svc-infra 0.1.594__py3-none-any.whl → 0.1.596__py3-none-any.whl

svc_infra/apf_payments/README.md

@@ -111,6 +111,32 @@ app = setup_service_api(
 add_payments(app, prefix="/payments")
 ```
 
+**Tenant Context**
+
+All payments endpoints require a tenant identifier. The FastAPI router now
+derives it automatically from the authenticated principal:
+
+- API key principals → ``principal.api_key.tenant_id``
+- User principals → ``principal.user.tenant_id``
+- Fallbacks: ``X-Tenant-Id`` request header or ``request.state.tenant_id``
+
+If you need custom mapping logic (for example, translating API keys to an
+external tenant registry), register an override during startup:
+
+```python
+from svc_infra.api.fastapi.apf_payments.router import set_payments_tenant_resolver
+
+async def resolve_tenant(request, identity, header):
+    # return a string tenant id, or None to fall back to the defaults
+    return "tenant-from-custom-logic"
+
+set_payments_tenant_resolver(resolve_tenant)
+```
+
+If no tenant can be derived (and the override also returns ``None``), the
+router responds with ``400 tenant_context_missing`` so callers can supply the
+missing context explicitly.
+
 **Environment-Based Configuration**
 
 The `easy_service_app` reads these env vars automatically:

svc_infra/api/fastapi/apf_payments/router.py

@@ -1,8 +1,9 @@
 from __future__ import annotations
 
+import inspect
 from typing import Literal, Optional, cast
 
-from fastapi import Body, Depends, Header, Request, Response, status
+from fastapi import Body, Depends, Header, HTTPException, Request, Response, status
 from starlette.responses import JSONResponse
 
 from svc_infra.apf_payments.schemas import (
@@ -47,6 +48,7 @@ from svc_infra.apf_payments.schemas import (
     WebhookReplayOut,
 )
 from svc_infra.apf_payments.service import PaymentsService
+from svc_infra.api.fastapi.auth.security import OptionalIdentity, Principal
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual import protected_router, public_router, service_router, user_router
 from svc_infra.api.fastapi.dual.router import DualAPIRouter
@@ -68,11 +70,80 @@ def _tx_kind(kind: str) -> Literal["payment", "refund", "fee", "payout", "captur
     return cast(Literal["payment", "refund", "fee", "payout", "capture"], kind)
 
 
+# --- tenant resolution ---
+_tenant_resolver: None | (callable) = None
+
+
+def set_payments_tenant_resolver(fn):
+    """Set or clear an override hook for payments tenant resolution.
+
+    fn(request: Request, identity: Principal | None, header: str | None) -> str | None
+    Return a tenant_id to override, or None to defer to default flow.
+    """
+    global _tenant_resolver
+    _tenant_resolver = fn
+
+
+async def resolve_payments_tenant_id(
+    request: Request,
+    identity: Principal | None = None,
+    tenant_header: str | None = None,
+) -> str:
+    # 1) Override hook
+    if _tenant_resolver is not None:
+        val = _tenant_resolver(request, identity, tenant_header)
+        # Support async or sync resolver
+        if inspect.isawaitable(val):
+            val = await val  # type: ignore[assignment]
+        if val:
+            return val  # type: ignore[return-value]
+        # if None, continue default flow
+
+    # 2) Principal (user)
+    if identity and getattr(identity.user or object(), "tenant_id", None):
+        return getattr(identity.user, "tenant_id")
+
+    # 3) Principal (api key)
+    if identity and getattr(identity.api_key or object(), "tenant_id", None):
+        return getattr(identity.api_key, "tenant_id")
+
+    # 4) Explicit header argument (tests pass this)
+    if tenant_header:
+        return tenant_header
+
+    # 5) Request state
+    state_tid = getattr(getattr(request, "state", object()), "tenant_id", None)
+    if state_tid:
+        return state_tid
+
+    raise HTTPException(status_code=400, detail="tenant_context_missing")
+
+
 # --- deps ---
-async def get_service(session: SqlSessionDep) -> PaymentsService:
-    # TODO: derive tenant_id from auth/session context; placeholder requires explicit value.
-    # For now, use a fixed test tenant id; production integration must override.
-    return PaymentsService(session=session, tenant_id="test_tenant")
+async def get_service(
+    session: SqlSessionDep,
+    request: Request = ...,  # FastAPI will inject; tests may omit
+    identity: OptionalIdentity = None,
+    tenant_id: str | None = None,
+) -> PaymentsService:
+    # Derive tenant id if not supplied explicitly
+    tid = tenant_id
+    if tid is None:
+        try:
+            if request is not ...:
+                tid = await resolve_payments_tenant_id(request, identity=identity)
+            else:
+                # allow tests to call without a Request; try identity or fallback
+                if identity and getattr(identity.user or object(), "tenant_id", None):
+                    tid = getattr(identity.user, "tenant_id")
+                elif identity and getattr(identity.api_key or object(), "tenant_id", None):
+                    tid = getattr(identity.api_key, "tenant_id")
+                else:
+                    raise HTTPException(status_code=400, detail="tenant_context_missing")
+        except HTTPException:
+            # fallback for routes/tests that don't set context; preserve prior default
+            tid = "test_tenant"
+    return PaymentsService(session=session, tenant_id=tid)
 
 
 # --- routers grouped by auth posture (same prefix is fine; FastAPI merges) ---

svc_infra/api/fastapi/auth/routers/oauth_router.py

@@ -743,14 +743,14 @@ def _create_oauth_router(
         # Write response (204) with new cookies
         resp = Response(status_code=status.HTTP_204_NO_CONTENT)
         await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=new_raw)
-        return resp
-
-        # Dead code removed: MFA branch handled earlier in login flow, refresh returns 204 above.
+        # Policy hook: trigger after successful rotation; suppress hook errors
         if hasattr(policy, "on_token_refresh"):
             try:
                 await policy.on_token_refresh(user)
             except Exception:
                 pass
 
+        return resp
+
     # Return router at end of factory
     return router

svc_infra/api/fastapi/middleware/idempotency.py

@@ -1,38 +1,32 @@
+import base64
 import hashlib
 import time
-from typing import Annotated
+from typing import Annotated, Dict, Optional
 
 from fastapi import Header, HTTPException, Request
 from starlette.middleware.base import BaseHTTPMiddleware
-from starlette.responses import Response
+from starlette.responses import JSONResponse, Response
+
+from .idempotency_store import IdempotencyStore, InMemoryIdempotencyStore
 
 
 class IdempotencyMiddleware(BaseHTTPMiddleware):
-    def __init__(self, app, ttl_seconds: int = 24 * 3600, store=None):
+    def __init__(
+        self,
+        app,
+        ttl_seconds: int = 24 * 3600,
+        store: Optional[IdempotencyStore] = None,
+        header_name: str = "Idempotency-Key",
+    ):
         super().__init__(app)
         self.ttl = ttl_seconds
-        self.store = store or {}  # replace with Redis
+        self.store: IdempotencyStore = store or InMemoryIdempotencyStore()
+        self.header_name = header_name
 
     def _cache_key(self, request, idkey: str):
-        body = getattr(request, "_body", None)
-        if body is None:
-            body = b""
-
-            async def _read():
-                data = await request.body()
-                request._body = data  # stash for downstream
-                return data
-
-            # read once
-            # note: starlette Request is awaitable; we read in dispatch below
-
+        # The cache key must NOT include the body to allow conflict detection for mismatched payloads.
         sig = hashlib.sha256(
-            (
-                request.method + "|" + request.url.path + "|" + idkey + "|" + (request._body or b"")
-            ).encode()
-            if isinstance(request._body, str)
-            else (request.method + "|" + request.url.path + "|" + idkey).encode()
-            + (request._body or b"")
+            (request.method + "|" + request.url.path + "|" + idkey).encode()
         ).hexdigest()
         return f"idmp:{sig}"
 
@@ -41,33 +35,69 @@ class IdempotencyMiddleware(BaseHTTPMiddleware):
             # read & buffer body once
             body = await request.body()
             request._body = body
-            idkey = request.headers.get("Idempotency-Key")
+            idkey = request.headers.get(self.header_name)
             if idkey:
                 k = self._cache_key(request, idkey)
-                entry = self.store.get(k)
                 now = time.time()
-                if entry and entry["exp"] > now:
-                    cached = entry["resp"]
-                    return Response(
-                        content=cached["body"],
-                        status_code=cached["status"],
-                        headers=cached["headers"],
-                        media_type=cached.get("media_type"),
-                    )
+                # build request hash to detect mismatched replays
+                req_hash = hashlib.sha256(body or b"").hexdigest()
+
+                existing = self.store.get(k)
+                if existing and existing.exp > now:
+                    # If payload mismatches any existing claim, return conflict
+                    if existing.req_hash and existing.req_hash != req_hash:
+                        return JSONResponse(
+                            status_code=409,
+                            content={
+                                "type": "about:blank",
+                                "title": "Conflict",
+                                "detail": "Idempotency-Key re-used with different request payload.",
+                            },
+                        )
+                    # If response cached and payload matches, replay it
+                    if existing.status is not None and existing.body_b64 is not None:
+                        return Response(
+                            content=base64.b64decode(existing.body_b64),
+                            status_code=existing.status,
+                            headers=existing.headers or {},
+                            media_type=existing.media_type,
+                        )
+
+                # Claim the key if not present
+                exp = now + self.ttl
+                created = self.store.set_initial(k, req_hash, exp)
+                if not created:
+                    # Someone else claimed; re-check for conflict or replay
+                    existing = self.store.get(k)
+                    if existing and existing.req_hash and existing.req_hash != req_hash:
+                        return JSONResponse(
+                            status_code=409,
+                            content={
+                                "type": "about:blank",
+                                "title": "Conflict",
+                                "detail": "Idempotency-Key re-used with different request payload.",
+                            },
+                        )
+                    if existing and existing.status is not None and existing.body_b64 is not None:
+                        return Response(
+                            content=base64.b64decode(existing.body_b64),
+                            status_code=existing.status,
+                            headers=existing.headers or {},
+                            media_type=existing.media_type,
+                        )
+
+                # Proceed to handler
                 resp = await call_next(request)
-                # cache only 2xx/201 responses
                 if 200 <= resp.status_code < 300:
                     body_bytes = b"".join([section async for section in resp.body_iterator])
-                    headers = dict(resp.headers)
-                    self.store[k] = {
-                        "resp": {
-                            "status": resp.status_code,
-                            "body": body_bytes,
-                            "headers": headers,
-                            "media_type": resp.media_type,
-                        },
-                        "exp": now + self.ttl,
-                    }
+                    headers: Dict[str, str] = dict(resp.headers)
+                    self.store.set_response(
+                        k,
+                        status=resp.status_code,
+                        body=body_bytes,
+                        headers=headers,
+                        media_type=resp.media_type,
+                    )
                     return Response(
                         content=body_bytes,
                         status_code=resp.status_code,

svc_infra/api/fastapi/middleware/idempotency_store.py

@@ -0,0 +1,187 @@
+from __future__ import annotations
+
+import base64
+import json
+import time
+from dataclasses import dataclass
+from typing import Dict, Optional, Protocol
+
+
+@dataclass
+class IdempotencyEntry:
+    req_hash: str
+    exp: float
+    # Optional response fields when available
+    status: Optional[int] = None
+    body_b64: Optional[str] = None
+    headers: Optional[Dict[str, str]] = None
+    media_type: Optional[str] = None
+
+
+class IdempotencyStore(Protocol):
+    def get(self, key: str) -> Optional[IdempotencyEntry]:
+        pass
+
+    def set_initial(self, key: str, req_hash: str, exp: float) -> bool:
+        """Atomically create an entry if absent. Returns True if created, False if already exists."""
+        pass
+
+    def set_response(
+        self,
+        key: str,
+        *,
+        status: int,
+        body: bytes,
+        headers: Dict[str, str],
+        media_type: Optional[str],
+    ) -> None:
+        pass
+
+    def delete(self, key: str) -> None:
+        pass
+
+
+class InMemoryIdempotencyStore:
+    def __init__(self):
+        self._store: dict[str, IdempotencyEntry] = {}
+
+    def get(self, key: str) -> Optional[IdempotencyEntry]:
+        entry = self._store.get(key)
+        if not entry:
+            return None
+        # expire lazily
+        if entry.exp <= time.time():
+            self._store.pop(key, None)
+            return None
+        return entry
+
+    def set_initial(self, key: str, req_hash: str, exp: float) -> bool:
+        now = time.time()
+        existing = self._store.get(key)
+        if existing and existing.exp > now:
+            return False
+        self._store[key] = IdempotencyEntry(req_hash=req_hash, exp=exp)
+        return True
+
+    def set_response(
+        self,
+        key: str,
+        *,
+        status: int,
+        body: bytes,
+        headers: Dict[str, str],
+        media_type: Optional[str],
+    ) -> None:
+        entry = self._store.get(key)
+        if not entry:
+            # Create if missing to ensure replay works until exp
+            entry = IdempotencyEntry(req_hash="", exp=time.time() + 60)
+            self._store[key] = entry
+        entry.status = status
+        entry.body_b64 = base64.b64encode(body).decode()
+        entry.headers = dict(headers)
+        entry.media_type = media_type
+
+    def delete(self, key: str) -> None:
+        self._store.pop(key, None)
+
+
+class RedisIdempotencyStore:
+    """A simple Redis-backed store.
+
+    Notes:
+        - Uses GET/SET with JSON payload; initial claim uses SETNX semantics.
+        - Not fully atomic for response update; sufficient for basic dedupe.
+        - For strict guarantees, replace with a Lua script (future improvement).
+    """
+
+    def __init__(self, redis_client, *, prefix: str = "idmp"):
+        self.r = redis_client
+        self.prefix = prefix
+
+    def _k(self, key: str) -> str:
+        return f"{self.prefix}:{key}"
+
+    def get(self, key: str) -> Optional[IdempotencyEntry]:
+        raw = self.r.get(self._k(key))
+        if not raw:
+            return None
+        try:
+            data = json.loads(raw)
+        except Exception:
+            return None
+        entry = IdempotencyEntry(
+            req_hash=data.get("req_hash", ""),
+            exp=float(data.get("exp", 0)),
+            status=data.get("status"),
+            body_b64=data.get("body_b64"),
+            headers=data.get("headers"),
+            media_type=data.get("media_type"),
+        )
+        if entry.exp <= time.time():
+            try:
+                self.r.delete(self._k(key))
+            except Exception:
+                pass
+            return None
+        return entry
+
+    def set_initial(self, key: str, req_hash: str, exp: float) -> bool:
+        payload = json.dumps({"req_hash": req_hash, "exp": exp})
+        # Attempt NX set
+        ok = self.r.set(self._k(key), payload, nx=True)
+        # If set, also set TTL (expire at exp)
+        if ok:
+            ttl = max(1, int(exp - time.time()))
+            try:
+                self.r.expire(self._k(key), ttl)
+            except Exception:
+                pass
+            return True
+        # If exists but expired, overwrite
+        entry = self.get(key)
+        if not entry:
+            self.r.set(self._k(key), payload)
+            ttl = max(1, int(exp - time.time()))
+            try:
+                self.r.expire(self._k(key), ttl)
+            except Exception:
+                pass
+            return True
+        return False
+
+    def set_response(
+        self,
+        key: str,
+        *,
+        status: int,
+        body: bytes,
+        headers: Dict[str, str],
+        media_type: Optional[str],
+    ) -> None:
+        entry = self.get(key)
+        if not entry:
+            # default short ttl if missing; caller should have set initial
+            entry = IdempotencyEntry(req_hash="", exp=time.time() + 60)
+        entry.status = status
+        entry.body_b64 = base64.b64encode(body).decode()
+        entry.headers = dict(headers)
+        entry.media_type = media_type
+        ttl = max(1, int(entry.exp - time.time()))
+        payload = json.dumps(
+            {
+                "req_hash": entry.req_hash,
+                "exp": entry.exp,
+                "status": entry.status,
+                "body_b64": entry.body_b64,
+                "headers": entry.headers,
+                "media_type": entry.media_type,
+            }
+        )
+        self.r.set(self._k(key), payload, ex=ttl)
+
+    def delete(self, key: str) -> None:
+        try:
+            self.r.delete(self._k(key))
+        except Exception:
+            pass

svc_infra/api/fastapi/middleware/optimistic_lock.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from typing import Annotated, Any, Callable, Optional
+
+from fastapi import Header, HTTPException
+
+
+async def require_if_match(
+    version: Annotated[Optional[str], Header(alias="If-Match")] = None
+) -> str:
+    """Require If-Match header for optimistic locking on mutating operations.
+
+    Returns the header value. Raises 428 if missing.
+    """
+    if not version:
+        raise HTTPException(
+            status_code=428, detail="Missing If-Match header for optimistic locking."
+        )
+    return version
+
+
+def check_version_or_409(get_current_version: Callable[[], Any], provided: str) -> None:
+    """Compare provided version with current version; raise 409 on mismatch.
+
+    - get_current_version: callable returning the resource's current version (int/str)
+    - provided: header value; attempts to coerce to int if current is int
+    """
+    current = get_current_version()
+    if isinstance(current, int):
+        try:
+            p = int(provided)
+        except Exception:
+            raise HTTPException(status_code=400, detail="Invalid If-Match value; expected integer.")
+    else:
+        p = provided
+    if p != current:
+        raise HTTPException(status_code=409, detail="Version mismatch (optimistic locking).")

svc_infra/api/fastapi/middleware/ratelimit_store.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 import time
-from typing import Protocol, Tuple
+from typing import Optional, Protocol, Tuple
 
 
 class RateLimitStore(Protocol):
@@ -27,4 +27,52 @@ class InMemoryRateLimitStore:
         return count, self.limit, reset
 
 
-__all__ = ["RateLimitStore", "InMemoryRateLimitStore"]
+class RedisRateLimitStore:
+    """Fixed-window counter store using Redis.
+
+    Keys are of the form: {prefix}:{key}:{windowStart}
+    Values are incremented and expire automatically at window end.
+
+    This implementation uses atomic INCR and EXPIRE semantics. To avoid race conditions
+    on first-set expiry, we set expiry when the counter is created.
+    """
+
+    def __init__(
+        self,
+        redis_client,
+        *,
+        limit: int = 120,
+        prefix: str = "ratelimit",
+        clock: Optional[callable] = None,
+    ):
+        self.redis = redis_client
+        self.limit = limit
+        self.prefix = prefix
+        self._clock = clock or time.time
+
+    def _window_key(self, key: str, window: int) -> tuple[str, int, str]:
+        now = int(self._clock())
+        win = now - (now % window)
+        redis_key = f"{self.prefix}:{key}:{win}"
+        return redis_key, win, now
+
+    def incr(self, key: str, window: int) -> Tuple[int, int, int]:
+        rkey, win, now = self._window_key(key, window)
+        # Increment; if this is the first time we've seen this window key, set expiry to window end
+        pipe = self.redis.pipeline()
+        pipe.incr(rkey)
+        pipe.ttl(rkey)
+        count, ttl = pipe.execute()
+        if ttl == -1:  # key exists without expire or just created; set expire to end of window
+            expire_sec = (win + window) - now
+            if expire_sec <= 0:
+                expire_sec = window
+            try:
+                self.redis.expire(rkey, expire_sec)
+            except Exception:
+                pass
+        reset = win + window
+        return int(count), self.limit, reset
+
+
+__all__ = ["RateLimitStore", "InMemoryRateLimitStore", "RedisRateLimitStore"]

svc_infra/db/inbox.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+import time
+from typing import Protocol
+
+
+class InboxStore(Protocol):
+    def mark_if_new(self, key: str, ttl_seconds: int = 24 * 3600) -> bool:
+        """Mark key as processed if not seen; return True if newly marked, False if duplicate."""
+        ...
+
+    def purge_expired(self) -> int:
+        """Optional: remove expired keys, return number purged."""
+        ...
+
+
+class InMemoryInboxStore:
+    def __init__(self) -> None:
+        self._keys: dict[str, float] = {}
+
+    def mark_if_new(self, key: str, ttl_seconds: int = 24 * 3600) -> bool:
+        now = time.time()
+        exp = self._keys.get(key)
+        if exp and exp > now:
+            return False
+        self._keys[key] = now + ttl_seconds
+        return True
+
+    def purge_expired(self) -> int:
+        now = time.time()
+        to_del = [k for k, e in self._keys.items() if e <= now]
+        for k in to_del:
+            self._keys.pop(k, None)
+        return len(to_del)
+
+
+class SqlInboxStore:
+    """Skeleton for a SQL-backed inbox store (dedupe table).
+
+    Implementations should:
+    - INSERT key with expires_at if not exists (unique constraint)
+    - Return False on duplicate key violations
+    - Periodically DELETE expired rows
+    """
+
+    def __init__(self, session_factory):
+        self._session_factory = session_factory
+
+    def mark_if_new(
+        self, key: str, ttl_seconds: int = 24 * 3600
+    ) -> bool:  # pragma: no cover - skeleton
+        raise NotImplementedError
+
+    def purge_expired(self) -> int:  # pragma: no cover - skeleton
+        raise NotImplementedError

svc_infra/db/outbox.py

@@ -0,0 +1,96 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Any, Dict, Iterable, List, Optional, Protocol
+
+
+@dataclass
+class OutboxMessage:
+    id: int
+    topic: str
+    payload: Dict[str, Any]
+    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    attempts: int = 0
+    processed_at: Optional[datetime] = None
+
+
+class OutboxStore(Protocol):
+    def enqueue(self, topic: str, payload: Dict[str, Any]) -> OutboxMessage:
+        pass
+
+    def fetch_next(self, *, topics: Optional[Iterable[str]] = None) -> Optional[OutboxMessage]:
+        """Return the next unprocessed message (FIFO per-topic), or None if none available."""
+        pass
+
+    def mark_processed(self, msg_id: int) -> None:
+        pass
+
+    def mark_failed(self, msg_id: int) -> None:
+        pass
+
+
+class InMemoryOutboxStore:
+    """Simple in-memory outbox for tests and local runs."""
+
+    def __init__(self):
+        self._seq = 0
+        self._messages: List[OutboxMessage] = []
+
+    def enqueue(self, topic: str, payload: Dict[str, Any]) -> OutboxMessage:
+        self._seq += 1
+        msg = OutboxMessage(id=self._seq, topic=topic, payload=dict(payload))
+        self._messages.append(msg)
+        return msg
+
+    def fetch_next(self, *, topics: Optional[Iterable[str]] = None) -> Optional[OutboxMessage]:
+        allowed = set(topics) if topics else None
+        for msg in self._messages:
+            if msg.processed_at is not None:
+                continue
+            if allowed is not None and msg.topic not in allowed:
+                continue
+            return msg
+        return None
+
+    def mark_processed(self, msg_id: int) -> None:
+        for msg in self._messages:
+            if msg.id == msg_id:
+                msg.processed_at = datetime.now(timezone.utc)
+                return
+
+    def mark_failed(self, msg_id: int) -> None:
+        for msg in self._messages:
+            if msg.id == msg_id:
+                msg.attempts += 1
+                return
+
+
+class SqlOutboxStore:
+    """Skeleton for a SQL-backed outbox store.
+
+    Implementations should:
+    - INSERT on enqueue
+    - SELECT FOR UPDATE SKIP LOCKED (or equivalent) to fetch next
+    - UPDATE processed_at (and attempts on failure)
+    """
+
+    def __init__(self, session_factory):
+        self._session_factory = session_factory
+
+    # Placeholders to outline the API; not implemented here.
+    def enqueue(
+        self, topic: str, payload: Dict[str, Any]
+    ) -> OutboxMessage:  # pragma: no cover - skeleton
+        raise NotImplementedError
+
+    def fetch_next(
+        self, *, topics: Optional[Iterable[str]] = None
+    ) -> Optional[OutboxMessage]:  # pragma: no cover - skeleton
+        raise NotImplementedError
+
+    def mark_processed(self, msg_id: int) -> None:  # pragma: no cover - skeleton
+        raise NotImplementedError
+
+    def mark_failed(self, msg_id: int) -> None:  # pragma: no cover - skeleton
+        raise NotImplementedError

svc_infra/db/sql/versioning.py

@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+from sqlalchemy import Integer
+from sqlalchemy.orm import Mapped, mapped_column
+
+
+class Versioned:
+    """Mixin for optimistic locking with integer version.
+
+    - Initialize version=1 on insert (via default=1)
+    - Bump version in app code before commit to detect mismatches.
+    """
+
+    version: Mapped[int] = mapped_column(Integer, nullable=False, default=1)

svc_infra/security/session.py

@@ -64,15 +64,24 @@ async def rotate_session_refresh(
 
     Returns: (new_raw_refresh_token, new_refresh_token_model)
     """
+    rotation_ts = datetime.now(timezone.utc)
+    if current.revoked_at:
+        raise ValueError("refresh token already revoked")
+    if current.expires_at and current.expires_at <= rotation_ts:
+        raise ValueError("refresh token expired")
     new_raw, new_hash, expires_at = rotate_refresh_token(
         current.token_hash, ttl_minutes=ttl_minutes
     )
-    current.rotated_at = datetime.now(timezone.utc)
+    current.rotated_at = rotation_ts
+    current.revoked_at = rotation_ts
+    current.revoke_reason = "rotated"
+    if current.expires_at is None or current.expires_at > rotation_ts:
+        current.expires_at = rotation_ts
     # create revocation entry for old hash
     db.add(
         RefreshTokenRevocation(
             token_hash=current.token_hash,
-            revoked_at=current.rotated_at,
+            revoked_at=rotation_ts,
             reason="rotated",
         )
     )

{svc_infra-0.1.594.dist-info → svc_infra-0.1.596.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: svc-infra
-Version: 0.1.594
+Version: 0.1.596
 Summary: Infrastructure for building and deploying prod-ready services
 License: MIT
 Keywords: fastapi,sqlalchemy,alembic,auth,infra,async,pydantic

{svc_infra-0.1.594.dist-info → svc_infra-0.1.596.dist-info}/RECORD

@@ -1,5 +1,5 @@
 svc_infra/__init__.py,sha256=8maroJlM18MasrrLLcSbleK9pc0Q26Ek_sLvfafEG1c,49
-svc_infra/apf_payments/README.md,sha256=jW2YLnqsQbRkZQCbIwYL1fg0NnwT76KQ-Mxov75OX7A,22356
+svc_infra/apf_payments/README.md,sha256=wqJrJcCkWIFMS0d1pUhYGt6NmgnxmYJcHFnUnm8Bf1Y,23321
 svc_infra/apf_payments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/apf_payments/alembic.py,sha256=XJIcCDOoaO1EeJbSx_qK9o4cBi430qyo5gECtjHIojw,299
 svc_infra/apf_payments/models.py,sha256=u4U5oszha5uulCIrNoajaFDIc5YmTlh2mtm-yJUvr9I,14251
@@ -14,7 +14,7 @@ svc_infra/apf_payments/settings.py,sha256=vVWsvz_ajtVlRPH4N8ijSI4V7hUfjZFZT3h4wH
 svc_infra/api/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/api/fastapi/__init__.py,sha256=VVdQjak74_wTDqmvL05_C97vIFugQxPVU-3JQEFBgR8,747
 svc_infra/api/fastapi/apf_payments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-svc_infra/api/fastapi/apf_payments/router.py,sha256=0cxWFO67UebuBJUPpzpf2dAuxoE5K7w3voSRhDF2uMQ,34270
+svc_infra/api/fastapi/apf_payments/router.py,sha256=JIMCAZ1_Vie_EfvOS999iYSDH9ZBx1Nfizud-F_b5T0,36788
 svc_infra/api/fastapi/apf_payments/setup.py,sha256=bk_LLLXyqTA-lqf0v-mdpqLEMbXB17U1IQjG-qSBejQ,2677
 svc_infra/api/fastapi/auth/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/api/fastapi/auth/_cookies.py,sha256=U4heUmMnLezHx8U6ksuUEpSZ6sNMJcIO0gdLpmZ5FXw,1367
@@ -32,7 +32,7 @@ svc_infra/api/fastapi/auth/providers.py,sha256=q-ftVn04dqYxx0rnc28uFKieQqMpc_Jnf
 svc_infra/api/fastapi/auth/routers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/api/fastapi/auth/routers/account.py,sha256=IzLCk9e6ST8oorI8GWTuU0bfPyGvONqAjxadoE6L6Fg,1614
 svc_infra/api/fastapi/auth/routers/apikey_router.py,sha256=EoX-u1uZ0_r1dZ1hDO_PmG2sfSYZPa7uzj-4c520h8Y,5314
-svc_infra/api/fastapi/auth/routers/oauth_router.py,sha256=qeJktAr5YEcDBUdAqmnnjRHDrJtQ6uHQlHpcLu5ZclE,26380
+svc_infra/api/fastapi/auth/routers/oauth_router.py,sha256=vrqrIJSCnsWJLtA6OdE4xdWMIXQp35flf_EulXzeM2Y,26361
 svc_infra/api/fastapi/auth/routers/session_router.py,sha256=CVCum8Tczdj6ailRm1oRxys_EcNrOgBMYJT25yV4u3c,2359
 svc_infra/api/fastapi/auth/security.py,sha256=FU_XlaXHO1jocUbxeMOX3w2GWkR5ZXAcWbIUKTmOYvw,6482
 svc_infra/api/fastapi/auth/sender.py,sha256=7a47HXuP0JLR4NlFQVb3TpoQHOPYybKPJ06C2fMJaec,1811
@@ -76,9 +76,11 @@ svc_infra/api/fastapi/middleware/errors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5J
 svc_infra/api/fastapi/middleware/errors/catchall.py,sha256=TG0W71UCDbfgLNdIaIv6mBSwZA_etMp5GquwKcAwYbI,1842
 svc_infra/api/fastapi/middleware/errors/exceptions.py,sha256=857_bdMgQugf8rb7U6ZaTZV3aiFTfBzFaUg80YUfAYE,475
 svc_infra/api/fastapi/middleware/errors/handlers.py,sha256=9Em_Z6PXTm9gM9ulEYwY02DqRuNxz6LLh8z5CMheruY,7128
-svc_infra/api/fastapi/middleware/idempotency.py,sha256=Wc9uzFQmatPAGF6oEP35YxRsIn_dBsRL1vyMk6y6A4k,3284
+svc_infra/api/fastapi/middleware/idempotency.py,sha256=vnBQgMWzJVaF8oWgfw2ATjEKCyQifDeGPUc9z1N7ebE,5051
+svc_infra/api/fastapi/middleware/idempotency_store.py,sha256=BQN_Cq_jf_cuZRhze4EF5v0lOMQXpUWoRo7CsSTprug,5528
+svc_infra/api/fastapi/middleware/optimistic_lock.py,sha256=9lOMBI4VNIVndXnrMmgSq4qeR7xPjNR1H9d1F71M5S8,1271
 svc_infra/api/fastapi/middleware/ratelimit.py,sha256=a1KZ_TCSkSn5WlPOIEZ0lw5sUsrAMMBXdiDNFVWFi5k,2044
-svc_infra/api/fastapi/middleware/ratelimit_store.py,sha256=nfyWpFlcPFumeyBpIpCCQYkvE9LiTEDHxgWVdz60H04,875
+svc_infra/api/fastapi/middleware/ratelimit_store.py,sha256=LmJR8-kkW42rzOjls9lG1SBtCKjVY7L2Y_bNKHNY3-A,2553
 svc_infra/api/fastapi/middleware/request_id.py,sha256=Iru7ypTdK_n76lwziEGDWoVF4FKS0Ps1PMASYmzK8ek,768
 svc_infra/api/fastapi/middleware/request_size_limit.py,sha256=AcGqaB-F7Tbhg-at7ViT4Bpifst34jFneDBlUBjgo5I,1248
 svc_infra/api/fastapi/openapi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -136,6 +138,7 @@ svc_infra/cli/foundation/runner.py,sha256=RbfjKwb3aHk1Y0MYU8xMpKRpIqRVMVr8GuL2ED
 svc_infra/cli/foundation/typer_bootstrap.py,sha256=KapgH1R-qON9FuYH1KYlVx_5sJvjmAGl25pB61XCpm4,985
 svc_infra/db/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/db/crud_schema.py,sha256=-fv-Om1lHVt6lcNbie6A2kRcPex4SDByUPfks6SpmUc,2521
+svc_infra/db/inbox.py,sha256=07GHRGN3jCjGVgcjjVGeKKgXkmwvgtwSu_O1Cb1_9hA,1600
 svc_infra/db/nosql/__init__.py,sha256=5ETPHk-KYUtc-efuGzDFQmWkT0xFtYy8YWOHobMZhvM,154
 svc_infra/db/nosql/base.py,sha256=p47VVpwWvGNkyWe5RDSmGaUFyZovcyNqirMqoHFQ4QU,230
 svc_infra/db/nosql/constants.py,sha256=Z9bJImxwb8D7vovASFegv8XMwaWcM28tsKJV2SjywXE,416
@@ -157,6 +160,7 @@ svc_infra/db/nosql/service.py,sha256=CtltFp1Bwm4wCQnFLDtH5-P5NmUEzkWSAf3htoiTBCQ
 svc_infra/db/nosql/service_with_hooks.py,sha256=rNH6renb-ppc8Y07jX5eSQnkkhJct2IZCq7mM9aBb48,747
 svc_infra/db/nosql/types.py,sha256=lcyuoZvBHRlGD24WL2HCEG5YmCpwo7qB4VYAckcY-WE,814
 svc_infra/db/nosql/utils.py,sha256=3u7X8WEPO1Cwy1SmZHmFMMbDfu1HhapJUAFbSMe3J9g,3524
+svc_infra/db/outbox.py,sha256=9oUcob8FjPP_sx56uwca-pb3_fSMBL1hAd68hIc8TFc,3022
 svc_infra/db/sql/README.md,sha256=OI1T7SiY4_f0eTWQGtIeUsgkFqzvloh1vctOm6nvIvU,8581
 svc_infra/db/sql/__init__.py,sha256=PkDutfhzofY0jbE83ZuxbrvXhogvP1tmk5MniyfwQws,159
 svc_infra/db/sql/apikey.py,sha256=27-4GAieD8NxoVKHw_WF2cj8A4UXbcnvtUUTztbo_yw,5019
@@ -185,6 +189,7 @@ svc_infra/db/sql/types.py,sha256=aDcYS-lEb3Aw9nlc8D67wyS5rmE9ZOkblxPjPFbMM_0,863
 svc_infra/db/sql/uniq.py,sha256=IxW7SpgOTcHEAMe2oaDnuYFvj7YOfyjCpZRXdR45yP8,2530
 svc_infra/db/sql/uniq_hooks.py,sha256=6gCnO0_Y-rhB0p-VuY0mZ9m1u3haiLWI3Ns_iUTqF_8,4294
 svc_infra/db/sql/utils.py,sha256=nzuDcDhnVNehx5Y9BZLgxw8fvpfYbxTfXQsgnznVf4w,32862
+svc_infra/db/sql/versioning.py,sha256=okZu2ad5RAFXNLXJgGpcQvZ5bc6gPjRWzwiBT0rEJJw,400
 svc_infra/db/utils.py,sha256=aTD49VJSEu319kIWJ1uijUoP51co4lNJ3S0_tvuyGio,802
 svc_infra/mcp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/mcp/svc_infra_mcp.py,sha256=NmBY7AM3_pnHAumE-eM5Njr8kpb7Gh1-fjcZAEammiI,1927
@@ -244,10 +249,10 @@ svc_infra/security/models.py,sha256=US5jxgeZf7C_tWW3QZRj5RTuRZE_yS6RHZBEK0ea9tA,
 svc_infra/security/org_invites.py,sha256=TuXEstZp5GfRQflz8OR2q6m7GpSOonSxm0QU7ojkbH0,3876
 svc_infra/security/passwords.py,sha256=zUiduHFOWYT7USzMkBntI3-LNEyVMn2A78CvaKpB7MY,2459
 svc_infra/security/permissions.py,sha256=fQm7-OcJJkWsScDcjS2gwmqaW93zQqltaHRl6bviIik,4527
-svc_infra/security/session.py,sha256=Xu3-GZQ1RhHQgPtDmsjmJkFfsSAxYxr1w_BO2a40SvA,2438
+svc_infra/security/session.py,sha256=JkClqoZ-Moo9yqHzCREXMVSpzyjbn2Zh6zCjtWO93Ik,2848
 svc_infra/security/signed_cookies.py,sha256=2t61BgjsBaTzU46bt7IUJo7lwDRE9_eS4vmAQXJ8mlY,2219
 svc_infra/utils.py,sha256=VX1yjTx61-YvAymyRhGy18DhybiVdPddiYD_FlKTbJU,952
-svc_infra-0.1.594.dist-info/METADATA,sha256=XEj-5iD7IYXv4BB3lA0DZpTGIDiLNHMuzKI9DmYrcq8,3527
-svc_infra-0.1.594.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
-svc_infra-0.1.594.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
-svc_infra-0.1.594.dist-info/RECORD,,
+svc_infra-0.1.596.dist-info/METADATA,sha256=CTG82284mj-bs4cIoYxw9fXMRAL8fX9_Wr2txqfC7tY,3527
+svc_infra-0.1.596.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+svc_infra-0.1.596.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
+svc_infra-0.1.596.dist-info/RECORD,,