svc-infra 0.1.595__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/api/fastapi/dual/public.py

@@ -20,3 +20,28 @@ def public_router(**kwargs: Any) -> DualAPIRouter:
     apply_default_responses(r, DEFAULT_PUBLIC)
 
     return r
+
+
+def ws_public_router(**kwargs: Any) -> DualAPIRouter:
+    """
+    Public WebSocket router: no auth dependencies.
+
+    Use this for WebSocket endpoints that don't require authentication.
+    This is the WebSocket equivalent of `public_router()`.
+
+    Example:
+        router = ws_public_router(prefix="/api")
+
+        @router.websocket("/ws/public")
+        async def ws_endpoint(websocket: WebSocket):
+            await websocket.accept()
+            # No auth required - anyone can connect
+            async for msg in websocket.iter_json():
+                await websocket.send_json({"echo": msg})
+    """
+    r = DualAPIRouter(**kwargs)
+
+    # Keep OpenAPI consistent - no security requirement
+    apply_default_security(r, default_security=[])
+
+    return r

svc_infra/api/fastapi/dual/router.py

@@ -37,7 +37,11 @@ class DualAPIRouter(APIRouter):
             if is_rootish:
                 # primary root
                 self.add_api_route(
-                    "", func, methods=methods, include_in_schema=show_in_schema, **kwargs
+                    "",
+                    func,
+                    methods=methods,
+                    include_in_schema=show_in_schema,
+                    **kwargs,
                 )
                 # only add the "/" twin for *safe* methods
                 if set(m.upper() for m in methods) <= safe_methods:
@@ -48,10 +52,16 @@ class DualAPIRouter(APIRouter):
 
             # non-root unchanged
             self.add_api_route(
-                primary, func, methods=methods, include_in_schema=show_in_schema, **kwargs
+                primary,
+                func,
+                methods=methods,
+                include_in_schema=show_in_schema,
+                **kwargs,
             )
             if alt != primary:
-                self.add_api_route(alt, func, methods=methods, include_in_schema=False, **kwargs)
+                self.add_api_route(
+                    alt, func, methods=methods, include_in_schema=False, **kwargs
+                )
             return func
 
         return decorator
@@ -68,25 +78,39 @@ class DualAPIRouter(APIRouter):
     # ---------- HTTP method shorthands ----------
 
     def get(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["GET"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["GET"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def post(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["POST"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["POST"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def patch(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["PATCH"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["PATCH"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def delete(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["DELETE"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["DELETE"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def put(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["PUT"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["PUT"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def options(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["OPTIONS"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["OPTIONS"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def head(self, path: str, *_, show_in_schema: bool = True, **kwargs: Any):
-        return self._dual_decorator(path, ["HEAD"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["HEAD"], show_in_schema=show_in_schema, **kwargs
+        )
 
     def list(
         self,
@@ -110,10 +134,11 @@ class DualAPIRouter(APIRouter):
         - Per-route opt-out of OpenAPI param auto-attach: openapi_extra={"x_no_auto_pagination": True}
         """
         # pick response model
+        response_model: Any
         if envelope:
-            response_model = Paginated[model]  # type: ignore[index]
+            response_model = Paginated[model]  # type: ignore[valid-type]
         else:
-            response_model = list[model]  # type: ignore[index]
+            response_model = list[model]  # type: ignore[valid-type]
 
         injector = make_pagination_injector(
             envelope=envelope,
@@ -130,7 +155,9 @@ class DualAPIRouter(APIRouter):
         kwargs["response_model"] = kwargs.get("response_model") or response_model
 
         # we still want the dual-registration behavior
-        return self._dual_decorator(path, ["GET"], show_in_schema=show_in_schema, **kwargs)
+        return self._dual_decorator(
+            path, ["GET"], show_in_schema=show_in_schema, **kwargs
+        )
 
     # ---------- WebSocket ----------
 

svc_infra/api/fastapi/dx.py

@@ -59,19 +59,36 @@ from svc_infra.api.fastapi.auth.security import (
     RequireUser,
 )
 from svc_infra.api.fastapi.auth.settings import AuthSettings, get_auth_settings
-from svc_infra.api.fastapi.dual.protected import (
+
+# ----------------
+# WebSocket identity primitives (lightweight JWT, no DB required)
+# ----------------
+from svc_infra.api.fastapi.auth.ws_security import (
+    AllowWSIdentity,
+    OptionalWSIdentity,
+    RequireWSAnyScope,
+    RequireWSIdentity,
+    RequireWSScopes,
+    WSIdentity,
+    WSPrincipal,
+)
+from svc_infra.api.fastapi.dual.protected import (  # WebSocket routers (DualAPIRouter with JWT auth, no DB required)
     optional_identity_router,
     protected_router,
     roles_router,
     scopes_router,
     service_router,
     user_router,
+    ws_optional_router,
+    ws_protected_router,
+    ws_scopes_router,
+    ws_user_router,
 )
 
 # ----------------
 # Pre-wired routers (OpenAPI security auto-injected)
 # ----------------
-from svc_infra.api.fastapi.dual.public import public_router
+from svc_infra.api.fastapi.dual.public import public_router, ws_public_router
 
 # ----------------
 # App bootstrap
@@ -127,6 +144,20 @@ __all__ = [
     "service_router",
     "scopes_router",
     "roles_router",
+    # WebSocket identity
+    "WSPrincipal",
+    "WSIdentity",
+    "OptionalWSIdentity",
+    "RequireWSIdentity",
+    "AllowWSIdentity",
+    "RequireWSScopes",
+    "RequireWSAnyScope",
+    # WebSocket routers
+    "ws_public_router",
+    "ws_protected_router",
+    "ws_user_router",
+    "ws_scopes_router",
+    "ws_optional_router",
     # Feature routers
     "apikey_router",
     "mfa_router",

svc_infra/api/fastapi/ease.py

@@ -104,9 +104,13 @@ class EasyAppOptions(BaseModel):
                 else self.logging.enable
             ),
             level=(
-                override.logging.level if override.logging.level is not None else self.logging.level
+                override.logging.level
+                if override.logging.level is not None
+                else self.logging.level
             ),
-            fmt=override.logging.fmt if override.logging.fmt is not None else self.logging.fmt,
+            fmt=override.logging.fmt
+            if override.logging.fmt is not None
+            else self.logging.fmt,
         )
 
         # observability
@@ -148,6 +152,7 @@ def easy_service_api(
     public_cors_origins: list[str] | str | None = None,
     root_public_base_url: str | None = None,
     root_include_api_key: bool | None = None,
+    **fastapi_kwargs,  # Forward all other FastAPI kwargs
 ) -> FastAPI:
     service = ServiceInfo(name=name, release=release)
     specs = [
@@ -161,6 +166,7 @@ def easy_service_api(
         public_cors_origins=public_cors_origins,
         root_public_base_url=root_public_base_url,
         root_include_api_key=root_include_api_key,
+        **fastapi_kwargs,  # Forward to setup_service_api
     )
 
 
@@ -176,6 +182,7 @@ def easy_service_app(
     options: EasyAppOptions | None = None,
     enable_logging: bool | None = None,
     enable_observability: bool | None = None,
+    **fastapi_kwargs,  # Forward all other FastAPI kwargs (lifespan, etc.)
 ) -> FastAPI:
     """
     One-call bootstrap with env + options + flags:
@@ -226,6 +233,7 @@ def easy_service_app(
         public_cors_origins=public_cors_origins,
         root_public_base_url=root_public_base_url,
         root_include_api_key=root_include_api_key,
+        **fastapi_kwargs,  # Forward FastAPI kwargs (lifespan, etc.)
     )
 
     # 5) Observability

svc_infra/api/fastapi/http/concurrency.py

@@ -10,5 +10,6 @@ def require_if_match(request: Request, current_etag: str):
         )
     if current_etag not in [t.strip() for t in val.split(",")]:
         raise HTTPException(
-            status_code=status.HTTP_412_PRECONDITION_FAILED, detail="ETag precondition failed."
+            status_code=status.HTTP_412_PRECONDITION_FAILED,
+            detail="ETag precondition failed.",
         )

svc_infra/api/fastapi/http/conditional.py

@@ -20,7 +20,9 @@ def set_conditional_headers(
         resp.headers["Last-Modified"] = format_datetime(last_modified)
 
 
-def maybe_not_modified(request: Request, etag: str | None, last_modified: datetime | None) -> bool:
+def maybe_not_modified(
+    request: Request, etag: str | None, last_modified: datetime | None
+) -> bool:
     inm = request.headers.get("If-None-Match")
     ims = request.headers.get("If-Modified-Since")
     etag_ok = etag and inm and etag in [t.strip() for t in inm.split(",")]

svc_infra/api/fastapi/middleware/debug.py

@@ -15,6 +15,9 @@ class RouteDebugMiddleware(BaseHTTPMiddleware):
         route = request.scope.get("route")
         ep = getattr(route, "endpoint", None) if route else None
         log.info(
-            "MATCHED %s %s -> %s", request.method, request.url.path, getattr(ep, "__name__", ep)
+            "MATCHED %s %s -> %s",
+            request.method,
+            request.url.path,
+            getattr(ep, "__name__", ep),
         )
         return response

svc_infra/api/fastapi/middleware/errors/catchall.py

@@ -31,7 +31,9 @@ class CatchAllExceptionMiddleware:
 
             if response_started:
                 try:
-                    await send({"type": "http.response.body", "body": b"", "more_body": False})
+                    await send(
+                        {"type": "http.response.body", "body": b"", "more_body": False}
+                    )
                 except Exception:
                     pass
             else:
@@ -52,4 +54,6 @@ class CatchAllExceptionMiddleware:
                         "headers": [(b"content-type", PROBLEM_MT.encode("ascii"))],
                     }
                 )
-                await send({"type": "http.response.body", "body": body, "more_body": False})
+                await send(
+                    {"type": "http.response.body", "body": body, "more_body": False}
+                )

svc_infra/api/fastapi/middleware/errors/exceptions.py

@@ -12,7 +12,7 @@ class FastApiException(Exception):
         detail: Optional[str] = None,
         status_code: int = 400,
         *,
-        code: str | None = None
+        code: str | None = None,
     ):
         self.title = title
         self.detail = detail

svc_infra/api/fastapi/middleware/errors/handlers.py

@@ -2,6 +2,7 @@ import logging
 import traceback
 from typing import Any, Dict, Optional
 
+import httpx
 from fastapi import Request
 from fastapi.exceptions import HTTPException, RequestValidationError
 from fastapi.responses import JSONResponse, Response
@@ -46,6 +47,7 @@ def problem_response(
     code: str | None = None,
     errors: list[dict] | None = None,
     trace_id: str | None = None,
+    headers: dict[str, str] | None = None,
 ) -> Response:
     body: Dict[str, Any] = {
         "type": type_uri,
@@ -62,10 +64,30 @@ def problem_response(
         body["errors"] = errors
     if trace_id:
         body["trace_id"] = trace_id
-    return JSONResponse(status_code=status, content=body, media_type=PROBLEM_MT)
+    return JSONResponse(
+        status_code=status, content=body, media_type=PROBLEM_MT, headers=headers
+    )
 
 
 def register_error_handlers(app):
+    @app.exception_handler(httpx.TimeoutException)
+    async def handle_httpx_timeout(request: Request, exc: httpx.TimeoutException):
+        trace_id = _trace_id_from_request(request)
+        # Map outbound HTTP client timeouts to 504 Gateway Timeout
+        # Keep details generic in prod
+        return problem_response(
+            status=504,
+            title="Gateway Timeout",
+            detail=(
+                "Upstream request timed out."
+                if IS_PROD
+                else (str(exc) or "httpx timeout")
+            ),
+            code="GATEWAY_TIMEOUT",
+            instance=str(request.url),
+            trace_id=trace_id,
+        )
+
     @app.exception_handler(FastApiException)
     async def handle_app_exception(request: Request, exc: FastApiException):
         trace_id = _trace_id_from_request(request)
@@ -104,14 +126,25 @@ def register_error_handlers(app):
     @app.exception_handler(HTTPException)
     async def handle_http_exception(request: Request, exc: HTTPException):
         trace_id = _trace_id_from_request(request)
-        title = {401: "Unauthorized", 403: "Forbidden", 404: "Not Found"}.get(
-            exc.status_code, "Error"
-        )
+        title = {
+            401: "Unauthorized",
+            403: "Forbidden",
+            404: "Not Found",
+            429: "Too Many Requests",
+        }.get(exc.status_code, "Error")
         detail = (
             exc.detail
             if not IS_PROD or exc.status_code < 500
             else "Something went wrong. Please contact support."
         )
+        # Preserve headers set on the exception (e.g., Retry-After for rate limits)
+        hdrs: dict[str, str] | None = None
+        try:
+            if getattr(exc, "headers", None):
+                # FastAPI/Starlette exceptions store headers as a dict[str, str]
+                hdrs = dict(getattr(exc, "headers"))
+        except Exception:
+            hdrs = None
         return problem_response(
             status=exc.status_code,
             title=title,
@@ -119,19 +152,31 @@ def register_error_handlers(app):
             code=title.replace(" ", "_").upper(),
             instance=str(request.url),
             trace_id=trace_id,
+            headers=hdrs,
         )
 
     @app.exception_handler(StarletteHTTPException)
-    async def handle_starlette_http_exception(request: Request, exc: StarletteHTTPException):
+    async def handle_starlette_http_exception(
+        request: Request, exc: StarletteHTTPException
+    ):
         trace_id = _trace_id_from_request(request)
-        title = {401: "Unauthorized", 403: "Forbidden", 404: "Not Found"}.get(
-            exc.status_code, "Error"
-        )
+        title = {
+            401: "Unauthorized",
+            403: "Forbidden",
+            404: "Not Found",
+            429: "Too Many Requests",
+        }.get(exc.status_code, "Error")
         detail = (
             exc.detail
             if not IS_PROD or exc.status_code < 500
             else "Something went wrong. Please contact support."
         )
+        hdrs: dict[str, str] | None = None
+        try:
+            if getattr(exc, "headers", None):
+                hdrs = dict(getattr(exc, "headers"))
+        except Exception:
+            hdrs = None
         return problem_response(
             status=exc.status_code,
             title=title,
@@ -139,6 +184,7 @@ def register_error_handlers(app):
             code=title.replace(" ", "_").upper(),
             instance=str(request.url),
             trace_id=trace_id,
+            headers=hdrs,
         )
 
     @app.exception_handler(IntegrityError)

svc_infra/api/fastapi/middleware/graceful_shutdown.py

@@ -0,0 +1,104 @@
+from __future__ import annotations
+
+import asyncio
+import logging
+import os
+from contextlib import asynccontextmanager
+from typing import Optional
+
+from fastapi import FastAPI
+from starlette.types import ASGIApp, Receive, Scope, Send
+
+from svc_infra.app.env import pick
+
+logger = logging.getLogger(__name__)
+
+
+def _get_grace_period_seconds() -> float:
+    default = pick(prod=20.0, nonprod=5.0)
+    raw = os.getenv("SHUTDOWN_GRACE_PERIOD_SECONDS")
+    if raw is None or raw == "":
+        return float(default)
+    try:
+        return float(raw)
+    except ValueError:
+        return float(default)
+
+
+class InflightTrackerMiddleware:
+    """Tracks number of in-flight requests to support graceful shutdown drains."""
+
+    def __init__(self, app: ASGIApp):
+        self.app = app
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send):
+        if scope.get("type") != "http":
+            await self.app(scope, receive, send)
+            return
+        app = scope.get("app")
+        if app is None:
+            await self.app(scope, receive, send)
+            return
+        state = getattr(app, "state", None)
+        if state is None:
+            await self.app(scope, receive, send)
+            return
+        state._inflight_requests = getattr(state, "_inflight_requests", 0) + 1
+        try:
+            await self.app(scope, receive, send)
+        finally:
+            state._inflight_requests = max(
+                0, getattr(state, "_inflight_requests", 1) - 1
+            )
+
+
+async def _wait_for_drain(app: FastAPI, grace: float) -> None:
+    interval = 0.1
+    waited = 0.0
+    while waited < grace:
+        inflight = int(getattr(app.state, "_inflight_requests", 0))
+        if inflight <= 0:
+            return
+        await asyncio.sleep(interval)
+        waited += interval
+    inflight = int(getattr(app.state, "_inflight_requests", 0))
+    if inflight > 0:
+        logger.warning(
+            "Graceful shutdown timeout: %s in-flight request(s) after %.2fs",
+            inflight,
+            waited,
+        )
+
+
+def install_graceful_shutdown(
+    app: FastAPI, *, grace_seconds: Optional[float] = None
+) -> None:
+    """Install inflight tracking and lifespan hooks to wait for requests to drain.
+
+    - Adds InflightTrackerMiddleware
+    - Registers a lifespan handler that initializes state and waits up to grace_seconds on shutdown
+    """
+    app.add_middleware(InflightTrackerMiddleware)
+
+    g = (
+        float(grace_seconds)
+        if grace_seconds is not None
+        else _get_grace_period_seconds()
+    )
+
+    # Preserve any existing lifespan and wrap it so our drain runs on shutdown.
+    previous_lifespan = getattr(app.router, "lifespan_context", None)
+
+    @asynccontextmanager
+    async def _lifespan(a: FastAPI):  # noqa: ANN202
+        # Startup: initialize inflight counter
+        a.state._inflight_requests = 0
+        if previous_lifespan is not None:
+            async with previous_lifespan(a):
+                yield
+        else:
+            yield
+        # Shutdown: wait for in-flight requests to drain (up to grace period)
+        await _wait_for_drain(a, g)
+
+    app.router.lifespan_context = _lifespan