docauto-mcp 0.2.0__tar.gz

docauto_mcp-0.2.0/.gitignore

@@ -0,0 +1,66 @@
+# Kubernetes secrets e valores Helm com credenciais — NUNCA commitar
+k8s/secrets.yaml
+k8s/keycloak/secrets.yaml
+k8s/prometheus-values.yaml
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.venv/
+dist/
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+htmlcov/
+.coverage
+
+# Env
+.env
+.env.local
+
+# Node
+node_modules/
+.next/
+out/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Docker volumes
+postgres_data/
+minio_data/
+
+# Use-case test outputs (keep script, template, csv and results.md)
+use-case-tests/output/
+
+# References mvp_docauto.md and guide_claude_code_docauto.pdf
+references/
+
+#Visual Studio Code
+.vscode/
+
+#Claude Settings
+.claude/settings.local.json
+
+# AI agent local tooling configs (not project instructions)
+.playwright-mcp/
+.mcp.json
+
+# Claude Code skill run artifacts (ephemeral results — not project state)
+.claude/skills/**/*_RESULTS.md
+.claude/skills/**/RESULTS/
+
+# Frontend test artifacts
+frontend/test-results/
+frontend/playwright-report/
+
+# Git worktrees
+.worktrees/
+
+# Secrets / environment mapping — never commit
+ENVIRONMENTS.md
+
+# Local planning and roadmap notes — never commit
+FEATURES.md

docauto_mcp-0.2.0/Dockerfile

@@ -0,0 +1,24 @@
+# Hosted DocAuto MCP server (Streamable HTTP). Built for linux/arm64 (Oracle ARM).
+# Build context is this directory (mcp/).
+FROM python:3.13-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+# Install the package (and its deps: mcp, httpx, uvicorn) from its own metadata.
+COPY pyproject.toml README.md ./
+COPY docauto_mcp/ docauto_mcp/
+RUN pip install --no-cache-dir .
+
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
+
+EXPOSE 8000
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/healthz')" || exit 1
+
+CMD ["uvicorn", "docauto_mcp.server_http:http_app", "--factory", \
+     "--host", "0.0.0.0", "--port", "8000"]

docauto_mcp-0.2.0/PKG-INFO

@@ -0,0 +1,161 @@
+Metadata-Version: 2.4
+Name: docauto-mcp
+Version: 0.2.0
+Summary: Model Context Protocol server for the DocAuto document-generation API.
+Project-URL: Homepage, https://docauto.com.br
+Project-URL: Documentation, https://docauto.com.br/docs/mcp
+Project-URL: Repository, https://github.com/gzucob/docauto
+Author: DocAuto
+License-Expression: MIT
+Keywords: ai,docauto,documents,mcp,model-context-protocol
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Office/Business
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.11
+Requires-Dist: httpx>=0.27
+Requires-Dist: mcp<2,>=1.12
+Requires-Dist: uvicorn>=0.30
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
+Requires-Dist: pytest>=8; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# DocAuto MCP server
+
+A [Model Context Protocol](https://modelcontextprotocol.io) server that exposes
+the DocAuto document-generation workflow to AI assistants. It is a thin client
+over the public `/api/v1` surface — it holds no secrets and enforces no
+business logic; multi-tenancy and validation live in the backend.
+
+- **Transport:** stdio (local) and a hosted Streamable-HTTP server at
+  `https://mcp.docauto.com.br/mcp` (add it as a remote connector — no install).
+- **Auth (local):** OAuth 2.0 Device Authorization Grant against the Keycloak
+  `docauto-cli` public client. You sign in once in your browser; tokens are
+  cached at `~/.docauto/mcp-tokens.json` (0600) and refreshed automatically.
+
+## Install
+
+The server is a standalone Python package (it is **not** part of the backend).
+Requires Python ≥ 3.11.
+
+```bash
+# run on demand, no install:
+uvx docauto-mcp
+# or install it:
+pipx install docauto-mcp
+```
+
+From a checkout (dev): `pip install ./mcp`.
+
+## Configure your MCP client
+
+### Claude Desktop — automatic
+
+The package ships a setup helper that writes `claude_desktop_config.json` for
+you (handling the Windows Store/MSIX config-path quirk):
+
+```bash
+docauto-mcp-install            # register the installed `docauto-mcp` command
+docauto-mcp-install --command uvx   # zero-install: run via `uvx docauto-mcp`
+docauto-mcp-install --print    # print the JSON block instead of writing it
+```
+
+### Claude Desktop — manual
+
+```json
+{
+  "mcpServers": {
+    "docauto": {
+      "command": "docauto-mcp"
+    }
+  }
+}
+```
+
+If `docauto-mcp` is not on your PATH, use the `uvx` form
+(`"command": "uvx", "args": ["docauto-mcp"]`) or point `command` at the script
+inside your virtualenv.
+
+### Claude Code (CLI)
+
+```bash
+claude mcp add docauto -- uvx docauto-mcp
+```
+
+### Cursor / VS Code / other clients
+
+These accept a remote MCP server by URL — see the **hosted** server below
+(`https://mcp.docauto.com.br/mcp`), which needs no local install.
+
+### Environment overrides (optional)
+
+Defaults target production; override only for local dev:
+
+| Variable | Default |
+|---|---|
+| `DOCAUTO_MCP_ISSUER` | `https://auth.docauto.com.br/realms/docauto` |
+| `DOCAUTO_MCP_API_BASE` | `https://api.docauto.com.br` (server-to-server; set to the internal service in-cluster) |
+| `DOCAUTO_MCP_PUBLIC_API_BASE` | `https://api.docauto.com.br` (public base for user-facing links, e.g. signed download URLs) |
+| `DOCAUTO_MCP_PUBLIC_APP_BASE` | `https://docauto.com.br` (public frontend base for the upload page link) |
+| `DOCAUTO_MCP_CLIENT_ID` | `docauto-cli` |
+| `DOCAUTO_MCP_HOME` | `~/.docauto` (token cache location) |
+
+## Logging in
+
+You sign in with your normal DocAuto account (the MCP server does not create a
+different kind of account):
+
+1. Call **`login_start`** — it returns a verification URL and a short code.
+2. Open the URL, sign in (email/password or Google), and approve.
+3. Call **`login_finish`** — it completes the login and caches your tokens.
+
+After that the assistant can use the tools below; tokens refresh silently until
+the session expires.
+
+## Prompts
+
+- **`generate_documents`** (argument: `output_format` = `pdf` | `docx`) — a
+  guided template that drives the whole batch-generation flow. Available in any
+  client that surfaces MCP prompts, over both transports.
+
+## Tools
+
+- **Session:** `login_start`, `login_finish`, `logout`, `whoami`, `doctor`,
+  `workflow_guide` — `doctor` reports the version, the configured endpoints, API
+  reachability, and sign-in state (no secrets)
+- **Templates:** `list_templates`, `get_template`, `upload_template`, `delete_template`
+- **Datasets:** `list_datasets`, `get_dataset`, `preview_dataset`, `upload_dataset`, `delete_dataset`
+- **Generation:** `validate_mapping`, `create_generation_job`, `get_job`, `list_jobs`, `cancel_job`, `delete_job`, `list_job_documents`
+- **Downloads:** `download_document`, `download_job_zip` — over stdio these save
+  to the user's local Downloads folder; over the hosted HTTP transport
+  `download_job_zip` returns a short-lived signed URL the user opens in a browser
+  (the ZIP is never streamed through the model, so there is no size cap)
+- **Uploads (hosted HTTP only):** over stdio `upload_template`/`upload_dataset`
+  read a local path; over the hosted transport they take only a `filename` and
+  return an `upload_url` the user opens to send the file (the bytes never pass
+  through the model), plus an `upload_ref` to poll with `check_upload` until the
+  result is `ready`
+
+## Typical flow
+
+`login_start` → `login_finish` → `whoami` → `upload_template(path)` →
+`upload_dataset(path)` → `validate_mapping(...)` →
+`create_generation_job(...)` → poll `get_job(job_id)` →
+`download_job_zip(job_id, dest)`.
+
+The `field_mapping` maps each template variable to a dataset column, e.g.
+`{"nome_cliente": "nome_cliente", "cpf": "cpf"}`. `output_format` is `pdf`
+(default) or `docx`.
+
+## Development
+
+```bash
+# unit tests (no MCP SDK needed — auth/client/tools are isolated)
+python -m pytest tests
+```

docauto_mcp-0.2.0/README.md

@@ -0,0 +1,133 @@
+# DocAuto MCP server
+
+A [Model Context Protocol](https://modelcontextprotocol.io) server that exposes
+the DocAuto document-generation workflow to AI assistants. It is a thin client
+over the public `/api/v1` surface — it holds no secrets and enforces no
+business logic; multi-tenancy and validation live in the backend.
+
+- **Transport:** stdio (local) and a hosted Streamable-HTTP server at
+  `https://mcp.docauto.com.br/mcp` (add it as a remote connector — no install).
+- **Auth (local):** OAuth 2.0 Device Authorization Grant against the Keycloak
+  `docauto-cli` public client. You sign in once in your browser; tokens are
+  cached at `~/.docauto/mcp-tokens.json` (0600) and refreshed automatically.
+
+## Install
+
+The server is a standalone Python package (it is **not** part of the backend).
+Requires Python ≥ 3.11.
+
+```bash
+# run on demand, no install:
+uvx docauto-mcp
+# or install it:
+pipx install docauto-mcp
+```
+
+From a checkout (dev): `pip install ./mcp`.
+
+## Configure your MCP client
+
+### Claude Desktop — automatic
+
+The package ships a setup helper that writes `claude_desktop_config.json` for
+you (handling the Windows Store/MSIX config-path quirk):
+
+```bash
+docauto-mcp-install            # register the installed `docauto-mcp` command
+docauto-mcp-install --command uvx   # zero-install: run via `uvx docauto-mcp`
+docauto-mcp-install --print    # print the JSON block instead of writing it
+```
+
+### Claude Desktop — manual
+
+```json
+{
+  "mcpServers": {
+    "docauto": {
+      "command": "docauto-mcp"
+    }
+  }
+}
+```
+
+If `docauto-mcp` is not on your PATH, use the `uvx` form
+(`"command": "uvx", "args": ["docauto-mcp"]`) or point `command` at the script
+inside your virtualenv.
+
+### Claude Code (CLI)
+
+```bash
+claude mcp add docauto -- uvx docauto-mcp
+```
+
+### Cursor / VS Code / other clients
+
+These accept a remote MCP server by URL — see the **hosted** server below
+(`https://mcp.docauto.com.br/mcp`), which needs no local install.
+
+### Environment overrides (optional)
+
+Defaults target production; override only for local dev:
+
+| Variable | Default |
+|---|---|
+| `DOCAUTO_MCP_ISSUER` | `https://auth.docauto.com.br/realms/docauto` |
+| `DOCAUTO_MCP_API_BASE` | `https://api.docauto.com.br` (server-to-server; set to the internal service in-cluster) |
+| `DOCAUTO_MCP_PUBLIC_API_BASE` | `https://api.docauto.com.br` (public base for user-facing links, e.g. signed download URLs) |
+| `DOCAUTO_MCP_PUBLIC_APP_BASE` | `https://docauto.com.br` (public frontend base for the upload page link) |
+| `DOCAUTO_MCP_CLIENT_ID` | `docauto-cli` |
+| `DOCAUTO_MCP_HOME` | `~/.docauto` (token cache location) |
+
+## Logging in
+
+You sign in with your normal DocAuto account (the MCP server does not create a
+different kind of account):
+
+1. Call **`login_start`** — it returns a verification URL and a short code.
+2. Open the URL, sign in (email/password or Google), and approve.
+3. Call **`login_finish`** — it completes the login and caches your tokens.
+
+After that the assistant can use the tools below; tokens refresh silently until
+the session expires.
+
+## Prompts
+
+- **`generate_documents`** (argument: `output_format` = `pdf` | `docx`) — a
+  guided template that drives the whole batch-generation flow. Available in any
+  client that surfaces MCP prompts, over both transports.
+
+## Tools
+
+- **Session:** `login_start`, `login_finish`, `logout`, `whoami`, `doctor`,
+  `workflow_guide` — `doctor` reports the version, the configured endpoints, API
+  reachability, and sign-in state (no secrets)
+- **Templates:** `list_templates`, `get_template`, `upload_template`, `delete_template`
+- **Datasets:** `list_datasets`, `get_dataset`, `preview_dataset`, `upload_dataset`, `delete_dataset`
+- **Generation:** `validate_mapping`, `create_generation_job`, `get_job`, `list_jobs`, `cancel_job`, `delete_job`, `list_job_documents`
+- **Downloads:** `download_document`, `download_job_zip` — over stdio these save
+  to the user's local Downloads folder; over the hosted HTTP transport
+  `download_job_zip` returns a short-lived signed URL the user opens in a browser
+  (the ZIP is never streamed through the model, so there is no size cap)
+- **Uploads (hosted HTTP only):** over stdio `upload_template`/`upload_dataset`
+  read a local path; over the hosted transport they take only a `filename` and
+  return an `upload_url` the user opens to send the file (the bytes never pass
+  through the model), plus an `upload_ref` to poll with `check_upload` until the
+  result is `ready`
+
+## Typical flow
+
+`login_start` → `login_finish` → `whoami` → `upload_template(path)` →
+`upload_dataset(path)` → `validate_mapping(...)` →
+`create_generation_job(...)` → poll `get_job(job_id)` →
+`download_job_zip(job_id, dest)`.
+
+The `field_mapping` maps each template variable to a dataset column, e.g.
+`{"nome_cliente": "nome_cliente", "cpf": "cpf"}`. `output_format` is `pdf`
+(default) or `docx`.
+
+## Development
+
+```bash
+# unit tests (no MCP SDK needed — auth/client/tools are isolated)
+python -m pytest tests
+```

docauto_mcp-0.2.0/docauto_mcp/__init__.py

@@ -0,0 +1,10 @@
+"""DocAuto MCP server — a thin Model Context Protocol server over the DocAuto API.
+
+The package is a standalone deployable (not part of the FastAPI monolith): it
+talks to the public ``/api/v1`` surface over HTTP and authenticates as the user
+via the Keycloak ``docauto-cli`` public client (OAuth 2.0 Device Authorization
+Grant). Multi-tenancy is enforced server-side, so the MCP server holds no
+secrets and never sees another tenant's data.
+"""
+
+__version__ = "0.2.0"

docauto_mcp-0.2.0/docauto_mcp/auth.py

@@ -0,0 +1,288 @@
+"""OAuth 2.0 Device Authorization Grant for the DocAuto MCP server.
+
+The MCP server authenticates the user as the Keycloak ``docauto-cli`` public
+client using the device flow (RFC 8628): no redirect URI, no local web server —
+the user opens a verification URL, approves, and the server polls for the token.
+Tokens are cached on disk and silently refreshed; only the first login (or an
+expired refresh token) requires the interactive step.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import os
+import secrets
+import stat
+import time
+from collections.abc import Callable
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+import httpx
+
+from .config import Settings
+from .errors import AuthError, NotAuthenticatedError
+
+_EXPIRY_SKEW_SECONDS = 30
+_DEFAULT_INTERVAL_SECONDS = 5
+_DEFAULT_DEVICE_TIMEOUT_SECONDS = 600
+
+
+def _generate_pkce_pair() -> tuple[str, str]:
+    """Return an (S256) ``(code_verifier, code_challenge)`` PKCE pair.
+
+    The ``docauto-cli`` client enforces PKCE, and Keycloak applies it to the
+    device flow too: the device authorization request must carry the challenge
+    and the token poll must carry the verifier.
+    """
+    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
+    digest = hashlib.sha256(verifier.encode("ascii")).digest()
+    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
+    return verifier, challenge
+
+
+@dataclass(frozen=True)
+class TokenSet:
+    """A cached set of OAuth tokens."""
+
+    access_token: str
+    refresh_token: str | None
+    expires_at: float
+
+    def is_expired(self, now: float) -> bool:
+        """Return whether the access token is expired (with a safety skew)."""
+        return now >= self.expires_at - _EXPIRY_SKEW_SECONDS
+
+
+class TokenStore:
+    """Persists a :class:`TokenSet` to a 0600 file on disk."""
+
+    def __init__(self, path: Path) -> None:
+        """Store the on-disk path for the token cache."""
+        self._path = path
+
+    def load(self) -> TokenSet | None:
+        """Return the cached token set, or ``None`` if absent or unreadable."""
+        try:
+            data = json.loads(self._path.read_text(encoding="utf-8"))
+        except (OSError, ValueError):
+            return None
+        try:
+            return TokenSet(
+                access_token=str(data["access_token"]),
+                refresh_token=(
+                    str(data["refresh_token"]) if data.get("refresh_token") else None
+                ),
+                expires_at=float(data["expires_at"]),
+            )
+        except (KeyError, TypeError, ValueError):
+            return None
+
+    def save(self, tokens: TokenSet) -> None:
+        """Write the token set to disk with owner-only permissions."""
+        self._path.parent.mkdir(parents=True, exist_ok=True)
+        self._path.write_text(
+            json.dumps(
+                {
+                    "access_token": tokens.access_token,
+                    "refresh_token": tokens.refresh_token,
+                    "expires_at": tokens.expires_at,
+                }
+            ),
+            encoding="utf-8",
+        )
+        try:
+            os.chmod(self._path, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            # Best-effort on platforms without POSIX permissions (e.g. Windows).
+            pass
+
+    def clear(self) -> None:
+        """Delete the cached tokens, if any."""
+        try:
+            self._path.unlink()
+        except FileNotFoundError:
+            pass
+
+
+class DeviceFlowAuthenticator:
+    """Obtains and refreshes access tokens via the OAuth device flow."""
+
+    def __init__(
+        self,
+        settings: Settings,
+        store: TokenStore,
+        *,
+        http: httpx.Client | None = None,
+        sleep: Callable[[float], None] = time.sleep,
+        now: Callable[[], float] = time.time,
+    ) -> None:
+        """Wire the authenticator to its settings, token store, and clock."""
+        self._settings = settings
+        self._store = store
+        self._http = http or httpx.Client(timeout=30.0)
+        self._sleep = sleep
+        self._now = now
+        self._pending: dict[str, Any] | None = None
+
+    # -- non-interactive ----------------------------------------------------
+
+    def get_access_token(self) -> str:
+        """Return a valid access token without prompting.
+
+        Uses the cached token, transparently refreshing with the refresh token
+        when expired.
+
+        Raises:
+            NotAuthenticatedError: If there is no usable token — the caller
+                should ask the user to run the login tool.
+        """
+        tokens = self._store.load()
+        if tokens and not tokens.is_expired(self._now()):
+            return tokens.access_token
+        if tokens and tokens.refresh_token:
+            refreshed = self._refresh(tokens.refresh_token)
+            if refreshed is not None:
+                self._store.save(refreshed)
+                return refreshed.access_token
+        raise NotAuthenticatedError(
+            "Not authenticated. Run the 'login_start' tool, approve in the "
+            "browser, then run 'login_finish'."
+        )
+
+    def is_authenticated(self) -> bool:
+        """Return whether a valid (or refreshable) token is available."""
+        try:
+            self.get_access_token()
+        except NotAuthenticatedError:
+            return False
+        return True
+
+    def logout(self) -> None:
+        """Clear cached tokens and any pending device authorization."""
+        self._pending = None
+        self._store.clear()
+
+    # -- interactive device flow -------------------------------------------
+
+    def start_device_flow(self) -> dict[str, Any]:
+        """Begin device authorization and return the user-facing instructions.
+
+        Returns:
+            A mapping with ``verification_uri``, ``verification_uri_complete``
+            (when provided), ``user_code``, and ``expires_in``.
+        """
+        verifier, challenge = _generate_pkce_pair()
+        resp = self._http.post(
+            self._settings.device_auth_url,
+            data={
+                "client_id": self._settings.client_id,
+                "scope": self._settings.scope,
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        if resp.status_code != 200:
+            raise AuthError(
+                f"Device authorization request failed ({resp.status_code})."
+            )
+        data = resp.json()
+        interval = int(data.get("interval", _DEFAULT_INTERVAL_SECONDS))
+        expires_in = int(data.get("expires_in", _DEFAULT_DEVICE_TIMEOUT_SECONDS))
+        self._pending = {
+            "device_code": data["device_code"],
+            "interval": interval,
+            "deadline": self._now() + expires_in,
+            "code_verifier": verifier,
+        }
+        return {
+            "verification_uri": data.get("verification_uri"),
+            "verification_uri_complete": data.get("verification_uri_complete"),
+            "user_code": data.get("user_code"),
+            "expires_in": expires_in,
+            "message": (
+                "Open the verification URL, sign in, and approve. Then run "
+                "'login_finish' to complete."
+            ),
+        }
+
+    def finish_device_flow(self) -> str:
+        """Poll the token endpoint until the user approves (or it times out).
+
+        Returns:
+            A short success message.
+
+        Raises:
+            AuthError: If no device flow is pending, or it is denied/expired.
+        """
+        if self._pending is None:
+            raise AuthError("No login in progress. Run 'login_start' first.")
+        device_code = str(self._pending["device_code"])
+        interval = int(self._pending["interval"])
+        deadline = float(self._pending["deadline"])
+        code_verifier = str(self._pending["code_verifier"])
+
+        while self._now() < deadline:
+            self._sleep(interval)
+            resp = self._http.post(
+                self._settings.token_url,
+                data={
+                    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                    "client_id": self._settings.client_id,
+                    "device_code": device_code,
+                    "code_verifier": code_verifier,
+                },
+            )
+            if resp.status_code == 200:
+                self._store.save(self._token_set_from_response(resp.json()))
+                self._pending = None
+                return "Login successful."
+            error = self._error_code(resp)
+            if error == "authorization_pending":
+                continue
+            if error == "slow_down":
+                interval += 5
+                continue
+            self._pending = None
+            raise AuthError(f"Device authorization failed: {error}.")
+
+        self._pending = None
+        raise AuthError("Device authorization timed out before approval.")
+
+    # -- internals ----------------------------------------------------------
+
+    def _refresh(self, refresh_token: str) -> TokenSet | None:
+        """Exchange a refresh token for a new token set, or ``None`` on failure."""
+        resp = self._http.post(
+            self._settings.token_url,
+            data={
+                "grant_type": "refresh_token",
+                "client_id": self._settings.client_id,
+                "refresh_token": refresh_token,
+            },
+        )
+        if resp.status_code != 200:
+            return None
+        return self._token_set_from_response(resp.json())
+
+    def _token_set_from_response(self, data: dict[str, Any]) -> TokenSet:
+        """Build a :class:`TokenSet` from a token-endpoint JSON response."""
+        expires_in = float(data.get("expires_in", 300))
+        return TokenSet(
+            access_token=str(data["access_token"]),
+            refresh_token=(
+                str(data["refresh_token"]) if data.get("refresh_token") else None
+            ),
+            expires_at=self._now() + expires_in,
+        )
+
+    @staticmethod
+    def _error_code(resp: httpx.Response) -> str:
+        """Extract the OAuth ``error`` code from a non-200 token response."""
+        try:
+            return str(resp.json().get("error", "unknown_error"))
+        except ValueError:
+            return "unknown_error"