remdb 0.3.133__py3-none-any.whl → 0.3.171__py3-none-any.whl

rem/auth/middleware.py

@@ -1,17 +1,28 @@
 """
-OAuth Authentication Middleware for FastAPI.
+Authentication Middleware for FastAPI.
 
-Protects API endpoints by requiring valid session.
-Supports anonymous access with rate limiting when allow_anonymous=True.
+Protects API endpoints by requiring valid authentication.
+Supports multiple auth methods: JWT, API Key, Session, Dev Token.
+Anonymous access with rate limiting when allow_anonymous=True.
 MCP endpoints are always protected unless explicitly disabled.
 
 Design Pattern:
-- Check session for user on protected paths
-- Check Bearer token for dev token (non-production only)
+- API Key (X-API-Key): Access control guardrail, NOT user identity
+- JWT (Authorization: Bearer): Primary method for user identity
+- Dev token: Non-production testing (starts with "dev_")
+- Session: Backward compatibility for browser-based auth
 - MCP paths always require authentication (protected service)
-- If allow_anonymous=True: Allow unauthenticated requests (marked as ANONYMOUS tier)
-- If allow_anonymous=False: Return 401 for API calls, redirect browsers to login
-- Exclude auth endpoints and public paths
+
+Authentication Flow:
+1. If API key enabled: Validate X-API-Key header (access gate)
+2. Check JWT token for user identity (primary)
+3. Check dev token for testing (non-production only)
+4. Check session for user (backward compatibility)
+5. If allow_anonymous=True: Allow as anonymous (rate-limited)
+6. If allow_anonymous=False: Return 401 / redirect to login
+
+IMPORTANT: API key validates ACCESS, JWT identifies USER.
+Both can be required: API key for access + JWT for user identity.
 
 Access Modes (configured in settings.auth):
 - enabled=true, allow_anonymous=true: Auth available, anonymous gets rate-limited access
@@ -20,6 +31,11 @@ Access Modes (configured in settings.auth):
 - mcp_requires_auth=true (default): MCP always requires login regardless of allow_anonymous
 - mcp_requires_auth=false: MCP follows normal allow_anonymous rules (dev only)
 
+API Key Authentication (configured in settings.api):
+- api_key_enabled=true: Require X-API-Key header for access
+- api_key: The secret key to validate against
+- API key is an ACCESS GATE, not user identity - JWT still needed for user
+
 Dev Token Support (non-production only):
 - GET /api/auth/dev/token returns a Bearer token for test-user
 - Include as: Authorization: Bearer dev_<signature>
@@ -82,6 +98,67 @@ class AuthMiddleware(BaseHTTPMiddleware):
         self.mcp_requires_auth = mcp_requires_auth
         self.mcp_path = mcp_path
 
+    def _check_api_key(self, request: Request) -> dict | None:
+        """
+        Check for valid X-API-Key header.
+
+        Returns:
+            API key user dict if valid, None otherwise
+        """
+        # Only check if API key auth is enabled
+        if not settings.api.api_key_enabled:
+            return None
+
+        # Check for X-API-Key header
+        api_key = request.headers.get("x-api-key")
+        if not api_key:
+            return None
+
+        # Validate against configured API key
+        if settings.api.api_key and api_key == settings.api.api_key:
+            logger.debug("X-API-Key authenticated")
+            return {
+                "id": "api-key-user",
+                "email": "api@rem.local",
+                "name": "API Key User",
+                "provider": "api-key",
+                "tenant_id": "default",
+                "tier": "pro",  # API key users get full access
+                "roles": ["user"],
+            }
+
+        # Invalid API key
+        logger.warning("Invalid X-API-Key provided")
+        return None
+
+    def _check_jwt_token(self, request: Request) -> dict | None:
+        """
+        Check for valid JWT in Authorization header.
+
+        Returns:
+            User dict if valid JWT, None otherwise
+        """
+        auth_header = request.headers.get("authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return None
+
+        token = auth_header[7:]  # Strip "Bearer "
+
+        # Skip dev tokens (handled separately)
+        if token.startswith("dev_"):
+            return None
+
+        # Verify JWT token
+        from .jwt import get_jwt_service
+        jwt_service = get_jwt_service()
+        user = jwt_service.verify_token(token)
+
+        if user:
+            logger.debug(f"JWT authenticated: {user.get('email')}")
+            return user
+
+        return None
+
     def _check_dev_token(self, request: Request) -> dict | None:
         """
         Check for valid dev token in Authorization header (non-production only).
@@ -105,7 +182,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
         # Verify dev token
         from ..api.routers.dev import verify_dev_token
         if verify_dev_token(token):
-            logger.debug(f"Dev token authenticated as test-user")
+            logger.debug("Dev token authenticated as test-user")
             return {
                 "id": "test-user",
                 "email": "test@rem.local",
@@ -142,6 +219,34 @@ class AuthMiddleware(BaseHTTPMiddleware):
         if not is_protected or is_excluded:
             return await call_next(request)
 
+        # API key validation (access control, not user identity)
+        # API key is a guardrail for access - JWT identifies the actual user
+        if settings.api.api_key_enabled:
+            api_key = request.headers.get("x-api-key")
+            if not api_key:
+                logger.debug(f"Missing X-API-Key for: {path}")
+                return JSONResponse(
+                    status_code=401,
+                    content={"detail": "API key required. Include X-API-Key header."},
+                    headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
+                )
+            if api_key != settings.api.api_key:
+                logger.warning(f"Invalid X-API-Key for: {path}")
+                return JSONResponse(
+                    status_code=401,
+                    content={"detail": "Invalid API key"},
+                    headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
+                )
+            logger.debug("X-API-Key validated for access")
+            # API key valid - continue to check JWT for user identity
+
+        # Check for JWT token in Authorization header (primary user identity)
+        jwt_user = self._check_jwt_token(request)
+        if jwt_user:
+            request.state.user = jwt_user
+            request.state.is_anonymous = False
+            return await call_next(request)
+
         # Check for dev token (non-production only)
         dev_user = self._check_dev_token(request)
         if dev_user:
@@ -149,7 +254,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             request.state.is_anonymous = False
             return await call_next(request)
 
-        # Check for valid session
+        # Check for valid session (backward compatibility)
         user = request.session.get("user")
 
         if user:

rem/auth/providers/__init__.py

@@ -1,6 +1,7 @@
-"""OAuth provider implementations."""
+"""Authentication provider implementations."""
 
 from .base import OAuthProvider, OAuthTokens, OAuthUserInfo
+from .email import EmailAuthProvider, EmailAuthResult
 from .google import GoogleOAuthProvider
 from .microsoft import MicrosoftOAuthProvider
 
@@ -8,6 +9,8 @@ __all__ = [
     "OAuthProvider",
     "OAuthTokens",
     "OAuthUserInfo",
+    "EmailAuthProvider",
+    "EmailAuthResult",
     "GoogleOAuthProvider",
     "MicrosoftOAuthProvider",
 ]

rem/auth/providers/email.py

@@ -0,0 +1,215 @@
+"""
+Email Authentication Provider.
+
+Passwordless authentication using email verification codes.
+Unlike OAuth providers, this handles the full flow internally.
+
+Flow:
+1. User requests login with email address
+2. System generates code, upserts user, sends email
+3. User enters code
+4. System verifies code and creates session
+
+Design:
+- Uses EmailService for sending codes
+- Creates users with deterministic UUID from email hash
+- Stores challenge in user metadata
+- No external OAuth dependencies
+"""
+
+from typing import TYPE_CHECKING
+from pydantic import BaseModel, Field
+from loguru import logger
+
+from ...services.email import EmailService
+
+if TYPE_CHECKING:
+    from ...services.postgres import PostgresService
+
+
+class EmailAuthResult(BaseModel):
+    """Result of email authentication operations."""
+
+    success: bool = Field(description="Whether operation succeeded")
+    email: str = Field(description="Email address")
+    user_id: str | None = Field(default=None, description="User ID if authenticated")
+    error: str | None = Field(default=None, description="Error message if failed")
+    message: str | None = Field(default=None, description="User-friendly message")
+
+
+class EmailAuthProvider:
+    """
+    Email-based passwordless authentication provider.
+
+    Handles the complete email login flow:
+    1. send_code() - Generate and send verification code
+    2. verify_code() - Verify code and return user info
+    """
+
+    def __init__(
+        self,
+        email_service: EmailService | None = None,
+        template_kwargs: dict | None = None,
+    ):
+        """
+        Initialize EmailAuthProvider.
+
+        Args:
+            email_service: EmailService instance (creates new one if not provided)
+            template_kwargs: Customization for email templates (colors, branding, etc.)
+        """
+        self._email_service = email_service or EmailService()
+        self._template_kwargs = template_kwargs or {}
+
+    @property
+    def is_configured(self) -> bool:
+        """Check if email auth is properly configured."""
+        return self._email_service.is_configured
+
+    async def send_code(
+        self,
+        email: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Send a verification code to an email address.
+
+        Creates user if not exists (using deterministic UUID from email).
+        Stores code in user metadata.
+
+        Args:
+            email: Email address to send code to
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with success status
+        """
+        if not self.is_configured:
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error="Email service not configured",
+                message="Email login is not available. Please try another method.",
+            )
+
+        try:
+            result = await self._email_service.send_login_code(
+                email=email,
+                db=db,
+                tenant_id=tenant_id,
+                template_kwargs=self._template_kwargs,
+            )
+
+            if result["success"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message=f"Verification code sent to {email}. Check your inbox.",
+                )
+            else:
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=result.get("error", "Failed to send code"),
+                    message="Failed to send verification code. Please try again.",
+                )
+
+        except Exception as e:
+            logger.error(f"Error sending login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    async def verify_code(
+        self,
+        email: str,
+        code: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Verify a login code and authenticate user.
+
+        Args:
+            email: Email address
+            code: 6-digit verification code
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with user_id if successful
+        """
+        try:
+            result = await self._email_service.verify_login_code(
+                email=email,
+                code=code,
+                db=db,
+                tenant_id=tenant_id,
+            )
+
+            if result["valid"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message="Successfully authenticated!",
+                )
+            else:
+                error = result.get("error", "Invalid code")
+                # User-friendly error messages
+                if error == "Login code expired":
+                    message = "Your code has expired. Please request a new one."
+                elif error == "Invalid login code":
+                    message = "Invalid code. Please check and try again."
+                elif error == "No login code requested":
+                    message = "No code was requested for this email. Please request a new code."
+                elif error == "User not found":
+                    message = "Email not found. Please request a login code first."
+                else:
+                    message = "Verification failed. Please try again."
+
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=error,
+                    message=message,
+                )
+
+        except Exception as e:
+            logger.error(f"Error verifying login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    def get_user_dict(self, email: str, user_id: str) -> dict:
+        """
+        Create a user dict for session storage.
+
+        Compatible with OAuth user format for consistent session handling.
+
+        Args:
+            email: User's email
+            user_id: User's UUID
+
+        Returns:
+            User dict for session
+        """
+        return {
+            "id": user_id,
+            "email": email,
+            "email_verified": True,  # Email is verified through code
+            "name": email.split("@")[0],  # Use email prefix as name
+            "provider": "email",
+            "tenant_id": "default",
+            "tier": "free",  # Email users start at free tier
+            "roles": ["user"],
+        }

rem/cli/commands/configure.py

@@ -110,7 +110,7 @@ def prompt_llm_config(use_defaults: bool = False) -> dict:
     config = {}
 
     # Default values
-    default_model = "anthropic:claude-sonnet-4-5-20250929"
+    default_model = "openai:gpt-4.1"
     default_temperature = 0.5
 
     if use_defaults:
@@ -124,9 +124,9 @@ def prompt_llm_config(use_defaults: bool = False) -> dict:
         # Default model
         click.echo("\nDefault LLM model (format: provider:model-id)")
         click.echo("Examples:")
+        click.echo("  - openai:gpt-4.1")
         click.echo("  - anthropic:claude-sonnet-4-5-20250929")
-        click.echo("  - openai:gpt-4o")
-        click.echo("  - openai:gpt-4o-mini")
+        click.echo("  - openai:gpt-4.1-mini")
 
         config["default_model"] = click.prompt(
             "Default model", default=default_model
@@ -422,7 +422,6 @@ def configure_command(install: bool, claude_desktop: bool, show: bool, edit: boo
 
         try:
             import shutil
-            from pathlib import Path
             from fastmcp.mcp_config import update_config_file, StdioMCPServer
 
             # Find Claude Desktop config path

rem/cli/commands/experiments.py

@@ -125,19 +125,17 @@ def create(
         # Resolve base path: CLI arg > EXPERIMENTS_HOME env var > default "experiments"
         if base_path is None:
             base_path = os.getenv("EXPERIMENTS_HOME", "experiments")
-        # Build dataset reference
+        # Build dataset reference (format auto-detected from file extension)
         if dataset_location == "git":
             dataset_ref = DatasetReference(
                 location=DatasetLocation.GIT,
                 path="ground-truth/dataset.csv",
-                format="csv",
                 description="Ground truth Q&A dataset for evaluation"
             )
         else:  # s3 or hybrid
             dataset_ref = DatasetReference(
                 location=DatasetLocation(dataset_location),
                 path=f"s3://rem-experiments/{name}/datasets/ground_truth.parquet",
-                format="parquet",
                 schema_path="datasets/schema.yaml" if dataset_location == "hybrid" else None,
                 description="Ground truth dataset for evaluation"
             )
@@ -915,58 +913,61 @@ def run(
                 click.echo(f"  Last error: {evaluator_load_error}")
             raise click.Abort()
 
-        # Load dataset using Polars
-        import polars as pl
+        # Validate evaluator credentials before running expensive agent tasks
+        if evaluator_fn is not None and not only_vibes:
+            from rem.agentic.providers.phoenix import validate_evaluator_credentials
+
+            click.echo("Validating evaluator credentials...")
+            is_valid, error_msg = validate_evaluator_credentials()
+            if not is_valid:
+                click.echo(click.style(f"\n⚠️  Evaluator validation failed: {error_msg}", fg="yellow"))
+                click.echo("\nOptions:")
+                click.echo("  1. Fix the credentials issue and re-run")
+                click.echo("  2. Run with --only-vibes to skip LLM evaluation")
+                click.echo("  3. Use --evaluator-model to specify a different model")
+                raise click.Abort()
+            click.echo("✓ Evaluator credentials validated")
+
+        # Load dataset using read_dataframe utility (auto-detects format from extension)
+        from rem.utils.files import read_dataframe
 
         click.echo(f"Loading dataset: {list(config.datasets.keys())[0]}")
         dataset_ref = list(config.datasets.values())[0]
 
-        if dataset_ref.location.value == "git":
-            # Load from Git (local filesystem)
-            dataset_path = Path(base_path) / name / dataset_ref.path
-            if not dataset_path.exists():
-                click.echo(f"Error: Dataset not found: {dataset_path}")
-                raise click.Abort()
+        try:
+            if dataset_ref.location.value == "git":
+                # Load from Git (local filesystem)
+                dataset_path = Path(base_path) / name / dataset_ref.path
+                if not dataset_path.exists():
+                    click.echo(f"Error: Dataset not found: {dataset_path}")
+                    raise click.Abort()
 
-            if dataset_ref.format == "csv":
-                dataset_df = pl.read_csv(dataset_path)
-            elif dataset_ref.format == "parquet":
-                dataset_df = pl.read_parquet(dataset_path)
-            elif dataset_ref.format == "jsonl":
-                dataset_df = pl.read_ndjson(dataset_path)
-            else:
-                click.echo(f"Error: Format '{dataset_ref.format}' not yet supported")
-                raise click.Abort()
-        elif dataset_ref.location.value in ["s3", "hybrid"]:
-            # Load from S3 using FS provider
-            from rem.services.fs import FS
-            from io import BytesIO
+                dataset_df = read_dataframe(dataset_path)
 
-            fs = FS()
-
-            try:
-                if dataset_ref.format == "csv":
-                    content = fs.read(dataset_ref.path)
-                    dataset_df = pl.read_csv(BytesIO(content.encode() if isinstance(content, str) else content))
-                elif dataset_ref.format == "parquet":
-                    content_bytes = fs.read(dataset_ref.path)
-                    dataset_df = pl.read_parquet(BytesIO(content_bytes if isinstance(content_bytes, bytes) else content_bytes.encode()))
-                elif dataset_ref.format == "jsonl":
-                    content = fs.read(dataset_ref.path)
-                    dataset_df = pl.read_ndjson(BytesIO(content.encode() if isinstance(content, str) else content))
-                else:
-                    click.echo(f"Error: Format '{dataset_ref.format}' not yet supported")
-                    raise click.Abort()
+            elif dataset_ref.location.value in ["s3", "hybrid"]:
+                # Load from S3 using FS provider
+                from rem.services.fs import FS
 
+                fs = FS()
+                content = fs.read(dataset_ref.path)
+                # Ensure we have bytes
+                if isinstance(content, str):
+                    content = content.encode()
+                dataset_df = read_dataframe(content, filename=dataset_ref.path)
                 click.echo(f"✓ Loaded dataset from S3")
-            except Exception as e:
-                logger.error(f"Failed to load dataset from S3: {e}")
-                click.echo(f"Error: Could not load dataset from S3")
-                click.echo(f"  Path: {dataset_ref.path}")
-                click.echo(f"  Format: {dataset_ref.format}")
+
+            else:
+                click.echo(f"Error: Unknown dataset location: {dataset_ref.location.value}")
                 raise click.Abort()
-        else:
-            click.echo(f"Error: Unknown dataset location: {dataset_ref.location.value}")
+
+        except ValueError as e:
+            # Unsupported format error from read_dataframe
+            click.echo(f"Error: {e}")
+            raise click.Abort()
+        except Exception as e:
+            logger.error(f"Failed to load dataset: {e}")
+            click.echo(f"Error: Could not load dataset")
+            click.echo(f"  Path: {dataset_ref.path}")
             raise click.Abort()
 
         click.echo(f"✓ Loaded dataset: {len(dataset_df)} examples")
@@ -1286,7 +1287,7 @@ def prompt():
 @click.option("--system-prompt", "-s", required=True, help="System prompt text")
 @click.option("--description", "-d", help="Prompt description")
 @click.option("--model-provider", default="OPENAI", help="Model provider (OPENAI, ANTHROPIC)")
-@click.option("--model-name", "-m", help="Model name (e.g., gpt-4o, claude-sonnet-4-5)")
+@click.option("--model-name", "-m", help="Model name (e.g., gpt-4.1, claude-sonnet-4-5)")
 @click.option("--type", "-t", "prompt_type", default="Agent", help="Prompt type (Agent or Evaluator)")
 def prompt_create(
     name: str,
@@ -1302,7 +1303,7 @@ def prompt_create(
         # Create agent prompt
         rem experiments prompt create hello-world \\
             --system-prompt "You are a helpful assistant." \\
-            --model-name gpt-4o
+            --model-name gpt-4.1
 
         # Create evaluator prompt
         rem experiments prompt create correctness-evaluator \\
@@ -1320,7 +1321,7 @@ def prompt_create(
     try:
         # Set default model if not specified
         if not model_name:
-            model_name = "gpt-4o" if model_provider == "OPENAI" else "claude-sonnet-4-5-20250929"
+            model_name = "gpt-4.1" if model_provider == "OPENAI" else "claude-sonnet-4-5-20250929"
 
         # Get config
         phoenix_client = PhoenixClient()