remdb 0.3.146__py3-none-any.whl → 0.3.163__py3-none-any.whl

rem/auth/middleware.py

@@ -1,14 +1,16 @@
 """
-OAuth Authentication Middleware for FastAPI.
+Authentication Middleware for FastAPI.
 
-Protects API endpoints by requiring valid session.
-Supports anonymous access with rate limiting when allow_anonymous=True.
+Protects API endpoints by requiring valid authentication.
+Supports multiple auth methods: JWT, API Key, Session, Dev Token.
+Anonymous access with rate limiting when allow_anonymous=True.
 MCP endpoints are always protected unless explicitly disabled.
 
 Design Pattern:
 - Check X-API-Key header first (if API key auth enabled)
+- Check JWT token in Authorization header (Bearer token)
+- Check dev token (non-production only, starts with "dev_")
 - Check session for user on protected paths
-- Check Bearer token for dev token (non-production only)
 - MCP paths always require authentication (protected service)
 - If allow_anonymous=True: Allow unauthenticated requests (marked as ANONYMOUS tier)
 - If allow_anonymous=False: Return 401 for API calls, redirect browsers to login
@@ -122,6 +124,34 @@ class AuthMiddleware(BaseHTTPMiddleware):
         logger.warning("Invalid X-API-Key provided")
         return None
 
+    def _check_jwt_token(self, request: Request) -> dict | None:
+        """
+        Check for valid JWT in Authorization header.
+
+        Returns:
+            User dict if valid JWT, None otherwise
+        """
+        auth_header = request.headers.get("authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return None
+
+        token = auth_header[7:]  # Strip "Bearer "
+
+        # Skip dev tokens (handled separately)
+        if token.startswith("dev_"):
+            return None
+
+        # Verify JWT token
+        from .jwt import get_jwt_service
+        jwt_service = get_jwt_service()
+        user = jwt_service.verify_token(token)
+
+        if user:
+            logger.debug(f"JWT authenticated: {user.get('email')}")
+            return user
+
+        return None
+
     def _check_dev_token(self, request: Request) -> dict | None:
         """
         Check for valid dev token in Authorization header (non-production only).
@@ -207,6 +237,13 @@ class AuthMiddleware(BaseHTTPMiddleware):
                 headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
             )
 
+        # Check for JWT token in Authorization header
+        jwt_user = self._check_jwt_token(request)
+        if jwt_user:
+            request.state.user = jwt_user
+            request.state.is_anonymous = False
+            return await call_next(request)
+
         # Check for dev token (non-production only)
         dev_user = self._check_dev_token(request)
         if dev_user:
@@ -214,7 +251,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             request.state.is_anonymous = False
             return await call_next(request)
 
-        # Check for valid session
+        # Check for valid session (backward compatibility)
         user = request.session.get("user")
 
         if user:

rem/auth/providers/__init__.py

@@ -1,6 +1,7 @@
-"""OAuth provider implementations."""
+"""Authentication provider implementations."""
 
 from .base import OAuthProvider, OAuthTokens, OAuthUserInfo
+from .email import EmailAuthProvider, EmailAuthResult
 from .google import GoogleOAuthProvider
 from .microsoft import MicrosoftOAuthProvider
 
@@ -8,6 +9,8 @@ __all__ = [
     "OAuthProvider",
     "OAuthTokens",
     "OAuthUserInfo",
+    "EmailAuthProvider",
+    "EmailAuthResult",
     "GoogleOAuthProvider",
     "MicrosoftOAuthProvider",
 ]

rem/auth/providers/email.py

@@ -0,0 +1,215 @@
+"""
+Email Authentication Provider.
+
+Passwordless authentication using email verification codes.
+Unlike OAuth providers, this handles the full flow internally.
+
+Flow:
+1. User requests login with email address
+2. System generates code, upserts user, sends email
+3. User enters code
+4. System verifies code and creates session
+
+Design:
+- Uses EmailService for sending codes
+- Creates users with deterministic UUID from email hash
+- Stores challenge in user metadata
+- No external OAuth dependencies
+"""
+
+from typing import TYPE_CHECKING
+from pydantic import BaseModel, Field
+from loguru import logger
+
+from ...services.email import EmailService
+
+if TYPE_CHECKING:
+    from ...services.postgres import PostgresService
+
+
+class EmailAuthResult(BaseModel):
+    """Result of email authentication operations."""
+
+    success: bool = Field(description="Whether operation succeeded")
+    email: str = Field(description="Email address")
+    user_id: str | None = Field(default=None, description="User ID if authenticated")
+    error: str | None = Field(default=None, description="Error message if failed")
+    message: str | None = Field(default=None, description="User-friendly message")
+
+
+class EmailAuthProvider:
+    """
+    Email-based passwordless authentication provider.
+
+    Handles the complete email login flow:
+    1. send_code() - Generate and send verification code
+    2. verify_code() - Verify code and return user info
+    """
+
+    def __init__(
+        self,
+        email_service: EmailService | None = None,
+        template_kwargs: dict | None = None,
+    ):
+        """
+        Initialize EmailAuthProvider.
+
+        Args:
+            email_service: EmailService instance (creates new one if not provided)
+            template_kwargs: Customization for email templates (colors, branding, etc.)
+        """
+        self._email_service = email_service or EmailService()
+        self._template_kwargs = template_kwargs or {}
+
+    @property
+    def is_configured(self) -> bool:
+        """Check if email auth is properly configured."""
+        return self._email_service.is_configured
+
+    async def send_code(
+        self,
+        email: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Send a verification code to an email address.
+
+        Creates user if not exists (using deterministic UUID from email).
+        Stores code in user metadata.
+
+        Args:
+            email: Email address to send code to
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with success status
+        """
+        if not self.is_configured:
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error="Email service not configured",
+                message="Email login is not available. Please try another method.",
+            )
+
+        try:
+            result = await self._email_service.send_login_code(
+                email=email,
+                db=db,
+                tenant_id=tenant_id,
+                template_kwargs=self._template_kwargs,
+            )
+
+            if result["success"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message=f"Verification code sent to {email}. Check your inbox.",
+                )
+            else:
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=result.get("error", "Failed to send code"),
+                    message="Failed to send verification code. Please try again.",
+                )
+
+        except Exception as e:
+            logger.error(f"Error sending login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    async def verify_code(
+        self,
+        email: str,
+        code: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Verify a login code and authenticate user.
+
+        Args:
+            email: Email address
+            code: 6-digit verification code
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with user_id if successful
+        """
+        try:
+            result = await self._email_service.verify_login_code(
+                email=email,
+                code=code,
+                db=db,
+                tenant_id=tenant_id,
+            )
+
+            if result["valid"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message="Successfully authenticated!",
+                )
+            else:
+                error = result.get("error", "Invalid code")
+                # User-friendly error messages
+                if error == "Login code expired":
+                    message = "Your code has expired. Please request a new one."
+                elif error == "Invalid login code":
+                    message = "Invalid code. Please check and try again."
+                elif error == "No login code requested":
+                    message = "No code was requested for this email. Please request a new code."
+                elif error == "User not found":
+                    message = "Email not found. Please request a login code first."
+                else:
+                    message = "Verification failed. Please try again."
+
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=error,
+                    message=message,
+                )
+
+        except Exception as e:
+            logger.error(f"Error verifying login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    def get_user_dict(self, email: str, user_id: str) -> dict:
+        """
+        Create a user dict for session storage.
+
+        Compatible with OAuth user format for consistent session handling.
+
+        Args:
+            email: User's email
+            user_id: User's UUID
+
+        Returns:
+            User dict for session
+        """
+        return {
+            "id": user_id,
+            "email": email,
+            "email_verified": True,  # Email is verified through code
+            "name": email.split("@")[0],  # Use email prefix as name
+            "provider": "email",
+            "tenant_id": "default",
+            "tier": "free",  # Email users start at free tier
+            "roles": ["user"],
+        }

rem/models/entities/__init__.py

@@ -39,6 +39,7 @@ from .shared_session import (
     SharedWithMeResponse,
     SharedWithMeSummary,
 )
+from .subscriber import Subscriber, SubscriberOrigin, SubscriberStatus
 from .user import User, UserTier
 
 __all__ = [
@@ -56,6 +57,9 @@ __all__ = [
     "FeedbackCategory",
     "User",
     "UserTier",
+    "Subscriber",
+    "SubscriberStatus",
+    "SubscriberOrigin",
     "File",
     "Moment",
     "Schema",

rem/models/entities/subscriber.py

@@ -0,0 +1,175 @@
+"""
+Subscriber - Email subscription management.
+
+This model stores subscribers who sign up via websites/apps.
+Subscribers can be collected before user registration for newsletters,
+updates, and approval-based access control.
+
+Key features:
+- Deterministic UUID from email (same email = same ID)
+- Approval workflow for access control
+- Tags for segmentation
+- Origin tracking for analytics
+"""
+
+import uuid
+from datetime import datetime, timezone
+from enum import Enum
+from typing import Optional
+
+from pydantic import Field, EmailStr, model_validator
+
+from ..core import CoreModel
+
+
+class SubscriberStatus(str, Enum):
+    """Subscription status."""
+
+    ACTIVE = "active"           # Actively subscribed
+    UNSUBSCRIBED = "unsubscribed"  # User unsubscribed
+    BOUNCED = "bounced"         # Email bounced
+    PENDING = "pending"         # Pending confirmation (if double opt-in)
+
+
+class SubscriberOrigin(str, Enum):
+    """Where the subscription originated from."""
+
+    WEBSITE = "website"         # Main website subscribe form
+    LANDING_PAGE = "landing_page"  # Campaign landing page
+    APP = "app"                 # In-app subscription
+    IMPORT = "import"           # Bulk import
+    REFERRAL = "referral"       # Referred by another user
+    OTHER = "other"
+
+
+class Subscriber(CoreModel):
+    """
+    Email subscriber for newsletters and access control.
+
+    This model captures subscribers who sign up via the website, landing pages,
+    or in-app prompts. Uses deterministic UUID from email for natural upserts.
+
+    Access control via `approved` field:
+    - When email auth checks subscriber status, only approved subscribers
+      can complete login (if approval is enabled in settings).
+    - Subscribers can be pre-approved, or approved manually/automatically.
+
+    Usage:
+        from rem.services.postgres import Repository
+        from rem.models.entities import Subscriber, SubscriberStatus
+
+        repo = Repository(Subscriber, db=db)
+
+        # Create subscriber (ID auto-generated from email)
+        subscriber = Subscriber(
+            email="user@example.com",
+            name="John Doe",
+            origin=SubscriberOrigin.WEBSITE,
+        )
+        await repo.upsert(subscriber)
+
+        # Check if approved for login
+        subscriber = await repo.get_by_id(subscriber.id, tenant_id="default")
+        if subscriber and subscriber.approved:
+            # Allow login
+            pass
+    """
+
+    # Required field
+    email: EmailStr = Field(
+        description="Subscriber's email address (unique identifier)"
+    )
+
+    # Optional fields
+    name: Optional[str] = Field(
+        default=None,
+        description="Subscriber's name (optional)"
+    )
+
+    comment: Optional[str] = Field(
+        default=None,
+        max_length=500,
+        description="Optional comment or message from subscriber"
+    )
+
+    status: SubscriberStatus = Field(
+        default=SubscriberStatus.ACTIVE,
+        description="Current subscription status"
+    )
+
+    # Access control
+    approved: bool = Field(
+        default=False,
+        description="Whether subscriber is approved for login (for approval workflows)"
+    )
+
+    approved_at: Optional[datetime] = Field(
+        default=None,
+        description="When the subscriber was approved"
+    )
+
+    approved_by: Optional[str] = Field(
+        default=None,
+        description="Who approved the subscriber (user ID or 'system')"
+    )
+
+    # Origin tracking
+    origin: SubscriberOrigin = Field(
+        default=SubscriberOrigin.WEBSITE,
+        description="Where the subscription originated"
+    )
+
+    origin_detail: Optional[str] = Field(
+        default=None,
+        description="Additional origin context (e.g., campaign name, page URL)"
+    )
+
+    # Timestamps
+    subscribed_at: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc),
+        description="When the subscription was created"
+    )
+
+    unsubscribed_at: Optional[datetime] = Field(
+        default=None,
+        description="When the user unsubscribed (if applicable)"
+    )
+
+    # Compliance
+    ip_address: Optional[str] = Field(
+        default=None,
+        description="IP address at subscription time (for compliance)"
+    )
+
+    user_agent: Optional[str] = Field(
+        default=None,
+        description="Browser user agent at subscription time"
+    )
+
+    # Segmentation
+    tags: list[str] = Field(
+        default_factory=list,
+        description="Tags for segmentation (e.g., ['early-access', 'beta'])"
+    )
+
+    @staticmethod
+    def email_to_uuid(email: str) -> uuid.UUID:
+        """Generate a deterministic UUID from an email address.
+
+        Uses UUID v5 with DNS namespace for consistency with
+        EmailService.generate_user_id_from_email().
+
+        Args:
+            email: Email address
+
+        Returns:
+            Deterministic UUID
+        """
+        return uuid.uuid5(uuid.NAMESPACE_DNS, email.lower().strip())
+
+    @model_validator(mode="after")
+    def set_id_from_email(self) -> "Subscriber":
+        """Auto-generate deterministic ID from email for natural upsert."""
+        if self.email:
+            self.id = self.email_to_uuid(self.email)
+        return self

rem/models/entities/user.py

@@ -22,6 +22,7 @@ from ..core import CoreModel
 class UserTier(str, Enum):
     """User subscription tier for feature gating."""
 
+    BLOCKED = "blocked"  # User is blocked from logging in
     ANONYMOUS = "anonymous"
     FREE = "free"
     BASIC = "basic"

rem/schemas/agents/core/agent-builder.yaml

@@ -0,0 +1,134 @@
+type: object
+description: |
+  # Agent Builder - Create Custom AI Agents Through Conversation
+
+  You help users create custom AI agents by chatting with them naturally.
+  Gather requirements conversationally, show previews, and save the agent when ready.
+
+  ## Your Workflow
+
+  1. **Understand the need**: Ask what they want the agent to do
+  2. **Define personality**: Help them choose tone and style
+  3. **Structure outputs**: If needed, define what data the agent captures
+  4. **Preview**: Show them what the agent will look like
+  5. **Save**: Use `save_agent` tool to persist it
+
+  ## Conversation Style
+
+  Be friendly and helpful. Ask one or two questions at a time.
+  Don't overwhelm with options - guide them step by step.
+
+  ## Gathering Requirements
+
+  Ask about:
+  - What should this agent help with?
+  - What tone should it have? (casual, professional, empathetic, etc.)
+  - Should it capture any specific information? (optional)
+  - What should it be called?
+
+  ## Preview Format
+
+  Before saving, show a preview using markdown:
+
+  ```
+  ## Agent Preview: {name}
+
+  **Personality:**
+  {brief description of tone and approach}
+
+  **System Prompt:**
+  {the actual prompt that will guide the agent}
+
+  **Structured Fields:** (if any)
+  | Field | Type | Description |
+  |-------|------|-------------|
+  | answer | string | Response to user |
+  | ... | ... | ... |
+  ```
+
+  Ask: "Does this look good? I can save it now or we can adjust anything."
+
+  ## Saving the Agent
+
+  When the user approves, call `save_agent` with:
+  - `name`: kebab-case name (e.g., "customer-support-bot")
+  - `description`: The full system prompt
+  - `properties`: Structured output fields (optional, defaults to just "answer")
+  - `required`: Which fields are required (optional, defaults to ["answer"])
+  - `tags`: Relevant tags for organization
+
+  ## Default Tools
+
+  All agents automatically get `search_rem` and `register_metadata` tools.
+  You don't need to specify these.
+
+  ## Example Conversation
+
+  User: "I want an agent that helps write professional emails"
+
+  You: "Great idea! Let me help you create an email writing assistant.
+
+  What tone should it have? For example:
+  - Professional and formal
+  - Friendly but polished
+  - Direct and concise"
+
+  User: "Friendly but polished"
+
+  You: "Perfect! Should it just write emails, or also help with things like:
+  - Suggesting subject lines
+  - Adjusting tone for different recipients
+  - Summarizing long email threads"
+
+  User: "All of those would be helpful"
+
+  You: "Let me show you a preview:
+
+  ## Agent Preview: email-assistant
+
+  **Personality:** Friendly, professional, helpful writing partner
+
+  **System Prompt:**
+  You are a friendly email writing assistant. Help users craft polished,
+  professional emails while maintaining a warm tone. You can:
+  - Write new emails from scratch
+  - Suggest compelling subject lines
+  - Adjust tone for different audiences
+  - Summarize long email threads
+
+  Always ask clarifying questions if the request is unclear.
+
+  **Structured Fields:**
+  | Field | Type | Description |
+  |-------|------|-------------|
+  | answer | string | Your response or the drafted email |
+
+  Does this look good? I can save it now or adjust anything."
+
+  User: "Looks great, save it!"
+
+  You: *calls save_agent tool*
+  "Done! Your email-assistant is ready. Use `/custom-agent email-assistant` to start chatting with it."
+
+properties:
+  answer:
+    type: string
+    description: Your conversational response to the user
+
+required:
+  - answer
+
+json_schema_extra:
+  kind: agent
+  name: agent-builder
+  version: "1.0.0"
+  tags:
+    - meta
+    - builder
+  tools:
+    - name: save_agent
+      description: "Save the agent schema to make it available for use"
+    - name: search_rem
+      description: "Search for existing agents as examples"
+    - name: register_metadata
+      description: "Record session metadata"

rem/services/__init__.py

@@ -4,13 +4,15 @@ REM Services
 Service layer for REM system operations:
 - PostgresService: PostgreSQL/CloudNativePG database operations
 - RemService: REM query execution and graph operations
+- EmailService: Transactional emails and passwordless login
 
 For file/S3 operations, use rem.services.fs instead:
     from rem.services.fs import FS, S3Provider
 """
 
+from .email import EmailService
 from .fs.service import FileSystemService
 from .postgres import PostgresService
 from .rem import RemService
 
-__all__ = ["PostgresService", "RemService", "FileSystemService"]
+__all__ = ["EmailService", "PostgresService", "RemService", "FileSystemService"]

rem/services/content/service.py

@@ -666,10 +666,11 @@ class ContentService:
         # IMPORTANT: category field distinguishes agents from evaluators
         # - kind=agent → category="agent" (AI agents with tools/resources)
         # - kind=evaluator → category="evaluator" (LLM-as-a-Judge evaluators)
-        # Schemas (agents/evaluators) default to system tenant for shared access
+        # User-scoped schemas: if user_id provided, scope to user's tenant
+        # System schemas: if no user_id, use "system" tenant for shared access
         schema_entity = Schema(
-            tenant_id="system",
-            user_id=None,
+            tenant_id=user_id or "system",
+            user_id=user_id,
             name=name,
             spec=schema_data,
             category=kind,  # Maps kind → category for database filtering

rem/services/email/__init__.py

@@ -0,0 +1,10 @@
+"""
+Email Service Module.
+
+Provides EmailService for sending transactional emails and passwordless login.
+"""
+
+from .service import EmailService
+from .templates import EmailTemplate, login_code_template
+
+__all__ = ["EmailService", "EmailTemplate", "login_code_template"]