PyPI - spanforge - Versions diffs - 1.0.0__py3-none-any.whl - Mend

spanforge 1.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

spanforge/__init__.py +815 -0
spanforge/_ansi.py +93 -0
spanforge/_batch_exporter.py +409 -0
spanforge/_cli.py +2094 -0
spanforge/_cli_audit.py +639 -0
spanforge/_cli_compliance.py +711 -0
spanforge/_cli_cost.py +243 -0
spanforge/_cli_ops.py +791 -0
spanforge/_cli_phase11.py +356 -0
spanforge/_hooks.py +337 -0
spanforge/_server.py +1708 -0
spanforge/_span.py +1036 -0
spanforge/_store.py +288 -0
spanforge/_stream.py +664 -0
spanforge/_trace.py +335 -0
spanforge/_tracer.py +254 -0
spanforge/actor.py +141 -0
spanforge/alerts.py +469 -0
spanforge/auto.py +464 -0
spanforge/baseline.py +335 -0
spanforge/cache.py +635 -0
spanforge/compliance.py +325 -0
spanforge/config.py +532 -0
spanforge/consent.py +228 -0
spanforge/consumer.py +377 -0
spanforge/core/__init__.py +5 -0
spanforge/core/compliance_mapping.py +1254 -0
spanforge/cost.py +600 -0
spanforge/debug.py +548 -0
spanforge/deprecations.py +205 -0
spanforge/drift.py +482 -0
spanforge/egress.py +58 -0
spanforge/eval.py +648 -0
spanforge/event.py +1064 -0
spanforge/exceptions.py +240 -0
spanforge/explain.py +178 -0
spanforge/export/__init__.py +69 -0
spanforge/export/append_only.py +337 -0
spanforge/export/cloud.py +357 -0
spanforge/export/datadog.py +497 -0
spanforge/export/grafana.py +320 -0
spanforge/export/jsonl.py +195 -0
spanforge/export/openinference.py +158 -0
spanforge/export/otel_bridge.py +294 -0
spanforge/export/otlp.py +811 -0
spanforge/export/otlp_bridge.py +233 -0
spanforge/export/redis_backend.py +282 -0
spanforge/export/siem_schema.py +98 -0
spanforge/export/siem_splunk.py +264 -0
spanforge/export/siem_syslog.py +212 -0
spanforge/export/webhook.py +299 -0
spanforge/exporters/__init__.py +30 -0
spanforge/exporters/console.py +271 -0
spanforge/exporters/jsonl.py +144 -0
spanforge/exporters/sqlite.py +142 -0
spanforge/gate.py +1150 -0
spanforge/governance.py +181 -0
spanforge/hitl.py +295 -0
spanforge/http.py +187 -0
spanforge/inspect.py +427 -0
spanforge/integrations/__init__.py +45 -0
spanforge/integrations/_pricing.py +280 -0
spanforge/integrations/anthropic.py +388 -0
spanforge/integrations/azure_openai.py +133 -0
spanforge/integrations/bedrock.py +292 -0
spanforge/integrations/crewai.py +251 -0
spanforge/integrations/gemini.py +351 -0
spanforge/integrations/groq.py +442 -0
spanforge/integrations/langchain.py +349 -0
spanforge/integrations/langgraph.py +306 -0
spanforge/integrations/llamaindex.py +373 -0
spanforge/integrations/ollama.py +287 -0
spanforge/integrations/openai.py +368 -0
spanforge/integrations/together.py +483 -0
spanforge/io.py +214 -0
spanforge/lint.py +322 -0
spanforge/metrics.py +417 -0
spanforge/metrics_export.py +343 -0
spanforge/migrate.py +402 -0
spanforge/model_registry.py +278 -0
spanforge/models.py +389 -0
spanforge/namespaces/__init__.py +254 -0
spanforge/namespaces/audit.py +256 -0
spanforge/namespaces/cache.py +237 -0
spanforge/namespaces/chain.py +77 -0
spanforge/namespaces/confidence.py +72 -0
spanforge/namespaces/consent.py +92 -0
spanforge/namespaces/cost.py +179 -0
spanforge/namespaces/decision.py +143 -0
spanforge/namespaces/diff.py +157 -0
spanforge/namespaces/drift.py +80 -0
spanforge/namespaces/eval_.py +251 -0
spanforge/namespaces/feedback.py +241 -0
spanforge/namespaces/fence.py +193 -0
spanforge/namespaces/guard.py +105 -0
spanforge/namespaces/hitl.py +91 -0
spanforge/namespaces/latency.py +72 -0
spanforge/namespaces/prompt.py +190 -0
spanforge/namespaces/redact.py +173 -0
spanforge/namespaces/retrieval.py +379 -0
spanforge/namespaces/runtime_governance.py +494 -0
spanforge/namespaces/template.py +208 -0
spanforge/namespaces/tool_call.py +77 -0
spanforge/namespaces/trace.py +1029 -0
spanforge/normalizer.py +171 -0
spanforge/plugins.py +82 -0
spanforge/presidio_backend.py +349 -0
spanforge/processor.py +258 -0
spanforge/prompt_registry.py +418 -0
spanforge/py.typed +0 -0
spanforge/redact.py +914 -0
spanforge/regression.py +192 -0
spanforge/runtime_policy.py +159 -0
spanforge/sampling.py +511 -0
spanforge/schema.py +183 -0
spanforge/schemas/v1.0/schema.json +170 -0
spanforge/schemas/v2.0/schema.json +536 -0
spanforge/sdk/__init__.py +625 -0
spanforge/sdk/_base.py +584 -0
spanforge/sdk/_base.pyi +71 -0
spanforge/sdk/_exceptions.py +1096 -0
spanforge/sdk/_types.py +2184 -0
spanforge/sdk/alert.py +1514 -0
spanforge/sdk/alert.pyi +56 -0
spanforge/sdk/audit.py +1196 -0
spanforge/sdk/audit.pyi +67 -0
spanforge/sdk/cec.py +1215 -0
spanforge/sdk/cec.pyi +37 -0
spanforge/sdk/config.py +641 -0
spanforge/sdk/config.pyi +55 -0
spanforge/sdk/enterprise.py +714 -0
spanforge/sdk/enterprise.pyi +79 -0
spanforge/sdk/explain.py +170 -0
spanforge/sdk/fallback.py +432 -0
spanforge/sdk/feedback.py +351 -0
spanforge/sdk/gate.py +874 -0
spanforge/sdk/gate.pyi +51 -0
spanforge/sdk/identity.py +2114 -0
spanforge/sdk/identity.pyi +47 -0
spanforge/sdk/lineage.py +175 -0
spanforge/sdk/observe.py +1065 -0
spanforge/sdk/observe.pyi +50 -0
spanforge/sdk/operator.py +338 -0
spanforge/sdk/pii.py +1473 -0
spanforge/sdk/pii.pyi +119 -0
spanforge/sdk/pipelines.py +458 -0
spanforge/sdk/pipelines.pyi +39 -0
spanforge/sdk/policy.py +930 -0
spanforge/sdk/rag.py +594 -0
spanforge/sdk/rbac.py +280 -0
spanforge/sdk/registry.py +430 -0
spanforge/sdk/registry.pyi +46 -0
spanforge/sdk/scope.py +279 -0
spanforge/sdk/secrets.py +293 -0
spanforge/sdk/secrets.pyi +25 -0
spanforge/sdk/security.py +560 -0
spanforge/sdk/security.pyi +57 -0
spanforge/sdk/trust.py +472 -0
spanforge/sdk/trust.pyi +41 -0
spanforge/secrets.py +799 -0
spanforge/signing.py +1179 -0
spanforge/stats.py +100 -0
spanforge/stream.py +560 -0
spanforge/testing.py +378 -0
spanforge/testing_mocks.py +1052 -0
spanforge/trace.py +199 -0
spanforge/types.py +696 -0
spanforge/ulid.py +300 -0
spanforge/validate.py +379 -0
spanforge-1.0.0.dist-info/METADATA +1509 -0
spanforge-1.0.0.dist-info/RECORD +174 -0
spanforge-1.0.0.dist-info/WHEEL +4 -0
spanforge-1.0.0.dist-info/entry_points.txt +5 -0
spanforge-1.0.0.dist-info/licenses/LICENSE +128 -0

spanforge/actor.py ADDED Viewed

@@ -0,0 +1,141 @@
+"""spanforge.actor — Actor identity context for audit-trail events.
+Provides :class:`ActorContext`, a lightweight carrier for the user, org,
+and team identity that SOC 2 Type II and enterprise compliance audits
+require on every operation that mutates system state.
+Typical usage
+-------------
+Embed an ``ActorContext`` directly inside an event payload to satisfy audit
+trail requirements::
+    from spanforge.actor import ActorContext
+    from spanforge import Event
+    from spanforge.types import EventType
+    from spanforge.namespaces.prompt import PromptPromotedPayload
+    actor = ActorContext(
+        user_id="usr_abc",
+        org_id="org_123",
+        team_id="team_456",
+        email="priya@acme.com",
+        ip_address="203.0.113.5",
+    )
+    payload = PromptPromotedPayload(
+        prompt_id="pmt_xyz",
+        version="v7",
+        from_environment="staging",
+        to_environment="production",
+        promoted_by=actor.user_id,
+    )
+    event = Event(
+        event_type=EventType.PROMPT_PROMOTED,
+        source="promptlock@1.0.0",
+        payload={**payload.to_dict(), "actor": actor.to_dict()},
+    )
+OTel span attributes
+---------------------
+When emitting to an OTel-compatible back-end, the actor dict maps to
+custom resource/span attributes::
+    span.set_attribute("enduser.id",   actor.user_id)
+    span.set_attribute("org.id",       actor.org_id)
+    span.set_attribute("team.id",      actor.team_id)
+These supplement the ``gen_ai.*`` semantic conventions without conflicting
+with them.
+"""
+from __future__ import annotations
+from dataclasses import dataclass
+from typing import Any
+__all__ = ["ActorContext"]
+@dataclass(frozen=True)
+class ActorContext:
+    """Identity and audit context for an actor performing an operation.
+    Satisfies SOC 2 audit trail requirements: every state-mutating operation
+    must record *who* did it, *from where*, and with what organisational
+    scope.  All fields except ``user_id`` are optional to accommodate both
+    human users and CI/CD service accounts.
+    Parameters
+    ----------
+    user_id:
+        Opaque user identifier — stable across sessions and required for
+        audit compliance.
+    org_id:
+        Optional organisation identifier corresponding to the top-level
+        tenant in a multi-tenant system.
+    team_id:
+        Optional team identifier within the organisation.
+    email:
+        Optional email address of the actor.  May be omitted or replaced
+        with a placeholder in high-privacy contexts.
+    ip_address:
+        Optional IP address from which the action originated.
+    service_account:
+        ``True`` if this action was performed by an automated CI/CD service
+        account rather than a human user.  Defaults to ``False``.
+    """
+    user_id: str
+    org_id: str | None = None
+    team_id: str | None = None
+    email: str | None = None
+    ip_address: str | None = None
+    service_account: bool = False
+    # -----------------------------------------------------------------
+    # Validation
+    # -----------------------------------------------------------------
+    def __post_init__(self) -> None:
+        if not self.user_id or not isinstance(self.user_id, str):
+            raise ValueError("ActorContext.user_id must be a non-empty string")
+        for attr in ("org_id", "team_id", "email", "ip_address"):
+            value = getattr(self, attr)
+            if value is not None and not isinstance(value, str):
+                raise TypeError(f"ActorContext.{attr} must be a string or None")
+        if not isinstance(self.service_account, bool):
+            raise TypeError("ActorContext.service_account must be a bool")
+    # -----------------------------------------------------------------
+    # Serialisation
+    # -----------------------------------------------------------------
+    def to_dict(self) -> dict[str, Any]:
+        """Return a plain dict suitable for embedding in ``Event.payload``.
+        Only non-``None`` optional fields are included so that the
+        serialised form stays compact.
+        """
+        result: dict[str, Any] = {"user_id": self.user_id}
+        if self.org_id is not None:
+            result["org_id"] = self.org_id
+        if self.team_id is not None:
+            result["team_id"] = self.team_id
+        if self.email is not None:
+            result["email"] = self.email
+        if self.ip_address is not None:
+            result["ip_address"] = self.ip_address
+        if self.service_account:
+            result["service_account"] = True
+        return result
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> ActorContext:
+        """Reconstruct an :class:`ActorContext` from a plain dict."""
+        return cls(
+            user_id=str(data["user_id"]),
+            org_id=data.get("org_id"),
+            team_id=data.get("team_id"),
+            email=data.get("email"),
+            ip_address=data.get("ip_address"),
+            service_account=bool(data.get("service_account", False)),
+        )

spanforge/alerts.py ADDED Viewed

@@ -0,0 +1,469 @@
+"""spanforge.alerts — Built-in alerting integrations for threshold-based notifications.
+Supports Slack, Microsoft Teams, PagerDuty, and SMTP email.  All alerters share
+a cooldown mechanism to avoid alert storms: the same ``alert_key`` will not fire
+again until ``cooldown_seconds`` have elapsed.
+Zero required dependencies — each alerter uses only stdlib (``urllib.request``,
+``smtplib``, ``json``).
+Usage::
+    from spanforge.alerts import AlertManager, AlertConfig, SlackAlerter
+    manager = AlertManager(
+        alerters=[SlackAlerter(webhook_url="https://hooks.slack.com/services/...")],
+        cooldown_seconds=300,
+    )
+    manager.fire("high_error_rate", "Error rate exceeded 5% in the last minute")
+Integration with cost budgets::
+    from spanforge import configure
+    from spanforge.alerts import AlertManager, SlackAlerter
+    configure(
+        alert_manager=AlertManager(
+            alerters=[SlackAlerter(webhook_url=os.environ["SLACK_WEBHOOK"])],
+        )
+    )
+"""
+from __future__ import annotations
+import json
+import logging
+import os
+import smtplib
+import ssl
+import threading
+import time
+import urllib.error
+import urllib.request
+from dataclasses import dataclass, field
+from email.mime.text import MIMEText
+from typing import TYPE_CHECKING, Any
+if TYPE_CHECKING:
+    from collections.abc import Sequence
+__all__ = [
+    "AlertConfig",
+    "AlertManager",
+    "Alerter",
+    "EmailAlerter",
+    "PagerDutyAlerter",
+    "SlackAlerter",
+    "TeamsAlerter",
+]
+logger = logging.getLogger(__name__)
+# ---------------------------------------------------------------------------
+# Base protocol
+# ---------------------------------------------------------------------------
+class Alerter:
+    """Abstract base class for alerters.  Subclasses must implement :meth:`send`."""
+    def send(self, title: str, message: str, severity: str = "warning") -> None:
+        """Send an alert notification."""
+        raise NotImplementedError
+# ---------------------------------------------------------------------------
+# Concrete alerters
+# ---------------------------------------------------------------------------
+@dataclass
+class SlackAlerter(Alerter):
+    """Send a message to a Slack Incoming Webhook.
+    Args:
+        webhook_url: Slack Incoming Webhook URL.
+        channel:     Optional channel override (e.g. ``"#alerts"``).
+        username:    Bot display name.
+        icon_emoji:  Emoji icon for the bot message.
+        timeout:     HTTP request timeout in seconds.
+    """
+    webhook_url: str
+    channel: str | None = None
+    username: str = "spanforge"
+    icon_emoji: str = ":robot_face:"
+    timeout: int = 10
+    def send(self, title: str, message: str, severity: str = "warning") -> None:
+        """Send alert via Slack Incoming Webhook."""
+        colour = {"info": "#36a64f", "warning": "#ffcc00", "critical": "#ff0000"}.get(
+            severity, "#36a64f"
+        )
+        payload: dict[str, Any] = {
+            "username": self.username,
+            "icon_emoji": self.icon_emoji,
+            "attachments": [
+                {
+                    "color": colour,
+                    "title": title,
+                    "text": message,
+                    "footer": "spanforge",
+                }
+            ],
+        }
+        if self.channel:
+            payload["channel"] = self.channel
+        data = json.dumps(payload).encode()
+        req = urllib.request.Request(
+            self.webhook_url,
+            data=data,
+            headers={"Content-Type": "application/json"},
+            method="POST",
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=self.timeout) as resp:  # nosec B310
+                if resp.status not in (200, 204):
+                    logger.warning("SlackAlerter: unexpected status %s", resp.status)
+        except urllib.error.URLError as exc:
+            logger.warning("SlackAlerter: request failed: %s", exc)
+@dataclass
+class TeamsAlerter(Alerter):
+    """Send an Adaptive Card to a Microsoft Teams Incoming Webhook.
+    Args:
+        webhook_url: Teams channel Incoming Webhook URL.
+        timeout:     HTTP request timeout in seconds.
+    """
+    webhook_url: str
+    timeout: int = 10
+    def send(self, title: str, message: str, severity: str = "warning") -> None:
+        """Send alert via Microsoft Teams Incoming Webhook."""
+        colour = {"info": "Good", "warning": "Warning", "critical": "Attention"}.get(
+            severity, "Warning"
+        )
+        payload = {
+            "type": "message",
+            "attachments": [
+                {
+                    "contentType": "application/vnd.microsoft.card.adaptive",
+                    "content": {
+                        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
+                        "type": "AdaptiveCard",
+                        "version": "1.3",
+                        "body": [
+                            {
+                                "type": "TextBlock",
+                                "text": title,
+                                "weight": "Bolder",
+                                "size": "Medium",
+                                "color": colour,
+                            },
+                            {"type": "TextBlock", "text": message, "wrap": True},
+                        ],
+                    },
+                }
+            ],
+        }
+        data = json.dumps(payload).encode()
+        req = urllib.request.Request(
+            self.webhook_url,
+            data=data,
+            headers={"Content-Type": "application/json"},
+            method="POST",
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=self.timeout) as resp:  # nosec B310
+                if resp.status not in (200, 202):
+                    logger.warning("TeamsAlerter: unexpected status %s", resp.status)
+        except urllib.error.URLError as exc:
+            logger.warning("TeamsAlerter: request failed: %s", exc)
+@dataclass
+class PagerDutyAlerter(Alerter):
+    """Trigger a PagerDuty incident via the Events API v2.
+    Args:
+        integration_key: PagerDuty integration/routing key (32-char hex string).
+        source:          Source field in the PD event.
+        timeout:         HTTP request timeout in seconds.
+    """
+    integration_key: str = field(repr=False)
+    source: str = "spanforge"
+    timeout: int = 10
+    _PD_URL = "https://events.pagerduty.com/v2/enqueue"
+    def send(self, title: str, message: str, severity: str = "warning") -> None:
+        """Trigger a PagerDuty incident via the Events API v2."""
+        pd_severity = {"info": "info", "warning": "warning", "critical": "critical"}.get(
+            severity, "warning"
+        )
+        payload = {
+            "routing_key": self.integration_key,
+            "event_action": "trigger",
+            "payload": {
+                "summary": title,
+                "source": self.source,
+                "severity": pd_severity,
+                "custom_details": {"message": message},
+            },
+        }
+        data = json.dumps(payload).encode()
+        req = urllib.request.Request(
+            self._PD_URL,
+            data=data,
+            headers={"Content-Type": "application/json"},
+            method="POST",
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=self.timeout) as resp:  # nosec B310
+                if resp.status not in (200, 202):
+                    logger.warning("PagerDutyAlerter: unexpected status %s", resp.status)
+        except urllib.error.URLError as exc:
+            logger.warning("PagerDutyAlerter: request failed: %s", exc)
+@dataclass
+class EmailAlerter(Alerter):
+    """Send alert emails via SMTP.
+    Uses STARTTLS when ``use_tls=True`` (default).  Credentials are taken from
+    the ``username`` / ``password`` fields; pass ``None`` for unauthenticated
+    SMTP (e.g. internal relay).
+    Args:
+        smtp_host:    SMTP server hostname.
+        smtp_port:    SMTP server port (default: 587 for STARTTLS).
+        from_address: Sender address.
+        to_addresses: List of recipient addresses.
+        subject_prefix: Prefix for the email subject line.
+        username:     SMTP auth username; ``None`` skips AUTH.
+        password:     SMTP auth password; ``None`` skips AUTH.
+        use_tls:      Use STARTTLS (default: True).
+        timeout:      Connection timeout in seconds.
+    """
+    smtp_host: str
+    smtp_port: int = 587
+    from_address: str = "spanforge@localhost"
+    to_addresses: Sequence[str] = field(default_factory=list)
+    subject_prefix: str = "[spanforge]"
+    username: str | None = field(default=None, repr=False)
+    password: str | None = field(default=None, repr=False)
+    use_tls: bool = True
+    timeout: int = 10
+    def send(self, title: str, message: str, severity: str = "warning") -> None:
+        """Send alert email via SMTP."""
+        if not self.to_addresses:
+            logger.warning("EmailAlerter: no recipients configured, skipping")
+            return
+        subject = f"{self.subject_prefix} [{severity.upper()}] {title}"
+        body = f"{title}\n\nSeverity: {severity}\n\n{message}"
+        msg = MIMEText(body, "plain", "utf-8")
+        msg["Subject"] = subject
+        msg["From"] = self.from_address
+        msg["To"] = ", ".join(self.to_addresses)
+        context = ssl.create_default_context() if self.use_tls else None
+        try:
+            with smtplib.SMTP(self.smtp_host, self.smtp_port, timeout=self.timeout) as smtp:
+                if self.use_tls and context:
+                    smtp.starttls(context=context)
+                if self.username and self.password:
+                    smtp.login(self.username, self.password)
+                smtp.sendmail(self.from_address, list(self.to_addresses), msg.as_string())
+        except (smtplib.SMTPException, OSError) as exc:
+            logger.warning("EmailAlerter: send failed: %s", exc)
+# ---------------------------------------------------------------------------
+# AlertConfig (thin data container for env-var driven configuration)
+# ---------------------------------------------------------------------------
+@dataclass
+class AlertConfig:
+    """Data class holding alert configuration loaded from environment variables.
+    Typically accessed via :attr:`spanforge.config.SpanForgeConfig.alert_config`.
+    Environment variable mapping::
+        SPANFORGE_ALERT_SLACK_WEBHOOK    → slack_webhook_url
+        SPANFORGE_ALERT_TEAMS_WEBHOOK    → teams_webhook_url
+        SPANFORGE_ALERT_PAGERDUTY_KEY    → pagerduty_integration_key
+        SPANFORGE_ALERT_SMTP_HOST        → smtp_host
+        SPANFORGE_ALERT_SMTP_PORT        → smtp_port  (int)
+        SPANFORGE_ALERT_EMAIL_FROM       → email_from
+        SPANFORGE_ALERT_EMAIL_TO         → email_to   (comma-separated)
+        SPANFORGE_ALERT_EMAIL_USERNAME   → email_username
+        SPANFORGE_ALERT_EMAIL_PASSWORD   → email_password
+        SPANFORGE_ALERT_COOLDOWN_SECONDS → cooldown_seconds (int, default 300)
+    """
+    slack_webhook_url: str | None = None
+    teams_webhook_url: str | None = None
+    pagerduty_integration_key: str | None = field(default=None, repr=False)
+    smtp_host: str | None = None
+    smtp_port: int = 587
+    email_from: str = "spanforge@localhost"
+    email_to: Sequence[str] = field(default_factory=list)
+    email_username: str | None = field(default=None, repr=False)
+    email_password: str | None = field(default=None, repr=False)
+    cooldown_seconds: int = 300
+    @classmethod
+    def from_env(cls) -> AlertConfig:
+        """Construct an :class:`AlertConfig` by reading ``SPANFORGE_ALERT_*`` env vars."""
+        email_to_raw = os.environ.get("SPANFORGE_ALERT_EMAIL_TO", "")
+        email_to = [a.strip() for a in email_to_raw.split(",") if a.strip()]
+        cooldown_raw = os.environ.get("SPANFORGE_ALERT_COOLDOWN_SECONDS", "300")
+        try:
+            cooldown = int(cooldown_raw)
+        except ValueError:
+            cooldown = 300
+        smtp_port_raw = os.environ.get("SPANFORGE_ALERT_SMTP_PORT", "587")
+        try:
+            smtp_port = int(smtp_port_raw)
+        except ValueError:
+            smtp_port = 587
+        return cls(
+            slack_webhook_url=os.environ.get("SPANFORGE_ALERT_SLACK_WEBHOOK"),
+            teams_webhook_url=os.environ.get("SPANFORGE_ALERT_TEAMS_WEBHOOK"),
+            pagerduty_integration_key=os.environ.get("SPANFORGE_ALERT_PAGERDUTY_KEY"),
+            smtp_host=os.environ.get("SPANFORGE_ALERT_SMTP_HOST"),
+            smtp_port=smtp_port,
+            email_from=os.environ.get("SPANFORGE_ALERT_EMAIL_FROM", "spanforge@localhost"),
+            email_to=email_to,
+            email_username=os.environ.get("SPANFORGE_ALERT_EMAIL_USERNAME"),
+            email_password=os.environ.get("SPANFORGE_ALERT_EMAIL_PASSWORD"),
+            cooldown_seconds=cooldown,
+        )
+    def build_manager(self) -> AlertManager:
+        """Create an :class:`AlertManager` from this config."""
+        alerters: list[Alerter] = []
+        if self.slack_webhook_url:
+            alerters.append(SlackAlerter(webhook_url=self.slack_webhook_url))
+        if self.teams_webhook_url:
+            alerters.append(TeamsAlerter(webhook_url=self.teams_webhook_url))
+        if self.pagerduty_integration_key:
+            alerters.append(PagerDutyAlerter(integration_key=self.pagerduty_integration_key))
+        if self.smtp_host and self.email_to:
+            alerters.append(
+                EmailAlerter(
+                    smtp_host=self.smtp_host,
+                    smtp_port=self.smtp_port,
+                    from_address=self.email_from,
+                    to_addresses=self.email_to,
+                    username=self.email_username,
+                    password=self.email_password,
+                )
+            )
+        return AlertManager(alerters=alerters, cooldown_seconds=self.cooldown_seconds)
+# ---------------------------------------------------------------------------
+# AlertManager
+# ---------------------------------------------------------------------------
+class AlertManager:
+    """Dispatch alerts to one or more :class:`Alerter` backends with deduplication.
+    The same ``alert_key`` will not trigger again within ``cooldown_seconds``
+    (per-key cooldown window), preventing alert storms.
+    Thread-safe.
+    Args:
+        alerters:         List of :class:`Alerter` instances to notify.
+        cooldown_seconds: Minimum seconds between repeated firings of the same key.
+    Example::
+        manager = AlertManager(
+            alerters=[SlackAlerter(webhook_url="https://hooks.slack.com/...")],
+            cooldown_seconds=300,
+        )
+        manager.fire("budget_exceeded", "Daily spend exceeded $100", severity="critical")
+    """
+    def __init__(
+        self,
+        alerters: Sequence[Alerter] | None = None,
+        cooldown_seconds: int = 300,
+    ) -> None:
+        self._alerters: list[Alerter] = list(alerters or [])
+        self._cooldown = cooldown_seconds
+        self._last_fired: dict[str, float] = {}
+        self._lock = threading.Lock()
+    # ------------------------------------------------------------------
+    # Public interface
+    # ------------------------------------------------------------------
+    def add_alerter(self, alerter: Alerter) -> None:
+        """Append *alerter* to the notification list."""
+        with self._lock:
+            self._alerters.append(alerter)
+    def fire(
+        self,
+        alert_key: str,
+        message: str,
+        title: str | None = None,
+        severity: str = "warning",
+    ) -> bool:
+        """Fire an alert if the cooldown window has elapsed.
+        Args:
+            alert_key: Unique identifier for the alert type (used for deduplication).
+            message:   Human-readable alert body.
+            title:     Short alert title.  Defaults to *alert_key*.
+            severity:  One of ``"info"``, ``"warning"``, ``"critical"``.
+        Returns:
+            ``True`` if the alert was dispatched; ``False`` if suppressed by cooldown.
+        """
+        if not self._alerters:
+            return False
+        now = time.monotonic()
+        with self._lock:
+            last = self._last_fired.get(alert_key, 0.0)
+            if now - last < self._cooldown:
+                logger.debug(
+                    "AlertManager: suppressed '%s' (cooldown %ss remaining)",
+                    alert_key,
+                    int(self._cooldown - (now - last)),
+                )
+                return False
+            self._last_fired[alert_key] = now
+            active_alerters = list(self._alerters)
+        resolved_title = title or alert_key.replace("_", " ").title()
+        for alerter in active_alerters:
+            try:
+                alerter.send(resolved_title, message, severity=severity)
+            except Exception:
+                logger.exception("AlertManager: alerter %r raised an exception", alerter)
+        return True
+    def reset_cooldown(self, alert_key: str) -> None:
+        """Reset the cooldown for *alert_key*, allowing it to fire immediately."""
+        with self._lock:
+            self._last_fired.pop(alert_key, None)