feat(cloud_session): shared cloud session resolution for all CF products

Extracts the JWT validation + Heimdall tier resolution + guest session pattern that was duplicated across kiwi and peregrine into a single reusable module. CloudSessionFactory is parameterized by product name. Products instantiate it once at module level and call .dependency() to get a FastAPI-compatible Depends() function. .require_tier(min_tier) returns a dependency factory for gated routes. CloudUser carries: user_id — Directus UUID, "local" (self-hosted), "local-dev" (bypass), "anon-<uuid>" tier — free | paid | premium | ultra | local product — which CF product this session is for has_byok — whether user has a configured LLM backend meta — dict for product-specific extras (household_id, license_key, etc.) Products can pass extra_meta= to attach product-specific fields without subclassing. The module is FastAPI-only (fastapi is a lazy import so local-mode products that never hit cloud paths don't pay the import cost).
2026-04-24 16:39:27 -07:00 · 2026-04-24 16:39:27 -07:00 · 00737d22cf
commit 00737d22cf
parent 383897f990
1 changed files with 314 additions and 0 deletions
--- a/circuitforge_core/cloud_session/init.py
+++ b/circuitforge_core/cloud_session/init.py
@ -0,0 +1,314 @@
 """
 circuitforge_core.cloud_session — shared cloud session resolution for all CF products.
 Usage (FastAPI product):
    from circuitforge_core.cloud_session import CloudSessionFactory
    from pathlib import Path
    _sessions = CloudSessionFactory(
        product="avocet",
        local_db=Path("data/avocet.db"),
    )
    get_session = _sessions.dependency()
    require_tier = _sessions.require_tier
    @router.get("/api/imitate")
    def imitate(session: CloudUser = Depends(get_session)):
        # session.user_id is the Directus UUID for cloud users, "local" for self-hosted
        ...
 Environment variables (set per-product via .env / compose):
    CLOUD_MODE              1/true/yes to enable cloud auth (default: off)
    CLOUD_DATA_ROOT         Root directory for per-user data (default: /devl/<product>-cloud-data)
    DIRECTUS_JWT_SECRET     HS256 secret used to sign cf_session JWTs (required in cloud mode)
    HEIMDALL_URL            License server base URL (default: https://license.circuitforge.tech)
    HEIMDALL_ADMIN_TOKEN    Heimdall admin bearer token (required for tier resolution)
    CF_SERVER_SECRET        Server-side secret for deriving per-user encryption keys
    CLOUD_AUTH_BYPASS_IPS   Comma-separated IPs/CIDRs to skip JWT auth (dev LAN only)
 """
 from __future__ import annotations
 import ipaddress
 import logging
 import os
 import re
 import time
 import uuid
 from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Any, Callable
 log = logging.getLogger(__name__)
 TIERS: list[str] = ["free", "paid", "premium", "ultra"]
 # ── CloudUser ─────────────────────────────────────────────────────────────────
@dataclass(frozen=True)
 class CloudUser:
    """Resolved user identity for one HTTP request.
    user_id:  Directus UUID for authenticated cloud users.
              "local"          for self-hosted / CLOUD_MODE=false.
              "local-dev"      for dev-bypass-IP sessions.
              "anon-<uuid>"    for unauthenticated guest visitors.
    tier:     free | paid | premium | ultra | local
    product:  Which CF product this session belongs to (e.g. "avocet").
    meta:     Product-specific extras (e.g. household_id for Kiwi).
              Access via session.meta.get("household_id").
    """
    user_id: str
    tier: str
    product: str
    has_byok: bool = False
    meta: dict[str, Any] = field(default_factory=dict)
 # ── Helpers ───────────────────────────────────────────────────────────────────
 def _parse_bypass_nets(raw: str) -> tuple[list[ipaddress.IPv4Network | ipaddress.IPv6Network], frozenset[str]]:
    nets: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = []
    ips: set[str] = set()
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            ips.add(entry)
    return nets, frozenset(ips)
 def _is_bypass_ip(
    ip: str,
    nets: list[ipaddress.IPv4Network | ipaddress.IPv6Network],
    ips: frozenset[str],
 ) -> bool:
    if not ip or (not nets and not ips):
        return False
    if ip in ips:
        return True
    try:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)
    except ValueError:
        return False
 def _extract_session_token(header_value: str) -> str:
    """Pull cf_session value out of a raw Cookie header or return the value as-is."""
    m = re.search(r'(?:^|;)\s*cf_session=([^;]+)', header_value)
    return m.group(1).strip() if m else header_value.strip()
 # ── CloudSessionFactory ───────────────────────────────────────────────────────
 class CloudSessionFactory:
    """Per-product session factory. Instantiate once at module level.
    Args:
        product:          Product code string (e.g. "avocet", "kiwi").
        extra_meta:       Optional async-or-sync callable that receives
                          (user_id: str, tier: str) and returns a dict merged
                          into CloudUser.meta.  Use for product-specific fields
                          like household_id.
        byok_detector:    Callable() → bool.  Override to detect BYOK for this
                          product's config path.  Default: always False.
    """
    def __init__(
        self,
        product: str,
        extra_meta: Callable[[str, str], dict[str, Any]] | None = None,
        byok_detector: Callable[[], bool] | None = None,
    ) -> None:
        self.product = product
        self._extra_meta = extra_meta
        self._byok_detector = byok_detector or (lambda: False)
        # Config — read from environment at construction time so tests can patch env
        self._cloud_mode: bool = os.environ.get("CLOUD_MODE", "").lower() in ("1", "true", "yes")
        self._directus_secret: str = os.environ.get("DIRECTUS_JWT_SECRET", "")
        self._heimdall_url: str = os.environ.get("HEIMDALL_URL", "https://license.circuitforge.tech")
        self._heimdall_token: str = os.environ.get("HEIMDALL_ADMIN_TOKEN", "")
        self._cloud_data_root: Path = Path(
            os.environ.get("CLOUD_DATA_ROOT", f"/devl/{product}-cloud-data")
        )
        _bypass_raw = os.environ.get("CLOUD_AUTH_BYPASS_IPS", "")
        self._bypass_nets, self._bypass_ips = _parse_bypass_nets(_bypass_raw)
        # Tier resolution cache: {user_id: (result_dict, timestamp)}
        self._tier_cache: dict[str, tuple[dict, float]] = {}
        self._tier_cache_ttl: float = 300.0  # 5 minutes
    # ── JWT ───────────────────────────────────────────────────────────────────
    def validate_jwt(self, token: str) -> str:
        """Validate a cf_session JWT and return the Directus user_id. Raises HTTPException on failure."""
        try:
            import jwt as pyjwt  # lazy — not needed in local mode
            from fastapi import HTTPException
            payload = pyjwt.decode(
                token,
                self._directus_secret,
                algorithms=["HS256"],
                options={"require": ["id", "exp"]},
            )
            return payload["id"]
        except Exception as exc:
            log.debug("JWT validation failed: %s", exc)
            from fastapi import HTTPException
            raise HTTPException(status_code=401, detail="Session invalid or expired")
    # ── Heimdall ──────────────────────────────────────────────────────────────
    def _ensure_provisioned(self, user_id: str) -> None:
        if not self._heimdall_token:
            return
        try:
            import requests
            requests.post(
                f"{self._heimdall_url}/admin/provision",
                json={"directus_user_id": user_id, "product": self.product, "tier": "free"},
                headers={"Authorization": f"Bearer {self._heimdall_token}"},
                timeout=5,
            )
        except Exception as exc:
            log.warning("Heimdall provision failed for user %s: %s", user_id, exc)
    def _resolve_tier(self, user_id: str) -> dict[str, Any]:
        """Returns dict with keys: tier, license_key (and any product extras)."""
        now = time.monotonic()
        cached = self._tier_cache.get(user_id)
        if cached and (now - cached[1]) < self._tier_cache_ttl:
            return cached[0]
        result: dict[str, Any] = {"tier": "free", "license_key": None}
        if self._heimdall_token:
            try:
                import requests
                resp = requests.post(
                    f"{self._heimdall_url}/admin/cloud/resolve",
                    json={"directus_user_id": user_id, "product": self.product},
                    headers={"Authorization": f"Bearer {self._heimdall_token}"},
                    timeout=5,
                )
                if resp.ok:
                    data = resp.json()
                    result["tier"] = data.get("tier", "free")
                    result["license_key"] = data.get("key_display")
                    # Forward any extra fields Heimdall returns (household_id etc.)
                    result.update({k: v for k, v in data.items() if k not in result})
            except Exception as exc:
                log.warning("Heimdall tier resolve failed for %s: %s", user_id, exc)
        else:
            log.debug("HEIMDALL_ADMIN_TOKEN not set — defaulting tier to free")
        self._tier_cache[user_id] = (result, now)
        return result
    # ── Guest sessions ────────────────────────────────────────────────────────
    _GUEST_COOKIE = "cf_guest_id"
    _GUEST_COOKIE_MAX_AGE = 60 * 60 * 24 * 90  # 90 days
    def _resolve_guest(self, request: Any, response: Any) -> CloudUser:
        guest_id = (request.cookies.get(self._GUEST_COOKIE) or "").strip()
        if not guest_id:
            guest_id = str(uuid.uuid4())
        is_https = request.headers.get("x-forwarded-proto", "http").lower() == "https"
        response.set_cookie(
            key=self._GUEST_COOKIE,
            value=guest_id,
            max_age=self._GUEST_COOKIE_MAX_AGE,
            httponly=True,
            samesite="lax",
            secure=is_https,
        )
        return CloudUser(
            user_id=f"anon-{guest_id}",
            tier="free",
            product=self.product,
            has_byok=self._byok_detector(),
        )
    # ── Core resolver ─────────────────────────────────────────────────────────
    def resolve(self, request: Any, response: Any) -> CloudUser:
        """Resolve the CloudUser for a FastAPI request. Suitable as a Depends() target."""
        has_byok = self._byok_detector()
        if not self._cloud_mode:
            return CloudUser(user_id="local", tier="local", product=self.product, has_byok=has_byok)
        client_ip = (
            request.headers.get("x-real-ip", "")
            or (request.client.host if request.client else "")
        )
        if _is_bypass_ip(client_ip, self._bypass_nets, self._bypass_ips):
            log.debug("Bypass IP %s — returning local-dev session for product %s", client_ip, self.product)
            return CloudUser(user_id="local-dev", tier="local", product=self.product, has_byok=has_byok)
        raw_session = (
            request.headers.get("x-cf-session", "").strip()
            or request.cookies.get("cf_session", "").strip()
        )
        if not raw_session:
            return self._resolve_guest(request, response)
        token = _extract_session_token(raw_session)
        if not token:
            return self._resolve_guest(request, response)
        user_id = self.validate_jwt(token)
        self._ensure_provisioned(user_id)
        tier_data = self._resolve_tier(user_id)
        tier = tier_data.get("tier", "free")
        meta: dict[str, Any] = {}
        if self._extra_meta:
            meta = self._extra_meta(user_id, tier) or {}
        # Merge any extra fields from Heimdall response (e.g. household_id)
        meta.update({k: v for k, v in tier_data.items() if k not in ("tier", "license_key")})
        meta["license_key"] = tier_data.get("license_key")
        return CloudUser(
            user_id=user_id,
            tier=tier,
            product=self.product,
            has_byok=has_byok,
            meta=meta,
        )
    def dependency(self) -> Callable[[Any, Any], CloudUser]:
        """Return a FastAPI-compatible dependency function (use with Depends())."""
        factory = self
        def _get_session(request: Any, response: Any) -> CloudUser:
            return factory.resolve(request, response)
        return _get_session
    def require_tier(self, min_tier: str) -> Callable:
        """Dependency factory — raises 403 if the session tier is below min_tier."""
        from fastapi import Depends, HTTPException
        min_idx = TIERS.index(min_tier)
        get_session = self.dependency()
        def _check(session: CloudUser = Depends(get_session)) -> CloudUser:
            if session.tier in ("local", "local-dev"):
                return session
            try:
                if TIERS.index(session.tier) < min_idx:
                    raise HTTPException(
                        status_code=403,
                        detail=f"This feature requires {min_tier} tier or above.",
                    )
            except ValueError:
                raise HTTPException(status_code=403, detail="Unknown tier.")
            return session
        return _check