morphdb 0.1.0__py3-none-any.whl

morphdb/routes.py

@@ -0,0 +1,254 @@
+"""HTTP route definitions. Pure glue between the router and the logic modules.
+
+Three surfaces:
+
+* **Apps** (one MorphDB instance, many independent websites):
+  POST ``/app`` to register, DELETE ``/app/{key}`` to delete (cascades). There
+  is deliberately no "list apps" endpoint — you only address an app you already
+  hold the key for.
+* **Schema** (the coding agent reshapes the data model):
+  GET/PUT/DELETE ``/schema`` and ``/schema/{type}``.
+* **Objects** (the frontend reads/writes data, including relations as fields):
+  ``/objects/{type}`` and ``/object/{guid}``.
+
+Every schema and object request must carry its app via the ``X-App-Key`` header;
+``apps.require_app`` resolves and validates it. Relations are not their own
+endpoints — they are declared inside a type's schema and read/written as fields
+on objects.
+"""
+
+from . import apps
+from . import objects as objs
+from . import schema as sch
+from .errors import bad_request
+from .router import Router
+
+router = Router()
+
+
+def _obj_body(req):
+    """Return the request body as a dict, or raise 400.
+
+    An empty/absent body is treated as ``{}`` (a valid empty write); a non-object
+    JSON value (list, string, number, ``null``) is rejected rather than silently
+    dropped.
+    """
+    b = req.body
+    if b is None or b == {}:
+        return {}
+    if not isinstance(b, dict):
+        raise bad_request("Request body must be a JSON object.")
+    return b
+
+
+# --- meta ---------------------------------------------------------------------
+
+
+@router.route("GET", "/")
+def root(req):
+    return {
+        "name": "MorphDB",
+        "version": __import__("morphdb").__version__,
+        "description": "Schema-fluid, API-stable database for AI-generated apps.",
+        "docs": "GET /help for the full endpoint reference.",
+    }
+
+
+@router.route("GET", "/health")
+def health(req):
+    return {"status": "ok"}
+
+
+@router.route("GET", "/help")
+def help_(req):
+    return {"endpoints": ENDPOINT_REFERENCE}
+
+
+# --- apps (register a website; delete one and everything under it) ------------
+
+
+@router.route("POST", "/app")
+def register_app(req):
+    body = _obj_body(req)
+    key = body.get("key")
+    if not key or not isinstance(key, str):
+        raise bad_request(
+            "Provide an app key: {\"key\": \"my-app\"}. Pick a unique, memorable "
+            "string and reuse it as the X-App-Key header on every request."
+        )
+    return 201, apps.register_app(key)
+
+
+@router.route("DELETE", "/app/{key}")
+def delete_app(req):
+    return apps.delete_app(req.params["key"])
+
+
+# --- schema (for the coding agent) --------------------------------------------
+
+
+@router.route("GET", "/schema")
+def full_schema(req):
+    app = apps.require_app(req)
+    return {"types": sch.list_type_docs(app)}
+
+
+@router.route("GET", "/schema/{type}")
+def get_type(req):
+    app = apps.require_app(req)
+    return sch.get_type_doc(app, req.params["type"], required=True)
+
+
+def _type_body(body):
+    """Parse a schema-write body into (fields, relations, merge).
+
+    Accepts a structured doc ``{fields?, relations?, merge?}`` or, as a
+    shorthand, a bare ``{name: type}`` field map. A ``None`` fields/relations
+    means "leave that part untouched".
+    """
+    if not isinstance(body, dict):
+        raise bad_request(
+            "Body must be a schema document {fields?, relations?, merge?} or a "
+            "bare field map."
+        )
+    if any(k in body for k in ("fields", "relations", "merge")):
+        fields = body.get("fields")
+        relations = body.get("relations")
+        if fields is not None and not isinstance(fields, dict):
+            raise bad_request("'fields' must be an object mapping name -> type.")
+        return fields, relations, bool(body.get("merge", False))
+    return body, None, False     # bare field map
+
+
+@router.route("PUT", "/schema/{type}")
+def put_type(req):
+    app = apps.require_app(req)
+    fields, relations, merge = _type_body(_obj_body(req))
+    return sch.upsert_type(app, req.params["type"], fields=fields,
+                           relations=relations, merge=merge)
+
+
+@router.route("DELETE", "/schema/{type}")
+def delete_type(req):
+    app = apps.require_app(req)
+    return sch.delete_type(app, req.params["type"])
+
+
+# --- objects (for the website) ------------------------------------------------
+
+
+@router.route("POST", "/objects/{type}")
+def create_object(req):
+    app = apps.require_app(req)
+    return 201, objs.create_object(app, req.params["type"], _obj_body(req))
+
+
+@router.route("GET", "/objects/{type}")
+def list_objects(req):
+    app = apps.require_app(req)
+    q = dict(req.query)
+    limit = q.pop("limit", objs.DEFAULT_LIMIT)
+    offset = q.pop("offset", 0)
+    sort = q.pop("sort", None)
+    order = q.pop("order", "asc")
+    # everything left in q is a field filter
+    return objs.list_objects(
+        app, req.params["type"], filters=q, limit=limit, offset=offset,
+        sort=sort, order=order,
+    )
+
+
+@router.route("GET", "/objects/{type}/{guid}")
+def get_object_typed(req):
+    app = apps.require_app(req)
+    return objs.get_object(app, req.params["guid"], object_type=req.params["type"])
+
+
+@router.route("PUT", "/objects/{type}/{guid}")
+def put_object(req):
+    app = apps.require_app(req)
+    return objs.upsert_object(app, req.params["type"], req.params["guid"],
+                              _obj_body(req), partial=False)
+
+
+@router.route("PATCH", "/objects/{type}/{guid}")
+def patch_object(req):
+    app = apps.require_app(req)
+    return objs.upsert_object(app, req.params["type"], req.params["guid"],
+                              _obj_body(req), partial=True)
+
+
+@router.route("DELETE", "/objects/{type}/{guid}")
+def delete_object(req):
+    app = apps.require_app(req)
+    return objs.delete_object(app, req.params["guid"])
+
+
+@router.route("GET", "/object/{guid}")
+def get_object_by_guid(req):
+    app = apps.require_app(req)
+    return objs.get_object(app, req.params["guid"])
+
+
+# --- self-documenting reference (served at GET /help) -------------------------
+
+ENDPOINT_REFERENCE = {
+    "_apps": (
+        "One MorphDB instance hosts many apps (one per website). Register an app, "
+        "then send its key as the 'X-App-Key' header on EVERY schema and object "
+        "request. Apps are isolated: type names may repeat across apps. There is "
+        "no list-apps endpoint by design."
+    ),
+    "app endpoints (register / delete a website)": {
+        "POST /app": "Register an app. Body: {\"key\": \"my-app\"}. 409 if the key is taken. Remember the key — there is no way to list it back.",
+        "DELETE /app/{key}": "Delete an app and cascade-delete all its schemas, objects, relations, and edges.",
+    },
+    "schema endpoints (you, the agent — reshape the data model)": {
+        "GET /schema": "View all type schemas (fields + relations + inverse relations) for this app.",
+        "GET /schema/{type}": "View one type's schema.",
+        "PUT /schema/{type}": (
+            "Create/replace a type. Body: {fields?, relations?, merge?} or a bare "
+            "field map. merge:true adds without dropping; merge:false replaces. "
+            "Absent 'fields'/'relations' are left untouched."
+        ),
+        "DELETE /schema/{type}": (
+            "Delete a type, its objects, and edges touching them. Neighbor objects "
+            "of other types are NOT deleted."
+        ),
+    },
+    "object endpoints (your frontend — read/write data)": {
+        "POST /objects/{type}": "Create an object. Body: field + relation values. Returns it with _guid.",
+        "GET /objects/{type}": "List/query. Query: field filters (field, field__gt, field__contains, field__in, ...), limit, offset, sort, order.",
+        "GET /objects/{type}/{guid}": "Read one object (fields + relation guids).",
+        "GET /object/{guid}": "Read one object by guid alone.",
+        "PUT /objects/{type}/{guid}": "Replace an object's fields (create if absent). Relations present in the body are set.",
+        "PATCH /objects/{type}/{guid}": "Merge fields into an object (create if absent). Relations present in the body are set.",
+        "DELETE /objects/{type}/{guid}": "Delete an object and its edges (neighbors survive).",
+    },
+    "relations": {
+        "declare": (
+            "In a type's schema under 'relations': "
+            "{\"assignee\": {\"to\": \"user\", \"cardinality\": \"many_to_one\", "
+            "\"inverse\": \"tasks\"}}. Declared once; the inverse ('tasks') appears "
+            "automatically on the other type."
+        ),
+        "read": "Relation values appear in the object body: a guid (to-one) or list of guids (to-many).",
+        "write": "Set a relation like a field: {\"assignee\": \"<guid>\"} or {\"tags\": [\"<g1>\", \"<g2>\"]}. null/[] clears. Last write wins on conflict.",
+        "symmetric": "Set symmetric:true (to == this type, one_to_one|many_to_many) for mutual links like friends — one shared label, edge counted once.",
+    },
+    "headers": {
+        "X-App-Key": "Required on every schema and object request: the key of the app you registered. Missing -> 400, unknown -> 404.",
+    },
+    "field_types": ["string", "number", "boolean", "json", "datetime"],
+    "cardinalities": ["one_to_one", "one_to_many", "many_to_one", "many_to_many"],
+    "filter_operators": ["eq (default)", "ne", "gt", "gte", "lt", "lte", "contains", "in", "exists"],
+    "list_response_shape": {"objects": "[...]", "total": "int (full filtered count)",
+                            "limit": "int", "offset": "int"},
+    "notes": [
+        "datetime values are validated as ISO-8601 (or epoch seconds) and normalized.",
+        "number fields reject NaN/Infinity.",
+        "schema edits are O(1) and lazy: after a field retype, an old-typed value reads as unset until rewritten.",
+        "relations are stored as single-row edges and read/written as object fields; filtering is on fields, not relations.",
+        "relation targets must be objects in the same app; cross-app links are rejected.",
+    ],
+}

morphdb/schema.py

@@ -0,0 +1,203 @@
+"""Object type schemas — the thing a coding agent edits constantly.
+
+A *type* bundles raw ``fields`` and ``relations`` (links to other types) into a
+single schema document. Editing it is O(1): we never rewrite stored objects.
+Reads reinterpret old rows through the current schema (lazy invalidation), so
+adding/removing/retyping a field is instant regardless of object count.
+
+Everything here is scoped to one **app** (passed as the first argument): a type
+named ``task`` in app A is independent of a ``task`` in app B.
+
+Relations are stored in their own table (see :mod:`associations`) because they
+have cardinality and two ends, but from the agent's point of view they live
+right inside the type document alongside fields — declared once, on one side.
+"""
+
+import json
+import re
+
+from . import associations as assoc
+from . import db
+from .errors import bad_request, not_found
+from .fieldtypes import normalize_fields
+from .util import now_iso
+
+# \Z (not $) so a trailing newline cannot sneak through (e.g. "task\n").
+_NAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_]*\Z")
+
+
+def _validate_type_name(name):
+    if not isinstance(name, str) or not _NAME_RE.match(name):
+        raise bad_request(
+            f"Invalid object type name {name!r}. Use a letter followed by "
+            "letters, digits, or underscores (e.g. 'task', 'blog_post')."
+        )
+    return name
+
+
+# --- low-level fields access (used internally by objects/associations) --------
+
+
+def get_object_schema(app, name, required=False):
+    """Return the raw ``{name, fields, created_at, updated_at}`` for a type.
+
+    Just the stored fields map — relations are resolved separately. This is the
+    hot path for object reads/writes.
+    """
+    row = db.conn().execute(
+        "SELECT * FROM object_schemas WHERE app = ? AND name = ?", (app, name)
+    ).fetchone()
+    if row is None:
+        if required:
+            raise not_found(f"No object type named '{name}'. Define it first.")
+        return None
+    return {
+        "name": row["name"],
+        "fields": json.loads(row["fields"]),
+        "created_at": row["created_at"],
+        "updated_at": row["updated_at"],
+    }
+
+
+# --- full type documents (the agent-facing schema surface) --------------------
+
+
+def get_type_doc(app, name, required=False):
+    """The full schema document for one type: fields + relations + inverses."""
+    base = get_object_schema(app, name, required=required)
+    if base is None:
+        return None
+    relations, inverse = assoc.schema_relations(app, name)
+    return {
+        "name": base["name"],
+        "fields": base["fields"],
+        "relations": relations,
+        "inverse_relations": inverse,
+        "created_at": base["created_at"],
+        "updated_at": base["updated_at"],
+    }
+
+
+def list_type_docs(app):
+    rows = db.conn().execute(
+        "SELECT name FROM object_schemas WHERE app = ? ORDER BY name", (app,)
+    ).fetchall()
+    return [get_type_doc(app, r["name"], required=True) for r in rows]
+
+
+def upsert_type(app, name, fields=None, relations=None, merge=False):
+    """Create or update a type from a schema document, within ``app``.
+
+    ``fields`` / ``relations`` that are ``None`` (absent from the request) are
+    left untouched, so a partial edit is natural. When present:
+
+      * ``merge=True``  — add/update the given fields/relations, drop nothing.
+      * ``merge=False`` — replace: fields become exactly the given map; relations
+        authored on this type become exactly the given set (omitted ones, and
+        their edges, are removed). Inverse relations (authored elsewhere) are
+        never affected.
+    """
+    _validate_type_name(name)
+    if relations is not None and not isinstance(relations, dict):
+        raise bad_request("'relations' must be an object mapping name -> definition.")
+
+    with db.transaction() as c:
+        existing = c.execute(
+            "SELECT * FROM object_schemas WHERE app = ? AND name = ?", (app, name)
+        ).fetchone()
+        ts = now_iso()
+
+        # --- fields ---
+        if fields is not None:
+            new_fields = normalize_fields(fields)
+            if existing and merge:
+                final = dict(json.loads(existing["fields"]))
+                final.update(new_fields)
+            else:
+                final = new_fields
+        else:
+            final = json.loads(existing["fields"]) if existing else {}
+
+        if existing:
+            c.execute(
+                "UPDATE object_schemas SET fields = ?, updated_at = ? "
+                "WHERE app = ? AND name = ?",
+                (json.dumps(final), ts, app, name),
+            )
+        else:
+            c.execute(
+                "INSERT INTO object_schemas (app, name, fields, created_at, updated_at) "
+                "VALUES (?, ?, ?, ?, ?)",
+                (app, name, json.dumps(final), ts, ts),
+            )
+
+        # --- relations ---
+        touched = {name}
+        if relations is not None:
+            for key, raw in relations.items():
+                d = assoc.upsert_relation(c, app, name, key, raw)
+                touched.add(d["to_type"])
+            if not merge:
+                assoc.prune_forward_relations(c, app, name, set(relations.keys()))
+
+        # Field names and relation names share the object body namespace, so they
+        # must not collide on any affected type.
+        for t in touched:
+            _assert_no_collisions(c, app, t)
+
+    return get_type_doc(app, name, required=True)
+
+
+def _assert_no_collisions(c, app, type_name):
+    row = c.execute(
+        "SELECT fields FROM object_schemas WHERE app = ? AND name = ?", (app, type_name)
+    ).fetchone()
+    if row is None:
+        return
+    field_keys = set(json.loads(row["fields"]).keys())
+    seen = set()
+    for v in assoc.relation_views(app, type_name, c):
+        k = v["key"]
+        if k in field_keys:
+            raise bad_request(
+                f"Relation '{k}' on type '{type_name}' collides with a field of the "
+                "same name. Rename one of them."
+            )
+        if k in seen:
+            raise bad_request(
+                f"Type '{type_name}' ends up with two relations named '{k}'. "
+                "Give the inverse a distinct name."
+            )
+        seen.add(k)
+
+
+def delete_type(app, name):
+    """Delete a type, its own objects, and every edge touching those objects.
+
+    Neighbor objects of *other* types are never deleted — only the relationship
+    metadata and the edge rows go. Relations where this type was an endpoint are
+    removed from the other types' schemas too. Scoped to ``app``.
+    """
+    with db.transaction() as c:
+        row = c.execute(
+            "SELECT * FROM object_schemas WHERE app = ? AND name = ?", (app, name)
+        ).fetchone()
+        if row is None:
+            raise not_found(f"No object type named '{name}'.")
+
+        guids = [
+            r["guid"] for r in c.execute(
+                "SELECT guid FROM objects WHERE app = ? AND object_type = ?", (app, name)
+            ).fetchall()
+        ]
+        if guids:
+            qmarks = ",".join("?" * len(guids))
+            c.execute(f"DELETE FROM objects WHERE app = ? AND guid IN ({qmarks})",
+                      [app, *guids])
+
+        # Drop relationships (and their edges) where this type is an endpoint;
+        # this also clears any edges from this type's objects to neighbors.
+        assoc.delete_relations_touching_type(c, app, name)
+        c.execute("DELETE FROM object_schemas WHERE app = ? AND name = ?", (app, name))
+
+    return {"deleted": name, "objects_removed": len(guids)}

morphdb/server.py

@@ -0,0 +1,194 @@
+"""Dependency-free HTTP server built on the standard library.
+
+ThreadingHTTPServer + a small dispatch shim. Every response carries permissive
+CORS headers so browser frontends served from any origin (file://, a Vite dev
+server, etc.) can call the API directly. All DB access is serialized by a lock
+in :mod:`morphdb.db`, so threaded request handling is safe.
+"""
+
+import json
+import os
+import sys
+import traceback
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from urllib.parse import parse_qs, urlparse
+
+from . import db
+from .errors import ApiError
+from .router import Request
+from .routes import router
+
+MAX_BODY = 16 * 1024 * 1024  # 16 MB cap to avoid runaway memory on bad input
+_BODY_METHODS = ("POST", "PUT", "PATCH", "DELETE")
+
+
+class Handler(BaseHTTPRequestHandler):
+    server_version = "MorphDB/0.1"
+    protocol_version = "HTTP/1.1"  # keep-alive; requires correct Content-Length
+
+    # -- helpers --------------------------------------------------------------
+
+    def _set_cors(self):
+        self.send_header("Access-Control-Allow-Origin", "*")
+        self.send_header("Access-Control-Allow-Methods",
+                         "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+        self.send_header("Access-Control-Allow-Headers",
+                         "Content-Type, Authorization, X-App-Key")
+        self.send_header("Access-Control-Max-Age", "86400")
+
+    def _send_json(self, status, payload):
+        try:
+            body = json.dumps(payload, default=str, allow_nan=False).encode("utf-8")
+        except (TypeError, ValueError):
+            status = 500
+            body = json.dumps(
+                {"error": {"code": "serialization_error",
+                           "message": "Result was not JSON-serializable."}}
+            ).encode("utf-8")
+        self.send_response(status)
+        self.send_header("Content-Type", "application/json; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        # If we decided to close the connection (e.g. an unread body), tell the
+        # client so it doesn't reuse a desynced keep-alive socket.
+        if getattr(self, "close_connection", False):
+            self.send_header("Connection", "close")
+        self._set_cors()
+        self.end_headers()
+        if self.command != "HEAD":
+            try:
+                self.wfile.write(body)
+            except BrokenPipeError:
+                pass
+
+    def _read_raw_body(self):
+        """Read (drain) the request body for ANY method and return the bytes.
+
+        Draining regardless of method is essential: an unread body on a
+        keep-alive connection would be misparsed as the next request.
+        """
+        te = self.headers.get("Transfer-Encoding", "")
+        if te and te.strip().lower() != "identity":
+            # We don't decode chunked bodies; we also can't know their length to
+            # drain them, so close the connection to avoid a keep-alive desync.
+            self.close_connection = True
+            raise ApiError(400, "bad_request",
+                           "Transfer-Encoding is not supported; send a body with "
+                           "Content-Length.")
+        length = self.headers.get("Content-Length")
+        if not length:
+            return b""
+        try:
+            n = int(length)
+        except ValueError:
+            # We cannot know how many bytes to drain — close to avoid desyncing
+            # the next request on a keep-alive connection.
+            self.close_connection = True
+            raise ApiError(400, "bad_request", "Invalid Content-Length header.")
+        if n < 0:
+            # A negative length is invalid and leaves the body undrained; close
+            # the connection so leftover bytes can't be misread as the next req.
+            self.close_connection = True
+            raise ApiError(400, "bad_request", "Invalid Content-Length header.")
+        if n == 0:
+            return b""
+        if n > MAX_BODY:
+            # Don't read a potentially huge body; close the connection so the
+            # unread bytes can't be misread as the next request.
+            self.close_connection = True
+            raise ApiError(413, "payload_too_large",
+                           f"Request body exceeds {MAX_BODY} bytes.")
+        return self.rfile.read(n)
+
+    def _parse_body(self, raw):
+        if not raw:
+            return {}
+        try:
+            return json.loads(raw.decode("utf-8"))
+        except (json.JSONDecodeError, UnicodeDecodeError, RecursionError,
+                ValueError) as e:
+            # Body was fully read, so the connection stays in sync.
+            raise ApiError(400, "bad_request", f"Invalid JSON body: {e}")
+
+    # -- dispatch -------------------------------------------------------------
+
+    def _dispatch(self):
+        # Always drain the body first, for every method, so a stray body on a
+        # GET/HEAD/OPTIONS request cannot desync a reused keep-alive connection.
+        try:
+            raw = self._read_raw_body()
+        except ApiError as e:
+            self._send_json(e.status, e.to_dict())
+            return
+
+        if self.command == "OPTIONS":
+            self.send_response(204)
+            self._set_cors()
+            self.send_header("Content-Length", "0")
+            if getattr(self, "close_connection", False):
+                self.send_header("Connection", "close")
+            self.end_headers()
+            return
+
+        parsed = urlparse(self.path)
+        path = parsed.path
+        query = {
+            k: v[-1]
+            for k, v in parse_qs(parsed.query, keep_blank_values=True).items()
+        }
+
+        try:
+            body = self._parse_body(raw) if self.command in _BODY_METHODS else {}
+            handler, params, path_matched = router.match(self.command, path)
+            if handler is None:
+                if path_matched:
+                    raise ApiError(405, "method_not_allowed",
+                                   f"{self.command} not allowed on {path}.")
+                raise ApiError(404, "not_found",
+                               f"No route for {self.command} {path}. See GET /help.")
+            req = Request(self.command, path, params, query, body, self.headers)
+            result = handler(req)
+            status, payload = result if isinstance(result, tuple) else (200, result)
+            self._send_json(status, payload)
+        except ApiError as e:
+            self._send_json(e.status, e.to_dict())
+        except BrokenPipeError:
+            pass
+        except Exception as e:  # noqa: BLE001 — last-resort guard
+            traceback.print_exc()
+            self._send_json(
+                500, {"error": {"code": "internal_error", "message": str(e)}}
+            )
+
+    do_GET = _dispatch
+    do_POST = _dispatch
+    do_PUT = _dispatch
+    do_PATCH = _dispatch
+    do_DELETE = _dispatch
+    do_OPTIONS = _dispatch
+    do_HEAD = _dispatch
+
+    def log_message(self, fmt, *args):
+        if os.environ.get("MORPHDB_QUIET"):
+            return
+        sys.stderr.write("[morphdb] %s %s\n" % (self.address_string(), fmt % args))
+
+
+class MorphServer(ThreadingHTTPServer):
+    daemon_threads = True
+    allow_reuse_address = True
+
+
+def serve(host="127.0.0.1", port=8787, db_path="morphdb.sqlite3"):
+    db.init_db(db_path)
+    httpd = MorphServer((host, port), Handler)
+    sys.stderr.write(
+        f"MorphDB v{__import__('morphdb').__version__} listening on "
+        f"http://{host}:{port}  (db: {db_path})\n"
+        f"Try:  curl http://{host}:{port}/help\n"
+    )
+    try:
+        httpd.serve_forever()
+    except KeyboardInterrupt:
+        sys.stderr.write("\n[morphdb] shutting down\n")
+    finally:
+        httpd.server_close()

morphdb/util.py

@@ -0,0 +1,19 @@
+"""Small shared helpers."""
+
+import uuid
+from datetime import datetime, timezone
+
+
+def now_iso():
+    """Current UTC time as an ISO-8601 string with a trailing Z."""
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+
+
+def new_guid(object_type):
+    """A globally unique id, prefixed with a slug of the type for readability.
+
+    e.g. ``task_3f1c9a0b8e7d4f...``. The prefix is cosmetic; the uuid carries
+    the uniqueness. Non-alphanumeric chars in the type are stripped.
+    """
+    slug = "".join(c for c in str(object_type).lower() if c.isalnum())[:16] or "obj"
+    return f"{slug}_{uuid.uuid4().hex}"