scriptgini 1.2.1__tar.gz → 1.3.1__tar.gz

{scriptgini-1.2.1 → scriptgini-1.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.2.1
+Version: 1.3.1
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -16,6 +16,8 @@ Description-Content-Type: text/markdown
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
+Current release: v1.3.1 (Sprint 4 hardening increment)
+
 ---
 
 ## What is ScriptGini?
@@ -33,6 +35,7 @@ ScriptGini is an AI-powered test automation engine built for Quality Engineering
 - **Project & AUT management** — Store multiple projects, each with its own base URL and defaults
 - **Full test case history** — Every generated script is stored in SQLite with status and token usage
 - **Execution history persistence** — Every run is stored in `script_runs` with stdout/stderr, exit code, and duration
+- **Durable execution APIs** — Async execution jobs with run/status/abort endpoints and idempotency-key support
 - **Hardened execution sandbox** — Script runs use isolated Python mode, static safety validation, and restricted environment variables
 - **Bulk job orchestration** — Project-level bulk generate and bulk run with pollable job status
 - **Run analytics dashboard** — Project-level pass/fail/timeout metrics and recent failure feed
@@ -438,8 +441,8 @@ The project follows an **enterprise-grade development roadmap** with 6 sprints c
 |--------|-------|--------|--------|
 | **Sprint 1** | IAM Core | 30-36pts | 🟡 Core delivered (auth hardening pending) |
 | **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🟡 Core delivered (RBAC hardening pending) |
-| **Sprint 3** | Durable Execution | 34-40pts | 🔲 Pending (Redis + Celery/Arq setup) |
-| **Sprint 4** | Security & Hardening | 30-36pts | 🔲 Pending (Container sandbox, audit logging) |
+| **Sprint 3** | Durable Execution | 34-40pts | ✅ Completed (Redis + Celery queue foundation) |
+| **Sprint 4** | Security & Hardening | 30-36pts | 🟡 In progress (isolation boundary + breakout tests pending) |
 | **Sprint 5** | Reporting & Analytics | 28-34pts | 🔲 Pending (Artifact storage, dashboards) |
 | **Sprint 6** | Advanced Features | 24-30pts | 🔲 Pending (Webhooks, defect sync, versioning) |
 

{scriptgini-1.2.1 → scriptgini-1.3.1}/README.md

@@ -2,6 +2,8 @@
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
+Current release: v1.3.1 (Sprint 4 hardening increment)
+
 ---
 
 ## What is ScriptGini?
@@ -19,6 +21,7 @@ ScriptGini is an AI-powered test automation engine built for Quality Engineering
 - **Project & AUT management** — Store multiple projects, each with its own base URL and defaults
 - **Full test case history** — Every generated script is stored in SQLite with status and token usage
 - **Execution history persistence** — Every run is stored in `script_runs` with stdout/stderr, exit code, and duration
+- **Durable execution APIs** — Async execution jobs with run/status/abort endpoints and idempotency-key support
 - **Hardened execution sandbox** — Script runs use isolated Python mode, static safety validation, and restricted environment variables
 - **Bulk job orchestration** — Project-level bulk generate and bulk run with pollable job status
 - **Run analytics dashboard** — Project-level pass/fail/timeout metrics and recent failure feed
@@ -424,8 +427,8 @@ The project follows an **enterprise-grade development roadmap** with 6 sprints c
 |--------|-------|--------|--------|
 | **Sprint 1** | IAM Core | 30-36pts | 🟡 Core delivered (auth hardening pending) |
 | **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🟡 Core delivered (RBAC hardening pending) |
-| **Sprint 3** | Durable Execution | 34-40pts | 🔲 Pending (Redis + Celery/Arq setup) |
-| **Sprint 4** | Security & Hardening | 30-36pts | 🔲 Pending (Container sandbox, audit logging) |
+| **Sprint 3** | Durable Execution | 34-40pts | ✅ Completed (Redis + Celery queue foundation) |
+| **Sprint 4** | Security & Hardening | 30-36pts | 🟡 In progress (isolation boundary + breakout tests pending) |
 | **Sprint 5** | Reporting & Analytics | 28-34pts | 🔲 Pending (Artifact storage, dashboards) |
 | **Sprint 6** | Advanced Features | 24-30pts | 🔲 Pending (Webhooks, defect sync, versioning) |
 

scriptgini-1.3.1/app/__init__.py

@@ -0,0 +1,3 @@
+__version__ = "1.3.1"
+__api_version__ = "v1.3.1"
+

{scriptgini-1.2.1 → scriptgini-1.3.1}/app/celery_app.py

@@ -16,8 +16,8 @@ celery_app.conf.update(
     timezone="UTC",
     enable_utc=True,
     task_track_started=True,
-    task_time_limit=30 * 60,  # 30 minute hard time limit
-    task_soft_time_limit=25 * 60,  # 25 minute soft time limit
+    task_time_limit=settings.CELERY_TASK_HARD_TIMEOUT,
+    task_soft_time_limit=settings.CELERY_TASK_TIMEOUT,
     worker_prefetch_multiplier=4,
     worker_max_tasks_per_child=1000,
 )

{scriptgini-1.2.1 → scriptgini-1.3.1}/app/config.py

@@ -8,6 +8,11 @@ class Settings(BaseSettings):
     # App
     APP_NAME: str = "ScriptGini"
     DEBUG: bool = False
+    CORS_ALLOWED_ORIGINS: str = "http://localhost:3000,http://127.0.0.1:3000"
+    RATE_LIMIT_REQUESTS: int = 120
+    RATE_LIMIT_WINDOW_SECONDS: int = 60
+    RATE_LIMIT_EXEMPT_PATHS: str = "/health,/docs,/redoc,/openapi.json,/static"
+    SECURITY_AUDIT_LOG_ENABLED: bool = True
 
     # Database (PostgreSQL)
     # Format: postgresql://user:password@host:port/dbname
@@ -22,6 +27,7 @@ class Settings(BaseSettings):
     CELERY_BROKER_URL: str = "redis://localhost:6379/1"  # Different DB for task queue
     CELERY_RESULT_BACKEND: str = "redis://localhost:6379/2"  # Different DB for results
     CELERY_TASK_TIMEOUT: int = 600  # 10 minutes default task timeout
+    CELERY_TASK_HARD_TIMEOUT: int = 660
     CELERY_MAX_RETRIES: int = 3
     JWT_SECRET_KEY: str = "your-secret-key-change-in-production"
     JWT_ALGORITHM: str = "HS256"
@@ -34,6 +40,8 @@ class Settings(BaseSettings):
     SCRIPT_GENERATION_TIMEOUT_SECONDS: int = 180
     PLAYWRIGHT_RUN_HEADED: bool = True
     SCRIPT_EXECUTION_TIMEOUT_SECONDS: int = 300
+    EXECUTION_ENV_ALLOWED_KEYS: str = "PATH,SYSTEMROOT,TEMP,TMP,HOME,USERPROFILE,PYTHONPATH,PYTHONHOME,PYTHONIOENCODING"
+    EXECUTION_ENV_ALLOWED_PREFIXES: str = "PLAYWRIGHT_"
     SKIP_REVIEW_FOR_OLLAMA: bool = True
     USE_LLM_INTENT_ANALYSIS: bool = True
 
@@ -71,5 +79,25 @@ class Settings(BaseSettings):
     AWS_REGION_NAME: str = "us-east-1"
     BEDROCK_MODEL_ID: str = "anthropic.claude-3-5-sonnet-20241022-v2:0"
 
+    @staticmethod
+    def _split_csv(value: str) -> list[str]:
+        return [entry.strip() for entry in value.split(",") if entry.strip()]
+
+    @property
+    def cors_allowed_origins_list(self) -> list[str]:
+        return self._split_csv(self.CORS_ALLOWED_ORIGINS)
+
+    @property
+    def rate_limit_exempt_paths_list(self) -> list[str]:
+        return self._split_csv(self.RATE_LIMIT_EXEMPT_PATHS)
+
+    @property
+    def execution_env_allowed_keys_set(self) -> set[str]:
+        return set(self._split_csv(self.EXECUTION_ENV_ALLOWED_KEYS))
+
+    @property
+    def execution_env_allowed_prefixes_tuple(self) -> tuple[str, ...]:
+        return tuple(self._split_csv(self.EXECUTION_ENV_ALLOWED_PREFIXES))
+
 
 settings = Settings()

scriptgini-1.3.1/app/main.py

@@ -0,0 +1,178 @@
+import logging
+import threading
+import time
+from contextlib import asynccontextmanager
+from pathlib import Path
+from uuid import uuid4
+
+from fastapi import FastAPI, Request
+from fastapi.responses import JSONResponse
+from fastapi.responses import FileResponse
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.staticfiles import StaticFiles
+
+from app import __version__
+from app.config import settings
+from app.llm.provider import get_llm_diagnostics
+from app.routers import projects, test_cases, scripts, bulk_jobs, analytics, demo, auth, api_key, organizations, execution
+
+logging.basicConfig(level=logging.DEBUG if settings.DEBUG else logging.INFO)
+logger = logging.getLogger(__name__)
+
+static_dir = Path(__file__).resolve().parent / "static"
+_RATE_LIMIT_BUCKETS: dict[str, tuple[int, float]] = {}
+_RATE_LIMIT_LOCK = threading.Lock()
+
+
+def _client_ip(request: Request) -> str:
+    forwarded_for = request.headers.get("x-forwarded-for", "")
+    if forwarded_for:
+        return forwarded_for.split(",")[0].strip()
+    return request.client.host if request.client else "unknown"
+
+
+def _is_exempt_path(path: str) -> bool:
+    for exempt in settings.rate_limit_exempt_paths_list:
+        if path == exempt or path.startswith(exempt):
+            return True
+    return False
+
+
+def _check_rate_limit(key: str, now: float) -> tuple[bool, int, int]:
+    window_seconds = max(1, settings.RATE_LIMIT_WINDOW_SECONDS)
+    max_requests = max(1, settings.RATE_LIMIT_REQUESTS)
+    window_start = now - window_seconds
+    with _RATE_LIMIT_LOCK:
+        current_count, reset_at = _RATE_LIMIT_BUCKETS.get(key, (0, now + window_seconds))
+        if reset_at <= now:
+            current_count = 0
+            reset_at = now + window_seconds
+        current_count += 1
+        _RATE_LIMIT_BUCKETS[key] = (current_count, reset_at)
+
+    remaining = max(0, max_requests - current_count)
+    retry_after = max(0, int(reset_at - now))
+    return current_count <= max_requests, remaining, retry_after
+
+
+def _security_audit(event: str, request: Request, status_code: int, request_id: str) -> None:
+    if not settings.SECURITY_AUDIT_LOG_ENABLED:
+        return
+    logger.info(
+        "security_audit event=%s request_id=%s method=%s path=%s status=%s ip=%s user_agent=%s",
+        event,
+        request_id,
+        request.method,
+        request.url.path,
+        status_code,
+        _client_ip(request),
+        request.headers.get("user-agent", "unknown"),
+    )
+
+
+@asynccontextmanager
+async def lifespan(_: FastAPI):
+    diagnostics = get_llm_diagnostics()
+    logger.info(
+        "Runtime LLM default: provider=%s model=%s api_key_env=%s api_key_present=%s api_key=%s",
+        diagnostics["provider"],
+        diagnostics["model"],
+        diagnostics["api_key_env"],
+        diagnostics["api_key_present"],
+        diagnostics["api_key_masked"],
+    )
+    yield
+
+app = FastAPI(
+    title=settings.APP_NAME,
+    description=(
+        "Enterprise-grade Agentic AI system that converts functional test cases "
+        "into high-quality automation scripts."
+    ),
+    version=__version__,
+    lifespan=lifespan,
+)
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=settings.cors_allowed_origins_list,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.middleware("http")
+async def apply_security_controls(request: Request, call_next):
+    request_id = request.headers.get("X-Request-ID") or str(uuid4())
+    request.state.request_id = request_id
+    path = request.url.path
+    now = time.time()
+
+    if not _is_exempt_path(path):
+        key = f"{_client_ip(request)}:{path}"
+        allowed, remaining, retry_after = _check_rate_limit(key, now)
+        if not allowed:
+            _security_audit("rate_limit_block", request, 429, request_id)
+            return JSONResponse(
+                status_code=429,
+                content={"detail": "Rate limit exceeded", "request_id": request_id},
+                headers={
+                    "X-Request-ID": request_id,
+                    "X-RateLimit-Limit": str(max(1, settings.RATE_LIMIT_REQUESTS)),
+                    "X-RateLimit-Remaining": "0",
+                    "Retry-After": str(retry_after),
+                },
+            )
+
+    response = await call_next(request)
+    response.headers["X-Request-ID"] = request_id
+
+    if not _is_exempt_path(path):
+        response.headers["X-RateLimit-Limit"] = str(max(1, settings.RATE_LIMIT_REQUESTS))
+        response.headers["X-RateLimit-Remaining"] = str(response.headers.get("X-RateLimit-Remaining", ""))
+        if not response.headers["X-RateLimit-Remaining"]:
+            key = f"{_client_ip(request)}:{path}"
+            with _RATE_LIMIT_LOCK:
+                count, _ = _RATE_LIMIT_BUCKETS.get(key, (0, now))
+            response.headers["X-RateLimit-Remaining"] = str(max(0, max(1, settings.RATE_LIMIT_REQUESTS) - count))
+
+    if path.startswith("/api/v1/auth") or path.startswith("/api/v1/execution"):
+        if response.status_code >= 400 or request.method in {"POST", "PUT", "PATCH", "DELETE"}:
+            _security_audit("security_sensitive_request", request, response.status_code, request_id)
+
+    return response
+
+app.include_router(projects.router, prefix="/api/v1")
+app.include_router(test_cases.router, prefix="/api/v1")
+app.include_router(scripts.router, prefix="/api/v1")
+app.include_router(bulk_jobs.router, prefix="/api/v1")
+app.include_router(analytics.router, prefix="/api/v1")
+app.include_router(demo.router, prefix="/api/v1")
+app.include_router(auth.router, prefix="/api/v1")
+app.include_router(api_key.router, prefix="/api/v1")
+app.include_router(organizations.router, prefix="/api/v1")
+app.include_router(execution.router, prefix="/api/v1")
+app.mount("/static", StaticFiles(directory=static_dir), name="static")
+
+
+@app.get("/api/v1/runtime/llm", tags=["Runtime"])
+def runtime_llm():
+    default_diagnostics = get_llm_diagnostics()
+    return {
+        "default_provider": default_diagnostics["provider"],
+        "default_model": default_diagnostics["model"],
+        "provider_diagnostics": {
+            provider: get_llm_diagnostics(provider) for provider in ["openai", "openrouter", "gemini", "ollama", "bedrock"]
+        },
+    }
+
+
+@app.get("/", include_in_schema=False)
+def index():
+    return FileResponse(static_dir / "index.html")
+
+
+@app.get("/health", tags=["Health"])
+def health():
+    return {"status": "ok", "app": settings.APP_NAME}

scriptgini-1.3.1/app/models/execution_job.py

@@ -0,0 +1,68 @@
+import enum
+from datetime import datetime, timezone
+
+from sqlalchemy import DateTime, Enum as SAEnum, ForeignKey, Integer, JSON, String, Text
+from sqlalchemy.orm import Mapped, mapped_column
+
+from app.database import Base
+
+
+class ExecutionJobStatus(str, enum.Enum):
+    pending = "pending"
+    running = "running"
+    completed = "completed"
+    failed = "failed"
+    cancelled = "cancelled"
+
+
+_ALLOWED_TRANSITIONS: dict[ExecutionJobStatus, set[ExecutionJobStatus]] = {
+    ExecutionJobStatus.pending: {
+        ExecutionJobStatus.running,
+        ExecutionJobStatus.completed,
+        ExecutionJobStatus.failed,
+        ExecutionJobStatus.cancelled,
+    },
+    ExecutionJobStatus.running: {
+        ExecutionJobStatus.completed,
+        ExecutionJobStatus.failed,
+        ExecutionJobStatus.cancelled,
+    },
+    ExecutionJobStatus.completed: set(),
+    ExecutionJobStatus.failed: set(),
+    ExecutionJobStatus.cancelled: set(),
+}
+
+
+class ExecutionJob(Base):
+    __tablename__ = "execution_jobs"
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    project_id: Mapped[int] = mapped_column(ForeignKey("projects.id", ondelete="CASCADE"), nullable=False, index=True)
+    script_id: Mapped[int] = mapped_column(ForeignKey("generated_scripts.id", ondelete="CASCADE"), nullable=False, index=True)
+    test_case_id: Mapped[int] = mapped_column(ForeignKey("test_cases.id", ondelete="CASCADE"), nullable=False, index=True)
+    created_by_user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    status: Mapped[ExecutionJobStatus] = mapped_column(
+        SAEnum(ExecutionJobStatus), nullable=False, default=ExecutionJobStatus.pending
+    )
+    idempotency_key: Mapped[str | None] = mapped_column(String(255), nullable=True, unique=True, index=True)
+    celery_task_id: Mapped[str | None] = mapped_column(String(255), nullable=True, index=True)
+    request_payload: Mapped[dict] = mapped_column(JSON, nullable=False, default=dict)
+    result_payload: Mapped[dict | None] = mapped_column(JSON, nullable=True)
+    error_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+    started_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    completed_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    cancelled_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+
+
+def can_transition(current: ExecutionJobStatus, new_status: ExecutionJobStatus) -> bool:
+    if current == new_status:
+        return True
+    return new_status in _ALLOWED_TRANSITIONS[current]

{scriptgini-1.2.1 → scriptgini-1.3.1}/app/routers/bulk_jobs.py

@@ -2,7 +2,7 @@ import logging
 import subprocess
 import sys
 
-from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
 
 from app.database import get_db
@@ -13,6 +13,7 @@ from app.models.project import Project
 from app.models.script_run import ScriptRunStatus
 from app.models.test_case import TestCase
 from app.schemas.bulk_job import BulkGenerateRequest, BulkJobResponse, BulkRunRequest
+from app.tasks import process_bulk_execution_job, process_bulk_generation_job
 from app.routers.scripts import (
     _create_script_run,
     _get_project_or_404,
@@ -218,7 +219,6 @@ def _run_bulk_execution(job_id: int, request: BulkRunRequest):
 def bulk_generate_scripts(
     project_id: int,
     payload: BulkGenerateRequest,
-    background_tasks: BackgroundTasks,
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
@@ -238,7 +238,14 @@ def bulk_generate_scripts(
     _refresh_job_counts(job, db)
     db.commit()
 
-    background_tasks.add_task(_run_bulk_generation, job.id, payload)
+    try:
+        process_bulk_generation_job.delay(job.id, payload.model_dump())
+    except Exception as exc:
+        logger.exception("Failed to enqueue bulk generation job_id=%s", job.id)
+        job.status = BulkJobStatus.failed
+        db.commit()
+        raise HTTPException(status_code=503, detail="Failed to enqueue bulk generation") from exc
+
     return _serialize_bulk_job(job, db)
 
 
@@ -246,7 +253,6 @@ def bulk_generate_scripts(
 def bulk_run_scripts(
     project_id: int,
     payload: BulkRunRequest,
-    background_tasks: BackgroundTasks,
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
@@ -266,7 +272,14 @@ def bulk_run_scripts(
     _refresh_job_counts(job, db)
     db.commit()
 
-    background_tasks.add_task(_run_bulk_execution, job.id, payload)
+    try:
+        process_bulk_execution_job.delay(job.id, payload.model_dump())
+    except Exception as exc:
+        logger.exception("Failed to enqueue bulk run job_id=%s", job.id)
+        job.status = BulkJobStatus.failed
+        db.commit()
+        raise HTTPException(status_code=503, detail="Failed to enqueue bulk run") from exc
+
     return _serialize_bulk_job(job, db)
 
 

scriptgini-1.3.1/app/routers/execution.py

@@ -0,0 +1,165 @@
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Depends, Header, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.celery_app import celery_app
+from app.database import get_db
+from app.models.execution_job import ExecutionJob, ExecutionJobStatus, can_transition
+from app.models.generated_script import GeneratedScript, ScriptStatus
+from app.schemas.execution import ExecutionJobResponse, ExecutionRunRequest
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_auth_with_scopes
+from app.tasks import execute_script
+
+router = APIRouter(prefix="/execution", tags=["Execution"])
+
+
+def _get_job_or_404(job_id: int, db: Session) -> ExecutionJob:
+    job = db.query(ExecutionJob).filter(ExecutionJob.id == job_id).first()
+    if not job:
+        raise HTTPException(status_code=404, detail="Execution job not found")
+    return job
+
+
+def _ensure_project_access(db: Session, project_id: int, user_id: int, require_manager: bool = False) -> None:
+    rbac_service.ensure_project_exists(db, project_id)
+    existing_members = rbac_service.list_project_members(db, project_id)
+    if not existing_members:
+        return
+
+    membership = rbac_service.get_user_project_membership(db, project_id, user_id)
+    if membership is None or membership.role not in rbac_service.READ_ROLES:
+        raise HTTPException(status_code=403, detail="Insufficient project role")
+
+    if require_manager and membership.role not in rbac_service.MANAGER_ROLES:
+        raise HTTPException(status_code=403, detail="Insufficient project role")
+
+
+def _apply_status_from_celery(job: ExecutionJob, db: Session) -> None:
+    if not job.celery_task_id or job.status not in {ExecutionJobStatus.pending, ExecutionJobStatus.running}:
+        return
+
+    task_result = celery_app.AsyncResult(job.celery_task_id)
+    state = task_result.state
+
+    if state == "PENDING":
+        return
+
+    if state == "STARTED" and can_transition(job.status, ExecutionJobStatus.running):
+        job.status = ExecutionJobStatus.running
+        if job.started_at is None:
+            job.started_at = datetime.now(timezone.utc)
+        db.commit()
+        db.refresh(job)
+        return
+
+    if state == "SUCCESS" and can_transition(job.status, ExecutionJobStatus.completed):
+        job.status = ExecutionJobStatus.completed
+        job.completed_at = datetime.now(timezone.utc)
+        if job.started_at is None:
+            job.started_at = job.completed_at
+        result = task_result.result
+        job.result_payload = result if isinstance(result, dict) else {"result": str(result)}
+        db.commit()
+        db.refresh(job)
+        return
+
+    if state == "REVOKED" and can_transition(job.status, ExecutionJobStatus.cancelled):
+        job.status = ExecutionJobStatus.cancelled
+        job.cancelled_at = datetime.now(timezone.utc)
+        db.commit()
+        db.refresh(job)
+        return
+
+    if state == "FAILURE" and can_transition(job.status, ExecutionJobStatus.failed):
+        job.status = ExecutionJobStatus.failed
+        job.completed_at = datetime.now(timezone.utc)
+        job.error_message = str(task_result.result)
+        db.commit()
+        db.refresh(job)
+
+
+def _enqueue_execution_task(script_id: int, execution_env: dict[str, str], job_id: int) -> str:
+    async_result = execute_script.delay(script_id, execution_env, job_id)
+    return async_result.id
+
+
+@router.post("/run", response_model=ExecutionJobResponse, status_code=status.HTTP_202_ACCEPTED)
+def run_execution_job(
+    payload: ExecutionRunRequest,
+    idempotency_key: str | None = Header(default=None, alias="Idempotency-Key"),
+    current_user=Depends(require_auth_with_scopes({"execution:write"})),
+    db: Session = Depends(get_db),
+):
+    script = db.query(GeneratedScript).filter(GeneratedScript.id == payload.script_id).first()
+    if not script:
+        raise HTTPException(status_code=404, detail="Script not found")
+    if script.status != ScriptStatus.completed or not script.script_content:
+        raise HTTPException(status_code=400, detail="Script is not ready to run")
+
+    _ensure_project_access(db, script.project_id, current_user.id)
+
+    if idempotency_key:
+        existing_job = (
+            db.query(ExecutionJob)
+            .filter(ExecutionJob.idempotency_key == idempotency_key, ExecutionJob.created_by_user_id == current_user.id)
+            .first()
+        )
+        if existing_job:
+            _ensure_project_access(db, existing_job.project_id, current_user.id)
+            return existing_job
+
+    job = ExecutionJob(
+        project_id=script.project_id,
+        script_id=script.id,
+        test_case_id=script.test_case_id,
+        created_by_user_id=current_user.id,
+        status=ExecutionJobStatus.pending,
+        idempotency_key=idempotency_key,
+        request_payload=payload.model_dump(),
+    )
+    db.add(job)
+    db.commit()
+    db.refresh(job)
+
+    job.celery_task_id = _enqueue_execution_task(script.id, payload.execution_env, job.id)
+    db.commit()
+    db.refresh(job)
+    return job
+
+
+@router.get("/status/{job_id}", response_model=ExecutionJobResponse)
+def get_execution_job_status(
+    job_id: int,
+    current_user=Depends(require_auth_with_scopes({"execution:read"})),
+    db: Session = Depends(get_db),
+):
+    job = _get_job_or_404(job_id, db)
+    _ensure_project_access(db, job.project_id, current_user.id)
+    _apply_status_from_celery(job, db)
+    return job
+
+
+@router.post("/abort/{job_id}", response_model=ExecutionJobResponse)
+def abort_execution_job(
+    job_id: int,
+    current_user=Depends(require_auth_with_scopes({"execution:write"})),
+    db: Session = Depends(get_db),
+):
+    job = _get_job_or_404(job_id, db)
+    _ensure_project_access(db, job.project_id, current_user.id, require_manager=True)
+
+    if job.status in {ExecutionJobStatus.completed, ExecutionJobStatus.failed, ExecutionJobStatus.cancelled}:
+        return job
+
+    if job.celery_task_id:
+        celery_app.control.revoke(job.celery_task_id, terminate=True)
+
+    if can_transition(job.status, ExecutionJobStatus.cancelled):
+        job.status = ExecutionJobStatus.cancelled
+        job.cancelled_at = datetime.now(timezone.utc)
+        db.commit()
+        db.refresh(job)
+
+    return job

{scriptgini-1.2.1 → scriptgini-1.3.1}/app/routers/scripts.py

@@ -11,7 +11,7 @@ import time
 from pathlib import Path
 from urllib.parse import urlparse
 
-from fastapi import APIRouter, Depends, HTTPException, status, BackgroundTasks
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
 
 from app.database import get_db
@@ -24,6 +24,7 @@ from app.schemas.generated_script import GenerateScriptRequest, GeneratedScriptR
 from app.agents.script_gini_agent import run_agent
 from app.llm.provider import LLMProvider, get_llm_diagnostics
 from app.services.git_export import export_generated_script
+from app.tasks import process_script_generation_job
 
 logger = logging.getLogger(__name__)
 
@@ -207,13 +208,14 @@ def _uses_pytest_playwright(script_content: str) -> bool:
 
 
 def _build_restricted_env() -> dict:
-    allowed_exact = {"PATH", "SYSTEMROOT", "TEMP", "TMP", "HOME", "USERPROFILE"}
-    allowed_prefixes = ("PLAYWRIGHT_", "PYTHON")
+    allowed_exact = settings.execution_env_allowed_keys_set
+    allowed_prefixes = settings.execution_env_allowed_prefixes_tuple
     env = {}
     for key, value in os.environ.items():
         if key in allowed_exact or key.startswith(allowed_prefixes):
             env[key] = value
     env["PLAYWRIGHT_HEADLESS"] = "0" if settings.PLAYWRIGHT_RUN_HEADED else "1"
+    env["PYTHONNOUSERSITE"] = "1"
     return env
 
 
@@ -393,7 +395,6 @@ def generate_script(
     project_id: int,
     tc_id: int,
     payload: GenerateScriptRequest,
-    background_tasks: BackgroundTasks,
     db: Session = Depends(get_db),
 ):
     """Kick off async script generation. Poll GET /scripts/{id} for the result."""
@@ -413,13 +414,20 @@ def generate_script(
     db.commit()
     db.refresh(script_record)
 
-    background_tasks.add_task(
-        _run_generation,
-        script_record.id,
-        project_id,
-        tc_id,
-        payload.model_dump(),
-    )
+    try:
+        process_script_generation_job.delay(
+            script_record.id,
+            project_id,
+            tc_id,
+            payload.model_dump(),
+        )
+    except Exception as exc:
+        logger.exception("Failed to enqueue generation task for script_id=%s", script_record.id)
+        script_record.status = ScriptStatus.failed
+        script_record.error_message = f"Queue enqueue failed: {exc}"
+        db.commit()
+        raise HTTPException(status_code=503, detail="Failed to enqueue script generation") from exc
+
     return script_record