lambda-erp 0.1.0__py3-none-any.whl

api/demo_limits.py

@@ -0,0 +1,400 @@
+"""Token-spend rate limiting for the public demo.
+
+Two sliding 1-hour windows guard the demo budget:
+  * global — caps total USD spend across all visitors per hour
+  * per-IP — caps a single client IP per hour
+
+Default thresholds: $10/hr global ($240/day). The per-IP cap defaults
+to ~$0.52/hr (the previous absolute cap, i.e. 25% of the old $50/day
+budget) and is also clamped to at most 25% of the global cap so one
+actor cannot monopolize it.
+
+Only `public_manager` traffic counts against the global cap (that's
+demo traffic); admin/manager sessions are still logged but exempt.
+
+Every LLM call is persisted to the `Demo Spend Log` table so admins can
+see per-window breakdowns (1h/2h/4h/12h/24h/7d) via
+/api/admin/demo-spend. Single-replica deploy is the hard prerequisite
+for this design — the in-process SQLite file is the single source of
+truth. If the container ever scales horizontally, swap the store.
+
+Pricing lives in `api.providers`; this module only owns persistence and
+limit checks.
+"""
+
+from __future__ import annotations
+
+import os
+import threading
+import time
+from dataclasses import dataclass
+from typing import Optional
+
+from lambda_erp.database import get_db
+
+
+_WINDOW_SECONDS = 3600  # 1 hour
+
+# Upper bound on how long a reservation may hold budget before it's
+# considered stale and ignored. Must exceed the longest provider call
+# timeout (OpenAI/Anthropic clients use 120s) plus a fudge for the
+# event-loop latency between the SDK call returning and settle() firing.
+# Defence-in-depth against cancellation leaks that slip past try/finally.
+_RESERVATION_TTL_SECONDS = 180
+
+
+_SCHEMA_SQL = """
+CREATE TABLE IF NOT EXISTS "Demo Spend Log" (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    ts REAL NOT NULL,
+    ip TEXT,
+    role TEXT,
+    provider TEXT,
+    model TEXT,
+    prompt_tokens INTEGER DEFAULT 0,
+    completion_tokens INTEGER DEFAULT 0,
+    cost_usd REAL NOT NULL,
+    session_id TEXT
+);
+"""
+_INDEX_TS_SQL = 'CREATE INDEX IF NOT EXISTS "idx_demo_spend_ts" ON "Demo Spend Log" (ts)'
+_INDEX_IP_TS_SQL = 'CREATE INDEX IF NOT EXISTS "idx_demo_spend_ip_ts" ON "Demo Spend Log" (ip, ts)'
+
+_schema_lock = threading.Lock()
+_schema_ready = False
+
+
+@dataclass
+class _Reservation:
+    ip: str
+    role: str
+    estimated_usd: float
+    created_at: float
+
+
+def init_schema() -> None:
+    """Create the spend-log table. Safe to call repeatedly; guarded by a
+    module-level flag so we don't re-issue DDL on every request."""
+    global _schema_ready
+    with _schema_lock:
+        if _schema_ready:
+            return
+        db = get_db()
+        db.conn.execute(_SCHEMA_SQL)
+        db.conn.execute(_INDEX_TS_SQL)
+        db.conn.execute(_INDEX_IP_TS_SQL)
+        db.conn.commit()
+        _schema_ready = True
+
+
+class DemoSpendLimiter:
+    """SQLite-backed spend tracker with sliding-window caps.
+
+    `check()` reads SUM(cost_usd) over the last hour for both the global
+    demo bucket (role=public_manager) and the caller's IP; `record()`
+    appends one row per LLM call for both limiting and analytics.
+    """
+
+    def __init__(self, global_hourly_usd: float, per_ip_hourly_usd: float):
+        self.global_hourly_usd = global_hourly_usd
+        self.per_ip_hourly_usd = per_ip_hourly_usd
+        self._reservation_lock = threading.Lock()
+        self._next_reservation_id = 1
+        self._reservations: dict[int, _Reservation] = {}
+
+    def _reserved_totals_unlocked(self, ip: str) -> tuple[float, float]:
+        # Opportunistically evict stale reservations. This is the only
+        # path that totals reservations, so piggy-backing the sweep keeps
+        # the lock count down without needing a separate background task.
+        now = time.time()
+        cutoff = now - _RESERVATION_TTL_SECONDS
+        stale = [rid for rid, row in self._reservations.items() if row.created_at < cutoff]
+        for rid in stale:
+            self._reservations.pop(rid, None)
+
+        global_reserved = 0.0
+        ip_reserved = 0.0
+        for row in self._reservations.values():
+            if row.role != "public_manager":
+                continue
+            global_reserved += row.estimated_usd
+            if row.ip == ip:
+                ip_reserved += row.estimated_usd
+        return global_reserved, ip_reserved
+
+    # ---- checks --------------------------------------------------------
+
+    def check(self, ip: str) -> Optional[str]:
+        """Return a human-readable reason if `ip` (or the global demo
+        bucket) has crossed its hourly cap, else None. Admin/manager
+        traffic is never blocked here — that decision is at the call
+        site via `is_demo_role(role)`."""
+        init_schema()
+        db = get_db()
+        cutoff = time.time() - _WINDOW_SECONDS
+
+        global_spend = db.conn.execute(
+            'SELECT COALESCE(SUM(cost_usd), 0) AS s FROM "Demo Spend Log" '
+            'WHERE ts > ? AND role = ?',
+            (cutoff, "public_manager"),
+        ).fetchone()["s"]
+        if global_spend >= self.global_hourly_usd:
+            return (
+                f"Demo budget exhausted for this hour "
+                f"(~${global_spend:.2f} / ${self.global_hourly_usd:.2f}). "
+                "Please try again later."
+            )
+
+        ip_spend = db.conn.execute(
+            'SELECT COALESCE(SUM(cost_usd), 0) AS s FROM "Demo Spend Log" '
+            'WHERE ts > ? AND ip = ? AND role = ?',
+            (cutoff, ip, "public_manager"),
+        ).fetchone()["s"]
+        if ip_spend >= self.per_ip_hourly_usd:
+            return (
+                f"You've reached the hourly demo limit for your IP "
+                f"(~${ip_spend:.2f} / ${self.per_ip_hourly_usd:.2f}). "
+                "Please try again later."
+            )
+        return None
+
+    def reserve(
+        self,
+        ip: str,
+        *,
+        estimated_usd: float,
+        role: str | None = None,
+    ) -> tuple[Optional[str], Optional[int]]:
+        """Atomically reserve budget before an outbound LLM call."""
+        amount = max(float(estimated_usd or 0.0), 0.0)
+        if amount <= 0:
+            return None, None
+        if role != "public_manager":
+            return None, None
+
+        init_schema()
+        db = get_db()
+        cutoff = time.time() - _WINDOW_SECONDS
+        with self._reservation_lock:
+            global_spend = db.conn.execute(
+                'SELECT COALESCE(SUM(cost_usd), 0) AS s FROM "Demo Spend Log" '
+                'WHERE ts > ? AND role = ?',
+                (cutoff, "public_manager"),
+            ).fetchone()["s"]
+            ip_spend = db.conn.execute(
+                'SELECT COALESCE(SUM(cost_usd), 0) AS s FROM "Demo Spend Log" '
+                'WHERE ts > ? AND ip = ? AND role = ?',
+                (cutoff, ip, "public_manager"),
+            ).fetchone()["s"]
+            reserved_global, reserved_ip = self._reserved_totals_unlocked(ip)
+
+            projected_global = float(global_spend) + reserved_global + amount
+            if projected_global > self.global_hourly_usd:
+                return (
+                    f"Demo budget exhausted for this hour "
+                    f"(~${global_spend + reserved_global:.2f} / ${self.global_hourly_usd:.2f}). "
+                    "Please try again later.",
+                    None,
+                )
+
+            projected_ip = float(ip_spend) + reserved_ip + amount
+            if projected_ip > self.per_ip_hourly_usd:
+                return (
+                    f"You've reached the hourly demo limit for your IP "
+                    f"(~${ip_spend + reserved_ip:.2f} / ${self.per_ip_hourly_usd:.2f}). "
+                    "Please try again later.",
+                    None,
+                )
+
+            reservation_id = self._next_reservation_id
+            self._next_reservation_id += 1
+            self._reservations[reservation_id] = _Reservation(
+                ip=ip,
+                role=role or "",
+                estimated_usd=amount,
+                created_at=time.time(),
+            )
+            return None, reservation_id
+
+    def release(self, reservation_id: int | None) -> None:
+        """Drop a reservation without recording spend (failed call path)."""
+        if reservation_id is None:
+            return
+        with self._reservation_lock:
+            self._reservations.pop(reservation_id, None)
+
+    def settle(
+        self,
+        reservation_id: int | None,
+        *,
+        actual_cost_usd: float,
+        ip: str,
+        role: str | None = None,
+        provider: str | None = None,
+        model: str | None = None,
+        prompt_tokens: int = 0,
+        completion_tokens: int = 0,
+        session_id: str | None = None,
+    ) -> None:
+        """Finalize a reservation and persist the actual spend row."""
+        if reservation_id is not None:
+            with self._reservation_lock:
+                self._reservations.pop(reservation_id, None)
+        self.record(
+            ip,
+            actual_cost_usd,
+            role=role,
+            provider=provider,
+            model=model,
+            prompt_tokens=prompt_tokens,
+            completion_tokens=completion_tokens,
+            session_id=session_id,
+        )
+
+    # ---- recording -----------------------------------------------------
+
+    def record(
+        self,
+        ip: str,
+        cost_usd: float,
+        *,
+        role: str | None = None,
+        provider: str | None = None,
+        model: str | None = None,
+        prompt_tokens: int = 0,
+        completion_tokens: int = 0,
+        session_id: str | None = None,
+    ) -> None:
+        if cost_usd <= 0:
+            return
+        init_schema()
+        db = get_db()
+        db.conn.execute(
+            'INSERT INTO "Demo Spend Log" '
+            '(ts, ip, role, provider, model, prompt_tokens, completion_tokens, cost_usd, session_id) '
+            'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+            (
+                time.time(),
+                ip,
+                role,
+                provider,
+                model,
+                int(prompt_tokens or 0),
+                int(completion_tokens or 0),
+                float(cost_usd),
+                session_id,
+            ),
+        )
+        db.conn.commit()
+
+    # ---- reporting -----------------------------------------------------
+
+    def snapshot(self) -> dict:
+        """Lightweight health snapshot — for logs / live dashboards."""
+        init_schema()
+        db = get_db()
+        cutoff = time.time() - _WINDOW_SECONDS
+        row = db.conn.execute(
+            'SELECT COALESCE(SUM(cost_usd), 0) AS s, '
+            'COUNT(DISTINCT ip) AS ips '
+            'FROM "Demo Spend Log" WHERE ts > ? AND role = ?',
+            (cutoff, "public_manager"),
+        ).fetchone()
+        return {
+            "global_hourly_usd": round(row["s"], 4),
+            "global_hourly_cap": self.global_hourly_usd,
+            "per_ip_hourly_cap": self.per_ip_hourly_usd,
+            "active_ips": int(row["ips"] or 0),
+        }
+
+
+# ---------------------------------------------------------------------------
+# Process-wide singleton. Thresholds are read once at import time from env.
+# ---------------------------------------------------------------------------
+
+def _env_float(name: str, default: float) -> float:
+    raw = os.environ.get(name)
+    if raw is None or raw == "":
+        return default
+    try:
+        return float(raw)
+    except ValueError:
+        return default
+
+
+# $10/hr → $240/day cap.
+_GLOBAL_HOURLY_USD = _env_float("LAMBDA_ERP_DEMO_GLOBAL_HOURLY_USD", 10.0)
+# Pinned to the previous absolute default (25% of the old $50/day
+# global ≈ $0.521/hr) so raising the global cap does not also raise
+# what a single IP can spend.
+_PER_IP_HOURLY_USD = _env_float(
+    "LAMBDA_ERP_DEMO_PER_IP_HOURLY_USD",
+    (50.0 / 24.0) * 0.25,
+)
+_PER_IP_HOURLY_USD = min(_PER_IP_HOURLY_USD, _GLOBAL_HOURLY_USD * 0.25)
+
+limiter = DemoSpendLimiter(
+    global_hourly_usd=_GLOBAL_HOURLY_USD,
+    per_ip_hourly_usd=_PER_IP_HOURLY_USD,
+)
+
+
+def is_demo_role(role: Optional[str]) -> bool:
+    """Limits only apply to the shared demo account, not admins/managers."""
+    return role == "public_manager"
+
+
+def demo_max_completion_tokens(default: int = 4096) -> int:
+    """Env-overridable cap for `max_completion_tokens` on demo calls.
+
+    Defaults to 1024 — tight enough to bound worst-case turn cost but
+    generous enough for typical replies. Callers apply this only for
+    `public_manager`; logged-in managers/admins keep the original cap."""
+    raw = os.environ.get("LAMBDA_ERP_DEMO_MAX_COMPLETION_TOKENS")
+    if raw is None or raw == "":
+        return 1024
+    try:
+        return max(256, int(raw))
+    except ValueError:
+        return 1024
+
+
+def demo_call_reserve_usd() -> float:
+    """Conservative pre-call reservation for demo LLM requests."""
+    raw = os.environ.get("LAMBDA_ERP_DEMO_CALL_RESERVE_USD")
+    if raw is None or raw == "":
+        return 0.35
+    try:
+        return max(0.05, float(raw))
+    except ValueError:
+        return 0.35
+
+
+def demo_max_message_chars() -> int:
+    """Env-overridable cap on the length of a single chat message from a
+    public_manager session. Without this, a visitor could paste ~100k
+    characters and burn the global hourly budget in a single call even
+    though the per-call max_completion_tokens is tight — input tokens
+    aren't capped server-side otherwise."""
+    raw = os.environ.get("LAMBDA_ERP_DEMO_MAX_MESSAGE_CHARS")
+    if raw is None or raw == "":
+        return 300
+    try:
+        return max(50, int(raw))
+    except ValueError:
+        return 300
+
+
+def demo_max_attachment_bytes() -> int:
+    """Env-overridable cap on the size of a single chat attachment uploaded
+    from a public_manager session. Default 100 KiB. Images/PDFs are sent
+    to the LLM as base64 multimodal parts, so each uploaded byte becomes
+    ~1.33 bytes of prompt — a 10 MB file would otherwise blow the hourly
+    budget in one call."""
+    raw = os.environ.get("LAMBDA_ERP_DEMO_MAX_ATTACHMENT_BYTES")
+    if raw is None or raw == "":
+        return 100 * 1024
+    try:
+        return max(1024, int(raw))
+    except ValueError:
+        return 100 * 1024

api/deps.py

@@ -0,0 +1,7 @@
+"""FastAPI dependency injection."""
+
+from lambda_erp.database import get_db, Database
+
+
+def get_database() -> Database:
+    return get_db()

api/errors.py

@@ -0,0 +1,56 @@
+"""Map lambda_erp exceptions to HTTP responses."""
+
+from fastapi import FastAPI, Request
+from fastapi.responses import JSONResponse
+from lambda_erp.exceptions import (
+    ValidationError,
+    MandatoryError,
+    DocumentStatusError,
+    DebitCreditNotEqual,
+    NegativeStockError,
+    InvalidAccountError,
+    InvalidCurrency,
+    InsufficientFunds,
+)
+
+
+def register_exception_handlers(app: FastAPI):
+
+    @app.exception_handler(ValueError)
+    async def value_error(request: Request, exc: ValueError):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(DocumentStatusError)
+    async def document_status_error(request: Request, exc: DocumentStatusError):
+        return JSONResponse(status_code=409, content={"detail": str(exc)})
+
+    @app.exception_handler(ValidationError)
+    async def validation_error(request: Request, exc: ValidationError):
+        msg = str(exc)
+        if msg.endswith("not found"):
+            return JSONResponse(status_code=404, content={"detail": msg})
+        return JSONResponse(status_code=422, content={"detail": msg})
+
+    @app.exception_handler(MandatoryError)
+    async def mandatory_error(request: Request, exc: MandatoryError):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(DebitCreditNotEqual)
+    async def debit_credit_error(request: Request, exc: DebitCreditNotEqual):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(NegativeStockError)
+    async def negative_stock_error(request: Request, exc: NegativeStockError):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(InvalidAccountError)
+    async def invalid_account_error(request: Request, exc: InvalidAccountError):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(InvalidCurrency)
+    async def invalid_currency_error(request: Request, exc: InvalidCurrency):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})
+
+    @app.exception_handler(InsufficientFunds)
+    async def insufficient_funds_error(request: Request, exc: InsufficientFunds):
+        return JSONResponse(status_code=422, content={"detail": str(exc)})

api/main.py

@@ -0,0 +1,182 @@
+"""
+FastAPI application entry point.
+
+Run with: uvicorn api.main:app --reload --port 8000
+"""
+
+import os
+from contextlib import asynccontextmanager
+from fastapi import FastAPI, HTTPException, WebSocket
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import FileResponse
+from fastapi.staticfiles import StaticFiles
+
+from lambda_erp.database import setup
+
+from api.errors import register_exception_handlers
+from api.auth import router as auth_router, COOKIE_NAME, decode_token
+from api.attachments import router as attachments_router
+from api.chat import chat_websocket, router as chat_router
+from api.routers import admin, documents, masters, reports, setup as setup_router, bank_reconciliation, analytics, accounting
+
+
+def load_plugins() -> None:
+    """Import customer extension modules named in LAMBDA_ERP_PLUGINS and call
+    each module's register().
+
+    A customer deployment is a separate repo that depends on this core and
+    registers doctype overrides / lifecycle hooks (see
+    docs/core-extension-architecture.md). Set e.g. LAMBDA_ERP_PLUGINS=acme
+    (comma-separated for several). Runs after setup() and BEFORE any documents
+    are created, so overrides/hooks apply to seeded data too. Unset = no-op, so
+    the core runs unchanged. Fails fast on a broken plugin rather than booting
+    silently without the customer's customizations.
+    """
+    import importlib
+
+    names = [m.strip() for m in os.environ.get("LAMBDA_ERP_PLUGINS", "").split(",") if m.strip()]
+    for name in names:
+        print(f"[plugins] loading {name}", flush=True)
+        module = importlib.import_module(name)
+        register = getattr(module, "register", None)
+        if not callable(register):
+            raise RuntimeError(f"Plugin '{name}' has no callable register()")
+        register()
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Startup: initialize database
+    db_path = os.environ.get("LAMBDA_ERP_DB", "lambda_erp.db")
+    setup(db_path)
+
+    # Load customer extension plugins before anything creates documents.
+    load_plugins()
+
+    # Ensure the demo spend log table exists before any LLM call happens.
+    from api.demo_limits import init_schema as init_demo_spend_schema
+    init_demo_spend_schema()
+
+    # When packaged as a demo container, land visitors straight in demo mode.
+    if os.environ.get("LAMBDA_ERP_AUTO_DEMO") == "1":
+        from api.bootstrap import bootstrap_demo
+
+        bootstrap_demo()
+
+    yield
+    # Shutdown: nothing to clean up (SQLite handles it)
+
+
+app = FastAPI(
+    title="Lambda ERP",
+    version="0.1.0",
+    lifespan=lifespan,
+)
+
+# CORS for Vite dev server
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["http://localhost:5173"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Exception handlers
+register_exception_handlers(app)
+
+# Routers
+app.include_router(auth_router, prefix="/api")
+app.include_router(attachments_router, prefix="/api")
+app.include_router(documents.router, prefix="/api")
+app.include_router(masters.router, prefix="/api")
+app.include_router(reports.router, prefix="/api")
+app.include_router(analytics.router, prefix="/api")
+app.include_router(setup_router.router, prefix="/api")
+app.include_router(bank_reconciliation.router, prefix="/api")
+app.include_router(accounting.router, prefix="/api")
+app.include_router(admin.router, prefix="/api")
+app.include_router(chat_router, prefix="/api")
+
+
+@app.get("/api/health")
+def health():
+    return {"status": "ok"}
+
+
+@app.websocket("/ws/chat")
+async def ws_chat(websocket: WebSocket):
+    # Authenticate via cookie, fall back to public_manager for demo mode
+    from lambda_erp.database import get_db
+
+    token = websocket.cookies.get(COOKIE_NAME)
+    user_name = decode_token(token) if token else None
+    user = None
+
+    db = get_db()
+    if user_name:
+        user = db.get_value("User", user_name, ["name", "full_name", "role", "enabled"])
+        if user and not user.get("enabled"):
+            user = None
+
+    # Fall back to public manager
+    if not user:
+        pub = db.sql('SELECT name, full_name, role, enabled FROM "User" WHERE role = "public_manager" AND enabled = 1')
+        user = pub[0] if pub else None
+
+    if not user:
+        await websocket.accept()
+        await websocket.close(code=4001, reason="Not authenticated")
+        return
+
+    # Client IP for demo-spend rate limiting. Azure Container Apps ingress
+    # (and any sane reverse proxy) sets X-Forwarded-For with the original
+    # client as the leftmost entry; fall back to the socket peer for local
+    # dev where no proxy is in front.
+    xff = websocket.headers.get("x-forwarded-for", "")
+    if xff:
+        client_ip = xff.split(",")[0].strip()
+    else:
+        client_ip = websocket.client.host if websocket.client else "unknown"
+
+    await chat_websocket(websocket, user_info=dict(user), client_ip=client_ip)
+
+
+# Serve frontend build in production (if dist/ exists).
+#
+# In local dev the frontend runs on Vite's dev server (port 5173), which
+# has SPA fallback built in — any unknown route serves index.html so
+# React Router can take over. In the container, FastAPI serves the built
+# frontend itself, and StaticFiles(html=True) only serves index.html for
+# directory requests, not arbitrary paths. That made direct-URL visits
+# and reloads on routes like /chat/:id return `{"detail": "Not Found"}`
+# instead of the React app. The route below replicates Vite's fallback
+# semantics: real files (assets, favicon, logos) resolve as-is; anything
+# else falls through to index.html and React Router handles it
+# client-side. API and WebSocket paths keep returning their normal 404s.
+frontend_dist = os.path.join(os.path.dirname(__file__), "..", "frontend", "dist")
+if os.path.isdir(frontend_dist):
+    assets_dir = os.path.join(frontend_dist, "assets")
+    if os.path.isdir(assets_dir):
+        app.mount("/assets", StaticFiles(directory=assets_dir), name="assets")
+
+    frontend_root = os.path.realpath(frontend_dist)
+    index_html = os.path.join(frontend_root, "index.html")
+
+    @app.get("/{full_path:path}", include_in_schema=False)
+    async def spa_fallback(full_path: str):
+        # Let API/WS paths that didn't match a real route 404 as JSON,
+        # rather than accidentally returning the SPA shell HTML.
+        if full_path.startswith(("api/", "ws/")):
+            raise HTTPException(status_code=404, detail="Not Found")
+
+        # Real public files (favicon.ico, favicon.png, logo_*.png, etc.)
+        # should resolve to themselves. Guard against path traversal by
+        # re-anchoring to the resolved frontend_dist root.
+        if full_path:
+            candidate = os.path.realpath(os.path.join(frontend_root, full_path))
+            if candidate.startswith(frontend_root + os.sep) and os.path.isfile(candidate):
+                return FileResponse(candidate)
+
+        # SPA fallback — React Router takes over from here.
+        return FileResponse(index_html)