PyPI - remdb - Versions diffs - 0.3.127__py3-none-any.whl → 0.3.172__py3-none-any.whl - Mend

remdb 0.3.127py3-none-any.whl → 0.3.172py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of remdb might be problematic. Click here for more details.

Files changed (62) hide show

rem/agentic/agents/__init__.py +16 -0
rem/agentic/agents/agent_manager.py +311 -0
rem/agentic/context.py +81 -3
rem/agentic/context_builder.py +36 -9
rem/agentic/mcp/tool_wrapper.py +132 -15
rem/agentic/providers/phoenix.py +371 -108
rem/agentic/providers/pydantic_ai.py +163 -45
rem/agentic/schema.py +8 -4
rem/api/deps.py +3 -5
rem/api/main.py +22 -3
rem/api/mcp_router/resources.py +15 -10
rem/api/mcp_router/server.py +2 -0
rem/api/mcp_router/tools.py +94 -2
rem/api/middleware/tracking.py +5 -5
rem/api/routers/auth.py +349 -6
rem/api/routers/chat/completions.py +5 -3
rem/api/routers/chat/streaming.py +95 -22
rem/api/routers/messages.py +24 -15
rem/auth/__init__.py +13 -3
rem/auth/jwt.py +352 -0
rem/auth/middleware.py +115 -10
rem/auth/providers/__init__.py +4 -1
rem/auth/providers/email.py +215 -0
rem/cli/commands/configure.py +3 -4
rem/cli/commands/experiments.py +226 -50
rem/cli/commands/session.py +336 -0
rem/cli/dreaming.py +2 -2
rem/cli/main.py +2 -0
rem/models/core/experiment.py +58 -14
rem/models/entities/__init__.py +4 -0
rem/models/entities/ontology.py +1 -1
rem/models/entities/ontology_config.py +1 -1
rem/models/entities/subscriber.py +175 -0
rem/models/entities/user.py +1 -0
rem/schemas/agents/core/agent-builder.yaml +235 -0
rem/schemas/agents/examples/contract-analyzer.yaml +1 -1
rem/schemas/agents/examples/contract-extractor.yaml +1 -1
rem/schemas/agents/examples/cv-parser.yaml +1 -1
rem/services/__init__.py +3 -1
rem/services/content/service.py +4 -3
rem/services/email/__init__.py +10 -0
rem/services/email/service.py +513 -0
rem/services/email/templates.py +360 -0
rem/services/postgres/README.md +38 -0
rem/services/postgres/diff_service.py +19 -3
rem/services/postgres/pydantic_to_sqlalchemy.py +45 -13
rem/services/postgres/repository.py +5 -4
rem/services/session/compression.py +113 -50
rem/services/session/reload.py +14 -7
rem/services/user_service.py +41 -9
rem/settings.py +292 -5
rem/sql/migrations/001_install.sql +1 -1
rem/sql/migrations/002_install_models.sql +91 -91
rem/sql/migrations/005_schema_update.sql +145 -0
rem/utils/README.md +45 -0
rem/utils/files.py +157 -1
rem/utils/schema_loader.py +45 -7
rem/utils/vision.py +1 -1
{remdb-0.3.127.dist-info → remdb-0.3.172.dist-info}/METADATA +7 -5
{remdb-0.3.127.dist-info → remdb-0.3.172.dist-info}/RECORD +62 -52
{remdb-0.3.127.dist-info → remdb-0.3.172.dist-info}/WHEEL +0 -0
{remdb-0.3.127.dist-info → remdb-0.3.172.dist-info}/entry_points.txt +0 -0

rem/auth/middleware.py CHANGED Viewed

@@ -1,17 +1,28 @@
 """
-OAuth Authentication Middleware for FastAPI.
+Authentication Middleware for FastAPI.
-Protects API endpoints by requiring valid session.
-Supports anonymous access with rate limiting when allow_anonymous=True.
+Protects API endpoints by requiring valid authentication.
+Supports multiple auth methods: JWT, API Key, Session, Dev Token.
+Anonymous access with rate limiting when allow_anonymous=True.
 MCP endpoints are always protected unless explicitly disabled.
 Design Pattern:
-- Check session for user on protected paths
-- Check Bearer token for dev token (non-production only)
+- API Key (X-API-Key): Access control guardrail, NOT user identity
+- JWT (Authorization: Bearer): Primary method for user identity
+- Dev token: Non-production testing (starts with "dev_")
+- Session: Backward compatibility for browser-based auth
 - MCP paths always require authentication (protected service)
-- If allow_anonymous=True: Allow unauthenticated requests (marked as ANONYMOUS tier)
-- If allow_anonymous=False: Return 401 for API calls, redirect browsers to login
-- Exclude auth endpoints and public paths
+Authentication Flow:
+1. If API key enabled: Validate X-API-Key header (access gate)
+2. Check JWT token for user identity (primary)
+3. Check dev token for testing (non-production only)
+4. Check session for user (backward compatibility)
+5. If allow_anonymous=True: Allow as anonymous (rate-limited)
+6. If allow_anonymous=False: Return 401 / redirect to login
+IMPORTANT: API key validates ACCESS, JWT identifies USER.
+Both can be required: API key for access + JWT for user identity.
 Access Modes (configured in settings.auth):
 - enabled=true, allow_anonymous=true: Auth available, anonymous gets rate-limited access
@@ -20,6 +31,11 @@ Access Modes (configured in settings.auth):
 - mcp_requires_auth=true (default): MCP always requires login regardless of allow_anonymous
 - mcp_requires_auth=false: MCP follows normal allow_anonymous rules (dev only)
+API Key Authentication (configured in settings.api):
+- api_key_enabled=true: Require X-API-Key header for access
+- api_key: The secret key to validate against
+- API key is an ACCESS GATE, not user identity - JWT still needed for user
 Dev Token Support (non-production only):
 - GET /api/auth/dev/token returns a Bearer token for test-user
 - Include as: Authorization: Bearer dev_<signature>
@@ -82,6 +98,67 @@ class AuthMiddleware(BaseHTTPMiddleware):
         self.mcp_requires_auth = mcp_requires_auth
         self.mcp_path = mcp_path
+    def _check_api_key(self, request: Request) -> dict | None:
+        """
+        Check for valid X-API-Key header.
+        Returns:
+            API key user dict if valid, None otherwise
+        """
+        # Only check if API key auth is enabled
+        if not settings.api.api_key_enabled:
+            return None
+        # Check for X-API-Key header
+        api_key = request.headers.get("x-api-key")
+        if not api_key:
+            return None
+        # Validate against configured API key
+        if settings.api.api_key and api_key == settings.api.api_key:
+            logger.debug("X-API-Key authenticated")
+            return {
+                "id": "api-key-user",
+                "email": "api@rem.local",
+                "name": "API Key User",
+                "provider": "api-key",
+                "tenant_id": "default",
+                "tier": "pro",  # API key users get full access
+                "roles": ["user"],
+            }
+        # Invalid API key
+        logger.warning("Invalid X-API-Key provided")
+        return None
+    def _check_jwt_token(self, request: Request) -> dict | None:
+        """
+        Check for valid JWT in Authorization header.
+        Returns:
+            User dict if valid JWT, None otherwise
+        """
+        auth_header = request.headers.get("authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return None
+        token = auth_header[7:]  # Strip "Bearer "
+        # Skip dev tokens (handled separately)
+        if token.startswith("dev_"):
+            return None
+        # Verify JWT token
+        from .jwt import get_jwt_service
+        jwt_service = get_jwt_service()
+        user = jwt_service.verify_token(token)
+        if user:
+            logger.debug(f"JWT authenticated: {user.get('email')}")
+            return user
+        return None
     def _check_dev_token(self, request: Request) -> dict | None:
         """
         Check for valid dev token in Authorization header (non-production only).
@@ -105,7 +182,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
         # Verify dev token
         from ..api.routers.dev import verify_dev_token
         if verify_dev_token(token):
-            logger.debug(f"Dev token authenticated as test-user")
+            logger.debug("Dev token authenticated as test-user")
             return {
                 "id": "test-user",
                 "email": "test@rem.local",
@@ -142,6 +219,34 @@ class AuthMiddleware(BaseHTTPMiddleware):
         if not is_protected or is_excluded:
             return await call_next(request)
+        # API key validation (access control, not user identity)
+        # API key is a guardrail for access - JWT identifies the actual user
+        if settings.api.api_key_enabled:
+            api_key = request.headers.get("x-api-key")
+            if not api_key:
+                logger.debug(f"Missing X-API-Key for: {path}")
+                return JSONResponse(
+                    status_code=401,
+                    content={"detail": "API key required. Include X-API-Key header."},
+                    headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
+                )
+            if api_key != settings.api.api_key:
+                logger.warning(f"Invalid X-API-Key for: {path}")
+                return JSONResponse(
+                    status_code=401,
+                    content={"detail": "Invalid API key"},
+                    headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
+                )
+            logger.debug("X-API-Key validated for access")
+            # API key valid - continue to check JWT for user identity
+        # Check for JWT token in Authorization header (primary user identity)
+        jwt_user = self._check_jwt_token(request)
+        if jwt_user:
+            request.state.user = jwt_user
+            request.state.is_anonymous = False
+            return await call_next(request)
         # Check for dev token (non-production only)
         dev_user = self._check_dev_token(request)
         if dev_user:
@@ -149,7 +254,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             request.state.is_anonymous = False
             return await call_next(request)
-        # Check for valid session
+        # Check for valid session (backward compatibility)
         user = request.session.get("user")
         if user:

rem/auth/providers/__init__.py CHANGED Viewed

@@ -1,6 +1,7 @@
-"""OAuth provider implementations."""
+"""Authentication provider implementations."""
 from .base import OAuthProvider, OAuthTokens, OAuthUserInfo
+from .email import EmailAuthProvider, EmailAuthResult
 from .google import GoogleOAuthProvider
 from .microsoft import MicrosoftOAuthProvider
@@ -8,6 +9,8 @@ __all__ = [
     "OAuthProvider",
     "OAuthTokens",
     "OAuthUserInfo",
+    "EmailAuthProvider",
+    "EmailAuthResult",
     "GoogleOAuthProvider",
     "MicrosoftOAuthProvider",
 ]

rem/auth/providers/email.py ADDED Viewed

@@ -0,0 +1,215 @@
+"""
+Email Authentication Provider.
+Passwordless authentication using email verification codes.
+Unlike OAuth providers, this handles the full flow internally.
+Flow:
+1. User requests login with email address
+2. System generates code, upserts user, sends email
+3. User enters code
+4. System verifies code and creates session
+Design:
+- Uses EmailService for sending codes
+- Creates users with deterministic UUID from email hash
+- Stores challenge in user metadata
+- No external OAuth dependencies
+"""
+from typing import TYPE_CHECKING
+from pydantic import BaseModel, Field
+from loguru import logger
+from ...services.email import EmailService
+if TYPE_CHECKING:
+    from ...services.postgres import PostgresService
+class EmailAuthResult(BaseModel):
+    """Result of email authentication operations."""
+    success: bool = Field(description="Whether operation succeeded")
+    email: str = Field(description="Email address")
+    user_id: str | None = Field(default=None, description="User ID if authenticated")
+    error: str | None = Field(default=None, description="Error message if failed")
+    message: str | None = Field(default=None, description="User-friendly message")
+class EmailAuthProvider:
+    """
+    Email-based passwordless authentication provider.
+    Handles the complete email login flow:
+    1. send_code() - Generate and send verification code
+    2. verify_code() - Verify code and return user info
+    """
+    def __init__(
+        self,
+        email_service: EmailService | None = None,
+        template_kwargs: dict | None = None,
+    ):
+        """
+        Initialize EmailAuthProvider.
+        Args:
+            email_service: EmailService instance (creates new one if not provided)
+            template_kwargs: Customization for email templates (colors, branding, etc.)
+        """
+        self._email_service = email_service or EmailService()
+        self._template_kwargs = template_kwargs or {}
+    @property
+    def is_configured(self) -> bool:
+        """Check if email auth is properly configured."""
+        return self._email_service.is_configured
+    async def send_code(
+        self,
+        email: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Send a verification code to an email address.
+        Creates user if not exists (using deterministic UUID from email).
+        Stores code in user metadata.
+        Args:
+            email: Email address to send code to
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+        Returns:
+            EmailAuthResult with success status
+        """
+        if not self.is_configured:
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error="Email service not configured",
+                message="Email login is not available. Please try another method.",
+            )
+        try:
+            result = await self._email_service.send_login_code(
+                email=email,
+                db=db,
+                tenant_id=tenant_id,
+                template_kwargs=self._template_kwargs,
+            )
+            if result["success"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message=f"Verification code sent to {email}. Check your inbox.",
+                )
+            else:
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=result.get("error", "Failed to send code"),
+                    message="Failed to send verification code. Please try again.",
+                )
+        except Exception as e:
+            logger.error(f"Error sending login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+    async def verify_code(
+        self,
+        email: str,
+        code: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Verify a login code and authenticate user.
+        Args:
+            email: Email address
+            code: 6-digit verification code
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+        Returns:
+            EmailAuthResult with user_id if successful
+        """
+        try:
+            result = await self._email_service.verify_login_code(
+                email=email,
+                code=code,
+                db=db,
+                tenant_id=tenant_id,
+            )
+            if result["valid"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message="Successfully authenticated!",
+                )
+            else:
+                error = result.get("error", "Invalid code")
+                # User-friendly error messages
+                if error == "Login code expired":
+                    message = "Your code has expired. Please request a new one."
+                elif error == "Invalid login code":
+                    message = "Invalid code. Please check and try again."
+                elif error == "No login code requested":
+                    message = "No code was requested for this email. Please request a new code."
+                elif error == "User not found":
+                    message = "Email not found. Please request a login code first."
+                else:
+                    message = "Verification failed. Please try again."
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=error,
+                    message=message,
+                )
+        except Exception as e:
+            logger.error(f"Error verifying login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+    def get_user_dict(self, email: str, user_id: str) -> dict:
+        """
+        Create a user dict for session storage.
+        Compatible with OAuth user format for consistent session handling.
+        Args:
+            email: User's email
+            user_id: User's UUID
+        Returns:
+            User dict for session
+        """
+        return {
+            "id": user_id,
+            "email": email,
+            "email_verified": True,  # Email is verified through code
+            "name": email.split("@")[0],  # Use email prefix as name
+            "provider": "email",
+            "tenant_id": "default",
+            "tier": "free",  # Email users start at free tier
+            "roles": ["user"],
+        }

rem/cli/commands/configure.py CHANGED Viewed

@@ -110,7 +110,7 @@ def prompt_llm_config(use_defaults: bool = False) -> dict:
     config = {}
     # Default values
-    default_model = "anthropic:claude-sonnet-4-5-20250929"
+    default_model = "openai:gpt-4.1"
     default_temperature = 0.5
     if use_defaults:
@@ -124,9 +124,9 @@ def prompt_llm_config(use_defaults: bool = False) -> dict:
         # Default model
         click.echo("\nDefault LLM model (format: provider:model-id)")
         click.echo("Examples:")
+        click.echo("  - openai:gpt-4.1")
         click.echo("  - anthropic:claude-sonnet-4-5-20250929")
-        click.echo("  - openai:gpt-4o")
-        click.echo("  - openai:gpt-4o-mini")
+        click.echo("  - openai:gpt-4.1-mini")
         config["default_model"] = click.prompt(
             "Default model", default=default_model
@@ -422,7 +422,6 @@ def configure_command(install: bool, claude_desktop: bool, show: bool, edit: boo
         try:
             import shutil
-            from pathlib import Path
             from fastmcp.mcp_config import update_config_file, StdioMCPServer
             # Find Claude Desktop config path

remdb 0.3.127__py3-none-any.whl → 0.3.172__py3-none-any.whl

Potentially problematic release.

remdb 0.3.127py3-none-any.whl → 0.3.172py3-none-any.whl