NULL,
-                credential_binding_id TEXT DEFAULT NULL,
-                profile_slug TEXT NOT NULL,
-                expires_at TEXT NOT NULL,
-                revoked_at TEXT DEFAULT NULL,
-                created_at TEXT NOT NULL
-            )
-            """
-        )
-        conn.execute(
-            "CREATE INDEX IF NOT EXISTS idx_turn_leases_token "
-            "ON turn_credential_leases(token_hash)"
-        )
-        conn.execute(
-            "CREATE INDEX IF NOT EXISTS idx_turn_leases_expiry "
-            "ON turn_credential_leases(expires_at)"
-        )
-        conn.commit()
-    finally:
-        conn.close()
-    _SCHEMA_READY.add(key)
-
-
-def _hash_token(token: str) -> str:
-    return hashlib.sha256(str(token or "").encode("utf-8")).hexdigest()
-
-
-def _expired(expires_at: str) -> bool:
-    value = str(expires_at or "").strip()
-    if not value:
-        return True
-    if value.isdigit():
-        return int(value) < int(time.time())
-    try:
-        return datetime.fromisoformat(value.replace("Z", "+00:00")) < datetime.now(timezone.utc)
-    except ValueError:
-        return True
-
-
-def issue_lease(
-    run_id: str,
-    payer_user_id: str,
-    workspace_id: str,
-    provider: str,
-    profile_slug: str,
-    credential_binding_id: str | None,
-    *,
-    ttl_seconds: int = DEFAULT_TTL,
-) -> str:
-    """Create lease; return full token value for profile env (wf_rt_…)."""
-    run_id = str(run_id or "").strip()
-    payer_user_id = str(payer_user_id or "").strip()
-    workspace_id = str(workspace_id or "").strip()
-    provider = str(provider or "openrouter").strip().lower()
-    profile_slug = str(profile_slug or "").strip()
-    if not run_id or not payer_user_id or not profile_slug:
-        raise ValueError("run_id, payer_user_id, and profile_slug required")
-    ttl = int(ttl_seconds or DEFAULT_TTL)
-    if ttl <= 0:
-        raise ValueError("ttl_seconds must be positive")
-
-    ensure_schema()
-    raw = secrets.token_hex(32)
-    token = f"{LEASE_PREFIX}{raw}"
-    now = datetime.now(timezone.utc)
-    expires_at = (now + timedelta(seconds=ttl)).isoformat()
-    created_at = now.isoformat()
-    conn = _connect()
-    try:
-        conn.execute(
-            """
-            INSERT INTO turn_credential_leases (
-                run_id, token_hash, payer_user_id, workspace_id, provider,
-                credential_binding_id, profile_slug, expires_at, created_at
-            ) VALUES (?,?,?,?,?,?,?,?,?)
-            ON CONFLICT(run_id) DO UPDATE SET
-                token_hash = excluded.token_hash,
-                payer_user_id = excluded.payer_user_id,
-                workspace_id = excluded.workspace_id,
-                provider = excluded.provider,
-                credential_binding_id = excluded.credential_binding_id,
-                profile_slug = excluded.profile_slug,
-                expires_at = excluded.expires_at,
-                revoked_at = NULL,
-                created_at = excluded.created_at
-            """,
-            (
-                run_id,
-                _hash_token(token),
-                payer_user_id,
-                workspace_id,
-                provider,
-                str(credential_binding_id or "") or None,
-                profile_slug,
-                expires_at,
-                created_at,
-            ),
-        )
-        conn.commit()
-    finally:
-        conn.close()
-    return token
-
-
-def parse_lease_token(value: str) -> str:
-    raw = str(value or "").strip()
-    if raw.startswith(LEASE_PREFIX):
-        return raw
-    if raw and not raw.startswith(LEASE_PREFIX):
-        return f"{LEASE_PREFIX}{raw}"
-    return ""
-
-
-def validate_lease(token: str) -> dict[str, Any] | None:
-    """Return lease metadata if token is active (not revoked/expired)."""
-    token = parse_lease_token(token)
-    if not token:
-        return None
-    ensure_schema()
-    conn = _connect()
-    try:
-        row = conn.execute(
-            """
-            SELECT run_id, payer_user_id, workspace_id, provider,
-                   credential_binding_id, profile_slug, expires_at, revoked_at
-            FROM turn_credential_leases
-            WHERE token_hash = ?
-            """,
-            (_hash_token(token),),
-        ).fetchone()
-    finally:
-        conn.close()
-    if not row or row["revoked_at"] or _expired(str(row["expires_at"] or "")):
-        return None
-    return {
-        "run_id": str(row["run_id"]),
-        "payer_user_id": str(row["payer_user_id"]),
-        "workspace_id": str(row["workspace_id"]),
-        "provider": str(row["provider"]),
-        "credential_binding_id": str(row["credential_binding_id"] or ""),
-        "profile_slug": str(row["profile_slug"]),
-    }
-
-
-def revoke_lease(run_id: str) -> None:
-    run_id = str(run_id or "").strip()
-    if not run_id:
-        return
-    ensure_schema()
-    now = datetime.now(timezone.utc).isoformat()
-    conn = _connect()
-    try:
-        conn.execute(
-            "UPDATE turn_credential_leases SET revoked_at = ? WHERE run_id = ? AND revoked_at IS NULL",
-            (now, run_id),
-        )
-        conn.commit()
-    finally:
-        conn.close()
-
-
-def resolve_lease_secret(lease: dict[str, Any], resolve_secret_fn) -> tuple[str, str]:
-    """resolve_secret_fn(user_id, workspace_id, provider, binding_id) -> (env_var, secret)."""
-    binding_id = str(lease.get("credential_binding_id") or "").strip()
-    provider = str(lease.get("provider") or "openrouter")
-    payer = str(lease.get("payer_user_id") or "")
-    workspace = str(lease.get("workspace_id") or "")
-    return resolve_secret_fn(payer, workspace, provider, binding_id)
-
-
-if __name__ == "__main__":
-    ensure_schema()
-    rid = "run-selfcheck"
-    tok = issue_lease(rid, "user-a", "ws-1", "openrouter", "u-user-a-architect", "bind-1")
-    assert tok.startswith(LEASE_PREFIX)
-    meta = validate_lease(tok)
-    assert meta and meta["run_id"] == rid
-    revoke_lease(rid)
-    assert validate_lease(tok) is None
-    print("turn_credentials ok")
+"""Per-run credential leases — opaque tokens for Hermes; real secrets stay in API vault."""
+
+from __future__ import annotations
+
+import hashlib
+import os
+import secrets
+import sqlite3
+import time
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any
+
+import credential_vault
+
+DATA_DIR = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data"))
+WORKFRAME_DB = DATA_DIR / "workframe.db"
+LEASE_PREFIX = "wf_rt_"
+DEFAULT_TTL = int(os.environ.get("WORKFRAME_TURN_LEASE_TTL", "900"))
+
+
+def _connect() -> sqlite3.Connection:
+    conn = sqlite3.connect(str(WORKFRAME_DB), timeout=5.0)
+    conn.row_factory = sqlite3.Row
+    return conn
+
+
+# ponytail: schema DDL ran on every validate_lease/issue — ~38ms/call on bind-mounted
+# sqlite. Guard by DB path so it runs once per process (tests reassign WORKFRAME_DB → re-run).
+_SCHEMA_READY: set[str] = set()
+
+
+def ensure_schema() -> None:
+    credential_vault.ensure_schema()
+    key = str(WORKFRAME_DB)
+    if key in _SCHEMA_READY:
+        return
+    conn = _connect()
+    try:
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS turn_credential_leases (
+                run_id TEXT PRIMARY KEY,
+                token_hash TEXT NOT NULL UNIQUE,
+                payer_user_id TEXT NOT NULL,
+                workspace_id TEXT NOT NULL,
+                provider TEXT NOT NULL,
+                credential_binding_id TEXT DEFAULT NULL,
+                profile_slug TEXT NOT NULL,
+                expires_at TEXT NOT NULL,
+                revoked_at TEXT DEFAULT NULL,
+                created_at TEXT NOT NULL
+            )
+            """
+        )
+        conn.execute(
+            "CREATE INDEX IF NOT EXISTS idx_turn_leases_token "
+            "ON turn_credential_leases(token_hash)"
+        )
+        conn.execute(
+            "CREATE INDEX IF NOT EXISTS idx_turn_leases_expiry "
+            "ON turn_credential_leases(expires_at)"
+        )
+        conn.commit()
+    finally:
+        conn.close()
+    _SCHEMA_READY.add(key)
+
+
+def _hash_token(token: str) -> str:
+    return hashlib.sha256(str(token or "").encode("utf-8")).hexdigest()
+
+
+def _expired(expires_at: str) -> bool:
+    value = str(expires_at or "").strip()
+    if not value:
+        return True
+    if value.isdigit():
+        return int(value) < int(time.time())
+    try:
+        return datetime.fromisoformat(value.replace("Z", "+00:00")) < datetime.now(timezone.utc)
+    except ValueError:
+        return True
+
+
+def issue_lease(
+    run_id: str,
+    payer_user_id: str,
+    workspace_id: str,
+    provider: str,
+    profile_slug: str,
+    credential_binding_id: str | None,
+    *,
+    ttl_seconds: int = DEFAULT_TTL,
+) -> str:
+    """Create lease; return full token value for profile env (wf_rt_…)."""
+    run_id = str(run_id or "").strip()
+    payer_user_id = str(payer_user_id or "").strip()
+    workspace_id = str(workspace_id or "").strip()
+    provider = str(provider or "openrouter").strip().lower()
+    profile_slug = str(profile_slug or "").strip()
+    if not run_id or not payer_user_id or not profile_slug:
+        raise ValueError("run_id, payer_user_id, and profile_slug required")
+    ttl = int(ttl_seconds or DEFAULT_TTL)
+    if ttl <= 0:
+        raise ValueError("ttl_seconds must be positive")
+
+    ensure_schema()
+    raw = secrets.token_hex(32)
+    token = f"{LEASE_PREFIX}{raw}"
+    now = datetime.now(timezone.utc)
+    expires_at = (now + timedelta(seconds=ttl)).isoformat()
+    created_at = now.isoformat()
+    conn = _connect()
+    try:
+        conn.execute(
+            """
+            INSERT INTO turn_credential_leases (
+                run_id, token_hash, payer_user_id, workspace_id, provider,
+                credential_binding_id, profile_slug, expires_at, created_at
+            ) VALUES (?,?,?,?,?,?,?,?,?)
+            ON CONFLICT(run_id) DO UPDATE SET
+                token_hash = excluded.token_hash,
+                payer_user_id = excluded.payer_user_id,
+                workspace_id = excluded.workspace_id,
+                provider = excluded.provider,
+                credential_binding_id = excluded.credential_binding_id,
+                profile_slug = excluded.profile_slug,
+                expires_at = excluded.expires_at,
+                revoked_at = NULL,
+                created_at = excluded.created_at
+            """,
+            (
+                run_id,
+                _hash_token(token),
+                payer_user_id,
+                workspace_id,
+                provider,
+                str(credential_binding_id or "") or None,
+                profile_slug,
+                expires_at,
+                created_at,
+            ),
+        )
+        conn.commit()
+    finally:
+        conn.close()
+    return token
+
+
+def parse_lease_token(value: str) -> str:
+    raw = str(value or "").strip()
+    if raw.startswith(LEASE_PREFIX):
+        return raw
+    if raw and not raw.startswith(LEASE_PREFIX):
+        return f"{LEASE_PREFIX}{raw}"
+    return ""
+
+
+def validate_lease(token: str) -> dict[str, Any] | None:
+    """Return lease metadata if token is active (not revoked/expired)."""
+    token = parse_lease_token(token)
+    if not token:
+        return None
+    ensure_schema()
+    conn = _connect()
+    try:
+        row = conn.execute(
+            """
+            SELECT run_id, payer_user_id, workspace_id, provider,
+                   credential_binding_id, profile_slug, expires_at, revoked_at
+            FROM turn_credential_leases
+            WHERE token_hash = ?
+            """,
+            (_hash_token(token),),
+        ).fetchone()
+    finally:
+        conn.close()
+    if not row or row["revoked_at"] or _expired(str(row["expires_at"] or "")):
+        return None
+    return {
+        "run_id": str(row["run_id"]),
+        "payer_user_id": str(row["payer_user_id"]),
+        "workspace_id": str(row["workspace_id"]),
+        "provider": str(row["provider"]),
+        "credential_binding_id": str(row["credential_binding_id"] or ""),
+        "profile_slug": str(row["profile_slug"]),
+    }
+
+
+def revoke_lease(run_id: str) -> None:
+    run_id = str(run_id or "").strip()
+    if not run_id:
+        return
+    ensure_schema()
+    now = datetime.now(timezone.utc).isoformat()
+    conn = _connect()
+    try:
+        conn.execute(
+            "UPDATE turn_credential_leases SET revoked_at = ? WHERE run_id = ? AND revoked_at IS NULL",
+            (now, run_id),
+        )
+        conn.commit()
+    finally:
+        conn.close()
+
+
+def resolve_lease_secret(lease: dict[str, Any], resolve_secret_fn) -> tuple[str, str]:
+    """resolve_secret_fn(user_id, workspace_id, provider, binding_id) -> (env_var, secret)."""
+    binding_id = str(lease.get("credential_binding_id") or "").strip()
+    provider = str(lease.get("provider") or "openrouter")
+    payer = str(lease.get("payer_user_id") or "")
+    workspace = str(lease.get("workspace_id") or "")
+    return resolve_secret_fn(payer, workspace, provider, binding_id)
+
+
+if __name__ == "__main__":
+    ensure_schema()
+    rid = "run-selfcheck"
+    tok = issue_lease(rid, "user-a", "ws-1", "openrouter", "u-user-a-architect", "bind-1")
+    assert tok.startswith(LEASE_PREFIX)
+    meta = validate_lease(tok)
+    assert meta and meta["run_id"] == rid
+    revoke_lease(rid)
+    assert validate_lease(tok) is None
+    print("turn_credentials ok")