cloudwright-ai-web 1.2.2__tar.gz → 1.3.0__tar.gz

{cloudwright_ai_web-1.2.2 → cloudwright_ai_web-1.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cloudwright-ai-web
-Version: 1.2.2
+Version: 1.3.0
 Summary: Web UI for Cloudwright architecture intelligence
 Project-URL: Homepage, https://github.com/xmpuspus/cloudwright
 Project-URL: Repository, https://github.com/xmpuspus/cloudwright

{cloudwright_ai_web-1.2.2 → cloudwright_ai_web-1.3.0}/cloudwright_web/__init__.py

@@ -1,6 +1,6 @@
 """Cloudwright Web — FastAPI backend for architecture intelligence."""
 
-__version__ = "1.2.2"
+__version__ = "1.3.0"
 
 
 def __getattr__(name: str):

{cloudwright_ai_web-1.2.2 → cloudwright_ai_web-1.3.0}/cloudwright_web/app.py

@@ -14,6 +14,7 @@ from starlette.middleware.base import BaseHTTPMiddleware
 from cloudwright_web import __version__
 from cloudwright_web.middleware import (  # noqa: F401
     PathTraversalMiddleware,
+    RequestIdMiddleware,
     _rate_limiter,
     _RateLimiter,
     add_cors,
@@ -44,16 +45,37 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
         return response
 
 
+def _docs_enabled() -> bool:
+    """Whether to expose /docs, /redoc, and /openapi.json.
+
+    Disabled by default in production (CLOUDWRIGHT_ENV=production) to reduce
+    reconnaissance surface. Override with CLOUDWRIGHT_DOCS_ENABLED=true.
+    """
+    explicit = os.environ.get("CLOUDWRIGHT_DOCS_ENABLED")
+    if explicit is not None:
+        return explicit.lower() == "true"
+    env = os.environ.get("CLOUDWRIGHT_ENV", "").lower()
+    return env != "production"
+
+
 def create_app() -> FastAPI:
+    docs_on = _docs_enabled()
     application = FastAPI(
         title="Cloudwright",
         version=__version__,
         description="Architecture intelligence for cloud engineers",
+        docs_url="/docs" if docs_on else None,
+        redoc_url="/redoc" if docs_on else None,
+        openapi_url="/openapi.json" if docs_on else None,
     )
 
+    # RequestIdMiddleware MUST be added LAST so Starlette dispatches it FIRST
+    # (Starlette runs middleware in reverse-add order). This way every later
+    # middleware's log lines carry the request_id.
     application.add_middleware(SecurityHeadersMiddleware)
     application.add_middleware(PathTraversalMiddleware)
     add_cors(application)
+    application.add_middleware(RequestIdMiddleware)
 
     application.include_router(health_router, prefix="/api")
     application.include_router(design_router, prefix="/api")

{cloudwright_ai_web-1.2.2 → cloudwright_ai_web-1.3.0}/cloudwright_web/middleware.py

@@ -2,12 +2,15 @@
 
 from __future__ import annotations
 
+import hmac
 import os
 import threading
 import time
+import uuid
 from collections import deque
 from urllib.parse import unquote
 
+import structlog
 from fastapi import HTTPException, Request
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
@@ -22,6 +25,32 @@ class PathTraversalMiddleware(BaseHTTPMiddleware):
         return await call_next(request)
 
 
+class RequestIdMiddleware(BaseHTTPMiddleware):
+    """Attach a request correlation ID to every request.
+
+    - Reads X-Request-Id from incoming headers, otherwise mints a UUID4 hex.
+    - Binds the value into structlog's contextvars for the duration of the
+      request so every log line carries it.
+    - Echoes the same value back as the X-Request-Id response header.
+    """
+
+    async def dispatch(self, request: Request, call_next):
+        incoming = request.headers.get("x-request-id", "").strip()
+        request_id = incoming or uuid.uuid4().hex
+
+        # Stash on request.state so handlers can read it if they need to.
+        request.state.request_id = request_id
+
+        structlog.contextvars.bind_contextvars(request_id=request_id)
+        try:
+            response = await call_next(request)
+        finally:
+            structlog.contextvars.unbind_contextvars("request_id")
+
+        response.headers["X-Request-Id"] = request_id
+        return response
+
+
 def add_cors(app):
     origins = os.environ.get("CLOUDWRIGHT_CORS_ORIGINS", "http://localhost:5173,http://localhost:3000").split(",")
     app.add_middleware(
@@ -38,10 +67,21 @@ _API_KEY = os.environ.get("CLOUDWRIGHT_API_KEY")
 
 
 def check_api_key(request: Request):
+    """Validate the X-API-Key header in constant time.
+
+    Using ``hmac.compare_digest`` prevents timing-based recovery of the
+    configured key. Both sides are encoded to bytes (utf-8); mismatched
+    lengths are rejected by ``compare_digest`` itself but we short-circuit
+    empty input first to avoid leaking even a length signal.
+    """
     if not _API_KEY:
         return None
     provided = request.headers.get("x-api-key", "")
-    if provided != _API_KEY:
+    if not provided:
+        raise HTTPException(status_code=401, detail="Invalid or missing API key")
+    expected_bytes = _API_KEY.encode("utf-8")
+    provided_bytes = provided.encode("utf-8")
+    if not hmac.compare_digest(provided_bytes, expected_bytes):
         raise HTTPException(status_code=401, detail="Invalid or missing API key")
     return None
 

{cloudwright_ai_web-1.2.2 → cloudwright_ai_web-1.3.0}/cloudwright_web/routers/design.py

@@ -52,7 +52,8 @@ async def design(req: DesignRequest, request: Request):
             spec = spec.model_copy(update={"cost_estimate": cost_estimate})
         except Exception:
             log.warning("Cost estimation failed in design endpoint", exc_info=True)
-        return {"spec": spec.model_dump(exclude_none=True), "yaml": spec.to_yaml()}
+        usage = getattr(architect, "last_usage", None) or {}
+        return {"spec": spec.model_dump(exclude_none=True), "yaml": spec.to_yaml(), "usage": usage}
     except RuntimeError as e:
         if "No LLM provider" in str(e):
             return error_response("missing_api_key", str(e), "Set an LLM provider API key in your environment", 503)
@@ -83,7 +84,8 @@ async def design_stream(req: DesignRequest, request: Request):
             yield sse_event("error", message=str(e))
             return
 
-        yield sse_event("generated", spec=spec.model_dump(exclude_none=True), yaml=spec.to_yaml())
+        usage = getattr(architect, "last_usage", None) or {}
+        yield sse_event("generated", spec=spec.model_dump(exclude_none=True), yaml=spec.to_yaml(), usage=usage)
 
         yield sse_event("costing", message="Estimating cost...")
         try:
@@ -107,7 +109,7 @@ async def design_stream(req: DesignRequest, request: Request):
             log.warning("Validation failed in design stream", exc_info=True)
             yield sse_event("validated", passed=None, total=None)
 
-        yield sse_event("done", spec=spec.model_dump(exclude_none=True), yaml=spec.to_yaml())
+        yield sse_event("done", spec=spec.model_dump(exclude_none=True), yaml=spec.to_yaml(), usage=usage)
 
     return StreamingResponse(event_generator(), media_type="text/event-stream")
 
@@ -124,7 +126,8 @@ async def modify(req: ModifyRequest, request: Request):
             updated = await asyncio.wait_for(asyncio.to_thread(architect.modify, spec, req.instruction), timeout=120)
         except asyncio.TimeoutError:
             return error_response("llm_timeout", "Request timed out", "Try a simpler architecture description", 504)
-        return {"spec": updated.model_dump(exclude_none=True), "yaml": updated.to_yaml()}
+        usage = getattr(architect, "last_usage", None) or {}
+        return {"spec": updated.model_dump(exclude_none=True), "yaml": updated.to_yaml(), "usage": usage}
     except Exception:
         log.exception("Modify endpoint failed")
         return error_response("internal_error", "Internal server error", "Check server logs for details", 500)
@@ -148,7 +151,8 @@ async def modify_stream(req: ModifyRequest, request: Request):
             yield sse_event("error", message=str(e))
             return
 
-        yield sse_event("modified", spec=updated.model_dump(exclude_none=True), yaml=updated.to_yaml())
+        usage = getattr(architect, "last_usage", None) or {}
+        yield sse_event("modified", spec=updated.model_dump(exclude_none=True), yaml=updated.to_yaml(), usage=usage)
 
         yield sse_event("costing", message="Estimating cost...")
         try:
@@ -159,6 +163,6 @@ async def modify_stream(req: ModifyRequest, request: Request):
             log.warning("Cost estimation failed in modify stream", exc_info=True)
             yield sse_event("costed", cost_estimate=None)
 
-        yield sse_event("done", spec=updated.model_dump(exclude_none=True), yaml=updated.to_yaml())
+        yield sse_event("done", spec=updated.model_dump(exclude_none=True), yaml=updated.to_yaml(), usage=usage)
 
     return StreamingResponse(event_generator(), media_type="text/event-stream")

cloudwright_ai_web-1.3.0/cloudwright_web/routers/health.py

@@ -0,0 +1,102 @@
+"""GET /api/health, /api/version, and static icon serving."""
+
+from __future__ import annotations
+
+import os
+import time
+from pathlib import Path
+
+from fastapi import APIRouter, HTTPException
+from fastapi.responses import FileResponse, JSONResponse
+
+import cloudwright_web.singletons as _singletons
+
+router = APIRouter()
+
+# Captured at module import for uptime reporting.
+_START_MONOTONIC = time.monotonic()
+
+
+def _llm_provider_and_model() -> tuple[str | None, str | None]:
+    """Return (provider, model_name) based on env, without instantiating clients."""
+    if os.environ.get("ANTHROPIC_API_KEY"):
+        from cloudwright.llm.anthropic import GENERATE_MODEL as ANTHROPIC_MODEL
+
+        return "anthropic", ANTHROPIC_MODEL
+    if os.environ.get("OPENAI_API_KEY"):
+        from cloudwright.llm.openai import GENERATE_MODEL as OPENAI_MODEL
+
+        return "openai", OPENAI_MODEL
+    return None, None
+
+
+def _version_payload() -> dict:
+    from cloudwright import __version__
+
+    provider, model = _llm_provider_and_model()
+    return {
+        "version": __version__,
+        "build_sha": os.environ.get("CLOUDWRIGHT_BUILD_SHA"),
+        "llm_provider": provider,
+        "llm_model": model,
+    }
+
+
+@router.get("/health")
+def health():
+    has_llm_key = bool(os.environ.get("ANTHROPIC_API_KEY") or os.environ.get("OPENAI_API_KEY"))
+    if not has_llm_key:
+        return JSONResponse(
+            status_code=503,
+            content={
+                "status": "degraded",
+                "reason": "No LLM API key configured (ANTHROPIC_API_KEY or OPENAI_API_KEY)",
+                **_version_payload(),
+                "catalog_loaded": False,
+                "catalog_size": 0,
+                "uptime_s": round(time.monotonic() - _START_MONOTONIC, 3),
+            },
+        )
+
+    catalog_loaded = False
+    catalog_size = 0
+    try:
+        catalog = _singletons.get_catalog()
+        # Try to size the catalog; fall back to a sample search if no len.
+        try:
+            catalog_size = len(catalog)  # type: ignore[arg-type]
+        except TypeError:
+            catalog_size = len(catalog.search(query="m5", limit=1))
+        catalog_loaded = True
+    except Exception:
+        catalog_loaded = False
+
+    body = {
+        "status": "ok" if catalog_loaded else "degraded",
+        **_version_payload(),
+        "catalog_loaded": catalog_loaded,
+        "catalog_size": catalog_size,
+        "uptime_s": round(time.monotonic() - _START_MONOTONIC, 3),
+    }
+    if not catalog_loaded:
+        # Readiness probes (Kubernetes) should treat catalog-load failure as Not Ready.
+        return JSONResponse(status_code=503, content=body)
+    return body
+
+
+@router.get("/version")
+def version():
+    return _version_payload()
+
+
+@router.get("/icons/{provider}/{service}.svg")
+def get_icon(provider: str, service: str):
+    import cloudwright
+
+    icons_dir = Path(cloudwright.__file__).parent / "data" / "icons"
+    icon_path = icons_dir / provider / f"{service}.svg"
+    if not icon_path.exists():
+        raise HTTPException(status_code=404, detail=f"Icon not found: {provider}/{service}")
+    if not icon_path.resolve().is_relative_to(icons_dir.resolve()):
+        raise HTTPException(status_code=404, detail="Invalid path")
+    return FileResponse(str(icon_path), media_type="image/svg+xml")

cloudwright_ai_web-1.3.0/tests/test_api_key_auth.py

@@ -0,0 +1,98 @@
+"""Tests for the constant-time API key check.
+
+The pre-v1.3 ``check_api_key`` used ``provided != _API_KEY`` which leaks the
+key length and (under some interpreters) prefix-match timing. v1.3 switches
+to ``hmac.compare_digest`` on bytes, plus an explicit empty-input short-circuit.
+
+Tests patch the module-level ``_API_KEY`` directly via monkeypatch and restore
+it on teardown — we avoid ``importlib.reload`` because reloading the
+middleware module wipes the singleton ``_rate_limiter`` and breaks
+unrelated tests that rely on the same instance.
+"""
+
+from __future__ import annotations
+
+import cloudwright_web.middleware as middleware
+import pytest
+from fastapi import HTTPException
+
+
+class _StubRequest:
+    """Just enough of starlette.Request to drive ``check_api_key``."""
+
+    def __init__(self, header_value: str | None):
+        self.headers = {"x-api-key": header_value} if header_value is not None else {}
+
+
+@pytest.fixture
+def with_key(monkeypatch):
+    """Set the configured API key for the duration of one test."""
+
+    def _set(value: str | None):
+        monkeypatch.setattr(middleware, "_API_KEY", value)
+
+    return _set
+
+
+def test_returns_none_when_no_api_key_configured(with_key):
+    with_key(None)
+    # Even an explicitly garbage header is allowed when no key is set.
+    assert middleware.check_api_key(_StubRequest("anything")) is None
+
+
+def test_correct_key_passes(with_key):
+    with_key("secret-token-abc123")
+    assert middleware.check_api_key(_StubRequest("secret-token-abc123")) is None
+
+
+def test_wrong_key_same_length_raises_401(with_key):
+    """Two equal-length keys must compare via hmac.compare_digest."""
+    with_key("secret-token-abc123")
+    with pytest.raises(HTTPException) as exc:
+        middleware.check_api_key(_StubRequest("secret-token-XYZ999"))
+    assert exc.value.status_code == 401
+
+
+def test_wrong_key_different_length_raises_401(with_key):
+    with_key("secret-token-abc123")
+    with pytest.raises(HTTPException) as exc:
+        middleware.check_api_key(_StubRequest("short"))
+    assert exc.value.status_code == 401
+
+
+def test_missing_header_raises_401(with_key):
+    with_key("secret-token-abc123")
+    with pytest.raises(HTTPException) as exc:
+        middleware.check_api_key(_StubRequest(None))
+    assert exc.value.status_code == 401
+
+
+def test_empty_header_raises_401(with_key):
+    with_key("secret-token-abc123")
+    with pytest.raises(HTTPException) as exc:
+        middleware.check_api_key(_StubRequest(""))
+    assert exc.value.status_code == 401
+
+
+def test_uses_hmac_compare_digest(with_key, monkeypatch):
+    """Sanity check: the implementation actually calls hmac.compare_digest.
+
+    We monkeypatch ``hmac.compare_digest`` and assert it is invoked with the
+    UTF-8 encoded bytes of both sides — this pins the constant-time semantic.
+    """
+    with_key("abc")
+    calls: list[tuple[bytes, bytes]] = []
+    real = middleware.hmac.compare_digest
+
+    def spy(a, b):
+        calls.append((a, b))
+        return real(a, b)
+
+    monkeypatch.setattr(middleware.hmac, "compare_digest", spy)
+    with pytest.raises(HTTPException):
+        middleware.check_api_key(_StubRequest("xyz"))
+    assert calls, "hmac.compare_digest should have been called"
+    a, b = calls[0]
+    assert isinstance(a, bytes) and isinstance(b, bytes)
+    assert a == b"xyz"
+    assert b == b"abc"

cloudwright_ai_web-1.3.0/tests/test_design_returns_usage.py

@@ -0,0 +1,108 @@
+"""/api/design and /api/modify must surface LLM usage in the response.
+
+Pre-fix: only /api/chat returned usage; design and modify dropped it. UI
+clients had no way to surface tokens or cost for those endpoints.
+"""
+
+from __future__ import annotations
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+@pytest.fixture
+def client():
+    from cloudwright_web.app import app
+
+    return TestClient(app)
+
+
+def _make_spec():
+    from cloudwright.spec import ArchSpec, Component, Connection
+
+    return ArchSpec(
+        name="Test App",
+        provider="aws",
+        region="us-east-1",
+        components=[
+            Component(id="web", service="ec2", provider="aws", label="Web", tier=2, config={}),
+            Component(id="db", service="rds", provider="aws", label="DB", tier=3, config={}),
+        ],
+        connections=[Connection(source="web", target="db", label="SQL")],
+    )
+
+
+class TestDesignReturnsUsage:
+    def test_design_response_includes_usage_field(self, client):
+        spec = _make_spec()
+        architect = MagicMock()
+        architect.design.return_value = spec
+        architect.last_usage = {
+            "model": "claude-sonnet-4-6",
+            "input_tokens": 500,
+            "output_tokens": 200,
+            "cached_tokens": 0,
+            "cost_usd": 0.0045,
+            "latency_ms": 1234,
+        }
+
+        with patch("cloudwright_web.singletons.get_architect", return_value=architect):
+            resp = client.post(
+                "/api/design",
+                json={"description": "3-tier web app on AWS", "provider": "aws", "region": "us-east-1"},
+            )
+
+        assert resp.status_code == 200, resp.text
+        data = resp.json()
+        assert "usage" in data
+        usage = data["usage"]
+        assert usage["model"] == "claude-sonnet-4-6"
+        assert usage["input_tokens"] == 500
+        assert usage["output_tokens"] == 200
+        assert usage["cost_usd"] == 0.0045
+
+    def test_modify_response_includes_usage_field(self, client):
+        original = _make_spec()
+        modified = original
+        architect = MagicMock()
+        architect.modify.return_value = modified
+        architect.last_usage = {
+            "model": "claude-haiku-4-5-20251001",
+            "input_tokens": 100,
+            "output_tokens": 50,
+            "cached_tokens": 80,
+            "cost_usd": 0.00028,
+            "latency_ms": 400,
+        }
+
+        with patch("cloudwright_web.singletons.get_architect", return_value=architect):
+            resp = client.post(
+                "/api/modify",
+                json={"spec": original.model_dump(exclude_none=True), "instruction": "add a cache layer"},
+            )
+
+        assert resp.status_code == 200, resp.text
+        data = resp.json()
+        assert "usage" in data
+        # Haiku model surfaces — and the cost is the cheap rate, not Sonnet's.
+        assert data["usage"]["model"].startswith("claude-haiku")
+        assert data["usage"]["cost_usd"] == 0.00028
+
+    def test_design_usage_empty_when_unavailable(self, client):
+        """Backwards-compat: if architect.last_usage is empty (e.g. template
+        match path), the response still includes the field but as {}."""
+        spec = _make_spec()
+        architect = MagicMock()
+        architect.design.return_value = spec
+        architect.last_usage = {}
+
+        with patch("cloudwright_web.singletons.get_architect", return_value=architect):
+            resp = client.post(
+                "/api/design",
+                json={"description": "3-tier web app on AWS", "provider": "aws", "region": "us-east-1"},
+            )
+
+        assert resp.status_code == 200
+        assert resp.json()["usage"] == {}

cloudwright_ai_web-1.3.0/tests/test_health_endpoint.py

@@ -0,0 +1,124 @@
+"""Tests for /api/health and /api/version (audit-fix v1.3)."""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+
+
+@pytest.fixture
+def client(monkeypatch):
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    return TestClient(create_app())
+
+
+def test_health_returns_version_and_uptime(client):
+    r = client.get("/api/health", headers={"X-API-Key": "test-key"})
+    # status code may be 200 or 503 depending on catalog load in test env
+    body = r.json()
+    assert "version" in body
+    assert isinstance(body["version"], str)
+    assert "uptime_s" in body
+    assert isinstance(body["uptime_s"], (int, float))
+    assert "catalog_loaded" in body
+    assert "catalog_size" in body
+    assert "llm_provider" in body
+    assert "llm_model" in body
+
+
+def test_health_503_when_catalog_fails(client):
+    """When catalog loading fails, health returns 503 (Kubernetes readiness)."""
+    with patch("cloudwright_web.singletons.get_catalog", side_effect=RuntimeError("catalog dead")):
+        r = client.get("/api/health", headers={"X-API-Key": "test-key"})
+    assert r.status_code == 503
+    body = r.json()
+    assert body["catalog_loaded"] is False
+    assert body["status"] == "degraded"
+
+
+def test_health_503_when_no_llm_key(monkeypatch):
+    monkeypatch.delenv("ANTHROPIC_API_KEY", raising=False)
+    monkeypatch.delenv("OPENAI_API_KEY", raising=False)
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    c = TestClient(create_app())
+    r = c.get("/api/health")
+    assert r.status_code == 503
+    body = r.json()
+    assert body["status"] == "degraded"
+    assert "version" in body
+
+
+def test_version_endpoint(client):
+    r = client.get("/api/version")
+    assert r.status_code == 200
+    body = r.json()
+    assert set(body.keys()) == {"version", "build_sha", "llm_provider", "llm_model"}
+    assert isinstance(body["version"], str)
+
+
+def test_version_includes_build_sha_from_env(monkeypatch):
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    monkeypatch.setenv("CLOUDWRIGHT_BUILD_SHA", "abc1234")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    c = TestClient(create_app())
+    r = c.get("/api/version")
+    assert r.json()["build_sha"] == "abc1234"
+
+
+def _is_openapi_json(response) -> bool:
+    """A real OpenAPI doc is JSON whose body starts with `{"openapi"`.
+
+    The SPA fallback (frontend index.html) returns 200 with text/html, which
+    we treat as "openapi disabled" — Swagger UI cannot render against it.
+    """
+    if response.status_code != 200:
+        return False
+    if "application/json" not in response.headers.get("content-type", ""):
+        return False
+    return response.text.lstrip().startswith('{"openapi"')
+
+
+def test_docs_disabled_in_production(monkeypatch):
+    monkeypatch.setenv("CLOUDWRIGHT_ENV", "production")
+    monkeypatch.delenv("CLOUDWRIGHT_DOCS_ENABLED", raising=False)
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    c = TestClient(create_app())
+    assert not _is_openapi_json(c.get("/openapi.json"))
+
+
+def test_docs_enabled_outside_production(monkeypatch):
+    monkeypatch.delenv("CLOUDWRIGHT_ENV", raising=False)
+    monkeypatch.delenv("CLOUDWRIGHT_DOCS_ENABLED", raising=False)
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    c = TestClient(create_app())
+    assert _is_openapi_json(c.get("/openapi.json"))
+
+
+def test_docs_enabled_override(monkeypatch):
+    monkeypatch.setenv("CLOUDWRIGHT_ENV", "production")
+    monkeypatch.setenv("CLOUDWRIGHT_DOCS_ENABLED", "true")
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    c = TestClient(create_app())
+    assert _is_openapi_json(c.get("/openapi.json"))

cloudwright_ai_web-1.3.0/tests/test_request_id.py

@@ -0,0 +1,51 @@
+"""Tests for RequestIdMiddleware (audit-fix v1.3)."""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import pytest
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+
+
+@pytest.fixture
+def client(monkeypatch):
+    monkeypatch.setenv("CLOUDWRIGHT_API_KEY", "test-key")
+    from cloudwright_web.app import create_app
+    from fastapi.testclient import TestClient
+
+    return TestClient(create_app())
+
+
+def test_request_id_minted_when_missing(client):
+    r = client.get("/api/version")
+    assert r.status_code == 200
+    rid = r.headers.get("X-Request-Id")
+    assert rid is not None
+    assert len(rid) >= 16
+
+
+def test_request_id_preserved_when_provided(client):
+    incoming = "deadbeefdeadbeefdeadbeefdeadbeef"
+    r = client.get("/api/version", headers={"X-Request-Id": incoming})
+    assert r.status_code == 200
+    assert r.headers["X-Request-Id"] == incoming
+
+
+def test_request_ids_are_unique_per_request(client):
+    rid1 = client.get("/api/version").headers["X-Request-Id"]
+    rid2 = client.get("/api/version").headers["X-Request-Id"]
+    assert rid1 != rid2
+
+
+def test_request_id_present_on_404(client):
+    r = client.get("/api/this-does-not-exist")
+    # path traversal middleware lets unknown routes through to 404 from FastAPI
+    assert "X-Request-Id" in r.headers
+
+
+def test_request_id_present_on_health(client):
+    r = client.get("/api/health", headers={"X-API-Key": "test-key"})
+    assert "X-Request-Id" in r.headers

cloudwright_ai_web-1.2.2/cloudwright_web/routers/health.py

@@ -1,43 +0,0 @@
-"""GET /api/health and static icon serving."""
-
-from __future__ import annotations
-
-import os
-from pathlib import Path
-
-from fastapi import APIRouter, HTTPException
-from fastapi.responses import FileResponse, JSONResponse
-
-import cloudwright_web.singletons as _singletons
-
-router = APIRouter()
-
-
-@router.get("/health")
-def health():
-    # Check LLM key presence
-    has_llm_key = bool(os.environ.get("ANTHROPIC_API_KEY") or os.environ.get("OPENAI_API_KEY"))
-    if not has_llm_key:
-        return JSONResponse(
-            status_code=503,
-            content={"status": "degraded", "reason": "No LLM API key configured (ANTHROPIC_API_KEY or OPENAI_API_KEY)"},
-        )
-    try:
-        catalog = _singletons.get_catalog()
-        results = catalog.search(query="m5", limit=1)
-        return {"status": "ok", "catalog_loaded": True, "sample_count": len(results)}
-    except Exception:
-        return {"status": "ok", "catalog_loaded": False}
-
-
-@router.get("/icons/{provider}/{service}.svg")
-def get_icon(provider: str, service: str):
-    import cloudwright
-
-    icons_dir = Path(cloudwright.__file__).parent / "data" / "icons"
-    icon_path = icons_dir / provider / f"{service}.svg"
-    if not icon_path.exists():
-        raise HTTPException(status_code=404, detail=f"Icon not found: {provider}/{service}")
-    if not icon_path.resolve().is_relative_to(icons_dir.resolve()):
-        raise HTTPException(status_code=404, detail="Invalid path")
-    return FileResponse(str(icon_path), media_type="image/svg+xml")