kunthawat/ALwrity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kunthawat:codex/add-structured-tier-policy-configuration
Branches Tags
kunthawat:main kunthawat:codex/add-uniqueness-strategy-for-backlinklead kunthawat:alert-autofix-28 kunthawat:codex/update-cors-handling-in-streaming-endpoints kunthawat:codex/refactor-stream_strategic_intelligence-response-handling kunthawat:codex/implement-production-evaluators-in-quality_validation.py kunthawat:codex/replace-local-cache-with-shared-cache kunthawat:codex/implement-onboarding-module-functionality kunthawat:alert-autofix-88 kunthawat:alert-autofix-107 kunthawat:alert-autofix-116 kunthawat:alert-autofix-121 kunthawat:codex/expose-capability-flags-in-integration-manager kunthawat:codex/add-structured-tier-policy-configuration kunthawat:codex/implement-self-healing-executor-functionality kunthawat:codex/add-synthesis-step-to-context-pipeline kunthawat:codex/create-token-crypto-service-for-models kunthawat:codex/implement-oauth-validation-and-channel-management kunthawat:codex/add-task-loader-for-social-tokens kunthawat:codex/update-performance_monitor-and-safety_framework kunthawat:codex/define-versioned-metadata-schema-and-refactor-handlers kunthawat:codex/support-multi-source-filtering-in-api kunthawat:fix/add-matplotlib-backend-dependency kunthawat:codex/remove-heuristic-calculators-and-update-estimates-bhvhnh kunthawat:dependabot/npm_and_yarn/frontend/npm_and_yarn-7d3393088f kunthawat:codex/downgrade-api-key-warning-logging kunthawat:codex/refactor-onboarding-loading-logic kunthawat:codex/add-ci-lint-check-for-user_id-patterns kunthawat:codex/remove-sessionlocal-import-and-add-health-check kunthawat:codex/refactor-dubbed_audio_dir-to-tenant-path-resolver kunthawat:codex/update-task-metadata-and-api-responses kunthawat:codex/verify-podcast-analysis-and-cost-tracking kunthawat:codex/assert-api-endpoints-on-startup kunthawat:codex/add-env-controlled-guard-for-stripe-key kunthawat:codex/remove-feature-flag-for-production-demo kunthawat:codex/add-mode-aware-redirect-logic-in-pricingpage kunthawat:codex/document-deployment-configuration-for-demo-mode kunthawat:codex/ensure-api.subscription.router-always-included kunthawat:codex/guard-onboarding-manager-and-endpoints kunthawat:codex/wrap-router-inclusion-in-demo-mode-check kunthawat:codex/add-podcast-only-demo-mode-toggle kunthawat:dependabot/npm_and_yarn/frontend/npm_and_yarn-f5ea90b336
kunthawat:v0.5.1 kunthawat:v0.1
..
compare: kunthawat:codex/create-token-crypto-service-for-models
Branches Tags
kunthawat:main kunthawat:codex/add-uniqueness-strategy-for-backlinklead kunthawat:alert-autofix-28 kunthawat:codex/update-cors-handling-in-streaming-endpoints kunthawat:codex/refactor-stream_strategic_intelligence-response-handling kunthawat:codex/implement-production-evaluators-in-quality_validation.py kunthawat:codex/replace-local-cache-with-shared-cache kunthawat:codex/implement-onboarding-module-functionality kunthawat:alert-autofix-88 kunthawat:alert-autofix-107 kunthawat:alert-autofix-116 kunthawat:alert-autofix-121 kunthawat:codex/expose-capability-flags-in-integration-manager kunthawat:codex/add-structured-tier-policy-configuration kunthawat:codex/implement-self-healing-executor-functionality kunthawat:codex/add-synthesis-step-to-context-pipeline kunthawat:codex/create-token-crypto-service-for-models kunthawat:codex/implement-oauth-validation-and-channel-management kunthawat:codex/add-task-loader-for-social-tokens kunthawat:codex/update-performance_monitor-and-safety_framework kunthawat:codex/define-versioned-metadata-schema-and-refactor-handlers kunthawat:codex/support-multi-source-filtering-in-api kunthawat:fix/add-matplotlib-backend-dependency kunthawat:codex/remove-heuristic-calculators-and-update-estimates-bhvhnh kunthawat:dependabot/npm_and_yarn/frontend/npm_and_yarn-7d3393088f kunthawat:codex/downgrade-api-key-warning-logging kunthawat:codex/refactor-onboarding-loading-logic kunthawat:codex/add-ci-lint-check-for-user_id-patterns kunthawat:codex/remove-sessionlocal-import-and-add-health-check kunthawat:codex/refactor-dubbed_audio_dir-to-tenant-path-resolver kunthawat:codex/update-task-metadata-and-api-responses kunthawat:codex/verify-podcast-analysis-and-cost-tracking kunthawat:codex/assert-api-endpoints-on-startup kunthawat:codex/add-env-controlled-guard-for-stripe-key kunthawat:codex/remove-feature-flag-for-production-demo kunthawat:codex/add-mode-aware-redirect-logic-in-pricingpage kunthawat:codex/document-deployment-configuration-for-demo-mode kunthawat:codex/ensure-api.subscription.router-always-included kunthawat:codex/guard-onboarding-manager-and-endpoints kunthawat:codex/wrap-router-inclusion-in-demo-mode-check kunthawat:codex/add-podcast-only-demo-mode-toggle kunthawat:dependabot/npm_and_yarn/frontend/npm_and_yarn-f5ea90b336
kunthawat:v0.5.1 kunthawat:v0.1

1 Commits
codex/add- ... codex/crea

Author SHA1 Message Date
ي
afcb3d5478 Add token encryption service and Wix token rotation support 2026-05-18 15:57:47 +05:30
4 changed files with 215 additions and 310 deletions
Expand all files Collapse all files

254
backend/services/integrations/wix_oauth.py
View File

@@ -9,14 +9,16 @@ from typing import Optional, Dict, Any, List
from datetime import datetime, timedelta from datetime import datetime, timedelta
from loguru import logger from loguru import logger
from services.database import get_user_db_path from services.database import get_user_db_path
from services.token_crypto_service import TokenCryptoService
class WixOAuthService: class WixOAuthService:
"""Manages Wix OAuth2 authentication flow and token storage.""" """Manages Wix OAuth2 authentication flow and token storage."""
def __init__(self, db_path: Optional[str] = None): def __init__(self, db_path: Optional[str] = None):
self.db_path = db_path self.db_path = db_path
self.token_crypto = TokenCryptoService()
def _get_db_path(self, user_id: str) -> str: def _get_db_path(self, user_id: str) -> str:
if self.db_path: if self.db_path:
@@ -26,7 +28,6 @@ class WixOAuthService:
def _init_db(self, user_id: str): def _init_db(self, user_id: str):
"""Initialize database tables for OAuth tokens.""" """Initialize database tables for OAuth tokens."""
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
# Ensure directory exists
os.makedirs(os.path.dirname(db_path), exist_ok=True) os.makedirs(os.path.dirname(db_path), exist_ok=True)
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
@@ -45,69 +46,60 @@ class WixOAuthService:
member_id TEXT, member_id TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
is_active BOOLEAN DEFAULT TRUE is_active BOOLEAN DEFAULT TRUE,
token_key_version TEXT,
token_key_reference TEXT
) )
''') ''')
for column_name, column_def in [
("token_key_version", "TEXT"),
("token_key_reference", "TEXT"),
]:
try:
cursor.execute(f"ALTER TABLE wix_oauth_tokens ADD COLUMN {column_name} {column_def}")
except sqlite3.OperationalError:
pass
conn.commit() conn.commit()
def store_tokens( def store_tokens(self, user_id: str, access_token: str, refresh_token: Optional[str] = None,
self, expires_in: Optional[int] = None, token_type: str = 'bearer', scope: Optional[str] = None,
user_id: str, site_id: Optional[str] = None, member_id: Optional[str] = None) -> bool:
access_token: str,
refresh_token: Optional[str] = None,
expires_in: Optional[int] = None,
token_type: str = 'bearer',
scope: Optional[str] = None,
site_id: Optional[str] = None,
member_id: Optional[str] = None
) -> bool:
"""
Store Wix OAuth tokens in the database.
Args:
user_id: User ID (Clerk string)
access_token: Access token from Wix
refresh_token: Optional refresh token
expires_in: Optional expiration time in seconds
token_type: Token type (default: 'bearer')
scope: Optional OAuth scope
site_id: Optional Wix site ID
member_id: Optional Wix member ID
Returns:
True if tokens were stored successfully
"""
try: try:
# Ensure DB is initialized for this user
self._init_db(user_id) self._init_db(user_id)
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
expires_at = datetime.now() + timedelta(seconds=expires_in) if expires_in else None
expires_at = None encrypted_access_token, encrypted_refresh_token = self.token_crypto.encrypt_pair(access_token, refresh_token)
if expires_in:
expires_at = datetime.now() + timedelta(seconds=expires_in)
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
cursor = conn.cursor() cursor = conn.cursor()
cursor.execute(''' cursor.execute('''
INSERT INTO wix_oauth_tokens INSERT INTO wix_oauth_tokens
(user_id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id) (user_id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id, token_key_version, token_key_reference)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
''', (user_id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id)) ''', (
user_id,
encrypted_access_token,
encrypted_refresh_token,
token_type,
expires_at,
expires_in,
scope,
site_id,
member_id,
self.token_crypto.key_version,
self.token_crypto.key_reference,
))
conn.commit() conn.commit()
logger.info(f"Wix OAuth: Token inserted into database for user {user_id}") logger.info(f"Wix OAuth: Encrypted token stored for user {user_id}")
return True return True
except Exception as e: except Exception as e:
logger.error(f"Error storing Wix tokens for user {user_id}: {e}") logger.error(f"Error storing Wix tokens for user {user_id}: {e}")
return False return False
def get_user_tokens(self, user_id: str) -> List[Dict[str, Any]]: def get_user_tokens(self, user_id: str) -> List[Dict[str, Any]]:
"""Get all active Wix tokens for a user.""" """Get all active Wix token rows (encrypted values)."""
try: try:
# Ensure database tables exist to prevent 'no such table' errors
self._init_db(user_id) self._init_db(user_id)
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
if not os.path.exists(db_path): if not os.path.exists(db_path):
return [] return []
@@ -115,98 +107,72 @@ class WixOAuthService:
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
cursor = conn.cursor() cursor = conn.cursor()
cursor.execute(''' cursor.execute('''
SELECT id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id, created_at SELECT id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id, created_at, token_key_version, token_key_reference
FROM wix_oauth_tokens FROM wix_oauth_tokens
WHERE user_id = ? AND is_active = TRUE AND (expires_at IS NULL OR expires_at > datetime('now')) WHERE user_id = ? AND is_active = TRUE AND (expires_at IS NULL OR expires_at > datetime('now'))
ORDER BY created_at DESC ORDER BY created_at DESC
''', (user_id,)) ''', (user_id,))
tokens = [] return [{
for row in cursor.fetchall(): "id": row[0], "access_token": row[1], "refresh_token": row[2], "token_type": row[3],
tokens.append({ "expires_at": row[4], "expires_in": row[5], "scope": row[6], "site_id": row[7],
"id": row[0], "member_id": row[8], "created_at": row[9], "token_key_version": row[10],
"access_token": row[1], "token_key_reference": row[11]
"refresh_token": row[2], } for row in cursor.fetchall()]
"token_type": row[3],
"expires_at": row[4],
"expires_in": row[5],
"scope": row[6],
"site_id": row[7],
"member_id": row[8],
"created_at": row[9]
})
return tokens
except Exception as e: except Exception as e:
logger.error(f"Error getting Wix tokens for user {user_id}: {e}") logger.error(f"Error getting Wix tokens for user {user_id}: {e}")
return [] return []
def get_user_token_status(self, user_id: str) -> Dict[str, Any]: def get_user_tokens_decrypted(self, user_id: str) -> List[Dict[str, Any]]:
"""Get detailed token status for a user including expired tokens.""" """Decrypt tokens for integration managers and token refresh routines."""
try: decrypted = []
# Ensure database tables exist to prevent 'no such table' errors for token in self.get_user_tokens(user_id):
self._init_db(user_id) token_copy = dict(token)
token_copy["access_token"] = self.token_crypto.decrypt_token(token_copy.get("access_token"))
token_copy["refresh_token"] = self.token_crypto.decrypt_token(token_copy.get("refresh_token"))
decrypted.append(token_copy)
return decrypted
def get_user_token_status(self, user_id: str) -> Dict[str, Any]:
try:
self._init_db(user_id)
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
if not os.path.exists(db_path): if not os.path.exists(db_path):
return { return {"has_tokens": False, "has_active_tokens": False, "has_expired_tokens": False,
"has_tokens": False, "active_tokens": [], "expired_tokens": [], "total_tokens": 0, "last_token_date": None}
"has_active_tokens": False,
"has_expired_tokens": False,
"active_tokens": [],
"expired_tokens": [],
"total_tokens": 0,
"last_token_date": None
}
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
cursor = conn.cursor() cursor = conn.cursor()
# Get all tokens (active and expired)
cursor.execute(''' cursor.execute('''
SELECT id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id, created_at, is_active SELECT id, access_token, refresh_token, token_type, expires_at, expires_in, scope, site_id, member_id,
created_at, is_active, token_key_version, token_key_reference
FROM wix_oauth_tokens FROM wix_oauth_tokens
WHERE user_id = ? WHERE user_id = ?
ORDER BY created_at DESC ORDER BY created_at DESC
''', (user_id,)) ''', (user_id,))
all_tokens = [] all_tokens, active_tokens, expired_tokens = [], [], []
active_tokens = []
expired_tokens = []
for row in cursor.fetchall(): for row in cursor.fetchall():
token_data = { token_data = {
"id": row[0], "id": row[0], "access_token": row[1], "refresh_token": row[2], "token_type": row[3],
"access_token": row[1], "expires_at": row[4], "expires_in": row[5], "scope": row[6], "site_id": row[7],
"refresh_token": row[2], "member_id": row[8], "created_at": row[9], "is_active": bool(row[10]),
"token_type": row[3], "token_key_version": row[11], "token_key_reference": row[12]
"expires_at": row[4],
"expires_in": row[5],
"scope": row[6],
"site_id": row[7],
"member_id": row[8],
"created_at": row[9],
"is_active": bool(row[10])
} }
all_tokens.append(token_data) all_tokens.append(token_data)
# Determine expiry using robust parsing and is_active flag
is_active_flag = bool(row[10]) is_active_flag = bool(row[10])
not_expired = False not_expired = False
try: try:
expires_at_val = row[4] expires_at_val = row[4]
if expires_at_val: if expires_at_val:
# First try Python parsing
try: try:
dt = datetime.fromisoformat(expires_at_val) if isinstance(expires_at_val, str) else expires_at_val dt = datetime.fromisoformat(expires_at_val) if isinstance(expires_at_val, str) else expires_at_val
not_expired = dt > datetime.now() not_expired = dt > datetime.now()
except Exception: except Exception:
# Fallback to SQLite comparison
cursor.execute("SELECT datetime('now') < ?", (expires_at_val,)) cursor.execute("SELECT datetime('now') < ?", (expires_at_val,))
not_expired = cursor.fetchone()[0] == 1 not_expired = cursor.fetchone()[0] == 1
else: else:
# No expiry stored => consider not expired
not_expired = True not_expired = True
except Exception: except Exception:
not_expired = False not_expired = False
@@ -225,36 +191,19 @@ class WixOAuthService:
"total_tokens": len(all_tokens), "total_tokens": len(all_tokens),
"last_token_date": all_tokens[0]["created_at"] if all_tokens else None "last_token_date": all_tokens[0]["created_at"] if all_tokens else None
} }
except Exception as e: except Exception as e:
logger.error(f"Error getting Wix token status for user {user_id}: {e}") logger.error(f"Error getting Wix token status for user {user_id}: {e}")
return { return {"has_tokens": False, "has_active_tokens": False, "has_expired_tokens": False,
"has_tokens": False, "active_tokens": [], "expired_tokens": [], "total_tokens": 0, "last_token_date": None, "error": str(e)}
"has_active_tokens": False,
"has_expired_tokens": False,
"active_tokens": [],
"expired_tokens": [],
"total_tokens": 0,
"last_token_date": None,
"error": str(e)
}
def update_tokens( def update_tokens(self, user_id: str, access_token: str, refresh_token: Optional[str] = None,
self, expires_in: Optional[int] = None) -> bool:
user_id: str,
access_token: str,
refresh_token: Optional[str] = None,
expires_in: Optional[int] = None
) -> bool:
"""Update tokens for a user (e.g., after refresh)."""
try: try:
# Ensure DB initialized for this user
self._init_db(user_id) self._init_db(user_id)
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
expires_at = datetime.now() + timedelta(seconds=expires_in) if expires_in else None
expires_at = None encrypted_access_token = self.token_crypto.encrypt_token(access_token)
if expires_in: encrypted_refresh_token = self.token_crypto.encrypt_token(refresh_token) if refresh_token else None
expires_at = datetime.now() + timedelta(seconds=expires_in)
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
cursor = conn.cursor() cursor = conn.cursor()
@@ -262,27 +211,67 @@ class WixOAuthService:
cursor.execute(''' cursor.execute('''
UPDATE wix_oauth_tokens UPDATE wix_oauth_tokens
SET access_token = ?, refresh_token = ?, expires_at = ?, expires_in = ?, SET access_token = ?, refresh_token = ?, expires_at = ?, expires_in = ?,
is_active = TRUE, updated_at = datetime('now') is_active = TRUE, updated_at = datetime('now'), token_key_version = ?, token_key_reference = ?
WHERE user_id = ? AND refresh_token = ? WHERE user_id = ? AND (refresh_token = ? OR refresh_token = ?)
''', (access_token, refresh_token, expires_at, expires_in, user_id, refresh_token)) ''', (encrypted_access_token, encrypted_refresh_token, expires_at, expires_in,
self.token_crypto.key_version, self.token_crypto.key_reference,
user_id, encrypted_refresh_token, refresh_token))
else: else:
cursor.execute(''' cursor.execute('''
UPDATE wix_oauth_tokens UPDATE wix_oauth_tokens
SET access_token = ?, expires_at = ?, expires_in = ?, SET access_token = ?, expires_at = ?, expires_in = ?,
is_active = TRUE, updated_at = datetime('now') is_active = TRUE, updated_at = datetime('now'), token_key_version = ?, token_key_reference = ?
WHERE user_id = ? AND id = (SELECT id FROM wix_oauth_tokens WHERE user_id = ? ORDER BY created_at DESC LIMIT 1) WHERE user_id = ? AND id = (SELECT id FROM wix_oauth_tokens WHERE user_id = ? ORDER BY created_at DESC LIMIT 1)
''', (access_token, expires_at, expires_in, user_id, user_id)) ''', (encrypted_access_token, expires_at, expires_in,
self.token_crypto.key_version, self.token_crypto.key_reference, user_id, user_id))
conn.commit() conn.commit()
logger.info(f"Wix OAuth: Tokens updated for user {user_id}") logger.info(f"Wix OAuth: Encrypted tokens updated for user {user_id}")
return True return True
except Exception as e: except Exception as e:
logger.error(f"Error updating Wix tokens for user {user_id}: {e}") logger.error(f"Error updating Wix tokens for user {user_id}: {e}")
return False return False
def rotate_token_encryption(self, user_id: str, batch_size: int = 100) -> Dict[str, int]:
"""Re-encrypt existing token rows in batches for key rotation."""
self._init_db(user_id)
db_path = self._get_db_path(user_id)
rotated, skipped, last_id = 0, 0, 0
with sqlite3.connect(db_path) as conn:
cursor = conn.cursor()
while True:
cursor.execute('''
SELECT id, access_token, refresh_token
FROM wix_oauth_tokens
WHERE user_id = ? AND id > ?
ORDER BY id ASC
LIMIT ?
''', (user_id, last_id, batch_size))
rows = cursor.fetchall()
if not rows:
break
for row_id, enc_access, enc_refresh in rows:
last_id = row_id
try:
plain_access = self.token_crypto.decrypt_token(enc_access)
plain_refresh = self.token_crypto.decrypt_token(enc_refresh) if enc_refresh else None
except Exception:
skipped += 1
continue
new_access, new_refresh = self.token_crypto.encrypt_pair(plain_access, plain_refresh)
cursor.execute('''
UPDATE wix_oauth_tokens
SET access_token = ?, refresh_token = ?, token_key_version = ?, token_key_reference = ?, updated_at = datetime('now')
WHERE id = ?
''', (new_access, new_refresh, self.token_crypto.key_version, self.token_crypto.key_reference, row_id))
rotated += 1
conn.commit()
logger.info(f"Wix OAuth: Encryption rotation complete for user {user_id}; rotated={rotated}, skipped={skipped}")
return {"rotated": rotated, "skipped": skipped}
def revoke_token(self, user_id: str, token_id: int) -> bool: def revoke_token(self, user_id: str, token_id: int) -> bool:
"""Revoke a Wix OAuth token."""
try: try:
db_path = self._get_db_path(user_id) db_path = self._get_db_path(user_id)
with sqlite3.connect(db_path) as conn: with sqlite3.connect(db_path) as conn:
@@ -293,13 +282,10 @@ class WixOAuthService:
WHERE user_id = ? AND id = ? WHERE user_id = ? AND id = ?
''', (user_id, token_id)) ''', (user_id, token_id))
conn.commit() conn.commit()
if cursor.rowcount > 0: if cursor.rowcount > 0:
logger.info(f"Wix token {token_id} revoked for user {user_id}") logger.info(f"Wix token {token_id} revoked for user {user_id}")
return True return True
return False return False
except Exception as e: except Exception as e:
logger.error(f"Error revoking Wix token: {e}") logger.error(f"Error revoking Wix token: {e}")
return False return False

92
backend/services/intelligence/agents/performance_monitor.py
View File

@@ -99,17 +99,6 @@ class OptimizationRecommendation:
expires = datetime.utcnow().timestamp() + (7 * 24 * 60 * 60) expires = datetime.utcnow().timestamp() + (7 * 24 * 60 * 60)
self.expires_at = datetime.fromtimestamp(expires).isoformat() self.expires_at = datetime.fromtimestamp(expires).isoformat()
@dataclass
class TierPolicyConfig:
"""Structured policy for anomaly tiers and remediation controls"""
tier: int
trigger_metrics: List[str]
thresholds: Dict[str, float]
max_iterations: int
lock_criteria: Dict[str, Any]
class AgentPerformanceMonitor: class AgentPerformanceMonitor:
"""Main performance monitoring system for agents""" """Main performance monitoring system for agents"""
@@ -119,32 +108,6 @@ class AgentPerformanceMonitor:
self.agent_snapshots: Dict[str, AgentPerformanceSnapshot] = {} self.agent_snapshots: Dict[str, AgentPerformanceSnapshot] = {}
self.recommendations: List[OptimizationRecommendation] = [] self.recommendations: List[OptimizationRecommendation] = []
self.performance_history: deque = deque(maxlen=1000) # Keep last 1000 data points self.performance_history: deque = deque(maxlen=1000) # Keep last 1000 data points
self.systemic_alerts: List[Dict[str, Any]] = []
# Structured tier policy config
self.tier_policy_config: Dict[int, TierPolicyConfig] = {
1: TierPolicyConfig(
tier=1,
trigger_metrics=["success_rate", "efficiency_score", "response_time"],
thresholds={"success_rate": 0.80, "efficiency_score": 0.65, "response_time": 45.0},
max_iterations=3,
lock_criteria={"min_confidence": 0.85, "consecutive_failures": 6}
),
2: TierPolicyConfig(
tier=2,
trigger_metrics=["success_rate", "efficiency_score", "response_time", "market_impact"],
thresholds={"success_rate": 0.70, "efficiency_score": 0.50, "response_time": 60.0, "market_impact": 0.35},
max_iterations=2,
lock_criteria={"min_confidence": 0.75, "consecutive_failures": 4}
),
3: TierPolicyConfig(
tier=3,
trigger_metrics=["success_rate", "efficiency_score", "response_time", "market_impact"],
thresholds={"success_rate": 0.55, "efficiency_score": 0.35, "response_time": 90.0, "market_impact": 0.25},
max_iterations=1,
lock_criteria={"min_confidence": 0.65, "consecutive_failures": 3}
)
}
# Performance thresholds and targets # Performance thresholds and targets
self.performance_targets = { self.performance_targets = {
@@ -550,54 +513,6 @@ class AgentPerformanceMonitor:
} }
return priority_weights.get(priority, 0) return priority_weights.get(priority, 0)
def _build_recommended_action_payload(self, agent_id: str, snapshot: AgentPerformanceSnapshot) -> Dict[str, Any]:
"""Build recommended action payload including tier and confidence."""
tier = 1
if (snapshot.success_rate <= self.tier_policy_config[3].thresholds["success_rate"] or
snapshot.efficiency_score <= self.tier_policy_config[3].thresholds["efficiency_score"] or
snapshot.average_response_time >= self.tier_policy_config[3].thresholds["response_time"] or
snapshot.market_impact_score <= self.tier_policy_config[3].thresholds["market_impact"]):
tier = 3
elif (snapshot.success_rate <= self.tier_policy_config[2].thresholds["success_rate"] or
snapshot.efficiency_score <= self.tier_policy_config[2].thresholds["efficiency_score"] or
snapshot.average_response_time >= self.tier_policy_config[2].thresholds["response_time"] or
snapshot.market_impact_score <= self.tier_policy_config[2].thresholds["market_impact"]):
tier = 2
confidence = round(max(0.0, min(1.0, 1.0 - abs(0.75 - self._calculate_health_score(snapshot)))) , 2)
policy = self.tier_policy_config[tier]
return {
"agent_id": agent_id,
"tier": tier,
"confidence": confidence,
"max_iterations": policy.max_iterations,
"lock_criteria": policy.lock_criteria,
"trigger_metrics": policy.trigger_metrics
}
def _route_tier3_systemic_alert(self, action_payload: Dict[str, Any], alerts: List[Dict[str, Any]]) -> None:
"""Route Tier 3 systemic anomalies to alerting subsystem with diagnostic brief."""
diagnostic_brief = {
"type": "systemic_anomaly",
"severity": "critical",
"tier": 3,
"confidence": action_payload.get("confidence", 0.0),
"agent_id": action_payload.get("agent_id"),
"timestamp": datetime.utcnow().isoformat(),
"diagnostic_brief": {
"trigger_metrics": action_payload.get("trigger_metrics", []),
"alerts": alerts,
"max_iterations": action_payload.get("max_iterations"),
"lock_criteria": action_payload.get("lock_criteria", {})
}
}
self.systemic_alerts.append(diagnostic_brief)
if len(self.systemic_alerts) > 200:
self.systemic_alerts = self.systemic_alerts[-200:]
logger.critical(f"[ALERTING_SUBSYSTEM] Tier 3 systemic anomaly routed: {json.dumps(diagnostic_brief)}")
async def get_performance_alerts(self, agent_id: str) -> List[Dict[str, Any]]: async def get_performance_alerts(self, agent_id: str) -> List[Dict[str, Any]]:
"""Get performance alerts for an agent""" """Get performance alerts for an agent"""
alerts = [] alerts = []
@@ -659,13 +574,6 @@ class AgentPerformanceMonitor:
"timestamp": datetime.utcnow().isoformat() "timestamp": datetime.utcnow().isoformat()
}) })
action_payload = self._build_recommended_action_payload(agent_id, snapshot)
if action_payload["tier"] == 3:
self._route_tier3_systemic_alert(action_payload, alerts)
for alert in alerts:
alert["recommended_action"] = action_payload
return alerts return alerts
except Exception as e: except Exception as e:

62
backend/services/intelligence/agents/safety_framework.py
View File

@@ -84,17 +84,6 @@ class SafetyValidation:
if self.validation_timestamp is None: if self.validation_timestamp is None:
self.validation_timestamp = datetime.utcnow().isoformat() self.validation_timestamp = datetime.utcnow().isoformat()
@dataclass
class SafetyArbitrationDecision:
"""Explicit allow/deny/lock decision with reasons."""
decision: str
reasons: List[str]
tier: int
confidence: float
lock_state_active: bool
class SafetyConstraintManager: class SafetyConstraintManager:
"""Manages safety constraints for agent actions""" """Manages safety constraints for agent actions"""
@@ -103,8 +92,6 @@ class SafetyConstraintManager:
self.constraints: Dict[str, SafetyConstraint] = {} self.constraints: Dict[str, SafetyConstraint] = {}
self.action_history: List[Dict[str, Any]] = [] self.action_history: List[Dict[str, Any]] = []
self.violation_history: List[Dict[str, Any]] = [] self.violation_history: List[Dict[str, Any]] = []
self.lock_state_active: bool = False
self.lock_state_reason: Optional[str] = None
# Initialize default constraints # Initialize default constraints
self._initialize_default_constraints() self._initialize_default_constraints()
@@ -177,17 +164,6 @@ class SafetyConstraintManager:
try: try:
logger.info(f"Validating action for user {self.user_id}: {action_data.get('action_type', 'unknown')}") logger.info(f"Validating action for user {self.user_id}: {action_data.get('action_type', 'unknown')}")
if self.lock_state_active and action_data.get("autonomous_modification", True):
reason = self.lock_state_reason or "Safety lock is active due to Tier 3 systemic anomaly"
return SafetyValidation(
is_valid=False,
risk_level=RiskLevel.CRITICAL,
violations=["Autonomous modifications blocked while lock state is active"],
recommendations=[reason],
requires_approval=True,
confidence_score=1.0
)
violations = [] violations = []
recommendations = [] recommendations = []
requires_approval = False requires_approval = False
@@ -231,18 +207,8 @@ class SafetyConstraintManager:
# Final validation # Final validation
is_valid = len(violations) == 0 and not requires_approval is_valid = len(violations) == 0 and not requires_approval
confidence_score = max(0.0, min(1.0, confidence_score))
arbitration = self._arbitrate_decision(action_data, risk_level, violations, requires_approval, confidence_score)
if arbitration.decision == "lock": logger.info(f"Action validation completed for user {self.user_id}. Valid: {is_valid}, Risk: {risk_level.value}, Violations: {len(violations)}")
self.lock_state_active = True
self.lock_state_reason = "; ".join(arbitration.reasons)
is_valid = False
requires_approval = True
recommendations.extend([f"Arbitration decision: {arbitration.decision}", *arbitration.reasons])
logger.info(f"Action validation completed for user {self.user_id}. Decision: {arbitration.decision}, Valid: {is_valid}, Risk: {risk_level.value}, Violations: {len(violations)}")
# Record in history # Record in history
await self._record_validation_history(action_data, is_valid, violations) await self._record_validation_history(action_data, is_valid, violations)
@@ -253,7 +219,7 @@ class SafetyConstraintManager:
violations=violations, violations=violations,
recommendations=recommendations, recommendations=recommendations,
requires_approval=requires_approval, requires_approval=requires_approval,
confidence_score=confidence_score confidence_score=max(0.0, min(1.0, confidence_score))
) )
except Exception as e: except Exception as e:
@@ -269,30 +235,6 @@ class SafetyConstraintManager:
confidence_score=0.0 confidence_score=0.0
) )
def _arbitrate_decision(self, action_data: Dict[str, Any], risk_level: RiskLevel, violations: List[str], requires_approval: bool, confidence_score: float) -> SafetyArbitrationDecision:
"""Arbitrate allow/deny/lock with explicit reasons."""
reasons: List[str] = []
tier = int(action_data.get("recommended_tier", 1))
if self.lock_state_active:
reasons.append("Existing lock state is active")
return SafetyArbitrationDecision("lock", reasons, tier, confidence_score, True)
if tier >= 3 or risk_level == RiskLevel.CRITICAL:
reasons.append("Tier 3 systemic anomaly or critical risk detected")
if violations:
reasons.extend(violations)
return SafetyArbitrationDecision("lock", reasons, 3, confidence_score, True)
if violations or requires_approval:
reasons.append("Safety policy violation or approval requirement triggered")
reasons.extend(violations)
return SafetyArbitrationDecision("deny", reasons, tier, confidence_score, False)
reasons.append("No policy violations detected")
return SafetyArbitrationDecision("allow", reasons, tier, confidence_score, False)
def _determine_action_category(self, action_type: str) -> ActionCategory: def _determine_action_category(self, action_type: str) -> ActionCategory:
"""Determine the category of an action""" """Determine the category of an action"""
action_type_lower = action_type.lower() action_type_lower = action_type.lower()

69
backend/services/token_crypto_service.py Normal file
View File

@@ -0,0 +1,69 @@
"""Service for encrypting/decrypting integration tokens with key version metadata."""
import base64
import hashlib
import os
from typing import Optional, Tuple
from cryptography.fernet import Fernet, InvalidToken
from loguru import logger
class TokenCryptoService:
"""Token encryption/decryption service with key version support."""
ENV_KEY = "ALWRITY_TOKEN_ENCRYPTION_KEY"
ENV_KEY_VERSION = "ALWRITY_TOKEN_KEY_VERSION"
def __init__(self):
raw_key = os.getenv(self.ENV_KEY, "")
if raw_key:
self._fernet_key = self._normalize_key(raw_key)
else:
self._fernet_key = self._derive_dev_key()
self._fernet = Fernet(self._fernet_key)
self._key_version = os.getenv(self.ENV_KEY_VERSION, "v1")
self._key_reference = self._fingerprint(self._fernet_key)
@property
def key_version(self) -> str:
return self._key_version
@property
def key_reference(self) -> str:
return self._key_reference
def encrypt_token(self, token: Optional[str]) -> Optional[str]:
if token is None:
return None
return self._fernet.encrypt(token.encode("utf-8")).decode("utf-8")
def decrypt_token(self, encrypted_token: Optional[str]) -> Optional[str]:
if encrypted_token is None:
return None
try:
return self._fernet.decrypt(encrypted_token.encode("utf-8")).decode("utf-8")
except InvalidToken:
logger.error("Token decryption failed due to invalid token/key")
raise
def encrypt_pair(self, access_token: str, refresh_token: Optional[str]) -> Tuple[str, Optional[str]]:
return self.encrypt_token(access_token), self.encrypt_token(refresh_token)
@staticmethod
def _normalize_key(raw_key: str) -> bytes:
raw_key = raw_key.strip()
if len(raw_key) == 44 and raw_key.endswith("="):
return raw_key.encode("utf-8")
digest = hashlib.sha256(raw_key.encode("utf-8")).digest()
return base64.urlsafe_b64encode(digest)
@staticmethod
def _derive_dev_key() -> bytes:
seed = "alwrity-local-token-key"
digest = hashlib.sha256(seed.encode("utf-8")).digest()
return base64.urlsafe_b64encode(digest)
@staticmethod
def _fingerprint(key: bytes) -> str:
return hashlib.sha256(key).hexdigest()[:16]