PyPI - kailash - Versions diffs - 0.6.1__py3-none-any.whl → 0.6.3__py3-none-any.whl - Mend

kailash 0.6.1py3-none-any.whl → 0.6.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

kailash/__init__.py +1 -1
kailash/core/actors/connection_actor.py +3 -3
kailash/gateway/api.py +7 -5
kailash/gateway/enhanced_gateway.py +1 -1
kailash/{mcp → mcp_server}/__init__.py +12 -7
kailash/{mcp → mcp_server}/ai_registry_server.py +2 -2
kailash/{mcp/server_enhanced.py → mcp_server/server.py} +231 -48
kailash/{mcp → mcp_server}/servers/ai_registry.py +2 -2
kailash/{mcp → mcp_server}/utils/__init__.py +1 -6
kailash/middleware/auth/access_control.py +5 -5
kailash/middleware/gateway/checkpoint_manager.py +45 -8
kailash/middleware/mcp/client_integration.py +1 -1
kailash/middleware/mcp/enhanced_server.py +2 -2
kailash/nodes/admin/permission_check.py +110 -30
kailash/nodes/admin/schema.sql +387 -0
kailash/nodes/admin/tenant_isolation.py +249 -0
kailash/nodes/admin/transaction_utils.py +244 -0
kailash/nodes/admin/user_management.py +37 -9
kailash/nodes/ai/ai_providers.py +55 -3
kailash/nodes/ai/iterative_llm_agent.py +1 -1
kailash/nodes/ai/llm_agent.py +118 -16
kailash/nodes/data/sql.py +24 -0
kailash/resources/registry.py +6 -0
kailash/runtime/async_local.py +7 -0
kailash/utils/export.py +152 -0
kailash/workflow/builder.py +42 -0
kailash/workflow/graph.py +86 -17
kailash/workflow/templates.py +4 -9
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/METADATA +3 -2
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/RECORD +40 -38
kailash/mcp/server.py +0 -292
/kailash/{mcp → mcp_server}/client.py +0 -0
/kailash/{mcp → mcp_server}/client_new.py +0 -0
/kailash/{mcp → mcp_server}/utils/cache.py +0 -0
/kailash/{mcp → mcp_server}/utils/config.py +0 -0
/kailash/{mcp → mcp_server}/utils/formatters.py +0 -0
/kailash/{mcp → mcp_server}/utils/metrics.py +0 -0
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/WHEEL +0 -0
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/entry_points.txt +0 -0
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/licenses/LICENSE +0 -0
{kailash-0.6.1.dist-info → kailash-0.6.3.dist-info}/top_level.txt +0 -0

kailash/nodes/admin/permission_check.py CHANGED Viewed

@@ -721,36 +721,67 @@ class PermissionCheckNode(Node):
         }
     def _get_user_context(self, user_id: str, tenant_id: str) -> Optional[UserContext]:
-        """Get user context for permission evaluation."""
-        # Query user data from unified admin schema
-        query = """
-        SELECT user_id, email, roles, attributes, status, tenant_id
+        """Get user context for permission evaluation with strict tenant isolation."""
+        # Query user data and assigned roles from unified admin schema
+        user_query = """
+        SELECT user_id, email, attributes, status, tenant_id
         FROM users
         WHERE user_id = $1 AND tenant_id = $2 AND status = 'active'
         """
+        # Get assigned roles from user_role_assignments table with strict tenant isolation
+        roles_query = """
+        SELECT role_id
+        FROM user_role_assignments
+        WHERE user_id = $1 AND tenant_id = $2 AND is_active = true
+        """
         try:
-            result = self._db_node.run(
-                query=query, parameters=[user_id, tenant_id], result_format="dict"
+            # Get user data - strict tenant check
+            user_result = self._db_node.run(
+                query=user_query, parameters=[user_id, tenant_id], result_format="dict"
             )
-            # Handle the corrected result structure
-            user_rows = result.get("data", [])
+            user_rows = user_result.get("data", [])
             if not user_rows:
+                # User not found in this tenant - strict tenant isolation
+                self.logger.debug(f"User {user_id} not found in tenant {tenant_id}")
                 return None
             user_data = user_rows[0]
+            # Verify tenant isolation - ensure user belongs to the requested tenant
+            if user_data.get("tenant_id") != tenant_id:
+                self.logger.warning(
+                    f"Tenant isolation violation: User {user_id} belongs to {user_data.get('tenant_id')} but permission check requested for {tenant_id}"
+                )
+                return None
+            # Get assigned roles - also with strict tenant isolation
+            roles_result = self._db_node.run(
+                query=roles_query, parameters=[user_id, tenant_id], result_format="dict"
+            )
+            role_rows = roles_result.get("data", [])
+            assigned_roles = [row["role_id"] for row in role_rows]
+            # Log for debugging tenant isolation
+            self.logger.debug(
+                f"User {user_id} in tenant {tenant_id} has roles: {assigned_roles}"
+            )
             return UserContext(
                 user_id=user_data["user_id"],
                 tenant_id=user_data["tenant_id"],
                 email=user_data["email"],
-                roles=user_data.get("roles", []),
+                roles=assigned_roles,
                 attributes=user_data.get("attributes", {}),
             )
         except Exception as e:
             # Log the error and return None to indicate user not found
-            self.logger.warning(f"Failed to get user context for {user_id}: {e}")
+            self.logger.warning(
+                f"Failed to get user context for {user_id} in tenant {tenant_id}: {e}"
+            )
             return None
     def _check_rbac_permission(
@@ -826,39 +857,57 @@ class PermissionCheckNode(Node):
         return permissions
     def _get_role_permissions(self, role_id: str, tenant_id: str) -> Set[str]:
-        """Get permissions for a specific role including inherited permissions."""
-        # Query role and its hierarchy
+        """Get permissions for a specific role including inherited permissions with strict tenant isolation."""
+        # Query role and its hierarchy with strict tenant boundaries
         query = """
         WITH RECURSIVE role_hierarchy AS (
-            SELECT role_id, permissions, parent_roles
+            SELECT role_id, permissions, parent_roles, tenant_id
             FROM roles
             WHERE role_id = $1 AND tenant_id = $2 AND is_active = true
             UNION ALL
-            SELECT r.role_id, r.permissions, r.parent_roles
+            SELECT r.role_id, r.permissions, r.parent_roles, r.tenant_id
             FROM roles r
             JOIN role_hierarchy rh ON r.role_id = ANY(
                 SELECT jsonb_array_elements_text(rh.parent_roles)
             )
-            WHERE r.tenant_id = $2 AND r.is_active = true
+            WHERE r.tenant_id = $3 AND r.is_active = true
         )
         SELECT DISTINCT unnest(
             CASE
                 WHEN jsonb_typeof(permissions) = 'array'
                 THEN ARRAY(SELECT jsonb_array_elements_text(permissions))
+                WHEN permissions IS NOT NULL AND permissions::text != 'null'
+                THEN ARRAY[permissions::text]
                 ELSE ARRAY[]::text[]
             END
         ) as permission
         FROM role_hierarchy
+        WHERE tenant_id = $4
         """
-        result = self._db_node.run(
-            query=query, parameters=[role_id, tenant_id], result_format="dict"
-        )
-        permission_rows = result.get("data", [])
+        try:
+            result = self._db_node.run(
+                query=query,
+                parameters=[role_id, tenant_id, tenant_id, tenant_id],
+                result_format="dict",
+            )
+            permission_rows = result.get("data", [])
-        return {row["permission"] for row in permission_rows}
+            permissions = {
+                row["permission"] for row in permission_rows if row["permission"]
+            }
+            self.logger.debug(
+                f"Role {role_id} in tenant {tenant_id} has permissions: {permissions}"
+            )
+            return permissions
+        except Exception as e:
+            self.logger.warning(
+                f"Failed to get permissions for role {role_id} in tenant {tenant_id}: {e}"
+            )
+            return set()
     def _build_permission_explanation(
         self,
@@ -1189,23 +1238,54 @@ class PermissionCheckNode(Node):
         }
     def _get_role_direct_permissions(self, role_id: str, tenant_id: str) -> Set[str]:
-        """Get direct permissions for a role (no inheritance)."""
+        """Get direct permissions for a role (no inheritance) with proper format handling."""
         query = """
         SELECT permissions
         FROM roles
         WHERE role_id = $1 AND tenant_id = $2 AND is_active = true
         """
-        result = self._db_node.run(
-            query=query, parameters=[role_id, tenant_id], result_format="dict"
-        )
-        role_rows = result.get("data", [])
-        role_data = role_rows[0] if role_rows else None
+        try:
+            result = self._db_node.run(
+                query=query, parameters=[role_id, tenant_id], result_format="dict"
+            )
+            role_rows = result.get("data", [])
+            role_data = role_rows[0] if role_rows else None
-        if not role_data:
-            return set()
+            if not role_data:
+                self.logger.debug(f"Role {role_id} not found in tenant {tenant_id}")
+                return set()
-        return set(role_data.get("permissions", []))
+            permissions_data = role_data.get("permissions", [])
+            # Handle different permission storage formats
+            if isinstance(permissions_data, list):
+                permissions = set(permissions_data)
+            elif isinstance(permissions_data, str):
+                try:
+                    # Try to parse as JSON array
+                    import json
+                    parsed = json.loads(permissions_data)
+                    permissions = (
+                        set(parsed) if isinstance(parsed, list) else {permissions_data}
+                    )
+                except (json.JSONDecodeError, TypeError):
+                    # Treat as single permission string
+                    permissions = {permissions_data} if permissions_data else set()
+            else:
+                permissions = set()
+            self.logger.debug(
+                f"Role {role_id} direct permissions in tenant {tenant_id}: {permissions}"
+            )
+            return permissions
+        except Exception as e:
+            self.logger.warning(
+                f"Failed to get direct permissions for role {role_id} in tenant {tenant_id}: {e}"
+            )
+            return set()
     def _explain_permission(self, inputs: Dict[str, Any]) -> Dict[str, Any]:
         """Provide detailed explanation of permission logic."""
@@ -1625,7 +1705,7 @@ class PermissionCheckNode(Node):
             audit_query = """
             INSERT INTO admin_audit_log (
                 user_id, action, resource_type, resource_id,
-                operation, details, success, tenant_id, created_at
+                operation, context, success, tenant_id, created_at
             ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
             """

kailash/nodes/admin/schema.sql ADDED Viewed

@@ -0,0 +1,387 @@
+-- Unified Admin Node Database Schema
+-- Complete RBAC/ABAC system with user management and permission checking
+-- Production-ready schema for Kailash Admin Nodes
+-- =====================================================
+-- Core User Management
+-- =====================================================
+-- Users table - Central user registry
+CREATE TABLE IF NOT EXISTS users (
+    user_id VARCHAR(255) PRIMARY KEY,
+    email VARCHAR(255) UNIQUE NOT NULL,
+    username VARCHAR(255),
+    password_hash VARCHAR(255), -- Optional, for local auth
+    first_name VARCHAR(255),
+    last_name VARCHAR(255),
+    display_name VARCHAR(255),
+    -- Admin node compatibility fields
+    roles JSONB DEFAULT '[]', -- For compatibility with PermissionCheckNode
+    attributes JSONB DEFAULT '{}', -- User attributes for ABAC
+    -- Status and lifecycle
+    status VARCHAR(50) DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended', 'pending', 'deleted')),
+    is_active BOOLEAN DEFAULT TRUE,
+    is_system_user BOOLEAN DEFAULT FALSE,
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+    -- External auth integration
+    external_auth_id VARCHAR(255), -- For SSO integration
+    auth_provider VARCHAR(100), -- 'local', 'oauth2', 'saml', etc.
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+    last_login_at TIMESTAMP WITH TIME ZONE,
+    -- Constraints
+    UNIQUE(email, tenant_id),
+    UNIQUE(username, tenant_id) -- Allow same username across tenants
+);
+-- =====================================================
+-- Role-Based Access Control (RBAC)
+-- =====================================================
+-- Roles table - Hierarchical role definitions
+CREATE TABLE IF NOT EXISTS roles (
+    role_id VARCHAR(255) PRIMARY KEY,
+    name VARCHAR(255) NOT NULL,
+    description TEXT,
+    role_type VARCHAR(50) DEFAULT 'custom' CHECK (role_type IN ('system', 'custom', 'template', 'temporary')),
+    -- RBAC permissions and hierarchy
+    permissions JSONB DEFAULT '[]', -- Direct permissions
+    parent_roles JSONB DEFAULT '[]', -- Role inheritance
+    child_roles JSONB DEFAULT '[]', -- Derived roles (maintained automatically)
+    -- ABAC attributes and conditions
+    attributes JSONB DEFAULT '{}', -- Role attributes
+    conditions JSONB DEFAULT '{}', -- Dynamic conditions for role activation
+    -- Lifecycle and constraints
+    is_active BOOLEAN DEFAULT TRUE,
+    is_system_role BOOLEAN DEFAULT FALSE,
+    expires_at TIMESTAMP WITH TIME ZONE, -- For temporary roles
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+    -- Constraints
+    UNIQUE(name, tenant_id)
+);
+-- User Role Assignments - Many-to-many with metadata
+CREATE TABLE IF NOT EXISTS user_role_assignments (
+    id SERIAL PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    role_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Assignment metadata
+    assigned_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    assigned_by VARCHAR(255) DEFAULT 'system',
+    expires_at TIMESTAMP WITH TIME ZONE, -- For temporary assignments
+    -- Conditional assignments (ABAC)
+    conditions JSONB DEFAULT '{}', -- When this assignment is active
+    context_requirements JSONB DEFAULT '{}', -- Required context for activation
+    -- Status
+    is_active BOOLEAN DEFAULT TRUE,
+    is_inherited BOOLEAN DEFAULT FALSE, -- True if inherited from group/org
+    -- Constraints
+    UNIQUE(user_id, role_id, tenant_id),
+    -- Foreign keys (enforced at application level for flexibility)
+    CONSTRAINT fk_user_role_user CHECK (user_id IS NOT NULL),
+    CONSTRAINT fk_user_role_role CHECK (role_id IS NOT NULL)
+);
+-- =====================================================
+-- Permission Management and Caching
+-- =====================================================
+-- Permission definitions - Centralized permission registry
+CREATE TABLE IF NOT EXISTS permissions (
+    permission_id VARCHAR(255) PRIMARY KEY,
+    name VARCHAR(255) NOT NULL,
+    description TEXT,
+    resource_type VARCHAR(100) NOT NULL, -- 'workflow', 'node', 'data', etc.
+    action VARCHAR(100) NOT NULL, -- 'read', 'write', 'execute', etc.
+    -- Permission metadata
+    scope VARCHAR(100) DEFAULT 'tenant', -- 'global', 'tenant', 'user'
+    is_system_permission BOOLEAN DEFAULT FALSE,
+    -- ABAC conditions
+    default_conditions JSONB DEFAULT '{}', -- Default conditions for this permission
+    required_attributes JSONB DEFAULT '{}', -- Required user/resource attributes
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    -- Constraints
+    UNIQUE(name, resource_type, action, tenant_id)
+);
+-- Permission Cache - High-performance permission checking
+CREATE TABLE IF NOT EXISTS permission_cache (
+    cache_key VARCHAR(512) PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    resource VARCHAR(255) NOT NULL,
+    permission VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Cache result
+    result BOOLEAN NOT NULL,
+    decision_path JSONB, -- How the decision was made (for auditing)
+    context_hash VARCHAR(64), -- Hash of context used for decision
+    -- Cache metadata
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    hit_count INTEGER DEFAULT 0,
+    last_accessed TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    -- Indexes will be created separately
+    CHECK (expires_at > created_at)
+);
+-- =====================================================
+-- Attribute-Based Access Control (ABAC)
+-- =====================================================
+-- User Attributes - Dynamic user properties for ABAC
+CREATE TABLE IF NOT EXISTS user_attributes (
+    id SERIAL PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Attribute definition
+    attribute_name VARCHAR(255) NOT NULL,
+    attribute_value JSONB NOT NULL,
+    attribute_type VARCHAR(50) DEFAULT 'string', -- 'string', 'number', 'boolean', 'array', 'object'
+    -- Attribute metadata
+    is_computed BOOLEAN DEFAULT FALSE, -- True if computed from other attributes
+    computation_rule JSONB, -- How to compute this attribute
+    source VARCHAR(100) DEFAULT 'manual', -- 'manual', 'computed', 'imported', 'inherited'
+    -- Lifecycle
+    is_active BOOLEAN DEFAULT TRUE,
+    expires_at TIMESTAMP WITH TIME ZONE,
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+    -- Constraints
+    UNIQUE(user_id, attribute_name, tenant_id)
+);
+-- Resource Attributes - Dynamic resource properties for ABAC
+CREATE TABLE IF NOT EXISTS resource_attributes (
+    id SERIAL PRIMARY KEY,
+    resource_id VARCHAR(255) NOT NULL,
+    resource_type VARCHAR(100) NOT NULL, -- 'workflow', 'node', 'data', etc.
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Attribute definition
+    attribute_name VARCHAR(255) NOT NULL,
+    attribute_value JSONB NOT NULL,
+    attribute_type VARCHAR(50) DEFAULT 'string',
+    -- Attribute metadata
+    is_computed BOOLEAN DEFAULT FALSE,
+    computation_rule JSONB,
+    source VARCHAR(100) DEFAULT 'manual',
+    -- Lifecycle
+    is_active BOOLEAN DEFAULT TRUE,
+    expires_at TIMESTAMP WITH TIME ZONE,
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+    -- Constraints
+    UNIQUE(resource_id, attribute_name, tenant_id)
+);
+-- =====================================================
+-- Sessions and Security
+-- =====================================================
+-- User Sessions - Track active user sessions
+CREATE TABLE IF NOT EXISTS user_sessions (
+    session_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+    -- Session data
+    session_token_hash VARCHAR(255) UNIQUE NOT NULL,
+    refresh_token_hash VARCHAR(255),
+    device_info JSONB DEFAULT '{}',
+    ip_address INET,
+    user_agent TEXT,
+    -- Session lifecycle
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    last_accessed TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
+    is_active BOOLEAN DEFAULT TRUE,
+    -- Security
+    failed_attempts INTEGER DEFAULT 0,
+    locked_until TIMESTAMP WITH TIME ZONE,
+    CHECK (expires_at > created_at)
+);
+-- =====================================================
+-- Audit and Compliance
+-- =====================================================
+-- Admin Audit Log - Comprehensive audit trail
+CREATE TABLE IF NOT EXISTS admin_audit_log (
+    id SERIAL PRIMARY KEY,
+    -- Who, What, When, Where
+    user_id VARCHAR(255),
+    tenant_id VARCHAR(255) NOT NULL,
+    action VARCHAR(100) NOT NULL,
+    resource_type VARCHAR(100) NOT NULL,
+    resource_id VARCHAR(255),
+    -- Action details
+    operation VARCHAR(100), -- 'create', 'read', 'update', 'delete', 'execute'
+    old_values JSONB, -- Before state
+    new_values JSONB, -- After state
+    context JSONB DEFAULT '{}', -- Request context
+    -- Result
+    success BOOLEAN NOT NULL,
+    error_message TEXT,
+    duration_ms INTEGER,
+    -- Request metadata
+    ip_address INET,
+    user_agent TEXT,
+    session_id UUID,
+    request_id VARCHAR(255),
+    -- Timestamp
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+-- =====================================================
+-- Performance Indexes
+-- =====================================================
+-- User indexes
+CREATE INDEX IF NOT EXISTS idx_users_tenant_status ON users(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_external_auth ON users(external_auth_id, auth_provider);
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON users(last_login_at);
+-- Role indexes
+CREATE INDEX IF NOT EXISTS idx_roles_tenant_active ON roles(tenant_id, is_active);
+CREATE INDEX IF NOT EXISTS idx_roles_type ON roles(role_type);
+CREATE INDEX IF NOT EXISTS idx_roles_parent_roles ON roles USING GIN(parent_roles);
+CREATE INDEX IF NOT EXISTS idx_roles_permissions ON roles USING GIN(permissions);
+-- Assignment indexes
+CREATE INDEX IF NOT EXISTS idx_user_roles_user ON user_role_assignments(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_role ON user_role_assignments(role_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_active ON user_role_assignments(is_active, expires_at);
+-- Permission cache indexes
+CREATE INDEX IF NOT EXISTS idx_permission_cache_user ON permission_cache(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_permission_cache_expires ON permission_cache(expires_at);
+CREATE INDEX IF NOT EXISTS idx_permission_cache_resource ON permission_cache(resource, permission);
+-- Attribute indexes
+CREATE INDEX IF NOT EXISTS idx_user_attributes_user ON user_attributes(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_attributes_name ON user_attributes(attribute_name, is_active);
+CREATE INDEX IF NOT EXISTS idx_resource_attributes_resource ON resource_attributes(resource_id, resource_type);
+-- Session indexes
+CREATE INDEX IF NOT EXISTS idx_sessions_user ON user_sessions(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_token ON user_sessions(session_token_hash);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON user_sessions(expires_at, is_active);
+-- Audit indexes
+CREATE INDEX IF NOT EXISTS idx_audit_user ON admin_audit_log(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_audit_resource ON admin_audit_log(resource_type, resource_id);
+CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON admin_audit_log(created_at);
+CREATE INDEX IF NOT EXISTS idx_audit_action ON admin_audit_log(action, operation);
+-- =====================================================
+-- Data Integrity and Maintenance
+-- =====================================================
+-- Auto-update timestamps trigger function
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = CURRENT_TIMESTAMP;
+    RETURN NEW;
+END;
+$$ language 'plpgsql';
+-- Apply auto-update triggers
+CREATE TRIGGER update_users_updated_at BEFORE UPDATE ON users
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+CREATE TRIGGER update_roles_updated_at BEFORE UPDATE ON roles
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+CREATE TRIGGER update_permissions_updated_at BEFORE UPDATE ON permissions
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+CREATE TRIGGER update_user_attributes_updated_at BEFORE UPDATE ON user_attributes
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+CREATE TRIGGER update_resource_attributes_updated_at BEFORE UPDATE ON resource_attributes
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+-- Cache cleanup function
+CREATE OR REPLACE FUNCTION cleanup_expired_cache()
+RETURNS INTEGER AS $$
+DECLARE
+    deleted_count INTEGER;
+BEGIN
+    DELETE FROM permission_cache WHERE expires_at < CURRENT_TIMESTAMP;
+    GET DIAGNOSTICS deleted_count = ROW_COUNT;
+    RETURN deleted_count;
+END;
+$$ LANGUAGE plpgsql;
+-- Session cleanup function
+CREATE OR REPLACE FUNCTION cleanup_expired_sessions()
+RETURNS INTEGER AS $$
+DECLARE
+    deleted_count INTEGER;
+BEGIN
+    DELETE FROM user_sessions WHERE expires_at < CURRENT_TIMESTAMP;
+    GET DIAGNOSTICS deleted_count = ROW_COUNT;
+    RETURN deleted_count;
+END;
+$$ LANGUAGE plpgsql;

kailash 0.6.1__py3-none-any.whl → 0.6.3__py3-none-any.whl

kailash 0.6.1py3-none-any.whl → 0.6.3py3-none-any.whl