svc-infra 0.1.621__py3-none-any.whl → 0.1.623__py3-none-any.whl

svc_infra/docs/security.md

@@ -0,0 +1,155 @@
+# Security: Configuration & Examples
+
+This guide covers the security primitives built into svc-infra and how to wire them:
+
+> ℹ️ Environment variables for the auth/security helpers are catalogued in [Environment Reference](environment.md).
+
+- Password policy and breach checking
+- Account lockout (exponential backoff)
+- Sessions and refresh tokens (rotation + revocation)
+- JWT key rotation
+- Signed cookies
+- CORS and security headers
+- RBAC and ABAC
+- MFA policy hooks
+
+Module map (examples reference these):
+- `svc_infra.security.lockout` (LockoutConfig, compute_lockout, record_attempt, get_lockout_status)
+- `svc_infra.security.signed_cookies` (sign_cookie, verify_cookie)
+- `svc_infra.security.audit` and `security.audit_service` (hash-chain audit logs)
+- `svc_infra.api.fastapi.auth.gaurd` (password login with lockout checks)
+- `svc_infra.api.fastapi.auth.routers.*` (sessions, oauth routes, etc.)
+- `svc_infra.api.fastapi.auth.settings.get_auth_settings` (cookie + token settings)
+- `svc_infra.api.fastapi.middleware.security_headers` and CORS setup (strict defaults)
+
+## Password policy and breach checking
+- Enforced by validators with a configurable policy.
+- Breach checking uses the HIBP k-Anonymity range API; can be toggled via settings.
+
+Example toggles (pseudo-config):
+- `AUTH_PASSWORD_MIN_LENGTH=12`
+- `AUTH_PASSWORD_REQUIRE_SYMBOL=True`
+- `AUTH_PASSWORD_BREACH_CHECK=True`
+
+## Account lockout
+- Exponential backoff with a max cooldown cap to deter credential stuffing.
+- Attempts tracked by user_id and/or IP hash.
+- Login endpoint blocks with 429 + `Retry-After` during cooldown.
+
+Key API (from `svc_infra.security.lockout`):
+- `LockoutConfig(threshold=5, window_minutes=15, base_cooldown_seconds=30, max_cooldown_seconds=3600)`
+- `compute_lockout(fail_count, cfg)` → `LockoutStatus(locked, next_allowed_at, failure_count)`
+- `record_attempt(session, user_id, ip_hash, success)`
+- `get_lockout_status(session, user_id, ip_hash, cfg)`
+
+Login integration (simplified):
+```python
+from svc_infra.security.lockout import get_lockout_status, record_attempt
+
+# Compute ip_hash from request.client.host
+status = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
+if status.locked:
+		raise HTTPException(429, headers={"Retry-After": ..})
+
+user = await user_manager.user_db.get_by_email(email)
+if not user:
+		await record_attempt(session, user_id=None, ip_hash=ip_hash, success=False)
+		raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
+```
+
+## Sessions and refresh tokens
+- Sessions are enumerable and revocable via the sessions router.
+- Refresh tokens are rotated; old tokens are invalidated via a revocation list.
+
+Operational notes:
+- Persist sessions/tokens in a durable DB.
+- Favor short access token TTLs if refresh flow is robust.
+
+## JWT key rotation
+- Primary secret plus `old_secrets` allow seamless rotation.
+- Set environment variables:
+	- `AUTH_JWT__SECRET="..."`
+	- `AUTH_JWT__OLD_SECRETS="old1,old2"`
+
+## Signed cookies
+Module: `svc_infra.security.signed_cookies`
+
+```python
+from svc_infra.security.signed_cookies import sign_cookie, verify_cookie
+
+sig = sign_cookie({"sub": "user-123"}, secret="k1", exp_seconds=3600)
+payload = verify_cookie(sig, secret="k1", old_secrets=["k0"])  # returns dict
+```
+
+## CORS and security headers
+- Strict CORS defaults (deny by default). Provide allowlist entries.
+- Security headers middleware sets common protections (X-Frame-Options, X-Content-Type-Options, etc.).
+
+Use `svc_infra.security.add.add_security` to install the default middlewares on any
+FastAPI app. By default it adds:
+
+- `SecurityHeadersMiddleware` with strict defaults (HSTS, X-Frame-Options, etc.).
+- A strict `CORSMiddleware` that only enables CORS when origins are provided (via
+  parameters or environment variables such as `CORS_ALLOW_ORIGINS`).
+
+The helper also supports optional toggles so you can match the same cookie and
+header configuration that `setup_service_api` uses.
+
+```python
+from fastapi import FastAPI
+
+from svc_infra.security.add import add_security
+
+app = FastAPI()
+
+add_security(
+    app,
+    cors_origins=["https://app.example.com"],
+    headers_overrides={"Content-Security-Policy": "default-src 'self'"},
+    install_session_middleware=True,  # adds Starlette's SessionMiddleware
+)
+```
+
+Environment variables (applied when parameters are omitted):
+
+| Variable | Purpose |
+| --- | --- |
+| `CORS_ALLOW_ORIGINS` | Comma-separated CORS origins (e.g. `https://app.example.com, https://admin.example.com`) |
+| `CORS_ALLOW_METHODS` | Allowed HTTP methods (defaults to `*`) |
+| `CORS_ALLOW_HEADERS` | Allowed headers (defaults to `*`) |
+| `CORS_ALLOW_ORIGIN_REGEX` | Regex used when matching origins (ignored if not set) |
+| `CORS_ALLOW_CREDENTIALS` | Toggle credentials support (`true` / `false`) |
+| `SESSION_COOKIE_NAME` | Session cookie name (defaults to `svc_session`) |
+| `SESSION_COOKIE_MAX_AGE_SECONDS` | Max age for the session cookie (defaults to `14400`) |
+| `SESSION_COOKIE_SAMESITE` | SameSite policy (`lax` by default) |
+| `SESSION_COOKIE_SECURE` | Force the session cookie to be HTTPS-only |
+| `SESSION_SECRET` | Secret key for Starlette's SessionMiddleware |
+
+When your service already uses `setup_service_api`, call `add_security` after
+building the parent app if you need additional overrides while keeping the
+defaults intact:
+
+```python
+from svc_infra.api.fastapi.setup import setup_service_api
+from svc_infra.security.add import add_security
+
+app = setup_service_api(...)
+
+add_security(
+    app,
+    headers_overrides={"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
+    enable_hsts_preload=False,
+)
+```
+
+## RBAC and ABAC
+- RBAC decorators guard endpoints by role/permission.
+- ABAC evaluates resource ownership and attributes (e.g., `owns_resource`).
+
+## MFA policy hooks
+- Policy decides when MFA is required; login returns 401 with `MFA_REQUIRED` and a pre-token when applicable.
+
+## Troubleshooting
+- 429 on login: lockout active. Check `Retry-After` and `FailedAuthAttempt` rows.
+- Token invalid post-refresh: confirm rotation + revocation writes.
+- Cookie verification errors: check signing keys/exp.

svc_infra/docs/tenancy.md

@@ -0,0 +1,35 @@
+# Tenancy model and integration
+
+This framework uses a soft-tenant isolation model by default: tenant_id is a column on tenant-scoped tables, and all queries are filtered by this value. Consumers can later adopt schema-per-tenant or DB-per-tenant strategies; the API surfaces remain compatible.
+
+## How tenant is resolved
+- `resolve_tenant_id(request)` looks up tenant id in this order:
+  1) Global override hook (set via `add_tenancy(app, resolver=...)`)
+  2) Auth identity (user.tenant_id or api_key.tenant_id) when auth is enabled
+  3) `X-Tenant-Id` request header
+  4) `request.state.tenant_id`
+
+Use `TenantId` dependency to require it in routes, and `OptionalTenantId` to access it if present.
+
+## Enforcement in data layer
+- Wrap services with `TenantSqlService` to automatically:
+  - Apply `WHERE model.tenant_id == <tenant>` on list/get/update/delete/search/count.
+  - Inject `tenant_id` upon create when the model has the tenant field.
+
+## Tenant-aware CRUD router
+- When defining a `SqlResource`, set `tenant_field="tenant_id"` to mount a tenant-aware CRUD router. All endpoints will require `TenantId` and enforce scoping.
+
+## Per-tenant rate limits / quotas
+- Global middleware and per-route dependency support tenant-aware policies:
+  - `scope_by_tenant=True` puts requests in independent buckets per tenant.
+  - `limit_resolver(request, tenant_id)` lets you return dynamic limits (e.g., plan-based quotas).
+
+## Export a tenant’s data (SQL)
+- CLI command: `sql export-tenant`
+  - Example:
+    - `python -m svc_infra.cli sql export-tenant items --tenant-id t1 --output out.json`
+  - Flags:
+    - `--tenant-id` (required), `--tenant-field` (default `tenant_id`), `--limit` (optional), `--database-url` (or set `SQL_URL`).
+
+## Migration to other isolation strategies
+- Schema-per-tenant or DB-per-tenant can be layered by adapting the session factory or repository to select the schema/DB based on `tenant_id`. Your application code that relies on `TenantId` and tenant-aware services/routers remains the same.

svc_infra/docs/webhooks.md

@@ -0,0 +1,112 @@
+# Webhooks Framework
+
+This module provides primitives to publish events to external consumers via webhooks, verify inbound signatures, and handle robust retries using the shared JobQueue and Outbox patterns.
+
+> ℹ️ Webhook helper environment expectations live in [Environment Reference](environment.md).
+
+## Quickstart
+
+- Subscriptions and publishing:
+
+```python
+from svc_infra.webhooks.service import InMemoryWebhookSubscriptions, WebhookService
+from svc_infra.db.outbox import InMemoryOutboxStore
+
+subs = InMemoryWebhookSubscriptions()
+subs.add("invoice.created", "https://example.com/webhook", "sekrit")
+svc = WebhookService(outbox=InMemoryOutboxStore(), subs=subs)
+svc.publish("invoice.created", {"id": "inv_1", "version": 1})
+```
+
+- Delivery worker and headers:
+
+```python
+from svc_infra.jobs.builtins.webhook_delivery import make_webhook_handler
+from svc_infra.jobs.worker import process_one
+
+handler = make_webhook_handler(
+    outbox=..., inbox=..., get_webhook_url_for_topic=lambda t: url, get_secret_for_topic=lambda t: secret,
+)
+# process_one(queue, handler) will POST JSON with headers:
+# X-Event-Id, X-Topic, X-Attempt, X-Signature (HMAC-SHA256), X-Signature-Alg, X-Signature-Version, X-Payload-Version
+```
+
+- Verification (FastAPI):
+
+```python
+from fastapi import Depends, FastAPI
+from svc_infra.webhooks.fastapi import require_signature
+from svc_infra.webhooks.signing import sign
+
+app = FastAPI()
+app.post("/webhook")(lambda body=Depends(require_signature(lambda: ["old","new"])): {"ok": True})
+```
+
+## FastAPI wiring
+
+- Attach the router with shared in-memory stores (great for tests / local runs):
+
+```python
+from fastapi import FastAPI
+
+from svc_infra.webhooks import add_webhooks
+
+app = FastAPI()
+add_webhooks(app)
+```
+
+- Respect environment overrides for Redis-backed stores by exporting `REDIS_URL`
+  and selecting the backend via `WEBHOOKS_OUTBOX=redis` (optional
+  `WEBHOOKS_INBOX=redis` for the dedupe store).  The helper records the chosen
+  instances on `app.state` for further customisation:
+
+```python
+import os
+
+os.environ["WEBHOOKS_OUTBOX"] = "redis"
+os.environ["WEBHOOKS_INBOX"] = "redis"
+
+app = FastAPI()
+add_webhooks(app)  # creates RedisOutboxStore / RedisInboxStore when redis-py is available
+
+# Later you can inspect or extend behaviour:
+app.state.webhooks_subscriptions.add("invoice.created", "https://example.com/webhook", "sekrit")
+```
+
+- Provide explicit overrides (e.g. dependency-injected SQL stores) or reuse your
+  existing job queue / scheduler.  Passing a queue automatically registers the
+  outbox tick and delivery handler so your worker loop can process jobs:
+
+```python
+from svc_infra.jobs.easy import easy_jobs
+
+queue, scheduler = easy_jobs()
+
+add_webhooks(
+    app,
+    outbox=my_outbox_store,
+    inbox=lambda: my_inbox_store,  # factories are supported
+    queue=queue,
+    scheduler=scheduler,
+)
+
+# scheduler.add_task(...) is handled internally when both queue and scheduler are supplied
+```
+
+## Runner wiring
+
+If you prefer explicit wiring, you can still register the tick manually:
+
+```python
+from svc_infra.jobs.easy import easy_jobs
+from svc_infra.jobs.builtins.outbox_processor import make_outbox_tick
+
+queue, scheduler = easy_jobs()  # uses JOBS_DRIVER and REDIS_URL
+scheduler.add_task("outbox", 1, make_outbox_tick(outbox_store, queue))
+# Start runner: `svc-infra jobs run`
+```
+
+## Notes
+- Retries/backoff are handled by the JobQueue; delivery marks Inbox after success to prevent duplicates.
+- For production subscriptions and inbox/outbox, provide persistent implementations and override DI in your app.
+- Signature rotation supported via `verify_any` and FastAPI dependency accepting multiple secrets.

{svc_infra-0.1.621.dist-info → svc_infra-0.1.623.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: svc-infra
-Version: 0.1.621
+Version: 0.1.623
 Summary: Infrastructure for building and deploying prod-ready services
 License: MIT
 Keywords: fastapi,sqlalchemy,alembic,auth,infra,async,pydantic
@@ -77,7 +77,7 @@ Description-Content-Type: text/markdown
 # svc-infra
 
 [![PyPI](https://img.shields.io/pypi/v/svc-infra.svg)](https://pypi.org/project/svc-infra/)
-[![Docs](https://img.shields.io/badge/docs-reference-blue)](docs/)
+[![Docs](https://img.shields.io/badge/docs-reference-blue)](src/svc_infra/docs/)
 
 svc-infra packages the shared building blocks we use to ship production FastAPI services fast—HTTP APIs with secure auth, durable persistence, background execution, cache, observability, and webhook plumbing that all share the same batteries-included defaults.
 
@@ -85,17 +85,17 @@ svc-infra packages the shared building blocks we use to ship production FastAPI
 
 | Helper | What it covers | Guide |
 | --- | --- | --- |
-| API | FastAPI bootstrap, envelopes, middleware, docs wiring | [FastAPI guide](docs/api.md) |
-| Auth | Sessions, OAuth/OIDC, MFA, SMTP delivery | [Auth settings](docs/auth.md) |
-| Database | SQL + Mongo wiring, Alembic helpers, inbox/outbox patterns | [Database guide](docs/database.md) |
-| Jobs | JobQueue, scheduler, CLI worker | [Jobs quickstart](docs/jobs.md) |
-| Cache | cashews decorators, namespace management, TTL helpers | [Cache guide](docs/cache.md) |
-| Observability | Prometheus middleware, Grafana automation, OTEL hooks | [Observability guide](docs/observability.md) |
-| Ops | Probes, breaker, SLOs & dashboards | [SLOs & Ops](docs/ops.md) |
-| Webhooks | Subscription store, signing, retry worker | [Webhooks framework](docs/webhooks.md) |
-| Security | Password policy, lockout, signed cookies, headers | [Security hardening](docs/security.md) |
-| Contributing | Dev setup and quality gates | [Contributing guide](docs/contributing.md) |
-| Data Lifecycle | Fixtures, retention, erasure, backups | [Data lifecycle](docs/data-lifecycle.md) |
+| API | FastAPI bootstrap, envelopes, middleware, docs wiring | [FastAPI guide](src/svc_infra/docs/api.md) |
+| Auth | Sessions, OAuth/OIDC, MFA, SMTP delivery | [Auth settings](src/svc_infra/docs/auth.md) |
+| Database | SQL + Mongo wiring, Alembic helpers, inbox/outbox patterns | [Database guide](src/svc_infra/docs/database.md) |
+| Jobs | JobQueue, scheduler, CLI worker | [Jobs quickstart](src/svc_infra/docs/jobs.md) |
+| Cache | cashews decorators, namespace management, TTL helpers | [Cache guide](src/svc_infra/docs/cache.md) |
+| Observability | Prometheus middleware, Grafana automation, OTEL hooks | [Observability guide](src/svc_infra/docs/observability.md) |
+| Ops | Probes, breaker, SLOs & dashboards | [SLOs & Ops](src/svc_infra/docs/ops.md) |
+| Webhooks | Subscription store, signing, retry worker | [Webhooks framework](src/svc_infra/docs/webhooks.md) |
+| Security | Password policy, lockout, signed cookies, headers | [Security hardening](src/svc_infra/docs/security.md) |
+| Contributing | Dev setup and quality gates | [Contributing guide](src/svc_infra/docs/contributing.md) |
+| Data Lifecycle | Fixtures, retention, erasure, backups | [Data lifecycle](src/svc_infra/docs/data-lifecycle.md) |
 
 ## Minimal FastAPI bootstrap
 
@@ -123,9 +123,9 @@ async def handle_webhook(payload = Depends(require_signature(lambda: ["current",
 - **API** – toggle logging/observability and docs exposure with `ENABLE_LOGGING`, `LOG_LEVEL`, `LOG_FORMAT`, `ENABLE_OBS`, `METRICS_PATH`, `OBS_SKIP_PATHS`, and `CORS_ALLOW_ORIGINS`. 【F:src/svc_infra/api/fastapi/ease.py†L67-L111】【F:src/svc_infra/api/fastapi/setup.py†L47-L88】
 - **Auth** – configure JWT secrets, SMTP, cookies, and policy using the `AUTH_…` settings family (e.g., `AUTH_JWT__SECRET`, `AUTH_SMTP_HOST`, `AUTH_SESSION_COOKIE_SECURE`). 【F:src/svc_infra/api/fastapi/auth/settings.py†L23-L91】
 - **Database** – set connection URLs or components via `SQL_URL`/`SQL_URL_FILE`, `DB_DIALECT`, `DB_HOST`, `DB_USER`, `DB_PASSWORD`, plus Mongo knobs like `MONGO_URL`, `MONGO_DB`, and `MONGO_URL_FILE`. 【F:src/svc_infra/api/fastapi/db/sql/add.py†L55-L114】【F:src/svc_infra/db/sql/utils.py†L85-L206】【F:src/svc_infra/db/nosql/mongo/settings.py†L9-L13】【F:src/svc_infra/db/nosql/utils.py†L56-L113】
-- **Jobs** – choose the queue backend with `JOBS_DRIVER` and provide Redis via `REDIS_URL`; interval schedules can be declared with `JOBS_SCHEDULE_JSON`. 【F:src/svc_infra/jobs/easy.py†L11-L27】【F:docs/jobs.md†L11-L48】
+- **Jobs** – choose the queue backend with `JOBS_DRIVER` and provide Redis via `REDIS_URL`; interval schedules can be declared with `JOBS_SCHEDULE_JSON`. 【F:src/svc_infra/jobs/easy.py†L11-L27】【F:src/svc_infra/docs/jobs.md†L11-L48】
 - **Cache** – namespace keys and lifetimes through `CACHE_PREFIX`, `CACHE_VERSION`, and TTL overrides `CACHE_TTL_DEFAULT`, `CACHE_TTL_SHORT`, `CACHE_TTL_LONG`. 【F:src/svc_infra/cache/README.md†L20-L173】【F:src/svc_infra/cache/ttl.py†L26-L55】
 - **Observability** – turn metrics on/off or adjust scrape paths with `ENABLE_OBS`, `METRICS_PATH`, `OBS_SKIP_PATHS`, and Prometheus/Grafana flags like `SVC_INFRA_DISABLE_PROMETHEUS`, `SVC_INFRA_RATE_WINDOW`, `SVC_INFRA_DASHBOARD_REFRESH`, `SVC_INFRA_DASHBOARD_RANGE`. 【F:src/svc_infra/api/fastapi/ease.py†L67-L111】【F:src/svc_infra/obs/metrics/asgi.py†L49-L206】【F:src/svc_infra/obs/cloud_dash.py†L85-L108】
-- **Webhooks** – reuse the jobs envs (`JOBS_DRIVER`, `REDIS_URL`) for the delivery worker and queue configuration. 【F:docs/webhooks.md†L32-L53】
-- **Security** – enforce password policy, MFA, and rotation with auth prefixes such as `AUTH_PASSWORD_MIN_LENGTH`, `AUTH_PASSWORD_REQUIRE_SYMBOL`, `AUTH_JWT__SECRET`, and `AUTH_JWT__OLD_SECRETS`. 【F:docs/security.md†L24-L70】
+- **Webhooks** – reuse the jobs envs (`JOBS_DRIVER`, `REDIS_URL`) for the delivery worker and queue configuration. 【F:src/svc_infra/docs/webhooks.md†L32-L53】
+- **Security** – enforce password policy, MFA, and rotation with auth prefixes such as `AUTH_PASSWORD_MIN_LENGTH`, `AUTH_PASSWORD_REQUIRE_SYMBOL`, `AUTH_JWT__SECRET`, and `AUTH_JWT__OLD_SECRETS`. 【F:src/svc_infra/docs/security.md†L24-L70】
 

{svc_infra-0.1.621.dist-info → svc_infra-0.1.623.dist-info}/RECORD

@@ -142,7 +142,7 @@ svc_infra/cli/cmds/db/sql/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 svc_infra/cli/cmds/db/sql/alembic_cmds.py,sha256=uCreHg69Zf6B5gbv9Dm39jCRk6q2KQy_05A-75IP0Fg,9650
 svc_infra/cli/cmds/db/sql/sql_export_cmds.py,sha256=YpkguUJFeFApMphVkhOJllTi25ejlsQaJarMe6vJD54,2685
 svc_infra/cli/cmds/db/sql/sql_scaffold_cmds.py,sha256=MKc_T_tY1Y_wQl7XTlq8GhYWMMI1q1_vcFZVPOEcNUg,4601
-svc_infra/cli/cmds/docs/docs_cmds.py,sha256=fbdnTEfzx3HNNXK3zL5fa_Lk3FowzHBcfS_VHQah7VQ,10720
+svc_infra/cli/cmds/docs/docs_cmds.py,sha256=Gyi0cr22-SY8kThAutRSzW9LmZ1ek9LTpwFpvlclKWM,6407
 svc_infra/cli/cmds/dx/__init__.py,sha256=wQtl3-kOgoESlpVkjl3YFtqkOnQSIvVsOdutiaZFejM,197
 svc_infra/cli/cmds/dx/dx_cmds.py,sha256=XTKUJzS3UIYn6h3CHzDEWKYJaWn0TzGiUCq3OeW27E0,3326
 svc_infra/cli/cmds/help.py,sha256=wGfZFMYaR2ZPwW2JwKDU7M3m4AtdCd8GRQ412AmEBUM,758
@@ -216,6 +216,34 @@ svc_infra/db/sql/uniq_hooks.py,sha256=6gCnO0_Y-rhB0p-VuY0mZ9m1u3haiLWI3Ns_iUTqF_
 svc_infra/db/sql/utils.py,sha256=nzuDcDhnVNehx5Y9BZLgxw8fvpfYbxTfXQsgnznVf4w,32862
 svc_infra/db/sql/versioning.py,sha256=okZu2ad5RAFXNLXJgGpcQvZ5bc6gPjRWzwiBT0rEJJw,400
 svc_infra/db/utils.py,sha256=aTD49VJSEu319kIWJ1uijUoP51co4lNJ3S0_tvuyGio,802
+svc_infra/docs/acceptance-matrix.md,sha256=1J0722pdxNGVtjI5tAZA2wzzr1UiagjvPgzB8zo0Ks8,2383
+svc_infra/docs/acceptance.md,sha256=1e9Ym4YOwnKHLfCTjx9garKlSKEnxzIYunx4cqoWhZ8,2327
+svc_infra/docs/adr/0002-background-jobs-and-scheduling.md,sha256=iscWFmDmMFcaON3W1FePZT9aHvlBLWCoB4QE7iA5BBI,2418
+svc_infra/docs/adr/0003-webhooks-framework.md,sha256=CFFd4RrmbTbKPr_RRuEe4zdpbpU8C6vD_DimCd702zE,1405
+svc_infra/docs/adr/0004-tenancy-model.md,sha256=ZaJesiWqVggrRLbTXCIyyaVNiDDjl0NWPt7dSrj5SIQ,2732
+svc_infra/docs/adr/0005-data-lifecycle.md,sha256=XLFu2I0d_6Oc7e-MOy9UE_UuCkVHCvhWy8rUlVBeAcE,4897
+svc_infra/docs/adr/0006-ops-slos-and-metrics.md,sha256=Qd17l0RKGXczLs2AKJewCAxr2g0SP7BpcLLViGknJnE,2453
+svc_infra/docs/adr/0007-docs-and-sdks.md,sha256=uQ-q-5omaOXPL5tW5q0_1FE9P_OmO9aDHXqWSGme3eg,4481
+svc_infra/docs/adr/0008-billing-primitives.md,sha256=trqzGWsyk_QXNtVRHXcTayEV4Sx1Zjhis93bCnsqDvo,5544
+svc_infra/docs/adr/0009-acceptance-harness.md,sha256=jDmoWn2uJTeK28YZo75YR1ym6NdgcmPOlMfupZlCCBs,2146
+svc_infra/docs/api.md,sha256=AlPL9kBS6_dM0NrOteDQ9WqalSfKf_p9_zdy1CtGJdU,2384
+svc_infra/docs/auth.md,sha256=PRl9G4UW78cT_7c4koVh5NDlheNAr02CpJT2YFbEXto,1333
+svc_infra/docs/cache.md,sha256=XUsJ8p6QFBWTNuqata1HJjB6accdPANipdoNAkKirqs,673
+svc_infra/docs/cli.md,sha256=w5og4SWrLyizlJAJiFgcWu2jDSc1Wj3NCYqzbbvg8VE,1702
+svc_infra/docs/contributing.md,sha256=a0PhmzCLFw8S3odxFbI3p5_FOiPMZLrxk15Ujrk7ao4,1175
+svc_infra/docs/data-lifecycle.md,sha256=_XFZCj9qiYgEiN9jO_lq7RcpVIeLVN7REaFziiNCnEI,2684
+svc_infra/docs/database.md,sha256=p_t-4ApQqa7ImhiV6wv0oklDTEZPn-snO1K1FoNtZpI,1129
+svc_infra/docs/docs-and-sdks.md,sha256=v5Uz-CVNswiZ-ITiqo6tiOX5xGJSnftfbA7b3hrqHqI,2330
+svc_infra/docs/environment.md,sha256=w84-1hL3zog6fYYgDLiQRQiAlS2CadjmZmu87Frzxy8,9700
+svc_infra/docs/idempotency.md,sha256=jvemdVY4g6xoHW38OAZIS5JxA3SdK8a0iAayx18kIbk,3890
+svc_infra/docs/jobs.md,sha256=iyDPo6oo7fJdBZ9e6Qt9x_kX4sX7_TUUdY89CFiZ61I,1586
+svc_infra/docs/observability.md,sha256=qzu44CSmGwjdLkBj0TQ1LBMmXd7BO2hmJSdByZlBXck,1021
+svc_infra/docs/ops.md,sha256=to47s3Z66-wQ4WvwEnD3xMrcmvKf-lowBqWqS-2n2HQ,1306
+svc_infra/docs/rate-limiting.md,sha256=W_96ch1dIjD9NP9Ma45UgsNTqDh6wlMbhJgAN3Uc4do,3983
+svc_infra/docs/repo-review.md,sha256=REz2zT1LXURQUB9yZiBn9ICXHkpdpBSJCRTp-AKH190,8153
+svc_infra/docs/security.md,sha256=tjr5IlBYu47Z1qs2ZHQE-Low1ZOQDtZWoKjmaNXalG4,6121
+svc_infra/docs/tenancy.md,sha256=k7mOvIQWZF1b3-CETyE8UsIPdhGjNNa9Q4j5AXAqQrQ,2023
+svc_infra/docs/webhooks.md,sha256=b0F2vnkxOWdYWwCBAo9i39xdi11nbgEtl05JE3e0lrE,3671
 svc_infra/dx/add.py,sha256=FAnLGP0BPm_q_VCEcpUwfj-b0mEse988chh9DHeS7GU,1474
 svc_infra/dx/changelog.py,sha256=9SD29ZzKzbGTA6kHQXiPLtb7uueL1wrRiiLE2qMzz8o,1941
 svc_infra/dx/checks.py,sha256=R6YqRvpKPr9zQgif4QVx2_Zl4s9YjehSkAvwlxK46lI,2267
@@ -296,7 +324,7 @@ svc_infra/webhooks/fastapi.py,sha256=BCNvGNxukf6dC2a4i-6en-PrjBGV19YvCWOot5lXWsA
 svc_infra/webhooks/router.py,sha256=6JvAVPMEth_xxHX-IsIOcyMgHX7g1H0OVxVXKLuMp9w,1596
 svc_infra/webhooks/service.py,sha256=hWgiJRXKBwKunJOx91C7EcLUkotDtD3Xp0RT6vj2IC0,1797
 svc_infra/webhooks/signing.py,sha256=NCwdZzmravUe7HVIK_uXK0qqf12FG-_MVsgPvOw6lsM,784
-svc_infra-0.1.621.dist-info/METADATA,sha256=QD-ETuukvgwtsMr9N5ylyIOBUgPW6yms4kDLJbFN1H4,8106
-svc_infra-0.1.621.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
-svc_infra-0.1.621.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
-svc_infra-0.1.621.dist-info/RECORD,,
+svc_infra-0.1.623.dist-info/METADATA,sha256=b0847FKVzDHLtuU1uxB7G6qubJkOqpztMsuZmEhK43I,8316
+svc_infra-0.1.623.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+svc_infra-0.1.623.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
+svc_infra-0.1.623.dist-info/RECORD,,