arize-phoenix 11.23.1__py3-none-any.whl → 12.28.1__py3-none-any.whl

phoenix/server/app.py

@@ -4,7 +4,6 @@ import importlib
 import json
 import logging
 import os
-from collections.abc import AsyncIterator, Awaitable, Callable, Iterable, Sequence
 from contextlib import AbstractAsyncContextManager, AsyncExitStack
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta, timezone
@@ -14,9 +13,14 @@ from types import MethodType
 from typing import (
     TYPE_CHECKING,
     Any,
+    AsyncIterator,
+    Awaitable,
+    Callable,
+    Iterable,
     NamedTuple,
     Optional,
     Protocol,
+    Sequence,
     TypedDict,
     Union,
     cast,
@@ -41,7 +45,6 @@ from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoin
 from starlette.requests import Request
 from starlette.responses import JSONResponse, PlainTextResponse, RedirectResponse, Response
 from starlette.staticfiles import StaticFiles
-from starlette.status import HTTP_401_UNAUTHORIZED
 from starlette.templating import Jinja2Templates
 from starlette.types import Scope, StatefulLifespan
 from strawberry.extensions import SchemaExtension
@@ -63,7 +66,7 @@ from phoenix.config import (
     get_env_gql_extension_paths,
     get_env_grpc_interceptor_paths,
     get_env_host,
-    get_env_host_root_path,
+    get_env_max_spans_queue_size,
     get_env_port,
     get_env_support_email,
     server_instrumentation_is_enabled,
@@ -77,21 +80,30 @@ from phoenix.db.facilitator import Facilitator
 from phoenix.db.helpers import SupportedSQLDialect
 from phoenix.exceptions import PhoenixMigrationError
 from phoenix.pointcloud.umap_parameters import UMAPParameters
+from phoenix.server.api.auth_messages import AUTH_ERROR_MESSAGES, AuthErrorCode
 from phoenix.server.api.context import Context, DataLoaders
 from phoenix.server.api.dataloaders import (
     AnnotationConfigsByProjectDataLoader,
     AnnotationSummaryDataLoader,
+    AverageExperimentRepeatedRunGroupLatencyDataLoader,
     AverageExperimentRunLatencyDataLoader,
     CacheForDataLoaders,
+    DatasetDatasetSplitsDataLoader,
     DatasetExampleRevisionsDataLoader,
+    DatasetExamplesAndVersionsByExperimentRunDataLoader,
     DatasetExampleSpansDataLoader,
+    DatasetExampleSplitsDataLoader,
     DocumentEvaluationsDataLoader,
     DocumentEvaluationSummaryDataLoader,
     DocumentRetrievalMetricsDataLoader,
     ExperimentAnnotationSummaryDataLoader,
+    ExperimentDatasetSplitsDataLoader,
     ExperimentErrorRatesDataLoader,
+    ExperimentRepeatedRunGroupAnnotationSummariesDataLoader,
+    ExperimentRepeatedRunGroupsDataLoader,
     ExperimentRunAnnotations,
     ExperimentRunCountsDataLoader,
+    ExperimentRunsByExperimentAndExampleDataLoader,
     ExperimentSequenceNumberDataLoader,
     LastUsedTimesByGenerativeModelIdDataLoader,
     LatencyMsQuantileDataLoader,
@@ -102,6 +114,7 @@ from phoenix.server.api.dataloaders import (
     ProjectIdsByTraceRetentionPolicyIdDataLoader,
     PromptVersionSequenceNumberDataLoader,
     RecordCountDataLoader,
+    SessionAnnotationsBySessionDataLoader,
     SessionIODataLoader,
     SessionNumTracesDataLoader,
     SessionNumTracesWithErrorDataLoader,
@@ -116,6 +129,7 @@ from phoenix.server.api.dataloaders import (
     SpanCostDetailSummaryEntriesBySpanDataLoader,
     SpanCostDetailSummaryEntriesByTraceDataLoader,
     SpanCostSummaryByExperimentDataLoader,
+    SpanCostSummaryByExperimentRepeatedRunGroupDataLoader,
     SpanCostSummaryByExperimentRunDataLoader,
     SpanCostSummaryByGenerativeModelDataLoader,
     SpanCostSummaryByProjectDataLoader,
@@ -126,14 +140,17 @@ from phoenix.server.api.dataloaders import (
     SpanProjectsDataLoader,
     TableFieldsDataLoader,
     TokenCountDataLoader,
+    TokenPricesByModelDataLoader,
+    TraceAnnotationsByTraceDataLoader,
     TraceByTraceIdsDataLoader,
     TraceRetentionPolicyIdByProjectIdDataLoader,
     TraceRootSpansDataLoader,
     UserRolesDataLoader,
     UsersDataLoader,
 )
+from phoenix.server.api.dataloaders.dataset_labels import DatasetLabelsDataLoader
 from phoenix.server.api.routers import (
-    auth_router,
+    create_auth_router,
     create_embeddings_router,
     create_v1_router,
     oauth2_router,
@@ -151,6 +168,7 @@ from phoenix.server.grpc_server import GrpcServer
 from phoenix.server.jwt_store import JwtStore
 from phoenix.server.middleware.gzip import GZipMiddleware
 from phoenix.server.oauth2 import OAuth2Clients
+from phoenix.server.prometheus import SPAN_QUEUE_REJECTIONS
 from phoenix.server.retention import TraceDataSweeper
 from phoenix.server.telemetry import initialize_opentelemetry_tracer_provider
 from phoenix.server.types import (
@@ -161,6 +179,7 @@ from phoenix.server.types import (
     LastUpdatedAt,
     TokenStore,
 )
+from phoenix.server.utils import get_root_path, prepend_root_path
 from phoenix.settings import Settings
 from phoenix.trace.fixtures import (
     TracesFixture,
@@ -179,6 +198,8 @@ from phoenix.version import __version__ as phoenix_version
 if TYPE_CHECKING:
     from opentelemetry.trace import TracerProvider
 
+    from phoenix.config import LDAPConfig
+
 logger = logging.getLogger(__name__)
 
 router = APIRouter(include_in_schema=False)
@@ -235,11 +256,19 @@ class AppConfig(NamedTuple):
     web_manifest_path: Path
     authentication_enabled: bool
     """ Whether authentication is enabled """
+    auth_error_messages: dict[AuthErrorCode, str]
+    """ Mapping of auth error codes to user-friendly messages """
     oauth2_idps: Sequence[OAuth2Idp]
     basic_auth_disabled: bool = False
+    ldap_enabled: bool = False
+    """ Whether LDAP authentication is configured """
+    ldap_manual_user_creation_enabled: bool = False
+    """ Whether manual LDAP user creation is allowed (False when LDAP disabled or no email attr) """
     auto_login_idp_name: Optional[str] = None
     fullstory_org: Optional[str] = None
     """ FullStory organization ID for web analytics tracking """
+    scarf_sh_pixel_id: Optional[str] = None
+    """ Scarf.sh pixel ID for open-source analytics and usage """
     management_url: Optional[str] = None
     """ URL for a phoenix management interface, only visible to management users """
     support_email: Optional[str] = None
@@ -269,9 +298,6 @@ class Static(StaticFiles):
                 return {}
             raise e
 
-    def _sanitize_basename(self, basename: str) -> str:
-        return basename[:-1] if basename.endswith("/") else basename
-
     async def get_response(self, path: str, scope: Scope) -> Response:
         # Redirect to the oauth2 login page if basic auth is disabled and auto_login is enabled
         # TODO: this needs to be refactored to be cleaner
@@ -280,14 +306,10 @@ class Static(StaticFiles):
             and self._app_config.basic_auth_disabled
             and self._app_config.auto_login_idp_name
         ):
-            request = Request(scope)
-            url = URL(
-                str(
-                    Path(get_env_host_root_path())
-                    / f"oauth2/{self._app_config.auto_login_idp_name}/login"
-                )
+            redirect_path = prepend_root_path(
+                scope, f"oauth2/{self._app_config.auto_login_idp_name}/login"
             )
-            url = url.include_query_params(**request.query_params)
+            url = URL(redirect_path).include_query_params(**Request(scope).query_params)
             return RedirectResponse(url=url)
         try:
             response = await super().get_response(path, scope)
@@ -304,7 +326,7 @@ class Static(StaticFiles):
                     "min_dist": self._app_config.min_dist,
                     "n_neighbors": self._app_config.n_neighbors,
                     "n_samples": self._app_config.n_samples,
-                    "basename": self._sanitize_basename(request.scope.get("root_path", "")),
+                    "basename": get_root_path(scope),
                     "platform_version": phoenix_version,
                     "request": request,
                     "is_development": self._app_config.is_development,
@@ -312,12 +334,16 @@ class Static(StaticFiles):
                     "authentication_enabled": self._app_config.authentication_enabled,
                     "oauth2_idps": self._app_config.oauth2_idps,
                     "basic_auth_disabled": self._app_config.basic_auth_disabled,
+                    "ldap_enabled": self._app_config.ldap_enabled,
+                    "ldap_manual_user_creation_enabled": self._app_config.ldap_manual_user_creation_enabled,  # noqa: E501
                     "auto_login_idp_name": self._app_config.auto_login_idp_name,
                     "fullstory_org": self._app_config.fullstory_org,
+                    "scarf_sh_pixel_id": self._app_config.scarf_sh_pixel_id,
                     "management_url": self._app_config.management_url,
                     "support_email": self._app_config.support_email,
                     "has_db_threshold": self._app_config.has_db_threshold,
                     "allow_external_resources": self._app_config.allow_external_resources,
+                    "auth_error_messages": self._app_config.auth_error_messages,
                 },
             )
         except Exception as e:
@@ -340,7 +366,7 @@ class RequestOriginHostnameValidator(BaseHTTPMiddleware):
             if not (url := headers.get(key)):
                 continue
             if urlparse(url).hostname not in self._trusted_hostnames:
-                return Response(f"untrusted {key}", status_code=HTTP_401_UNAUTHORIZED)
+                return Response(f"untrusted {key}", status_code=401)
         return await call_next(request)
 
 
@@ -427,13 +453,13 @@ class Scaffolder(DaemonTask):
     def __init__(
         self,
         config: ScaffolderConfig,
-        queue_span: Callable[[Span, ProjectName], Awaitable[None]],
-        queue_evaluation: Callable[[pb.Evaluation], Awaitable[None]],
+        enqueue_span: Callable[[Span, ProjectName], Awaitable[None]],
+        enqueue_evaluation: Callable[[pb.Evaluation], Awaitable[None]],
     ) -> None:
         super().__init__()
         self._db = config.db
-        self._queue_span = queue_span
-        self._queue_evaluation = queue_evaluation
+        self._enqueue_span = enqueue_span
+        self._enqueue_evaluation = enqueue_evaluation
         self._tracing_fixtures = [
             get_trace_fixture_by_name(name) for name in set(config.tracing_fixture_names)
         ]
@@ -504,9 +530,9 @@ class Scaffolder(DaemonTask):
                 project_name = fixture.project_name or fixture.name
                 logger.info(f"Loading '{project_name}' fixtures...")
                 for span in fixture_spans:
-                    await self._queue_span(span, project_name)
+                    await self._enqueue_span(span, project_name)
                 for evaluation in fixture_evals:
-                    await self._queue_evaluation(evaluation)
+                    await self._enqueue_evaluation(evaluation)
 
             except FileNotFoundError:
                 logger.warning(f"Fixture file not found for '{fixture.name}'")
@@ -529,6 +555,32 @@ class Scaffolder(DaemonTask):
             logger.error(f"Error processing dataset fixture: {e}")
 
 
+class _CapacityIndicator(Protocol):
+    @property
+    def is_full(self) -> bool: ...
+
+
+class CapacityInterceptor(AsyncServerInterceptor):
+    def __init__(self, indicator: _CapacityIndicator):
+        self._indicator = indicator
+
+    @override
+    async def intercept(
+        self,
+        method: Callable[[Any, grpc.aio.ServicerContext], Awaitable[Any]],
+        request_or_iterator: Any,
+        context: grpc.aio.ServicerContext,
+        method_name: str,
+    ) -> Any:
+        if self._indicator.is_full:
+            SPAN_QUEUE_REJECTIONS.inc()
+            context.set_code(grpc.StatusCode.RESOURCE_EXHAUSTED)
+            context.set_details("Server is at capacity and cannot process more requests")
+            return
+
+        return await method(request_or_iterator, context)
+
+
 def _lifespan(
     *,
     db: DbSessionFactory,
@@ -555,18 +607,23 @@ def _lifespan(
         db.lock = asyncio.Lock() if db.dialect is SupportedSQLDialect.SQLITE else None
         async with AsyncExitStack() as stack:
             (
-                enqueue,
-                queue_span,
-                queue_evaluation,
+                enqueue_annotations,
+                enqueue_span,
+                enqueue_evaluation,
                 enqueue_operation,
             ) = await stack.enter_async_context(bulk_inserter)
+            interceptors = [
+                CapacityInterceptor(bulk_inserter),
+                *user_grpc_interceptors(),
+                *grpc_interceptors,
+            ]
             grpc_server = GrpcServer(
-                queue_span,
+                enqueue_span,
                 disabled=read_only,
                 tracer_provider=tracer_provider,
                 enable_prometheus=enable_prometheus,
                 token_store=token_store,
-                interceptors=user_grpc_interceptors() + list(grpc_interceptors),
+                interceptors=interceptors,
             )
             await stack.enter_async_context(grpc_server)
             await stack.enter_async_context(dml_event_handler)
@@ -578,17 +635,17 @@ def _lifespan(
             if scaffolder_config:
                 scaffolder = Scaffolder(
                     config=scaffolder_config,
-                    queue_span=queue_span,
-                    queue_evaluation=queue_evaluation,
+                    enqueue_span=enqueue_span,
+                    enqueue_evaluation=enqueue_evaluation,
                 )
                 await stack.enter_async_context(scaffolder)
             if isinstance(token_store, AbstractAsyncContextManager):
                 await stack.enter_async_context(token_store)
             yield {
                 "event_queue": dml_event_handler,
-                "enqueue": enqueue,
-                "queue_span_for_bulk_insert": queue_span,
-                "queue_evaluation_for_bulk_insert": queue_evaluation,
+                "enqueue_annotations": enqueue_annotations,
+                "enqueue_span": enqueue_span,
+                "enqueue_evaluation": enqueue_evaluation,
                 "enqueue_operation": enqueue_operation,
             }
         for callback in shutdown_callbacks:
@@ -663,9 +720,23 @@ def create_graphql_router(
             event_queue=event_queue,
             data_loaders=DataLoaders(
                 annotation_configs_by_project=AnnotationConfigsByProjectDataLoader(db),
+                average_experiment_repeated_run_group_latency=AverageExperimentRepeatedRunGroupLatencyDataLoader(
+                    db
+                ),
                 average_experiment_run_latency=AverageExperimentRunLatencyDataLoader(db),
+                dataset_dataset_splits=DatasetDatasetSplitsDataLoader(db),
+                dataset_example_fields=TableFieldsDataLoader(db, models.DatasetExample),
                 dataset_example_revisions=DatasetExampleRevisionsDataLoader(db),
                 dataset_example_spans=DatasetExampleSpansDataLoader(db),
+                dataset_examples_and_versions_by_experiment_run=DatasetExamplesAndVersionsByExperimentRunDataLoader(
+                    db
+                ),
+                dataset_example_splits=DatasetExampleSplitsDataLoader(db),
+                dataset_fields=TableFieldsDataLoader(db, models.Dataset),
+                dataset_split_fields=TableFieldsDataLoader(db, models.DatasetSplit),
+                dataset_version_fields=TableFieldsDataLoader(db, models.DatasetVersion),
+                dataset_labels=DatasetLabelsDataLoader(db),
+                dataset_label_fields=TableFieldsDataLoader(db, models.DatasetLabel),
                 document_evaluation_summaries=DocumentEvaluationSummaryDataLoader(
                     db,
                     cache_map=(
@@ -674,6 +745,7 @@ def create_graphql_router(
                         else None
                     ),
                 ),
+                document_annotation_fields=TableFieldsDataLoader(db, models.DocumentAnnotation),
                 document_evaluations=DocumentEvaluationsDataLoader(db),
                 document_retrieval_metrics=DocumentRetrievalMetricsDataLoader(db),
                 annotation_summaries=AnnotationSummaryDataLoader(
@@ -683,10 +755,24 @@ def create_graphql_router(
                     ),
                 ),
                 experiment_annotation_summaries=ExperimentAnnotationSummaryDataLoader(db),
+                experiment_dataset_splits=ExperimentDatasetSplitsDataLoader(db),
                 experiment_error_rates=ExperimentErrorRatesDataLoader(db),
+                experiment_fields=TableFieldsDataLoader(db, models.Experiment),
+                experiment_repeated_run_group_annotation_summaries=ExperimentRepeatedRunGroupAnnotationSummariesDataLoader(
+                    db
+                ),
+                experiment_repeated_run_groups=ExperimentRepeatedRunGroupsDataLoader(db),
+                experiment_run_annotation_fields=TableFieldsDataLoader(
+                    db, models.ExperimentRunAnnotation
+                ),
                 experiment_run_annotations=ExperimentRunAnnotations(db),
                 experiment_run_counts=ExperimentRunCountsDataLoader(db),
+                experiment_run_fields=TableFieldsDataLoader(db, models.ExperimentRun),
+                experiment_runs_by_experiment_and_example=ExperimentRunsByExperimentAndExampleDataLoader(
+                    db
+                ),
                 experiment_sequence_number=ExperimentSequenceNumberDataLoader(db),
+                generative_model_fields=TableFieldsDataLoader(db, models.GenerativeModel),
                 last_used_times_by_generative_model_id=LastUsedTimesByGenerativeModelIdDataLoader(
                     db
                 ),
@@ -710,17 +796,26 @@ def create_graphql_router(
                 projects_by_trace_retention_policy_id=ProjectIdsByTraceRetentionPolicyIdDataLoader(
                     db
                 ),
+                prompt_fields=TableFieldsDataLoader(db, models.Prompt),
+                prompt_label_fields=TableFieldsDataLoader(db, models.PromptLabel),
                 prompt_version_sequence_number=PromptVersionSequenceNumberDataLoader(db),
+                prompt_version_tag_fields=TableFieldsDataLoader(db, models.PromptVersionTag),
+                project_session_annotation_fields=TableFieldsDataLoader(
+                    db, models.ProjectSessionAnnotation
+                ),
+                project_session_fields=TableFieldsDataLoader(db, models.ProjectSession),
                 record_counts=RecordCountDataLoader(
                     db,
                     cache_map=cache_for_dataloaders.record_count if cache_for_dataloaders else None,
                 ),
+                session_annotations_by_session=SessionAnnotationsBySessionDataLoader(db),
                 session_first_inputs=SessionIODataLoader(db, "first_input"),
                 session_last_outputs=SessionIODataLoader(db, "last_output"),
                 session_num_traces=SessionNumTracesDataLoader(db),
                 session_num_traces_with_error=SessionNumTracesWithErrorDataLoader(db),
                 session_token_usages=SessionTokenUsagesDataLoader(db),
                 session_trace_latency_ms_quantile=SessionTraceLatencyMsQuantileDataLoader(db),
+                span_annotation_fields=TableFieldsDataLoader(db, models.SpanAnnotation),
                 span_annotations=SpanAnnotationsDataLoader(db),
                 span_fields=TableFieldsDataLoader(db, models.Span),
                 span_by_id=SpanByIdDataLoader(db),
@@ -740,6 +835,11 @@ def create_graphql_router(
                 span_cost_details_by_span_cost=SpanCostDetailsBySpanCostDataLoader(db),
                 span_cost_detail_fields=TableFieldsDataLoader(db, models.SpanCostDetail),
                 span_cost_fields=TableFieldsDataLoader(db, models.SpanCost),
+                span_cost_summary_by_experiment=SpanCostSummaryByExperimentDataLoader(db),
+                span_cost_summary_by_experiment_repeated_run_group=SpanCostSummaryByExperimentRepeatedRunGroupDataLoader(
+                    db
+                ),
+                span_cost_summary_by_experiment_run=SpanCostSummaryByExperimentRunDataLoader(db),
                 span_cost_summary_by_generative_model=SpanCostSummaryByGenerativeModelDataLoader(
                     db
                 ),
@@ -756,6 +856,9 @@ def create_graphql_router(
                     db,
                     cache_map=cache_for_dataloaders.token_count if cache_for_dataloaders else None,
                 ),
+                token_prices_by_model=TokenPricesByModelDataLoader(db),
+                trace_annotation_fields=TableFieldsDataLoader(db, models.TraceAnnotation),
+                trace_annotations_by_trace=TraceAnnotationsByTraceDataLoader(db),
                 trace_by_trace_ids=TraceByTraceIdsDataLoader(db),
                 trace_fields=TableFieldsDataLoader(db, models.Trace),
                 trace_retention_policy_id_by_project_id=TraceRetentionPolicyIdByProjectIdDataLoader(
@@ -767,9 +870,9 @@ def create_graphql_router(
                 trace_root_spans=TraceRootSpansDataLoader(db),
                 project_by_name=ProjectByNameDataLoader(db),
                 users=UsersDataLoader(db),
+                user_api_key_fields=TableFieldsDataLoader(db, models.ApiKey),
+                user_fields=TableFieldsDataLoader(db, models.User),
                 user_roles=UserRolesDataLoader(db),
-                span_cost_summary_by_experiment=SpanCostSummaryByExperimentDataLoader(db),
-                span_cost_summary_by_experiment_run=SpanCostSummaryByExperimentRunDataLoader(db),
             ),
             cache_for_dataloaders=cache_for_dataloaders,
             read_only=read_only,
@@ -896,6 +999,7 @@ def create_app(
     scaffolder_config: Optional[ScaffolderConfig] = None,
     email_sender: Optional[EmailSender] = None,
     oauth2_client_configs: Optional[list[OAuth2ClientConfig]] = None,
+    ldap_config: Optional["LDAPConfig"] = None,
     basic_auth_disabled: bool = False,
     bulk_inserter_factory: Optional[Callable[..., BulkInserter]] = None,
     allowed_origins: Optional[list[str]] = None,
@@ -969,11 +1073,11 @@ def create_app(
     span_cost_calculator = SpanCostCalculator(db, generative_model_store)
     bulk_inserter = bulk_inserter_factory(
         db,
-        enable_prometheus=enable_prometheus,
         span_cost_calculator=span_cost_calculator,
         event_queue=dml_event_handler,
         initial_batch_of_spans=initial_batch_of_spans,
         initial_batch_of_evaluations=initial_batch_of_evaluations,
+        max_spans_queue_size=get_env_max_spans_queue_size(),
     )
     tracer_provider = None
     graphql_schema_extensions: list[Union[type[SchemaExtension], SchemaExtension]] = []
@@ -1054,7 +1158,8 @@ def create_app(
     app.include_router(router)
     app.include_router(graphql_router)
     if authentication_enabled:
-        app.include_router(auth_router)
+        # Only register LDAP endpoint if LDAP is configured
+        app.include_router(create_auth_router(ldap_enabled=ldap_config is not None))
         app.include_router(oauth2_router)
     app.add_middleware(GZipMiddleware)
     web_manifest_path = SERVER_DIR / "static" / ".vite" / "manifest.json"
@@ -1081,8 +1186,14 @@ def create_app(
                     web_manifest_path=web_manifest_path,
                     oauth2_idps=oauth2_idps,
                     basic_auth_disabled=basic_auth_disabled,
+                    ldap_enabled=ldap_config is not None,
+                    # Disable manual user creation when LDAP disabled or no email attr
+                    ldap_manual_user_creation_enabled=(
+                        ldap_config.attr_email is not None if ldap_config else False
+                    ),
                     auto_login_idp_name=auto_login_idp_name,
                     fullstory_org=Settings.fullstory_org,
+                    scarf_sh_pixel_id=Settings.scarf_sh_pixel_id,
                     management_url=management_url,
                     support_email=get_env_support_email(),
                     has_db_threshold=bool(
@@ -1090,6 +1201,7 @@ def create_app(
                         and get_env_database_usage_insertion_blocking_threshold_percentage()
                     ),
                     allow_external_resources=get_env_allow_external_resources(),
+                    auth_error_messages=dict(AUTH_ERROR_MESSAGES) if authentication_enabled else {},
                 ),
             ),
             name="static",
@@ -1101,9 +1213,15 @@ def create_app(
     app.state.access_token_expiry = access_token_expiry
     app.state.refresh_token_expiry = refresh_token_expiry
     app.state.oauth2_clients = OAuth2Clients.from_configs(oauth2_client_configs or [])
+    # Cache LDAPAuthenticator to avoid re-parsing TLS config on every login
+    if ldap_config:
+        from phoenix.server.ldap import LDAPAuthenticator
+
+        app.state.ldap_authenticator = LDAPAuthenticator(ldap_config)
     app.state.db = db
     app.state.email_sender = email_sender
     app.state.span_cost_calculator = span_cost_calculator
+    app.state.span_queue_is_full = lambda: bulk_inserter.is_full
     app = _add_get_secret_method(app=app, secret=secret)
     app = _add_get_token_store_method(app=app, token_store=token_store)
     if tracer_provider:

phoenix/server/authorization.py

@@ -23,7 +23,6 @@ Usage:
 """
 
 from fastapi import HTTPException, Request
-from fastapi import status as fastapi_status
 
 from phoenix.config import get_env_support_email
 from phoenix.server.bearer_auth import PhoenixUser
@@ -43,13 +42,15 @@ def require_admin(request: Request) -> None:
     Behavior:
         - Allows access if the authenticated user is an admin or a system user.
         - Raises HTTP 403 Forbidden if the user is not authorized.
-        - Expects authentication to be enabled and request.user to be set by the authentication.
+        - Allows access if authentication is not enabled.
     """
+    if not request.app.state.authentication_enabled:
+        return
     user = getattr(request, "user", None)
     # System users have all privileges
     if not (isinstance(user, PhoenixUser) and user.is_admin):
         raise HTTPException(
-            status_code=fastapi_status.HTTP_403_FORBIDDEN,
+            status_code=403,
             detail="Only admin or system users can perform this action.",
         )
 
@@ -82,6 +83,6 @@ def is_not_locked(request: Request) -> None:
         if support_email := get_env_support_email():
             detail += f" Need help? Contact us at {support_email}"
         raise HTTPException(
-            status_code=fastapi_status.HTTP_507_INSUFFICIENT_STORAGE,
+            status_code=507,
             detail=detail,
         )

phoenix/server/bearer_auth.py

@@ -9,7 +9,6 @@ from fastapi import HTTPException, Request, WebSocket, WebSocketException
 from grpc_interceptor import AsyncServerInterceptor
 from starlette.authentication import AuthCredentials, AuthenticationBackend, BaseUser
 from starlette.requests import HTTPConnection
-from starlette.status import HTTP_401_UNAUTHORIZED
 from typing_extensions import override
 
 from phoenix import config
@@ -76,11 +75,18 @@ class PhoenixUser(BaseUser):
         self._is_admin = (
             claims.status is ClaimSetStatus.VALID and claims.attributes.user_role == "ADMIN"
         )
+        self._is_viewer = (
+            claims.status is ClaimSetStatus.VALID and claims.attributes.user_role == "VIEWER"
+        )
 
     @cached_property
     def is_admin(self) -> bool:
         return self._is_admin
 
+    @cached_property
+    def is_viewer(self) -> bool:
+        return self._is_viewer
+
     @cached_property
     def identity(self) -> UserId:
         return self._user_id
@@ -93,6 +99,8 @@ class PhoenixUser(BaseUser):
 class PhoenixSystemUser(PhoenixUser):
     def __init__(self, user_id: UserId) -> None:
         self._user_id = user_id
+        self._is_admin = True  # System users have admin privileges
+        self._is_viewer = False  # System users are not viewers
 
     @property
     def is_admin(self) -> bool:
@@ -144,16 +152,16 @@ async def is_authenticated(
     """
     assert request or websocket
     if request and not isinstance((user := request.user), PhoenixUser):
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")
     if websocket and not isinstance((user := websocket.user), PhoenixUser):
-        raise WebSocketException(code=HTTP_401_UNAUTHORIZED, reason="Invalid token")
+        raise WebSocketException(code=401, reason="Invalid token")
     if isinstance(user, PhoenixSystemUser):
         return
     claims = user.claims
     if claims.status is ClaimSetStatus.EXPIRED:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Expired token")
+        raise HTTPException(status_code=401, detail="Expired token")
     if claims.status is not ClaimSetStatus.VALID:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")
 
 
 async def create_access_and_refresh_tokens(

phoenix/server/cost_tracking/cost_model_lookup.py

@@ -1,4 +1,3 @@
-import re
 from datetime import datetime
 from typing import Any, Iterable, Mapping, Optional
 
@@ -20,24 +19,53 @@ class CostModelLookup:
         self,
         generative_models: Iterable[models.GenerativeModel] = (),
     ) -> None:
-        self._models = tuple(generative_models)
+        self._models_by_id: dict[int, models.GenerativeModel] = {}
         self._model_priority: dict[
             int, tuple[_RegexSpecificityScore, float, _TieBreakerId]
         ] = {}  # higher is better
-        self._regex_specificity_score: dict[re.Pattern[str], _RegexSpecificityScore] = {}
 
-        for m in self._models:
-            self._regex_specificity_score[m.name_pattern] = regex_specificity.score(m.name_pattern)
+        for m in generative_models:
+            self._add_or_update_model(m)
 
-            # For built-in models, use negative ID so that earlier IDs win
-            # For user-defined models, use positive ID so later IDs win
-            tie_breaker = -m.id if m.is_built_in else m.id
+    def _add_or_update_model(self, model: models.GenerativeModel) -> None:
+        """Add or update a single model in the lookup."""
+        self._models_by_id[model.id] = model
 
-            self._model_priority[m.id] = (
-                self._regex_specificity_score[m.name_pattern],
-                m.start_time.timestamp() if m.start_time else 0.0,
-                tie_breaker,
-            )
+        specificity_score = regex_specificity.score(model.name_pattern)
+
+        # For built-in models, use negative ID so that earlier IDs win
+        # For user-defined models, use positive ID so later IDs win
+        tie_breaker = -model.id if model.is_built_in else model.id
+
+        self._model_priority[model.id] = (
+            specificity_score,
+            model.start_time.timestamp() if model.start_time else 0.0,
+            tie_breaker,
+        )
+
+    def _remove_model(self, model_id: int) -> None:
+        """Remove a model from the lookup."""
+        if model_id in self._models_by_id:
+            del self._models_by_id[model_id]
+        if model_id in self._model_priority:
+            del self._model_priority[model_id]
+
+    def merge(self, models: Iterable[models.GenerativeModel]) -> None:
+        """
+        Merge a collection of models into the existing lookup.
+
+        For each model:
+        - If deleted_at is set, remove it from the lookup
+        - Otherwise, add or update it in the lookup
+
+        Args:
+            models: An iterable of GenerativeModel objects to merge
+        """
+        for model in models:
+            if model.deleted_at is not None:
+                self._remove_model(model.id)
+            else:
+                self._add_or_update_model(model)
 
     def find_model(
         self,
@@ -107,7 +135,7 @@ class CostModelLookup:
         # 2. only include models that are active and match the regex pattern
         candidates = [
             model
-            for model in self._models
+            for model in self._models_by_id.values()
             if (not model.start_time or model.start_time <= start_time)
             and model.name_pattern.search(model_name)
         ]