svc-infra 0.1.562__py3-none-any.whl → 0.1.654__py3-none-any.whl

svc_infra/api/fastapi/db/sql/add.py

@@ -10,7 +10,7 @@ from svc_infra.db.sql.management import make_crud_schemas
 from svc_infra.db.sql.repository import SqlRepository
 from svc_infra.db.sql.resource import SqlResource
 
-from .crud_router import make_crud_router_plus_sql
+from .crud_router import make_crud_router_plus_sql, make_tenant_crud_router_plus_sql
 from .health import _make_db_health_router
 from .session import dispose_session, initialize_session
 
@@ -37,18 +37,37 @@ def add_sql_resources(app: FastAPI, resources: Sequence[SqlResource]) -> None:
                 update_name=r.update_name,
             )
 
-        router = make_crud_router_plus_sql(
-            model=r.model,
-            service=svc,
-            read_schema=Read,
-            create_schema=Create,
-            update_schema=Update,
-            prefix=r.prefix,
-            tags=r.tags,
-            search_fields=r.search_fields,
-            default_ordering=r.ordering_default,
-            allowed_order_fields=r.allowed_order_fields,
-        )
+        if r.tenant_field:
+            # wrap service factory/instance through tenant router
+            def _factory():
+                return svc
+
+            router = make_tenant_crud_router_plus_sql(
+                model=r.model,
+                service_factory=_factory,
+                read_schema=Read,
+                create_schema=Create,
+                update_schema=Update,
+                prefix=r.prefix,
+                tenant_field=r.tenant_field,
+                tags=r.tags,
+                search_fields=r.search_fields,
+                default_ordering=r.ordering_default,
+                allowed_order_fields=r.allowed_order_fields,
+            )
+        else:
+            router = make_crud_router_plus_sql(
+                model=r.model,
+                service=svc,
+                read_schema=Read,
+                create_schema=Create,
+                update_schema=Update,
+                prefix=r.prefix,
+                tags=r.tags,
+                search_fields=r.search_fields,
+                default_ordering=r.ordering_default,
+                allowed_order_fields=r.allowed_order_fields,
+            )
         app.include_router(router)
 
 
@@ -67,16 +86,19 @@ def add_sql_db(app: FastAPI, *, url: Optional[str] = None, dsn_env: str = "SQL_U
         app.router.lifespan_context = lifespan
         return
 
-    @app.on_event("startup")
-    async def _startup() -> None:  # noqa: ANN202
+    # Use lifespan context manager instead of deprecated on_event
+    @asynccontextmanager
+    async def lifespan(_app: FastAPI):
         env_url = os.getenv(dsn_env)
         if not env_url:
             raise RuntimeError(f"Missing environment variable {dsn_env} for database URL")
         initialize_session(env_url)
+        try:
+            yield
+        finally:
+            await dispose_session()
 
-    @app.on_event("shutdown")
-    async def _shutdown() -> None:  # noqa: ANN202
-        await dispose_session()
+    app.router.lifespan_context = lifespan
 
 
 def add_sql_health(

svc_infra/api/fastapi/db/sql/crud_router.py

@@ -1,4 +1,4 @@
-from typing import Annotated, Any, Optional, Sequence, Type, TypeVar, cast
+from typing import Annotated, Any, Optional, Sequence, Type, TypeVar
 
 from fastapi import APIRouter, Body, Depends, HTTPException
 from pydantic import BaseModel
@@ -15,7 +15,9 @@ from svc_infra.api.fastapi.db.http import (
 )
 from svc_infra.api.fastapi.dual.public import public_router
 from svc_infra.db.sql.service import SqlService
+from svc_infra.db.sql.tenant import TenantSqlService
 
+from ...tenancy.context import TenantId
 from .session import SqlSessionDep
 
 CreateModel = TypeVar("CreateModel", bound=BaseModel)
@@ -44,6 +46,18 @@ def make_crud_router_plus_sql(
         redirect_slashes=False,
     )
 
+    def _coerce_id(v: Any) -> Any:
+        """Best-effort coercion of path ids: cast digit-only strings to int.
+
+        Keeps original type otherwise to avoid breaking non-integer IDs.
+        """
+        if isinstance(v, str) and v.isdigit():
+            try:
+                return int(v)
+            except Exception:
+                return v
+        return v
+
     def _parse_ordering_to_fields(order_spec: Optional[str]) -> list[str]:
         if not order_spec:
             return []
@@ -59,7 +73,7 @@ def make_crud_router_plus_sql(
     # -------- LIST --------
     @router.get(
         "",
-        response_model=cast(Any, Page[read_schema]),
+        response_model=Page[read_schema],
         description=f"List items of type {model.__name__}",
     )
     async def list_items(
@@ -85,18 +99,16 @@ def make_crud_router_plus_sql(
         else:
             items = await service.list(session, limit=lp.limit, offset=lp.offset, order_by=order_by)
             total = await service.count(session)
-        return Page[read_schema].from_items(
-            total=total, items=items, limit=lp.limit, offset=lp.offset
-        )
+        return Page[Any].from_items(total=total, items=items, limit=lp.limit, offset=lp.offset)
 
     # -------- GET by id --------
     @router.get(
         "/{item_id}",
-        response_model=cast(Any, read_schema),
+        response_model=read_schema,
         description=f"Get item of type {model.__name__}",
     )
     async def get_item(item_id: Any, session: SqlSessionDep):  # type: ignore[name-defined]
-        row = await service.get(session, item_id)
+        row = await service.get(session, _coerce_id(item_id))
         if not row:
             raise HTTPException(404, "Not found")
         return row
@@ -104,7 +116,7 @@ def make_crud_router_plus_sql(
     # -------- CREATE --------
     @router.post(
         "",
-        response_model=cast(Any, read_schema),
+        response_model=read_schema,
         status_code=201,
         description=f"Create item of type {model.__name__}",
     )
@@ -112,13 +124,18 @@ def make_crud_router_plus_sql(
         session: SqlSessionDep,  # type: ignore[name-defined]
         payload: create_schema = Body(...),
     ):
-        data = cast(BaseModel, payload).model_dump(exclude_unset=True)
+        if isinstance(payload, BaseModel):
+            data = payload.model_dump(exclude_unset=True)
+        elif isinstance(payload, dict):
+            data = payload
+        else:
+            raise HTTPException(422, "invalid_payload")
         return await service.create(session, data)
 
     # -------- UPDATE --------
     @router.patch(
         "/{item_id}",
-        response_model=cast(Any, read_schema),
+        response_model=read_schema,
         description=f"Update item of type {model.__name__}",
     )
     async def update_item(
@@ -126,8 +143,13 @@ def make_crud_router_plus_sql(
         session: SqlSessionDep,  # type: ignore[name-defined]
         payload: update_schema = Body(...),
     ):
-        data = cast(BaseModel, payload).model_dump(exclude_unset=True)
-        row = await service.update(session, item_id, data)
+        if isinstance(payload, BaseModel):
+            data = payload.model_dump(exclude_unset=True)
+        elif isinstance(payload, dict):
+            data = payload
+        else:
+            raise HTTPException(422, "invalid_payload")
+        row = await service.update(session, _coerce_id(item_id), data)
         if not row:
             raise HTTPException(404, "Not found")
         return row
@@ -137,7 +159,147 @@ def make_crud_router_plus_sql(
         "/{item_id}", status_code=204, description=f"Delete item of type {model.__name__}"
     )
     async def delete_item(item_id: Any, session: SqlSessionDep):  # type: ignore[name-defined]
-        ok = await service.delete(session, item_id)
+        ok = await service.delete(session, _coerce_id(item_id))
+        if not ok:
+            raise HTTPException(404, "Not found")
+        return
+
+    return router
+
+
+def make_tenant_crud_router_plus_sql(
+    *,
+    model: type[Any],
+    service_factory: callable,  # factory that returns a SqlService (will be wrapped)
+    read_schema: Type[ReadModel],
+    create_schema: Type[CreateModel],
+    update_schema: Type[UpdateModel],
+    prefix: str,
+    tenant_field: str = "tenant_id",
+    tags: list[str] | None = None,
+    search_fields: Optional[Sequence[str]] = None,
+    default_ordering: Optional[str] = None,
+    allowed_order_fields: Optional[list[str]] = None,
+    mount_under_db_prefix: bool = True,
+) -> APIRouter:
+    """Like make_crud_router_plus_sql, but requires TenantId and scopes all operations."""
+    router_prefix = ("/_sql" + prefix) if mount_under_db_prefix else prefix
+    router = public_router(
+        prefix=router_prefix,
+        tags=tags or [prefix.strip("/")],
+        redirect_slashes=False,
+    )
+
+    # Evaluate the base service once to preserve in-memory state across requests in tests/local.
+    # Consumers may pass either an instance or a zero-arg factory function.
+    try:
+        _base_instance = service_factory() if callable(service_factory) else service_factory  # type: ignore[misc]
+    except TypeError:
+        # If the callable requires args, assume it's already an instance
+        _base_instance = service_factory  # type: ignore[assignment]
+
+    def _coerce_id(v: Any) -> Any:
+        """Best-effort coercion of path ids: cast digit-only strings to int.
+        Keeps original type otherwise.
+        """
+        if isinstance(v, str) and v.isdigit():
+            try:
+                return int(v)
+            except Exception:
+                return v
+        return v
+
+    def _parse_ordering_to_fields(order_spec: Optional[str]) -> list[str]:
+        if not order_spec:
+            return []
+        pieces = [p.strip() for p in order_spec.split(",") if p.strip()]
+        fields: list[str] = []
+        for p in pieces:
+            name = p[1:] if p.startswith("-") else p
+            if allowed_order_fields and name not in (allowed_order_fields or []):
+                continue
+            fields.append(p)
+        return fields
+
+    # create per-request service with tenant scoping
+    async def _svc(session: SqlSessionDep, tenant_id: TenantId):  # type: ignore[name-defined]
+        repo_or_service = getattr(_base_instance, "repo", _base_instance)
+        svc: Any = TenantSqlService(repo_or_service, tenant_id=tenant_id, tenant_field=tenant_field)  # type: ignore[arg-type]
+        return svc  # type: ignore[return-value]
+
+    @router.get("", response_model=Page[read_schema])
+    async def list_items(
+        lp: Annotated[LimitOffsetParams, Depends(dep_limit_offset)],
+        op: Annotated[OrderParams, Depends(dep_order)],
+        sp: Annotated[SearchParams, Depends(dep_search)],
+        session: SqlSessionDep,  # type: ignore[name-defined]
+        tenant_id: TenantId,
+    ):
+        svc = await _svc(session, tenant_id)
+        order_spec = op.order_by or default_ordering
+        order_fields = _parse_ordering_to_fields(order_spec)
+        order_by = build_order_by(model, order_fields)
+        if sp.q:
+            fields = [
+                f.strip()
+                for f in (sp.fields or (",".join(search_fields or []) or "")).split(",")
+                if f.strip()
+            ]
+            items = await svc.search(
+                session, q=sp.q, fields=fields, limit=lp.limit, offset=lp.offset, order_by=order_by
+            )
+            total = await svc.count_filtered(session, q=sp.q, fields=fields)
+        else:
+            items = await svc.list(session, limit=lp.limit, offset=lp.offset, order_by=order_by)
+            total = await svc.count(session)
+        return Page[Any].from_items(total=total, items=items, limit=lp.limit, offset=lp.offset)
+
+    @router.get("/{item_id}", response_model=read_schema)
+    async def get_item(item_id: Any, session: SqlSessionDep, tenant_id: TenantId):  # type: ignore[name-defined]
+        svc = await _svc(session, tenant_id)
+        obj = await svc.get(session, item_id)
+        if not obj:
+            raise HTTPException(404, "not_found")
+        return obj
+
+    @router.post("", response_model=read_schema, status_code=201)
+    async def create_item(
+        session: SqlSessionDep,  # type: ignore[name-defined]
+        tenant_id: TenantId,
+        payload: create_schema = Body(...),
+    ):
+        svc = await _svc(session, tenant_id)
+        if isinstance(payload, BaseModel):
+            data = payload.model_dump(exclude_unset=True)
+        elif isinstance(payload, dict):
+            data = payload
+        else:
+            raise HTTPException(422, "invalid_payload")
+        return await svc.create(session, data)
+
+    @router.patch("/{item_id}", response_model=read_schema)
+    async def update_item(
+        item_id: Any,
+        session: SqlSessionDep,  # type: ignore[name-defined]
+        tenant_id: TenantId,
+        payload: update_schema = Body(...),
+    ):
+        svc = await _svc(session, tenant_id)
+        if isinstance(payload, BaseModel):
+            data = payload.model_dump(exclude_unset=True)
+        elif isinstance(payload, dict):
+            data = payload
+        else:
+            raise HTTPException(422, "invalid_payload")
+        updated = await svc.update(session, item_id, data)
+        if not updated:
+            raise HTTPException(404, "not_found")
+        return updated
+
+    @router.delete("/{item_id}", status_code=204)
+    async def delete_item(item_id: Any, session: SqlSessionDep, tenant_id: TenantId):  # type: ignore[name-defined]
+        svc = await _svc(session, tenant_id)
+        ok = await svc.delete(session, _coerce_id(item_id))
         if not ok:
             raise HTTPException(404, "Not found")
         return
@@ -145,4 +307,4 @@ def make_crud_router_plus_sql(
     return router
 
 
-__all__ = ["make_crud_router_plus_sql"]
+__all__ = ["make_crud_router_plus_sql", "make_tenant_crud_router_plus_sql"]

svc_infra/api/fastapi/db/sql/session.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
 
 import logging
+import os
 from typing import Annotated, AsyncIterator, Tuple
 
 from fastapi import Depends
+from sqlalchemy import text
 from sqlalchemy.ext.asyncio import (
     AsyncEngine,
     AsyncSession,
@@ -53,6 +55,20 @@ async def get_session() -> AsyncIterator[AsyncSession]:
     if _SessionLocal is None:
         raise RuntimeError("Database not initialized. Call add_sql_db(app, ...) first.")
     async with _SessionLocal() as session:
+        # Optional: set a per-transaction statement timeout for Postgres if configured
+        raw_ms = os.getenv("DB_STATEMENT_TIMEOUT_MS")
+        if raw_ms:
+            try:
+                ms = int(raw_ms)
+                if ms > 0:
+                    try:
+                        # SET LOCAL applies for the duration of the current transaction only
+                        await session.execute(text("SET LOCAL statement_timeout = :ms"), {"ms": ms})
+                    except Exception:
+                        # Non-PG dialects (e.g., SQLite) will error; ignore silently
+                        pass
+            except ValueError:
+                pass
         try:
             yield session
             await session.commit()

svc_infra/api/fastapi/db/sql/users.py

@@ -12,6 +12,7 @@ from svc_infra.api.fastapi.auth.settings import get_auth_settings
 from svc_infra.api.fastapi.dual.dualize import dualize_public, dualize_user
 from svc_infra.api.fastapi.dual.router import DualAPIRouter
 from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV
+from svc_infra.security.jwt_rotation import RotatingJWTStrategy
 
 from ...auth.security import auth_login_path
 from ...auth.sender import get_sender
@@ -94,7 +95,18 @@ def get_fastapi_users(
         lifetime = getattr(jwt_block, "lifetime_seconds", None) if jwt_block else None
         if not isinstance(lifetime, int) or lifetime <= 0:
             lifetime = 3600
-        return JWTStrategy(secret=secret, lifetime_seconds=lifetime)
+        old = []
+        if jwt_block and getattr(jwt_block, "old_secrets", None):
+            old = [s.get_secret_value() for s in jwt_block.old_secrets or []]
+        audience = "fastapi-users:auth"
+        if old:
+            return RotatingJWTStrategy(
+                secret=secret,
+                lifetime_seconds=lifetime,
+                old_secrets=old,
+                token_audience=audience,
+            )
+        return JWTStrategy(secret=secret, lifetime_seconds=lifetime, token_audience=audience)
 
     bearer_transport = BearerTransport(tokenUrl=auth_login_path)
     auth_backend = AuthenticationBackend(

svc_infra/api/fastapi/dependencies/ratelimit.py

@@ -0,0 +1,116 @@
+from __future__ import annotations
+
+import time
+from typing import Callable, Optional
+
+from fastapi import HTTPException
+from starlette.requests import Request
+
+from svc_infra.api.fastapi.middleware.ratelimit_store import InMemoryRateLimitStore, RateLimitStore
+
+try:
+    from svc_infra.api.fastapi.tenancy.context import resolve_tenant_id as _resolve_tenant_id
+except Exception:  # pragma: no cover - minimal builds
+    _resolve_tenant_id = None  # type: ignore
+from svc_infra.obs.metrics import emit_rate_limited
+
+
+class RateLimiter:
+    def __init__(
+        self,
+        *,
+        limit: int,
+        window: int = 60,
+        key_fn: Callable = lambda r: "global",
+        limit_resolver: Optional[Callable[[Request, Optional[str]], Optional[int]]] = None,
+        scope_by_tenant: bool = False,
+        store: RateLimitStore | None = None,
+    ):
+        self.limit = limit
+        self.window = window
+        self.key_fn = key_fn
+        self._limit_resolver = limit_resolver
+        self.scope_by_tenant = scope_by_tenant
+        self.store = store or InMemoryRateLimitStore(limit=limit)
+
+    async def __call__(self, request: Request):
+        # Try resolving tenant when asked
+        tenant_id = None
+        if self.scope_by_tenant or self._limit_resolver:
+            try:
+                if _resolve_tenant_id is not None:
+                    tenant_id = await _resolve_tenant_id(request)
+            except Exception:
+                tenant_id = None
+
+        key = self.key_fn(request)
+        if self.scope_by_tenant and tenant_id:
+            key = f"{key}:tenant:{tenant_id}"
+
+        eff_limit = self.limit
+        if self._limit_resolver:
+            try:
+                v = self._limit_resolver(request, tenant_id)
+                eff_limit = int(v) if v is not None else self.limit
+            except Exception:
+                eff_limit = self.limit
+
+        count, store_limit, reset = self.store.incr(str(key), self.window)
+        if count > eff_limit:
+            retry = max(0, reset - int(time.time()))
+            try:
+                emit_rate_limited(str(key), eff_limit, retry)
+            except Exception:
+                pass
+            raise HTTPException(
+                status_code=429, detail="Rate limit exceeded", headers={"Retry-After": str(retry)}
+            )
+
+
+__all__ = ["RateLimiter"]
+
+
+def rate_limiter(
+    *,
+    limit: int,
+    window: int = 60,
+    key_fn: Callable = lambda r: "global",
+    limit_resolver: Optional[Callable[[Request, Optional[str]], Optional[int]]] = None,
+    scope_by_tenant: bool = False,
+    store: RateLimitStore | None = None,
+):
+    store_ = store or InMemoryRateLimitStore(limit=limit)
+
+    async def dep(request: Request):
+        tenant_id = None
+        if scope_by_tenant or limit_resolver:
+            try:
+                if _resolve_tenant_id is not None:
+                    tenant_id = await _resolve_tenant_id(request)
+            except Exception:
+                tenant_id = None
+
+        key = key_fn(request)
+        if scope_by_tenant and tenant_id:
+            key = f"{key}:tenant:{tenant_id}"
+
+        eff_limit = limit
+        if limit_resolver:
+            try:
+                v = limit_resolver(request, tenant_id)
+                eff_limit = int(v) if v is not None else limit
+            except Exception:
+                eff_limit = limit
+
+        count, _store_limit, reset = store_.incr(str(key), window)
+        if count > eff_limit:
+            retry = max(0, reset - int(time.time()))
+            try:
+                emit_rate_limited(str(key), eff_limit, retry)
+            except Exception:
+                pass
+            raise HTTPException(
+                status_code=429, detail="Rate limit exceeded", headers={"Retry-After": str(retry)}
+            )
+
+    return dep

svc_infra/api/fastapi/docs/add.py

@@ -0,0 +1,160 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Optional
+
+from fastapi import FastAPI, Request
+from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html
+from fastapi.responses import HTMLResponse, JSONResponse
+
+from .landing import CardSpec, DocTargets, render_index_html
+from .scoped import DOC_SCOPES
+
+
+def add_docs(
+    app: FastAPI,
+    *,
+    redoc_url: str = "/redoc",
+    swagger_url: str = "/docs",
+    openapi_url: str = "/openapi.json",
+    export_openapi_to: Optional[str] = None,
+    # Landing page options
+    landing_url: str = "/",
+    include_landing: bool = True,
+) -> None:
+    """Enable docs endpoints and optionally export OpenAPI schema to disk on startup.
+
+    We mount docs and OpenAPI routes explicitly so this works even when configured post-init.
+    """
+
+    # OpenAPI JSON route
+    async def openapi_handler() -> JSONResponse:  # noqa: ANN201
+        return JSONResponse(app.openapi())
+
+    app.add_api_route(openapi_url, openapi_handler, methods=["GET"], include_in_schema=False)
+
+    # Swagger UI route
+    async def swagger_ui(request: Request) -> HTMLResponse:  # noqa: ANN201
+        resp = get_swagger_ui_html(openapi_url=openapi_url, title="API Docs")
+        theme = request.query_params.get("theme")
+        if theme == "dark":
+            return _with_dark_mode(resp)
+        return resp
+
+    app.add_api_route(swagger_url, swagger_ui, methods=["GET"], include_in_schema=False)
+
+    # Redoc route
+    async def redoc_ui(request: Request) -> HTMLResponse:  # noqa: ANN201
+        resp = get_redoc_html(openapi_url=openapi_url, title="API ReDoc")
+        theme = request.query_params.get("theme")
+        if theme == "dark":
+            return _with_dark_mode(resp)
+        return resp
+
+    app.add_api_route(redoc_url, redoc_ui, methods=["GET"], include_in_schema=False)
+
+    # Optional export to disk on startup
+    if export_openapi_to:
+        export_path = Path(export_openapi_to)
+
+        async def _export_docs() -> None:
+            # Startup export
+            spec = app.openapi()
+            export_path.parent.mkdir(parents=True, exist_ok=True)
+            export_path.write_text(json.dumps(spec, indent=2))
+
+        app.add_event_handler("startup", _export_docs)
+
+    # Optional landing page with the same look/feel as setup_service_api
+    if include_landing:
+        # Avoid path collision; if landing_url is already taken for GET, fallback to "/_docs"
+        existing_paths = {
+            (getattr(r, "path", None) or getattr(r, "path_format", None))
+            for r in getattr(app, "routes", [])
+            if getattr(r, "methods", None) and "GET" in r.methods
+        }
+        landing_path = landing_url or "/"
+        if landing_path in existing_paths:
+            landing_path = "/_docs"
+
+        async def _landing() -> HTMLResponse:  # noqa: ANN201
+            cards: list[CardSpec] = []
+            # Root docs card using the provided paths
+            cards.append(
+                CardSpec(
+                    tag="",
+                    docs=DocTargets(swagger=swagger_url, redoc=redoc_url, openapi_json=openapi_url),
+                )
+            )
+            # Scoped docs (if any were registered via add_prefixed_docs)
+            for scope, swagger, redoc, openapi_json, _title in DOC_SCOPES:
+                cards.append(
+                    CardSpec(
+                        tag=scope.strip("/"),
+                        docs=DocTargets(swagger=swagger, redoc=redoc, openapi_json=openapi_json),
+                    )
+                )
+            html = render_index_html(
+                service_name=app.title or "API", release=app.version or "", cards=cards
+            )
+            return HTMLResponse(html)
+
+        app.add_api_route(landing_path, _landing, methods=["GET"], include_in_schema=False)
+
+
+def _with_dark_mode(resp: HTMLResponse) -> HTMLResponse:
+    """Return a copy of the HTMLResponse with a minimal dark-theme CSS injected.
+
+    We avoid depending on custom Swagger/ReDoc builds; this works by inlining a small CSS
+    block and toggling a `.dark` class on the body element.
+    """
+    try:
+        body = resp.body.decode("utf-8", errors="ignore")
+    except Exception:  # pragma: no cover - very unlikely
+        return resp
+
+    css = _DARK_CSS
+    if "</head>" in body:
+        body = body.replace("</head>", f"<style>\n{css}\n</style></head>", 1)
+    # add class to body to allow stronger selectors
+    body = body.replace("<body>", '<body class="dark">', 1)
+    return HTMLResponse(content=body, status_code=resp.status_code, headers=dict(resp.headers))
+
+
+_DARK_CSS = """
+/* Minimal dark mode override for Swagger/ReDoc */
+@media (prefers-color-scheme: dark) { :root { color-scheme: dark; } }
+html.dark, body.dark { background: #0b0e14; color: #e0e6f1; }
+#swagger, .redoc-wrap { background: transparent; }
+a { color: #62aef7; }
+"""
+
+
+def add_sdk_generation_stub(
+    app: FastAPI,
+    *,
+    on_generate: Optional[callable] = None,
+    openapi_path: str = "/openapi.json",
+) -> None:
+    """Hook to add an SDK generation stub.
+
+    Provide `on_generate()` to run generation (e.g., openapi-generator). This is a stub only; we
+    don't ship a hard dependency. If `on_generate` is provided, we expose `/_docs/generate-sdk`.
+    """
+    from svc_infra.api.fastapi.dual.public import public_router
+
+    if not on_generate:
+        return
+
+    router = public_router(prefix="/_docs", include_in_schema=False)
+
+    @router.post("/generate-sdk")
+    async def _generate() -> dict:  # noqa: ANN201
+        on_generate()
+        return {"status": "ok"}
+
+    app.include_router(router)
+
+
+__all__ = ["add_docs", "add_sdk_generation_stub"]