svc-infra 0.1.706__py3-none-any.whl → 1.1.0__py3-none-any.whl

svc_infra/security/oauth_models.py

@@ -8,8 +8,8 @@ Import this module only when enable_oauth=True is passed to add_auth_users.
 from __future__ import annotations
 
 import uuid
-from datetime import datetime, timezone
-from typing import TYPE_CHECKING, Optional
+from datetime import UTC, datetime
+from typing import TYPE_CHECKING
 
 from sqlalchemy import (
     JSON,
@@ -44,13 +44,13 @@ class ProviderAccount(ModelBase):
     )
     provider: Mapped[str] = mapped_column(String(50), nullable=False, index=True)
     provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)
-    access_token: Mapped[Optional[str]] = mapped_column(Text)
-    refresh_token: Mapped[Optional[str]] = mapped_column(Text)
-    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True))
-    raw_claims: Mapped[Optional[dict]] = mapped_column(JSON)
+    access_token: Mapped[str | None] = mapped_column(Text)
+    refresh_token: Mapped[str | None] = mapped_column(Text)
+    expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+    raw_claims: Mapped[dict | None] = mapped_column(JSON)
 
     # Bidirectional relationship to User model
-    user: Mapped["User"] = relationship(back_populates="provider_accounts")
+    user: Mapped[User] = relationship(back_populates="provider_accounts")
 
     created_at = mapped_column(
         DateTime(timezone=True),
@@ -60,7 +60,7 @@ class ProviderAccount(ModelBase):
     updated_at = mapped_column(
         DateTime(timezone=True),
         server_default=text("CURRENT_TIMESTAMP"),
-        onupdate=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(UTC),
         nullable=False,
     )
 

svc_infra/security/org_invites.py

@@ -2,8 +2,8 @@ from __future__ import annotations
 
 import hashlib
 import uuid
-from datetime import datetime, timedelta, timezone
-from typing import Any, Optional
+from datetime import UTC, datetime, timedelta
+from typing import Any
 
 try:
     from sqlalchemy import select
@@ -29,7 +29,7 @@ async def issue_invitation(
     org_id: uuid.UUID,
     email: str,
     role: str,
-    created_by: Optional[uuid.UUID] = None,
+    created_by: uuid.UUID | None = None,
     ttl_hours: int = 72,
 ) -> tuple[str, OrganizationInvitation]:
     """Create a new invitation; revoke any existing active invites for the same email+org."""
@@ -50,7 +50,7 @@ async def issue_invitation(
                 .scalars()
                 .all()
             )
-            now = datetime.now(timezone.utc)
+            now = datetime.now(UTC)
             for r in rows:
                 r.revoked_at = now
         except Exception:  # pragma: no cover
@@ -58,8 +58,8 @@ async def issue_invitation(
     else:
         # FakeDB path: revoke in-memory invites
         if hasattr(db, "added"):
-            now = datetime.now(timezone.utc)
-            for r in list(getattr(db, "added")):
+            now = datetime.now(UTC)
+            for r in list(db.added):
                 if (
                     isinstance(r, OrganizationInvitation)
                     and r.org_id == org_id
@@ -75,9 +75,9 @@ async def issue_invitation(
         email=email.lower().strip(),
         role=role,
         token_hash=_hash_token(raw),
-        expires_at=datetime.now(timezone.utc) + timedelta(hours=ttl_hours),
+        expires_at=datetime.now(UTC) + timedelta(hours=ttl_hours),
         created_by=created_by,
-        last_sent_at=datetime.now(timezone.utc),
+        last_sent_at=datetime.now(UTC),
         resend_count=0,
     )
     if hasattr(db, "add"):
@@ -90,7 +90,7 @@ async def issue_invitation(
 async def resend_invitation(db: Any, *, invitation: OrganizationInvitation) -> str:
     raw = _new_token()
     invitation.token_hash = _hash_token(raw)
-    invitation.last_sent_at = datetime.now(timezone.utc)
+    invitation.last_sent_at = datetime.now(UTC)
     invitation.resend_count = (invitation.resend_count or 0) + 1
     if hasattr(db, "flush"):
         await db.flush()
@@ -103,7 +103,7 @@ async def accept_invitation(
     invitation: OrganizationInvitation,
     user_id: uuid.UUID,
 ) -> OrganizationMembership:
-    now = datetime.now(timezone.utc)
+    now = datetime.now(UTC)
     if invitation.revoked_at or invitation.used_at:
         raise ValueError("invitation_unusable")
     if invitation.expires_at and invitation.expires_at < now:
@@ -113,9 +113,7 @@ async def accept_invitation(
     invitation.used_at = now
 
     # create membership (upsert-like enforced by DB unique constraint)
-    mem = OrganizationMembership(
-        org_id=invitation.org_id, user_id=user_id, role=invitation.role
-    )
+    mem = OrganizationMembership(org_id=invitation.org_id, user_id=user_id, role=invitation.role)
     if hasattr(db, "add"):
         db.add(mem)
         if hasattr(db, "flush"):

svc_infra/security/passwords.py

@@ -1,8 +1,8 @@
 from __future__ import annotations
 
 import re
+from collections.abc import Callable, Iterable
 from dataclasses import dataclass
-from typing import Callable, Iterable, Optional
 
 COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
 
@@ -36,10 +36,10 @@ SYMBOL = re.compile(r"[!@#$%^&*()_+=\-{}\[\]:;,.?/]")
 BreachedChecker = Callable[[str], bool]
 
 
-_breached_checker: Optional[BreachedChecker] = None
+_breached_checker: BreachedChecker | None = None
 
 
-def configure_breached_checker(checker: Optional[BreachedChecker]) -> None:
+def configure_breached_checker(checker: BreachedChecker | None) -> None:
     global _breached_checker
     _breached_checker = checker
 
@@ -60,9 +60,7 @@ def validate_password(pw: str, policy: PasswordPolicy | None = None) -> None:
     if policy.forbid_common:
         lowered = pw.lower()
         # Reject if whole password matches a common one or contains it as a substring
-        if lowered in COMMON_PASSWORDS or any(
-            term in lowered for term in COMMON_PASSWORDS
-        ):
+        if lowered in COMMON_PASSWORDS or any(term in lowered for term in COMMON_PASSWORDS):
             reasons.append("common_password")
     if policy.forbid_breached and not HIBP_DISABLED:
         if _breached_checker and _breached_checker(pw):

svc_infra/security/permissions.py

@@ -2,7 +2,8 @@ from __future__ import annotations
 
 import inspect
 import threading
-from typing import Any, Awaitable, Callable, Dict, Iterable, Set
+from collections.abc import Awaitable, Callable, Iterable
+from typing import Any
 
 from fastapi import Depends, HTTPException
 
@@ -12,7 +13,7 @@ from svc_infra.api.fastapi.auth.security import Identity
 _PERMISSION_LOCK = threading.Lock()
 
 # Central role -> permissions mapping. Projects can extend at startup.
-PERMISSION_REGISTRY: Dict[str, Set[str]] = {
+PERMISSION_REGISTRY: dict[str, set[str]] = {
     "admin": {
         "user.read",
         "user.write",
@@ -27,13 +28,13 @@ PERMISSION_REGISTRY: Dict[str, Set[str]] = {
 }
 
 
-def register_role(role: str, permissions: Set[str]) -> None:
+def register_role(role: str, permissions: set[str]) -> None:
     """Thread-safe registration of a role and its permissions."""
     with _PERMISSION_LOCK:
         PERMISSION_REGISTRY[role] = permissions
 
 
-def extend_role(role: str, permissions: Set[str]) -> None:
+def extend_role(role: str, permissions: set[str]) -> None:
     """Thread-safe extension of an existing role's permissions."""
     with _PERMISSION_LOCK:
         if role in PERMISSION_REGISTRY:
@@ -42,15 +43,15 @@ def extend_role(role: str, permissions: Set[str]) -> None:
             PERMISSION_REGISTRY[role] = permissions
 
 
-def get_permissions_for_roles(roles: Iterable[str]) -> Set[str]:
-    perms: Set[str] = set()
+def get_permissions_for_roles(roles: Iterable[str]) -> set[str]:
+    perms: set[str] = set()
     with _PERMISSION_LOCK:
         for r in roles:
             perms |= PERMISSION_REGISTRY.get(r, set())
     return perms
 
 
-def principal_permissions(principal: Identity) -> Set[str]:
+def principal_permissions(principal: Identity) -> set[str]:
     roles = getattr(principal.user, "roles", []) or []
     return get_permissions_for_roles(roles)
 

svc_infra/security/session.py

@@ -1,8 +1,7 @@
 from __future__ import annotations
 
 import uuid
-from datetime import datetime, timedelta, timezone
-from typing import Optional
+from datetime import UTC, datetime, timedelta
 
 try:
     from sqlalchemy.ext.asyncio import AsyncSession
@@ -25,9 +24,9 @@ async def issue_session_and_refresh(
     db: AsyncSession,
     *,
     user_id: uuid.UUID,
-    tenant_id: Optional[str] = None,
-    user_agent: Optional[str] = None,
-    ip_hash: Optional[str] = None,
+    tenant_id: str | None = None,
+    user_agent: str | None = None,
+    ip_hash: str | None = None,
     ttl_minutes: int = DEFAULT_REFRESH_TTL_MINUTES,
 ) -> tuple[str, RefreshToken]:
     """Persist a new AuthSession + initial RefreshToken and return raw refresh token.
@@ -43,7 +42,7 @@ async def issue_session_and_refresh(
     db.add(session_row)
     raw = generate_refresh_token()
     token_hash = hash_refresh_token(raw)
-    expires_at = datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)
+    expires_at = datetime.now(UTC) + timedelta(minutes=ttl_minutes)
     rt = RefreshToken(
         session=session_row,
         token_hash=token_hash,
@@ -64,7 +63,7 @@ async def rotate_session_refresh(
 
     Returns: (new_raw_refresh_token, new_refresh_token_model)
     """
-    rotation_ts = datetime.now(timezone.utc)
+    rotation_ts = datetime.now(UTC)
     if current.revoked_at:
         raise ValueError("refresh token already revoked")
     if current.expires_at and current.expires_at <= rotation_ts:

svc_infra/security/signed_cookies.py

@@ -5,7 +5,7 @@ import hmac
 import json
 import time
 from hashlib import sha256
-from typing import Any, Dict, List, Optional, Tuple
+from typing import Any
 
 
 def _b64e(b: bytes) -> str:
@@ -26,12 +26,12 @@ def _now() -> int:
 
 
 def sign_cookie(
-    payload: Dict[str, Any],
+    payload: dict[str, Any],
     *,
     key: str,
-    expires_in: Optional[int] = None,
-    path: Optional[str] = None,
-    domain: Optional[str] = None,
+    expires_in: int | None = None,
+    path: str | None = None,
+    domain: str | None = None,
 ) -> str:
     """Produce a compact signed cookie value with optional expiry and scope binding.
 
@@ -57,10 +57,10 @@ def verify_cookie(
     value: str,
     *,
     key: str,
-    old_keys: Optional[List[str]] = None,
-    expected_path: Optional[str] = None,
-    expected_domain: Optional[str] = None,
-) -> Tuple[bool, Optional[Dict[str, Any]]]:
+    old_keys: list[str] | None = None,
+    expected_path: str | None = None,
+    expected_domain: str | None = None,
+) -> tuple[bool, dict[str, Any] | None]:
     """Verify a signed cookie against the primary key or any old key.
 
     Returns (ok, payload). If ok is False, payload will be None.

svc_infra/storage/add.py

@@ -6,7 +6,7 @@ Provides helpers to integrate storage backends with FastAPI applications.
 
 import logging
 from contextlib import asynccontextmanager
-from typing import Optional, cast
+from typing import cast
 
 from fastapi import FastAPI, HTTPException, Query, Request
 from fastapi.responses import StreamingResponse
@@ -19,7 +19,7 @@ logger = logging.getLogger(__name__)
 
 def add_storage(
     app: FastAPI,
-    backend: Optional[StorageBackend] = None,
+    backend: StorageBackend | None = None,
     serve_files: bool = False,
     file_route_prefix: str = "/files",
 ) -> StorageBackend:
@@ -145,9 +145,7 @@ def add_storage(
                     # Return file
                     return StreamingResponse(
                         iter([data]),
-                        media_type=metadata.get(
-                            "content_type", "application/octet-stream"
-                        ),
+                        media_type=metadata.get("content_type", "application/octet-stream"),
                         headers={
                             "Content-Disposition": content_disposition,
                             "Content-Length": str(len(data)),
@@ -197,11 +195,10 @@ def get_storage(request: Request) -> StorageBackend:
     """
     if not hasattr(request.app.state, "storage"):
         raise RuntimeError(
-            "Storage not initialized. "
-            "Call add_storage(app) during application setup."
+            "Storage not initialized. Call add_storage(app) during application setup."
         )
 
-    return cast(StorageBackend, request.app.state.storage)
+    return cast("StorageBackend", request.app.state.storage)
 
 
 async def health_check_storage(request: Request) -> dict:

svc_infra/storage/backends/local.py

@@ -8,9 +8,9 @@ import hashlib
 import hmac
 import json
 import secrets
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from pathlib import Path
-from typing import Any, Optional, cast
+from typing import Any, cast
 from urllib.parse import urlencode
 
 import aiofiles
@@ -50,7 +50,7 @@ class LocalBackend:
         self,
         base_path: str = "/data/uploads",
         base_url: str = "http://localhost:8000/files",
-        signing_secret: Optional[str] = None,
+        signing_secret: str | None = None,
     ):
         self.base_path = Path(base_path)
         self.base_url = base_url.rstrip("/")
@@ -71,9 +71,7 @@ class LocalBackend:
             raise InvalidKeyError("Key cannot exceed 1024 characters")
 
         # Check for safe characters
-        safe_chars = set(
-            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/"
-        )
+        safe_chars = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/")
         if not all(c in safe_chars for c in key):
             raise InvalidKeyError(
                 "Key can only contain alphanumeric, dot, dash, underscore, and slash"
@@ -97,9 +95,7 @@ class LocalBackend:
         ).hexdigest()
         return signature
 
-    def _verify_signature(
-        self, key: str, expires_at: int, download: bool, signature: str
-    ) -> bool:
+    def _verify_signature(self, key: str, expires_at: int, download: bool, signature: str) -> bool:
         """Verify HMAC signature."""
         expected = self._sign_url(key, expires_at, download)
         return hmac.compare_digest(expected, signature)
@@ -109,7 +105,7 @@ class LocalBackend:
         key: str,
         data: bytes,
         content_type: str,
-        metadata: Optional[dict] = None,
+        metadata: dict | None = None,
     ) -> str:
         """Store file on local filesystem."""
         self._validate_key(key)
@@ -133,7 +129,7 @@ class LocalBackend:
             meta_data = {
                 "size": len(data),
                 "content_type": content_type,
-                "created_at": datetime.now(timezone.utc).isoformat(),
+                "created_at": datetime.now(UTC).isoformat(),
                 **(metadata or {}),
             }
 
@@ -224,7 +220,7 @@ class LocalBackend:
             raise StorageFileNotFoundError(f"File not found: {key}")
 
         # Calculate expiration timestamp
-        expires_at = int(datetime.now(timezone.utc).timestamp()) + expires_in
+        expires_at = int(datetime.now(UTC).timestamp()) + expires_in
 
         # Generate signature
         signature = self._sign_url(key, expires_at, download)
@@ -240,9 +236,7 @@ class LocalBackend:
         url = f"{self.base_url}/{key}?{urlencode(params)}"
         return url
 
-    def verify_url(
-        self, key: str, expires: str, signature: str, download: bool = False
-    ) -> bool:
+    def verify_url(self, key: str, expires: str, signature: str, download: bool = False) -> bool:
         """
         Verify a signed URL (for use in file serving endpoint).
 
@@ -266,7 +260,7 @@ class LocalBackend:
             return False
 
         # Check expiration
-        now = int(datetime.now(timezone.utc).timestamp())
+        now = int(datetime.now(UTC).timestamp())
         if now > expires_at:
             return False
 
@@ -323,15 +317,13 @@ class LocalBackend:
             return {
                 "size": stat.st_size,
                 "content_type": "application/octet-stream",
-                "created_at": datetime.fromtimestamp(
-                    stat.st_ctime, tz=timezone.utc
-                ).isoformat(),
+                "created_at": datetime.fromtimestamp(stat.st_ctime, tz=UTC).isoformat(),
             }
 
         try:
-            async with aiofiles.open(meta_path, "r") as f:
+            async with aiofiles.open(meta_path) as f:
                 content = await f.read()
-                return cast(dict[Any, Any], json.loads(content))
+                return cast("dict[Any, Any]", json.loads(content))
         except (OSError, json.JSONDecodeError) as e:
             raise StorageError(f"Failed to read metadata for {key}: {e}")
 

svc_infra/storage/backends/memory.py

@@ -5,8 +5,7 @@ WARNING: Data is not persisted across restarts. Use only for testing or developm
 """
 
 import asyncio
-from datetime import datetime, timezone
-from typing import Optional
+from datetime import UTC, datetime
 
 from ..base import FileNotFoundError, InvalidKeyError, QuotaExceededError
 
@@ -57,9 +56,7 @@ class MemoryBackend:
             raise InvalidKeyError("Key cannot exceed 1024 characters")
 
         # Check for safe characters
-        safe_chars = set(
-            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/"
-        )
+        safe_chars = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/")
         if not all(c in safe_chars for c in key):
             raise InvalidKeyError(
                 "Key can only contain alphanumeric, dot, dash, underscore, and slash"
@@ -74,7 +71,7 @@ class MemoryBackend:
         key: str,
         data: bytes,
         content_type: str,
-        metadata: Optional[dict] = None,
+        metadata: dict | None = None,
     ) -> str:
         """Store file in memory."""
         self._validate_key(key)
@@ -101,7 +98,7 @@ class MemoryBackend:
             self._metadata[key] = {
                 "size": len(data),
                 "content_type": content_type,
-                "created_at": datetime.now(timezone.utc).isoformat(),
+                "created_at": datetime.now(UTC).isoformat(),
                 **(metadata or {}),
             }
 

svc_infra/storage/backends/s3.py

@@ -5,7 +5,7 @@ Works with AWS S3, DigitalOcean Spaces, Wasabi, Backblaze B2, Minio, and
 any S3-compatible object storage service.
 """
 
-from typing import Optional, cast
+from typing import cast
 
 try:
     import aioboto3
@@ -68,14 +68,13 @@ class S3Backend:
         self,
         bucket: str,
         region: str = "us-east-1",
-        endpoint: Optional[str] = None,
-        access_key: Optional[str] = None,
-        secret_key: Optional[str] = None,
+        endpoint: str | None = None,
+        access_key: str | None = None,
+        secret_key: str | None = None,
     ):
         if aioboto3 is None:
             raise ImportError(
-                "aioboto3 is required for S3Backend. "
-                "Install it with: pip install aioboto3"
+                "aioboto3 is required for S3Backend. Install it with: pip install aioboto3"
             )
 
         self.bucket = bucket
@@ -118,7 +117,7 @@ class S3Backend:
         key: str,
         data: bytes,
         content_type: str,
-        metadata: Optional[dict] = None,
+        metadata: dict | None = None,
     ) -> str:
         """Store file in S3."""
         self._validate_key(key)
@@ -131,9 +130,7 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 # Upload file
                 await s3.put_object(
                     Bucket=self.bucket,
@@ -165,12 +162,10 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 response = await s3.get_object(Bucket=self.bucket, Key=key)
                 async with response["Body"] as stream:
-                    return cast(bytes, await stream.read())
+                    return cast("bytes", await stream.read())
 
         except ClientError as e:
             error_code = e.response.get("Error", {}).get("Code", "Unknown")
@@ -193,9 +188,7 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 await s3.delete_object(Bucket=self.bucket, Key=key)
                 return True
 
@@ -214,9 +207,7 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 await s3.head_object(Bucket=self.bucket, Key=key)
                 return True
 
@@ -257,9 +248,7 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 # Prepare parameters
                 params = {"Bucket": self.bucket, "Key": key}
 
@@ -267,9 +256,7 @@ class S3Backend:
                 if download:
                     # Extract filename from key
                     filename = key.split("/")[-1]
-                    params["ResponseContentDisposition"] = (
-                        f'attachment; filename="{filename}"'
-                    )
+                    params["ResponseContentDisposition"] = f'attachment; filename="{filename}"'
 
                 # Generate presigned URL
                 url = await s3.generate_presigned_url(
@@ -277,7 +264,7 @@ class S3Backend:
                     Params=params,
                     ExpiresIn=expires_in,
                 )
-                return cast(str, url)
+                return cast("str", url)
 
         except ClientError as e:
             raise StorageError(f"Failed to generate presigned URL: {e}")
@@ -292,9 +279,7 @@ class S3Backend:
         """List stored keys with optional prefix filter."""
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 params = {
                     "Bucket": self.bucket,
                     "MaxKeys": limit,
@@ -320,17 +305,13 @@ class S3Backend:
 
         try:
             session = aioboto3.Session()
-            async with session.client(
-                "s3", **self._session_config, **self._client_config
-            ) as s3:
+            async with session.client("s3", **self._session_config, **self._client_config) as s3:
                 response = await s3.head_object(Bucket=self.bucket, Key=key)
 
                 # Extract metadata
                 metadata = {
                     "size": response["ContentLength"],
-                    "content_type": response.get(
-                        "ContentType", "application/octet-stream"
-                    ),
+                    "content_type": response.get("ContentType", "application/octet-stream"),
                     "created_at": response["LastModified"].isoformat(),
                 }
 

svc_infra/storage/base.py

@@ -4,7 +4,7 @@ Base storage abstractions and exceptions.
 Defines the StorageBackend protocol that all storage implementations must follow.
 """
 
-from typing import Optional, Protocol
+from typing import Protocol
 
 
 class StorageError(Exception):
@@ -60,7 +60,7 @@ class StorageBackend(Protocol):
         key: str,
         data: bytes,
         content_type: str,
-        metadata: Optional[dict] = None,
+        metadata: dict | None = None,
     ) -> str:
         """
         Store file content and return its URL.