jac-scale 0.1.1__py3-none-any.whl → 0.1.4__py3-none-any.whl

jac_scale/impl/user_manager.impl.jac

@@ -0,0 +1,349 @@
+impl JacScaleUserManager.postinit -> None {
+    super.postinit();
+    # Create SSO accounts table for tracking linked external identities
+    self._ensure_connection();
+    self._conn.execute(
+        """
+        CREATE TABLE IF NOT EXISTS sso_accounts (
+            user_id TEXT NOT NULL,
+            platform TEXT NOT NULL,
+            external_id TEXT NOT NULL,
+            email TEXT,
+            linked_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            PRIMARY KEY (platform, external_id),
+            FOREIGN KEY (user_id) REFERENCES users(username) ON DELETE CASCADE
+        )
+        """
+    );
+    # Create index for faster lookups by user_id
+    self._conn.execute(
+        "CREATE INDEX IF NOT EXISTS idx_sso_accounts_user_id ON sso_accounts(user_id)"
+    );
+    self._conn.commit();
+    # Load SSO config
+    sso_config = get_scale_config().get_sso_config();
+    for platform in Platforms {
+        key = platform.lower();
+        platform_config = sso_config.get(key, {});
+
+        client_id = platform_config.get('client_id', '');
+        client_secret = platform_config.get('client_secret', '');
+
+        if not client_id or not client_secret {
+            continue;
+        }
+
+        self.SUPPORTED_PLATFORMS[platform.value] = {
+            "client_id": client_id,
+            "client_secret": client_secret
+        };
+    }
+}
+
+impl JacScaleUserManager.create_jwt_token(username: str) -> str {
+    now = datetime.now(UTC);
+    payload: dict[(str, Any)] = {
+        'username': username,
+        'exp': (now + timedelta(days=JWT_EXP_DELTA_DAYS)),
+        'iat': now.timestamp()
+    };
+    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM);
+}
+
+impl JacScaleUserManager.validate_jwt_token(token: str) -> (str | None) {
+    try {
+        decoded = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM]);
+        return decoded['username'];
+    } except Exception {
+        return None;
+    }
+}
+
+impl JacScaleUserManager.refresh_jwt_token(token: str) -> (str | None) {
+    try {
+        decoded = jwt.decode(
+            token, JWT_SECRET, algorithms=[JWT_ALGORITHM], options={"verify_exp": True}
+        );
+        username = decoded.get('username');
+
+        if not username {
+            return None;
+        }
+
+        return self.create_jwt_token(username);
+    } except Exception {
+        return None;
+    }
+}
+
+impl JacScaleUserManager.validate_token(token: str) -> (str | None) {
+    return self.validate_jwt_token(token);
+}
+
+impl JacScaleUserManager.get_sso(platform: str, operation: str) -> (SSOProvider | None) {
+    if (platform not in self.SUPPORTED_PLATFORMS) {
+        return None;
+    }
+    credentials = self.SUPPORTED_PLATFORMS[platform];
+    redirect_uri = f"{SSO_HOST}/{platform}/{operation}/callback";
+    if (platform == Platforms.GOOGLE.value) {
+        import from jac_scale.google_sso_provider { GoogleSSOProvider }
+        return GoogleSSOProvider(
+            client_id=credentials['client_id'],
+            client_secret=credentials['client_secret'],
+            redirect_uri=redirect_uri,
+            allow_insecure_http=True
+        );
+    }
+    return None;
+}
+
+impl JacScaleUserManager.sso_initiate(
+    platform: str, operation: str
+) -> (Response | TransportResponse) {
+    import from jaclang.runtimelib.server { JsonValue }
+    if (platform not in [p.value for p in Platforms]) {
+        return TransportResponse.fail(
+            code='INVALID_PLATFORM',
+            message=f"Invalid platform '{platform}'. Supported platforms: {', '.join(
+                [p.value for p in Platforms]
+            )}",
+            meta=Meta(extra={'http_status': 400})
+        );
+    }
+    if (platform not in self.SUPPORTED_PLATFORMS) {
+        return TransportResponse.fail(
+            code='SSO_NOT_CONFIGURED',
+            message=f"SSO for platform '{platform}' is not configured. Please set SSO_{platform.upper()}_CLIENT_ID and SSO_{platform.upper()}_CLIENT_SECRET environment variables.",
+            meta=Meta(extra={'http_status': 501})
+        );
+    }
+    if (operation not in [o.value for o in Operations]) {
+        return TransportResponse.fail(
+            code='INVALID_OPERATION',
+            message=f"Invalid operation '{operation}'. Must be 'login' or 'register'",
+            meta=Meta(extra={'http_status': 400})
+        );
+    }
+    sso = self.get_sso(platform, operation);
+    if not sso {
+        return TransportResponse.fail(
+            code='SSO_INIT_FAILED',
+            message=f"Failed to initialize SSO for platform '{platform}'",
+            meta=Meta(extra={'http_status': 500})
+        );
+    }
+    return await sso.initiate_auth(operation);
+}
+
+impl JacScaleUserManager.sso_callback(
+    request: Request, platform: str, operation: str
+) -> TransportResponse {
+    import from jaclang.runtimelib.server { JsonValue }
+    if (platform not in [p.value for p in Platforms]) {
+        return TransportResponse.fail(
+            code='INVALID_PLATFORM',
+            message=f"Invalid platform '{platform}'. Supported platforms: {', '.join(
+                [p.value for p in Platforms]
+            )}",
+            meta=Meta(extra={'http_status': 400})
+        );
+    }
+    if (platform not in self.SUPPORTED_PLATFORMS) {
+        return TransportResponse.fail(
+            code='SSO_NOT_CONFIGURED',
+            message=f"SSO for platform '{platform}' is not configured. Please set SSO_{platform.upper()}_CLIENT_ID and SSO_{platform.upper()}_CLIENT_SECRET environment variables.",
+            meta=Meta(extra={'http_status': 501})
+        );
+    }
+    if (operation not in [o.value for o in Operations]) {
+        return TransportResponse.fail(
+            code='INVALID_OPERATION',
+            message=f"Invalid operation '{operation}'. Must be 'login' or 'register'",
+            meta=Meta(extra={'http_status': 400})
+        );
+    }
+    sso = self.get_sso(platform, operation);
+    if not sso {
+        return TransportResponse.fail(
+            code='SSO_INIT_FAILED',
+            message=f"Failed to initialize SSO for platform '{platform}'",
+            meta=Meta(extra={'http_status': 500})
+        );
+    }
+    try {
+        user_info = await sso.handle_callback(request);
+        email = user_info.email;
+        if not email {
+            return TransportResponse.fail(
+                code='EMAIL_MISSING',
+                message=f"Email not provided by {platform}",
+                meta=Meta(extra={'http_status': 400})
+            );
+        }
+        if (operation == Operations.LOGIN.value) {
+            user = self.get_user(email);
+            if not user {
+                return TransportResponse.fail(
+                    code='USER_NOT_FOUND',
+                    message='User not found. Please register first.',
+                    meta=Meta(extra={'http_status': 404})
+                );
+            }
+            token = self.create_jwt_token(email);
+            return TransportResponse.success(
+                data={
+                    'message': 'Login successful',
+                    'email': email,
+                    'token': token,
+                    'platform': platform,
+                    'user': dict[(str, JsonValue)](user)
+                },
+                meta=Meta(extra={'http_status': 200})
+            );
+        } elif (operation == Operations.REGISTER.value) {
+            existing_user = self.get_user(email);
+            if existing_user {
+                return TransportResponse.fail(
+                    code='USER_EXISTS',
+                    message='User already exists. Please login instead.',
+                    meta=Meta(extra={'http_status': 400})
+                );
+            }
+            random_password = generate_random_password();
+            result = self.create_user(email, random_password);
+            if ('error' in result) {
+                return TransportResponse.fail(
+                    code='USER_CREATION_FAILED',
+                    message=result.get('error', 'User creation failed'),
+                    meta=Meta(extra={'http_status': 400})
+                );
+            }
+            token = self.create_jwt_token(email);
+            result['token'] = token;
+            result['platform'] = platform;
+            return TransportResponse.success(
+                data=result, meta=Meta(extra={'http_status': 201})
+            );
+        }
+    } except Exception as e {
+        return TransportResponse.fail(
+            code='AUTHENTICATION_FAILED',
+            message=f"Authentication failed: {str(e)}",
+            meta=Meta(extra={'http_status': 500})
+        );
+    }
+    return TransportResponse.fail(
+        code='UNKNOWN_ERROR',
+        message='An unknown error occurred',
+        meta=Meta(extra={'http_status': 500})
+    );
+}
+
+# SSO Account Linking Methods
+"""Link an SSO account to a user.
+
+This allows users to have multiple SSO providers linked to their account.
+"""
+impl JacScaleUserManager.link_sso_account(
+    user_id: str, platform: str, external_id: str, email: str
+) -> dict[str, str] {
+    self._ensure_connection();
+    # Check if this SSO account is already linked to another user
+    cursor = self._conn.execute(
+        "SELECT user_id FROM sso_accounts WHERE platform = ? AND external_id = ?",
+        (platform, external_id)
+    );
+    existing = cursor.fetchone();
+    if existing {
+        if existing[0] == user_id {
+            return {'message': 'SSO account already linked to this user'};
+        }
+        return {'error': 'This SSO account is already linked to another user'};
+    }
+    # Link the SSO account
+    self._conn.execute(
+        """
+        INSERT INTO sso_accounts (user_id, platform, external_id, email)
+        VALUES (?, ?, ?, ?)
+        """,
+        (user_id, platform, external_id, email)
+    );
+    self._conn.commit();
+    return {
+        'message': 'SSO account linked successfully',
+        'user_id': user_id,
+        'platform': platform
+    };
+}
+
+"""Unlink an SSO account from a user."""
+impl JacScaleUserManager.unlink_sso_account(
+    user_id: str, platform: str
+) -> dict[str, str] {
+    self._ensure_connection();
+    cursor = self._conn.execute(
+        "DELETE FROM sso_accounts WHERE user_id = ? AND platform = ?",
+        (user_id, platform)
+    );
+    self._conn.commit();
+    if cursor.rowcount == 0 {
+        return {'error': 'SSO account not found'};
+    }
+    return {
+        'message': 'SSO account unlinked successfully',
+        'user_id': user_id,
+        'platform': platform
+    };
+}
+
+"""Get all SSO accounts linked to a user."""
+impl JacScaleUserManager.get_sso_accounts(user_id: str) -> list[dict[str, str]] {
+    self._ensure_connection();
+    cursor = self._conn.execute(
+        """
+        SELECT platform, external_id, email, linked_at
+        FROM sso_accounts
+        WHERE user_id = ?
+        ORDER BY linked_at DESC
+        """,
+        (user_id, )
+    );
+    accounts = [];
+    for row in cursor.fetchall() {
+        accounts.append(
+            {
+                'platform': row[0],
+                'external_id': row[1],
+                'email': row[2],
+                'linked_at': row[3]
+            }
+        );
+    }
+    return accounts;
+}
+
+"""Find a user by their SSO account credentials.
+
+This is used during SSO login to find the user associated with
+an external SSO identity.
+"""
+impl JacScaleUserManager.get_user_by_sso(
+    platform: str, external_id: str
+) -> (dict[str, str] | None) {
+    self._ensure_connection();
+    cursor = self._conn.execute(
+        """
+        SELECT sa.user_id, u.token, u.root_id
+        FROM sso_accounts sa
+        JOIN users u ON sa.user_id = u.username
+        WHERE sa.platform = ? AND sa.external_id = ?
+        """,
+        (platform, external_id)
+    );
+    row = cursor.fetchone();
+    if not row {
+        return None;
+    }
+    return {'email': row[0], 'token': row[1], 'root_id': row[2]};
+}

jac_scale/impl/webhook.impl.jac

@@ -0,0 +1,212 @@
+"""Implementation of Webhook utilities for Jac Scale.
+
+This module implements HMAC-SHA256 signature generation/verification
+and API key management for webhook authentication.
+"""
+import hmac;
+import hashlib;
+import secrets;
+import jwt;
+import from datetime { UTC, datetime, timedelta }
+import from typing { Any }
+import from jaclang.runtimelib.transport { TransportResponse, Meta }
+import from jac_scale.config_loader { get_scale_config }
+
+# Load JWT config for signing API keys
+glob _jwt_config = get_scale_config().get_jwt_config(),
+     JWT_SECRET = _jwt_config['secret'],
+     JWT_ALGORITHM = _jwt_config['algorithm'];
+
+"""Generate HMAC-SHA256 signature for webhook payload."""
+impl WebhookUtils.generate_signature(payload: bytes, secret: str) -> str {
+    return hmac.new(secret.encode('utf-8'), payload, hashlib.sha256).hexdigest();
+}
+
+"""Verify HMAC-SHA256 signature for webhook payload."""
+impl WebhookUtils.verify_signature(payload: bytes, signature: str, secret: str) -> bool {
+    expected_signature = WebhookUtils.generate_signature(payload, secret);
+    # Use constant-time comparison to prevent timing attacks
+    return hmac.compare_digest(signature.lower(), expected_signature.lower());
+}
+
+"""Generate a cryptographically secure API key."""
+impl WebhookUtils.generate_api_key -> str {
+    return secrets.token_hex(32);
+}
+
+"""Create a JWT-wrapped API key token."""
+impl WebhookUtils.create_api_key_token(
+    api_key_id: str, username: str, name: str, expiry_days: int | None = None
+) -> str {
+    _webhook_config = get_scale_config().get_webhook_config();
+    default_expiry = _webhook_config.get('api_key_expiry_days', 365);
+    payload: dict[str, Any] = {
+        'type': 'api_key',
+        'api_key_id': api_key_id,
+        'sub': username,
+        'name': name,
+        'iat': datetime.now(UTC)
+    };
+    # Add expiry if specified
+    if expiry_days is not None {
+        payload['exp'] = datetime.now(UTC) + timedelta(days=expiry_days);
+    } elif default_expiry > 0 {
+        payload['exp'] = datetime.now(UTC) + timedelta(days=default_expiry);
+    }
+    # If expiry_days is 0 or negative, no expiry is set (permanent key)
+    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM);
+}
+
+"""Validate an API key token and extract user information."""
+impl WebhookUtils.validate_api_key(api_key: str) -> dict[str, str] | None {
+    try {
+        payload = jwt.decode(api_key, JWT_SECRET, algorithms=[JWT_ALGORITHM]);
+
+        # Verify this is an API key token
+        if payload.get('type') != 'api_key' {
+            return None;
+        }
+
+        return {
+            'username': payload.get('sub', ''),
+            'api_key_id': payload.get('api_key_id', ''),
+            'name': payload.get('name', '')
+        };
+    } except jwt.ExpiredSignatureError {
+        return None;
+    } except jwt.InvalidTokenError {
+        return None;
+    }
+}
+
+"""Extract signature from request header value."""
+impl WebhookUtils.extract_signature(header_value: str) -> str {
+    # Handle prefixed signatures like "sha256=abc123..."
+    if '=' in header_value {
+        parts = header_value.split('=', 1);
+        if len(parts) == 2 {
+            return parts[1];
+        }
+    }
+    return header_value;
+}
+
+"""Create a new API key for a user."""
+impl ApiKeyManager.create_api_key(
+    username: str, name: str, expiry_days: int | None = None
+) -> TransportResponse {
+    # Generate unique API key ID
+    api_key_id = secrets.token_hex(16);
+    # Create the JWT-wrapped API key
+    api_key = WebhookUtils.create_api_key_token(
+        api_key_id=api_key_id, username=username, name=name, expiry_days=expiry_days
+    );
+    created_at = datetime.now(UTC);
+    expires_at: datetime | None = None;
+    _webhook_config = get_scale_config().get_webhook_config();
+    default_expiry = _webhook_config.get('api_key_expiry_days', 365);
+    if expiry_days is not None and expiry_days > 0 {
+        expires_at = created_at + timedelta(days=expiry_days);
+    } elif default_expiry > 0 {
+        expires_at = created_at + timedelta(days=default_expiry);
+    }
+    # Store key metadata (not the key itself for security)
+    self._api_keys[api_key_id] = {
+        'username': username,
+        'name': name,
+        'created_at': created_at.isoformat(),
+        'expires_at': expires_at.isoformat() if expires_at else None,
+        'revoked': False
+    };
+    # Track keys by user
+    if username not in self._user_keys {
+        self._user_keys[username] = [];
+    }
+    self._user_keys[username].append(api_key_id);
+    return TransportResponse.success(
+        data={
+            'api_key': api_key,
+            'api_key_id': api_key_id,
+            'name': name,
+            'created_at': created_at.isoformat(),
+            'expires_at': expires_at.isoformat() if expires_at else None
+        },
+        meta=Meta(extra={'http_status': 201})
+    );
+}
+
+"""List all API keys for a user (metadata only, not the keys)."""
+impl ApiKeyManager.list_api_keys(username: str) -> TransportResponse {
+    user_key_ids = self._user_keys.get(username, []);
+    keys: list[dict[str, Any]] = [];
+    for key_id in user_key_ids {
+        key_info = self._api_keys.get(key_id);
+        if key_info and not key_info.get('revoked', False) {
+            keys.append(
+                {
+                    'api_key_id': key_id,
+                    'name': key_info.get('name', ''),
+                    'created_at': key_info.get('created_at'),
+                    'expires_at': key_info.get('expires_at'),
+                    'active': True
+                }
+            );
+        }
+    }
+    return TransportResponse.success(
+        data={'api_keys': keys}, meta=Meta(extra={'http_status': 200})
+    );
+}
+
+"""Revoke an API key."""
+impl ApiKeyManager.revoke_api_key(username: str, api_key_id: str) -> TransportResponse {
+    # Check if key exists
+    if api_key_id not in self._api_keys {
+        return TransportResponse.fail(
+            code='NOT_FOUND',
+            message=f"API key '{api_key_id}' not found",
+            meta=Meta(extra={'http_status': 404})
+        );
+    }
+    # Check if key belongs to user
+    key_info = self._api_keys[api_key_id];
+    if key_info.get('username') != username {
+        return TransportResponse.fail(
+            code='FORBIDDEN',
+            message='Cannot revoke API key owned by another user',
+            meta=Meta(extra={'http_status': 403})
+        );
+    }
+    # Mark as revoked
+    self._api_keys[api_key_id]['revoked'] = True;
+    return TransportResponse.success(
+        data={'message': f"API key '{api_key_id}' has been revoked"},
+        meta=Meta(extra={'http_status': 200})
+    );
+}
+
+"""Validate an API key and return the associated username."""
+impl ApiKeyManager.validate_api_key(api_key: str) -> str | None {
+    # Decode the JWT to get key info
+    key_info = WebhookUtils.validate_api_key(api_key);
+    if not key_info {
+        return None;
+    }
+    api_key_id = key_info.get('api_key_id', '');
+    # Check if key is still active (not revoked)
+    if not self.is_key_active(api_key_id) {
+        return None;
+    }
+    return key_info.get('username');
+}
+
+"""Check if an API key ID exists and is not revoked."""
+impl ApiKeyManager.is_key_active(api_key_id: str) -> bool {
+    key_info = self._api_keys.get(api_key_id);
+    if not key_info {
+        # Key not in our store - could be from before server restart
+        # Allow it if JWT is valid (handled by validate_api_key)
+        return True;
+    }
+    return not key_info.get('revoked', False);
+}

jac_scale/jserver/impl/jfast_api.impl.jac

@@ -379,6 +379,10 @@ impl JFastApiServer._create_endpoint_function(
     if accepts_kwargs {
         param_strs.append('request: Request');
         param_mapping['__request__'] = 'request';
+        # If the callback also explicitly accepts a request parameter, map it
+        if needs_request {
+            param_mapping['request'] = 'request';
+        }
     } elif needs_request {
         param_strs.append('request: Request');
         param_mapping['request'] = 'request';

jac_scale/memory_hierarchy.jac

@@ -74,7 +74,9 @@ MongoDB persistence backend - implements PersistentMemory for durable L3 storage
 Replaces SqliteMemory when MongoDB is available.
 """
 obj MongoBackend(PersistentMemory) {
-    has client: (MongoClient | None) = None,
+    has client: MongoClient | None = None,
+        db: Any by postinit,
+        collection: Any by postinit,
         db_name: str = 'jac_db',
         collection_name: str = 'anchors',
         mongo_url: str = _db_config['mongodb_uri'];

jac_scale/plugin.jac

@@ -4,6 +4,7 @@ import pathlib;
 import from dotenv { load_dotenv }
 import from jaclang.cli.registry { get_registry }
 import from jaclang.cli.command { Arg, ArgKind, CommandPriority, HookContext }
+import from jaclang.cli.console { console }
 import from jaclang.pycore.runtime { hookimpl, plugin_manager }
 import from jaclang.runtimelib.context { ExecutionContext }
 import from jaclang.runtimelib.server { JacAPIServer as JacServer }
@@ -15,6 +16,9 @@ import from .factories.deployment_factory { DeploymentTargetFactory }
 import from .factories.registry_factory { ImageRegistryFactory }
 import from .factories.utility_factory { UtilityFactory }
 import from .abstractions.config.app_config { AppConfig }
+import from .user_manager { JacScaleUserManager }
+import from jaclang.runtimelib.server { UserManager }
+import from jaclang.runtimelib.storage { Storage }
 
 """Pre-hook for jac start command to handle --scale flag."""
 def _scale_pre_hook(context: HookContext) -> None {
@@ -23,6 +27,7 @@ def _scale_pre_hook(context: HookContext) -> None {
         # Handle deployment instead of local server
         filename = context.get_arg("filename");
         build = context.get_arg("build", False);
+        experimental = context.get_arg("experimental", False);
         target = context.get_arg("target", "kubernetes");
         registry = context.get_arg("registry", "dockerhub");
         if not os.path.exists(filename) {
@@ -57,15 +62,27 @@ def _scale_pre_hook(context: HookContext) -> None {
         }
         # Create app config
         app_config = AppConfig(
-            code_folder=code_folder, file_name=base_file_path, build=build
+            code_folder=code_folder,
+            file_name=base_file_path,
+            build=build,
+            experimental=experimental
         );
+        if experimental {
+            console.print(
+                "Installing Jaseci packages from repository (experimental mode)..."
+            );
+        } else {
+            console.print("Installing Jaseci packages from PyPI...");
+        }
         # Deploy
         result = deployment_target.deploy(app_config);
         if not result.success {
             raise RuntimeError(result.message or "Deployment failed") ;
         }
         if result.service_url {
-            print(f"Deployment complete! Service available at: {result.service_url}");
+            console.print(
+                f"Deployment complete! Service available at: {result.service_url}"
+            );
         }
         # Cancel normal start execution since we handled it
         context.set_data("cancel_execution", True);
@@ -99,6 +116,13 @@ class JacCmd {
                     help="Build and push Docker image (with --scale)",
                     short="b"
                 ),
+                Arg.create(
+                    "experimental",
+                    typ=bool,
+                    default=False,
+                    help="Use experimental mode (install from repo instead of PyPI)",
+                    short="e"
+                ),
                 Arg.create(
                     "target",
                     typ=str,
@@ -166,7 +190,9 @@ class JacCmd {
             app_name = os.getenv('APP_NAME') or target_config.get('app_name', 'jaseci');
             deployment_target.destroy(app_name);
 
-            print(f"Successfully destroyed deployment '{app_name}' from {target}");
+            console.print(
+                f"Successfully destroyed deployment '{app_name}' from {target}"
+            );
             return 0;
         }
     }
@@ -197,6 +223,23 @@ class JacScalePlugin {
     static def get_api_server_class -> type {
         return JacAPIServer;
     }
+
+    """Provide jac-scale's UserManager."""
+    @hookimpl
+    static def get_user_manager(base_path: str) -> UserManager {
+        return JacScaleUserManager(base_path=base_path);
+    }
+
+    """Provide jac-scale's storage backend.
+
+    This overrides the core store() to use jac-scale's StorageFactory,
+    which supports cloud backends (S3, GCS, Azure) via configuration.
+    """
+    @hookimpl
+    static def store(base_path: str = "./storage", create_dirs: bool = True) -> Storage {
+        import from .factories.storage_factory { StorageFactory }
+        return StorageFactory.get_default(base_path, create_dirs);
+    }
 }
 
 # Pluggy's varnames() puts parameters with defaults into kwargnames, not argnames.