fixtureqa 0.1.8__tar.gz → 0.3.0__tar.gz

{fixtureqa-0.1.8/fixtureqa.egg-info → fixtureqa-0.3.0}/PKG-INFO

@@ -1,10 +1,10 @@
 Metadata-Version: 2.4
 Name: fixtureqa
-Version: 0.1.8
+Version: 0.3.0
 Summary: FIXture — FIX Protocol Testing Tool
 Requires-Python: >=3.10
 License-File: LICENSE
-Requires-Dist: fixcore-engine
+Requires-Dist: fixcore-engine==0.5.0
 Requires-Dist: fastapi>=0.111.0
 Requires-Dist: uvicorn[standard]>=0.29.0
 Requires-Dist: websockets>=12.0

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/__main__.py

@@ -31,13 +31,20 @@ def _configure_logging(level_name: str, log_file: str | None = None) -> None:
     root = logging.getLogger()
     root.setLevel(level)
 
-    # Stdout handler
+    # Stdout handler. When a log file is also configured, keep the console at
+    # WARNING+ so high-rate perf runs (and chatty per-message engine logging)
+    # don't flood the terminal — the file still captures everything at `level`.
     sh = logging.StreamHandler()
     sh.setFormatter(formatter)
+    if log_file:
+        sh.setLevel(logging.WARNING)
     root.addHandler(sh)
 
     # Optional rotating file handler
     if log_file:
+        log_dir = os.path.dirname(log_file)
+        if log_dir:
+            os.makedirs(log_dir, exist_ok=True)
         fh = logging.handlers.RotatingFileHandler(
             log_file, maxBytes=10 * 1024 * 1024, backupCount=5, encoding="utf-8"
         )

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/api/app.py

@@ -1,3 +1,4 @@
+import asyncio
 import os
 from contextlib import asynccontextmanager
 
@@ -14,19 +15,37 @@ from ..core.spec_overlay_store import SpecOverlayStore
 from ..core.template_store import TemplateStore
 from ..core.user_store import UserStore
 from .connection_manager import ConnectionManager
-from .routers import sessions, messages, ws, auth, setup, admin, fix_spec, templates, scenarios, branding, custom_tags, spec_overlay
+from ..core.perf_engine import RunRegistry
+from ..core.perf_writer import PerfWriter
+from ..core.perf_store import PerfStore
+from .routers import sessions, messages, ws, auth, setup, admin, fix_spec, templates, scenarios, branding, custom_tags, spec_overlay, perf
 
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
+    # Capture the running event loop so worker threads (scenarios, and later
+    # the perf injector) can submit coroutines back to it via
+    # run_coroutine_threadsafe. get_event_loop() does not work from a worker
+    # thread on Python 3.12.
+    loop = asyncio.get_running_loop()
+    app.state.loop = loop
+    app.state.scenario_runner.set_loop(loop)
     # Register event bridge with SessionManager
     sm: SessionManager = app.state.session_manager
     cm: ConnectionManager = app.state.connection_manager
     sm.subscribe(cm.sync_event_handler)
+    # Periodic WS message-rate aggregator (emits message_agg under high load)
+    agg_task = asyncio.create_task(cm.run_aggregator())
     # Start background housekeeping thread
     app.state.housekeeping.start()
     yield
+    agg_task.cancel()
     sm.unsubscribe(cm.sync_event_handler)
+    # Stop active perf runs before tearing down sessions, then flush perf writer
+    try:
+        await app.state.perf_registry.shutdown()
+    except Exception:
+        pass
     # Force-stop all running sessions so their asyncio tasks can be cancelled cleanly
     for sid in list(sm._sessions.keys()):
         try:
@@ -34,6 +53,7 @@ async def lifespan(app: FastAPI):
         except Exception:
             pass
     sm.close()  # flush SQLite writer
+    app.state.perf_writer.close()  # flush perf.db writer
 
 
 def create_app(
@@ -50,16 +70,30 @@ def create_app(
         lifespan=lifespan,
     )
 
+    # Resolve a stable JWT signing key (persists under data_dir if no env var)
+    from ..core.auth import init_secret_key
+    init_secret_key(data_dir)
+
     # Store singletons on app state (injected via Depends)
     app.state.session_manager = session_manager
     app.state.connection_manager = ConnectionManager()
     user_store = UserStore(db_path)
     app.state.user_store = user_store
-    app.state.housekeeping = HousekeepingService(msg_db_path, log_dir, user_store)
+    app.state.housekeeping = HousekeepingService(
+        msg_db_path, log_dir, user_store,
+        message_writer=session_manager.message_writer,
+    )
     app.state.template_store = TemplateStore(data_dir)
     app.state.scenario_store = ScenarioStore(data_dir)
     app.state.custom_tag_store = CustomTagStore(data_dir)
     app.state.spec_overlay_store = SpecOverlayStore(data_dir)
+    perf_writer = PerfWriter(os.path.join(data_dir, "perf.db"))
+    app.state.perf_writer = perf_writer
+    app.state.perf_registry = RunRegistry(perf_writer)
+    # Runs left non-terminal in perf.db were interrupted by a prior restart —
+    # mark them errored so History doesn't show zombie 'running' rows.
+    app.state.perf_registry.reconcile_interrupted()
+    app.state.perf_store = PerfStore(data_dir)
     conn_manager: ConnectionManager = app.state.connection_manager
     app.state.scenario_runner = ScenarioRunner(
         session_manager, app.state.template_store, conn_manager.broadcast_scenario_event
@@ -77,8 +111,15 @@ def create_app(
     app.include_router(branding.router, prefix="/api")
     app.include_router(custom_tags.router, prefix="/api/custom-tags")
     app.include_router(spec_overlay.router, prefix="/api/spec-overlay")
+    app.include_router(perf.router, prefix="/api/perf")
     app.include_router(ws.router)
 
+    # Unauthenticated liveness probe (used by the Docker HEALTHCHECK). Registered
+    # before the SPA catch-all below so it isn't shadowed by index.html.
+    @app.get("/api/health")
+    def health():
+        return {"status": "ok"}
+
     # Serve built React app from fixture/static/
     static_dir = os.path.join(os.path.dirname(__file__), "..", "static")
     static_dir = os.path.abspath(static_dir)

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/api/connection_manager.py

@@ -71,16 +71,41 @@ class ConnectionManager:
     Each connection carries a uid and is_admin flag for broadcast filtering.
     """
 
+    # Aggregation: stream per-message frames only up to PER_MSG_RATE_CAP msg/s
+    # per session; above that, suppress per-message and emit one periodic
+    # `message_agg` summary instead (the UI can't render thousands/sec anyway).
+    AGG_INTERVAL_S = 0.5
+    PER_MSG_RATE_CAP = 40  # msgs/sec/session below which per-message frames stream
+
     def __init__(self):
         self._clients: dict[str, dict[WebSocket, _ConnInfo]] = {}
+        # Hold strong references to in-flight broadcast tasks. asyncio only keeps
+        # a weak reference to tasks, so a fire-and-forget create_task() can be
+        # garbage-collected mid-execution, silently dropping a broadcast.
+        self._tasks: set[asyncio.Task] = set()
+        # Per-session message counters for the current aggregation window.
+        self._counters: dict[str, dict] = {}
+        self._per_window_cap = max(1, int(self.PER_MSG_RATE_CAP * self.AGG_INTERVAL_S))
+
+    def _has_clients(self) -> bool:
+        return any(self._clients.values())
+
+    def _spawn(self, coro) -> None:
+        """Schedule a broadcast coroutine, retaining a reference until it finishes."""
+        task = asyncio.create_task(coro)
+        self._tasks.add(task)
+        task.add_done_callback(self._tasks.discard)
 
     # ------------------------------------------------------------------
     # Called from async context (WS handler)
     # ------------------------------------------------------------------
 
     async def connect(self, websocket: WebSocket, session_id: str = "*",
-                      uid: str = "", is_admin: bool = False) -> None:
-        await websocket.accept()
+                      uid: str = "", is_admin: bool = False,
+                      subprotocol: str | None = None) -> None:
+        # Echo the negotiated subprotocol ("bearer") when the token came in via
+        # the Sec-WebSocket-Protocol header, so the handshake completes cleanly.
+        await websocket.accept(subprotocol=subprotocol)
         self._clients.setdefault(session_id, {})[websocket] = _ConnInfo(uid, is_admin)
 
     def disconnect(self, websocket: WebSocket, session_id: str = "*") -> None:
@@ -92,13 +117,77 @@ class ConnectionManager:
     # ------------------------------------------------------------------
 
     def sync_event_handler(self, event: SessionEvent) -> None:
-        """Registered with SessionManager.subscribe(). Called on the event loop."""
-        payload = _serialize_event(event)
-        asyncio.create_task(self._broadcast(event.session_id, payload, event.owner_uid))
+        """Registered with SessionManager.subscribe(). Called on the event loop.
+
+        Does nothing when no clients are connected (avoids per-message work at
+        high rate with nobody watching). Message events are rate-gated: streamed
+        per-message up to the cap, then suppressed in favour of periodic
+        `message_agg` summaries from run_aggregator().
+        """
+        if not self._has_clients():
+            return
+
+        et = event.event_type
+        if et in (EventType.MESSAGE_RECEIVED, EventType.MESSAGE_SENT):
+            sid = event.session_id
+            c = self._counters.get(sid)
+            if c is None:
+                c = {"count": 0, "in": 0, "out": 0, "last_seq": 0, "owner": event.owner_uid}
+                self._counters[sid] = c
+            c["count"] += 1
+            c["owner"] = event.owner_uid
+            if et == EventType.MESSAGE_RECEIVED:
+                c["in"] += 1
+            else:
+                c["out"] += 1
+            seq = event.payload.get("seq_num", 0)
+            if seq:
+                c["last_seq"] = seq
+            # Stream per-message only while under the per-window cap; beyond it
+            # the aggregator emits a summary instead (bounded task creation).
+            if c["count"] <= self._per_window_cap:
+                self._spawn(self._broadcast(sid, _serialize_event(event), event.owner_uid))
+        else:
+            # status / engine_error — always delivered immediately
+            self._spawn(self._broadcast(event.session_id, _serialize_event(event), event.owner_uid))
+
+    async def run_aggregator(self) -> None:
+        """Periodic task: emit a `message_agg` summary for any session whose
+        per-message frames were suppressed this window. Start in the app
+        lifespan; cancel on shutdown."""
+        try:
+            while True:
+                await asyncio.sleep(self.AGG_INTERVAL_S)
+                await self._emit_aggregates()
+        except asyncio.CancelledError:
+            pass
+
+    async def _emit_aggregates(self) -> None:
+        """Emit one message_agg per session whose per-message frames were
+        suppressed (high rate) this window. Resets the window counters."""
+        if not self._counters:
+            return
+        snapshot, self._counters = self._counters, {}
+        if not self._has_clients():
+            return
+        for sid, c in snapshot.items():
+            if c["count"] <= self._per_window_cap:
+                continue  # low rate — per-message frames already covered it
+            payload = {
+                "type": "message_agg",
+                "session_id": sid,
+                "rate": round(c["count"] / self.AGG_INTERVAL_S, 1),
+                "in": c["in"],
+                "out": c["out"],
+                "last_seq": c["last_seq"],
+                "window_ms": int(self.AGG_INTERVAL_S * 1000),
+                "ts": _now_iso(),
+            }
+            await self._broadcast(sid, payload, c["owner"])
 
     def broadcast_scenario_event(self, uid: str, data: dict) -> None:
         """Schedule delivery to all WS connections for uid."""
-        asyncio.create_task(self._broadcast_to_user(uid, data))
+        self._spawn(self._broadcast_to_user(uid, data))
 
     # ------------------------------------------------------------------
     # Internal async broadcast

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/api/deps.py

@@ -81,3 +81,15 @@ def get_custom_tag_store(request: HTTPConnection) -> CustomTagStore:
 
 def get_spec_overlay_store(request: HTTPConnection) -> SpecOverlayStore:
     return request.app.state.spec_overlay_store
+
+
+def get_perf_registry(request: HTTPConnection):
+    return request.app.state.perf_registry
+
+
+def get_perf_writer(request: HTTPConnection):
+    return request.app.state.perf_writer
+
+
+def get_perf_store(request: HTTPConnection):
+    return request.app.state.perf_store

fixtureqa-0.3.0/fixture/api/routers/perf.py

@@ -0,0 +1,245 @@
+"""
+Performance-testing REST + WebSocket API (admin-only).
+
+Stage 1a: run lifecycle (start/list/get/stop) + live snapshot WS. The WS uses a
+short-TTL single-use ticket (JWT never in the URL); the rest of the contract
+(messages/scenarios/export/configs) lands in later stages.
+"""
+import csv
+import io
+import logging
+import zipfile
+from typing import Annotated, Optional
+
+from fastapi import APIRouter, Depends, HTTPException, Query, WebSocket, WebSocketDisconnect
+from fastapi.responses import Response, StreamingResponse
+
+from ...core.models import SessionStatus
+from ...core.perf_models import RunConfig, RunStatus
+from ...core.perf_engine import RunRegistry
+from ...core.perf_payload import PerfConfigError
+from ...core.perf_store import PerfStore
+from ...core.perf_writer import PerfWriter
+from ...core.session_manager import SessionManager
+from ...core.template_store import TemplateStore
+from ...core.user_store import User
+from ..deps import (
+    get_session_manager, get_perf_registry, get_perf_writer, get_perf_store,
+    get_template_store, require_platform_admin,
+)
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(tags=["perf"])
+
+SM = Annotated[SessionManager, Depends(get_session_manager)]
+REG = Annotated[RunRegistry, Depends(get_perf_registry)]
+PW = Annotated[PerfWriter, Depends(get_perf_writer)]
+PS = Annotated[PerfStore, Depends(get_perf_store)]
+TS = Annotated[TemplateStore, Depends(get_template_store)]
+Admin = Annotated[User, Depends(require_platform_admin)]
+
+_TERMINAL = ("completed", "stopped", "error")
+
+
+def _require_started(sm: SessionManager, sid: str, label: str):
+    try:
+        state = sm.get_state(sid)
+    except KeyError:
+        raise HTTPException(status_code=409, detail=f"{label} session {sid!r} not found")
+    # The run drives load through the session but never starts/connects it — it
+    # must already be LOGGED_ON, or every send_message() silently returns False
+    # (orders all counted as rejected) and the run looks like it never started.
+    if state.status != SessionStatus.LOGGED_ON:
+        raise HTTPException(
+            status_code=409,
+            detail=(f"{label} session {sid!r} is not logged on "
+                    f"(status {state.status.name}); start it and wait for the "
+                    f"connection to establish before running a perf test"))
+    return state
+
+
+@router.post("/runs", status_code=201)
+async def create_run(body: RunConfig, sm: SM, reg: REG, ts: TS, admin: Admin):
+    # async so PerfRun.start()'s asyncio.create_task runs on the event loop
+    # (a sync def route runs in a threadpool with no running loop).
+    need_client = body.mode in ("loopback", "manager", "client")
+    need_venue = body.mode in ("loopback", "manager", "venue")
+    if need_client:
+        _require_started(sm, body.client_session_id, "client")
+    if need_venue:
+        _require_started(sm, body.venue_session_id, "venue")
+
+    # CompIDs from the driving (client, else venue) session — for template tokens.
+    drive_sid = body.client_session_id if need_client else body.venue_session_id
+    dcfg = sm.get_state(drive_sid).config
+    try:
+        run = reg.create(body, sm, template_store=ts, owner_uid=admin.uid,
+                         sender_comp_id=dcfg.sender_comp_id, target_comp_id=dcfg.target_comp_id)
+    except PerfConfigError as e:
+        raise HTTPException(status_code=422, detail=str(e))
+
+    # Soft perf warnings — don't block, but flag footguns.
+    checked = []
+    if need_client:
+        checked.append((body.client_session_id, "client"))
+    if need_venue:
+        checked.append((body.venue_session_id, "venue"))
+    for sid, label in checked:
+        cfg = sm.get_state(sid).config
+        if cfg.durable_seqnums:
+            run.warnings.append(f"{label} session has durable_seqnums=True — fsync per message caps throughput")
+        if cfg.log_messages:
+            run.warnings.append(f"{label} session has log_messages=True — persistence churn adds loop latency")
+    return {"run_id": run.run_id}
+
+
+@router.get("/runs", response_model=list[RunStatus])
+def list_runs(reg: REG, _admin: Admin):
+    # Live runs + historical runs from perf.db (survives a backend restart).
+    return reg.list_status()
+
+
+@router.get("/runs/{run_id}", response_model=RunStatus)
+def get_run(run_id: str, reg: REG, _admin: Admin):
+    status = reg.get_status(run_id)
+    if status is None:
+        raise HTTPException(status_code=404, detail="Run not found")
+    return status
+
+
+@router.delete("/runs/{run_id}", response_model=RunStatus)
+async def stop_run(run_id: str, reg: REG, _admin: Admin):
+    run = await reg.stop(run_id)
+    if run is not None:
+        return run.status_response()
+    # Not live — a historical/terminal run can't be stopped, but report its status.
+    status = reg.get_status(run_id)
+    if status is None:
+        raise HTTPException(status_code=404, detail="Run not found")
+    return status
+
+
+@router.get("/runs/{run_id}/messages")
+def run_messages(run_id: str, reg: REG, pw: PW, _admin: Admin,
+                 limit: int = Query(200, ge=1, le=5000), offset: int = Query(0, ge=0)):
+    if not reg.exists(run_id):
+        raise HTTPException(status_code=404, detail="Run not found")
+    return pw.read_messages(run_id, limit, offset)
+
+
+@router.get("/runs/{run_id}/scenarios")
+def run_scenarios(run_id: str, reg: REG, pw: PW, _admin: Admin,
+                  limit: int = Query(200, ge=1, le=5000), offset: int = Query(0, ge=0)):
+    if not reg.exists(run_id):
+        raise HTTPException(status_code=404, detail="Run not found")
+    return pw.read_scenarios(run_id, limit, offset)
+
+
+def _csv_stream(pw: PerfWriter, table: str, cols: tuple, run_id: str):
+    buf = io.StringIO()
+    w = csv.writer(buf)
+    w.writerow(cols)
+    yield buf.getvalue()
+    buf.seek(0); buf.truncate(0)
+    for row in pw.iter_rows(table, cols, run_id):
+        w.writerow(row)
+        yield buf.getvalue()
+        buf.seek(0); buf.truncate(0)
+
+
+def _csv_text(pw: PerfWriter, table: str, cols: tuple, run_id: str) -> str:
+    out = io.StringIO()
+    w = csv.writer(out)
+    w.writerow(cols)
+    for row in pw.iter_rows(table, cols, run_id):
+        w.writerow(row)
+    return out.getvalue()
+
+
+@router.get("/runs/{run_id}/export")
+def run_export(run_id: str, reg: REG, pw: PW, _admin: Admin,
+               kind: str = Query("messages")):
+    if not reg.exists(run_id):
+        raise HTTPException(status_code=404, detail="Run not found")
+    if kind == "messages":
+        return StreamingResponse(
+            _csv_stream(pw, "perf_messages", pw.message_columns(), run_id),
+            media_type="text/csv",
+            headers={"Content-Disposition": f'attachment; filename="{run_id}_messages.csv"'})
+    if kind == "scenarios":
+        return StreamingResponse(
+            _csv_stream(pw, "perf_scenarios", pw.scenario_columns(), run_id),
+            media_type="text/csv",
+            headers={"Content-Disposition": f'attachment; filename="{run_id}_scenarios.csv"'})
+    if kind == "both":
+        buf = io.BytesIO()
+        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
+            z.writestr(f"{run_id}_messages.csv",
+                       _csv_text(pw, "perf_messages", pw.message_columns(), run_id))
+            z.writestr(f"{run_id}_scenarios.csv",
+                       _csv_text(pw, "perf_scenarios", pw.scenario_columns(), run_id))
+        return Response(buf.getvalue(), media_type="application/zip",
+                        headers={"Content-Disposition": f'attachment; filename="{run_id}.zip"'})
+    raise HTTPException(status_code=422, detail="kind must be messages|scenarios|both")
+
+
+# --- saved configs --------------------------------------------------------
+
+@router.get("/configs")
+def list_configs(store: PS, _admin: Admin):
+    return store.list()
+
+
+@router.post("/configs", status_code=201)
+def save_config(body: RunConfig, store: PS, _admin: Admin):
+    return {"config_id": store.save(body.model_dump())}
+
+
+@router.get("/configs/{config_id}", response_model=RunConfig)
+def get_config(config_id: str, store: PS, _admin: Admin):
+    cfg = store.get(config_id)
+    if cfg is None:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return cfg
+
+
+@router.delete("/configs/{config_id}", status_code=204)
+def delete_config(config_id: str, store: PS, _admin: Admin):
+    if not store.delete(config_id):
+        raise HTTPException(status_code=404, detail="Config not found")
+
+
+@router.post("/runs/{run_id}/ticket", status_code=201)
+def ws_ticket(run_id: str, reg: REG, _admin: Admin):
+    if reg.get(run_id) is None:
+        raise HTTPException(status_code=404, detail="Run not found")
+    ticket, ttl = reg.issue_ticket(run_id)
+    return {"ticket": ticket, "expires_in": ttl}
+
+
+@router.websocket("/runs/{run_id}/live")
+async def live(websocket: WebSocket, run_id: str, ticket: Optional[str] = Query(default=None)):
+    reg: RunRegistry = websocket.app.state.perf_registry
+    if not ticket or reg.redeem_ticket(ticket) != run_id:
+        await websocket.close(code=4003, reason="Invalid or expired ticket")
+        return
+    run = reg.get(run_id)
+    if run is None:
+        await websocket.close(code=4004, reason="Run not found")
+        return
+
+    await websocket.accept()
+    q = run.add_watcher()
+    try:
+        while True:
+            snap = await q.get()
+            await websocket.send_json(snap)
+            if snap.get("status") in _TERMINAL:
+                break
+    except WebSocketDisconnect:
+        pass
+    except Exception:
+        pass
+    finally:
+        run.remove_watcher(q)

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/api/routers/sessions.py

@@ -41,6 +41,9 @@ def _session_response(sm: SessionManager, session_id: str, us: Optional[UserStor
         end_time=cfg.end_time,
         reset_on_logon=cfg.reset_on_logon,
         reset_on_logout=cfg.reset_on_logout,
+        durable_seqnums=cfg.durable_seqnums,
+        log_messages=cfg.log_messages,
+        validate_inbound=cfg.validate_inbound,
         session_role=cfg.session_role.value,
         auto_ack=cfg.auto_ack,
         auto_ack_delay_ms=cfg.auto_ack_delay_ms,
@@ -102,6 +105,9 @@ async def create_session(body: SessionConfigRequest, sm: SM, user: CurrentUser):
         end_time=body.end_time,
         reset_on_logon=body.reset_on_logon,
         reset_on_logout=body.reset_on_logout,
+        durable_seqnums=body.durable_seqnums,
+        log_messages=body.log_messages,
+        validate_inbound=body.validate_inbound,
         session_role=role,
         auto_ack=body.auto_ack,
         auto_ack_delay_ms=body.auto_ack_delay_ms,
@@ -152,6 +158,9 @@ def import_sessions(body: list[SessionConfigRequest], sm: SM, user: CurrentUser)
                 end_time=item.end_time,
                 reset_on_logon=item.reset_on_logon,
                 reset_on_logout=item.reset_on_logout,
+                durable_seqnums=item.durable_seqnums,
+                log_messages=item.log_messages,
+                validate_inbound=item.validate_inbound,
                 session_role=role,
                 auto_ack=item.auto_ack,
                 auto_ack_delay_ms=item.auto_ack_delay_ms,
@@ -218,31 +227,16 @@ async def stop_session(
 @router.post("/{session_id}/send")
 async def send_message(session_id: str, body: SendMessageRequest, sm: SM, user: CurrentUser):
     _check_ownership(sm, session_id, user)
-    from ...core.fix_parser import parse_raw
-    from fixcore.message.message import Message
+    from ...core.fix_builder import build_message_from_raw
     from datetime import datetime, timezone
 
-    raw = body.raw
-    if "\x01" not in raw:
-        raw = raw.replace("|", "\x01")
-
-    fields = parse_raw(raw)  # {tag_int: value_str}
-    msg_type = fields.get(35)
-    if not msg_type:
-        raise HTTPException(status_code=422, detail="Missing MsgType (tag 35)")
-
-    if not body.no_auto_ts and 60 not in fields:
-        fields[60] = datetime.now(timezone.utc).strftime("%Y%m%d-%H:%M:%S")
-
-    SKIP = {8, 9, 10, 34, 35, 49, 52, 56}
-    msg = Message()
-    msg.header.set(35, msg_type)
-    for tag, value in fields.items():
-        if tag not in SKIP:
-            try:
-                msg.set_field(int(tag), str(value))
-            except Exception:
-                pass
+    # Build group-aware using the session's DataDictionary so repeating groups
+    # (e.g. NoAllocs rows) survive instead of collapsing to their last instance.
+    ts = None if body.no_auto_ts else datetime.now(timezone.utc).strftime("%Y%m%d-%H:%M:%S")
+    try:
+        msg = build_message_from_raw(body.raw, sm.get_data_dictionary(session_id), transact_time=ts)
+    except ValueError as e:
+        raise HTTPException(status_code=422, detail=str(e))
 
     ok = await sm.send_message(session_id, msg)
     if not ok:

{fixtureqa-0.1.8 → fixtureqa-0.3.0}/fixture/api/routers/ws.py

@@ -40,19 +40,35 @@ async def _send_snapshot(websocket: WebSocket, sm: SessionManager, uid: str, is_
         })
 
 
-def _authenticate_ws(websocket: WebSocket, token: Optional[str]) -> tuple[str, bool]:
-    """Validate JWT token from query param. Returns (uid, is_admin) or closes with 403."""
+def _token_from_ws(websocket: WebSocket, query_token: Optional[str]) -> tuple[Optional[str], Optional[str]]:
+    """Resolve the JWT, preferring the Sec-WebSocket-Protocol header so the
+    token never appears in the URL (and thus not in access/proxy logs or
+    browser history). The browser sends ["bearer", "<jwt>"]; we echo "bearer"
+    as the negotiated subprotocol. Falls back to the legacy query param.
+
+    Returns (token, subprotocol_to_echo).
+    """
+    raw = websocket.headers.get("sec-websocket-protocol", "")
+    parts = [p.strip() for p in raw.split(",") if p.strip()]
+    if len(parts) >= 2 and parts[0] == "bearer":
+        return parts[1], "bearer"
+    return query_token, None
+
+
+def _authenticate_ws(websocket: WebSocket, token: Optional[str]) -> tuple[Optional[str], bool, Optional[str]]:
+    """Validate the JWT. Returns (uid, is_admin, subprotocol) or (None, False, None)."""
+    token, subprotocol = _token_from_ws(websocket, token)
     if not token:
-        return None, False
+        return None, False, None
     try:
         payload = decode_token(token)
         uid = payload.get("sub", "")
         role = payload.get("role", "")
         if not uid:
-            return None, False
-        return uid, role == "platform_admin"
+            return None, False, None
+        return uid, role == "platform_admin", subprotocol
     except JWTError:
-        return None, False
+        return None, False, None
 
 
 @router.websocket("/ws")
@@ -63,7 +79,7 @@ async def ws_all_sessions(
     token: Optional[str] = Query(default=None),
 ):
     """Subscribe to events from all sessions."""
-    uid, is_admin = _authenticate_ws(websocket, token)
+    uid, is_admin, subprotocol = _authenticate_ws(websocket, token)
     if not uid:
         logger.warning("WS /ws: auth failed (no token or invalid JWT)")
         await websocket.close(code=4003, reason="Unauthorized")
@@ -78,7 +94,8 @@ async def ws_all_sessions(
         return
 
     logger.info("WS /ws: client connected uid=%s is_admin=%s", uid, is_admin)
-    await conn_mgr.connect(websocket, session_id="*", uid=uid, is_admin=is_admin)
+    await conn_mgr.connect(websocket, session_id="*", uid=uid, is_admin=is_admin,
+                           subprotocol=subprotocol)
     try:
         await _send_snapshot(websocket, sm, uid, is_admin)
         while True:
@@ -103,7 +120,7 @@ async def ws_single_session(
     token: Optional[str] = Query(default=None),
 ):
     """Subscribe to events from a single session."""
-    uid, is_admin = _authenticate_ws(websocket, token)
+    uid, is_admin, subprotocol = _authenticate_ws(websocket, token)
     if not uid:
         logger.warning("WS /ws/%s: auth failed (no token or invalid JWT)", session_id)
         await websocket.close(code=4003, reason="Unauthorized")
@@ -125,7 +142,8 @@ async def ws_single_session(
         return
 
     logger.info("WS /ws/%s: client connected uid=%s is_admin=%s", session_id, uid, is_admin)
-    await conn_mgr.connect(websocket, session_id=session_id, uid=uid, is_admin=is_admin)
+    await conn_mgr.connect(websocket, session_id=session_id, uid=uid, is_admin=is_admin,
+                           subprotocol=subprotocol)
     try:
         await _send_snapshot(websocket, sm, uid, is_admin, session_id=session_id)
         while True: