greatmengqi
4b139fb689
Add request-scoped contextvar-based owner filtering to threads_meta,
runs, run_events, and feedback repositories. Router code is unchanged
— isolation is enforced at the storage layer so that any caller that
forgets to pass owner_id still gets filtered results, and new routes
cannot accidentally leak data.
Core infrastructure
-------------------
- deerflow/runtime/user_context.py (new):
- ContextVar[CurrentUser | None] with default None
- runtime_checkable CurrentUser Protocol (structural subtype with .id)
- set/reset/get/require helpers
- AUTO sentinel + resolve_owner_id(value, method_name) for sentinel
three-state resolution: AUTO reads contextvar, explicit str
overrides, explicit None bypasses the filter (for migration/CLI)
Repository changes
------------------
- ThreadMetaRepository: create/get/search/update_*/delete gain
owner_id=AUTO kwarg; read paths filter by owner, writes stamp it,
mutations check ownership before applying
- RunRepository: put/get/list_by_thread/delete gain owner_id=AUTO kwarg
- FeedbackRepository: create/get/list_by_run/list_by_thread/delete
gain owner_id=AUTO kwarg
- DbRunEventStore: list_messages/list_events/list_messages_by_run/
count_messages/delete_by_thread/delete_by_run gain owner_id=AUTO
kwarg. Write paths (put/put_batch) read contextvar softly: when a
request-scoped user is available, owner_id is stamped; background
worker writes without a user context pass None which is valid
(orphan row to be bound by migration)
Schema
------
- persistence/models/run_event.py: RunEventRow.owner_id = Mapped[
str | None] = mapped_column(String(64), nullable=True, index=True)
- No alembic migration needed: 2.0 ships fresh, Base.metadata.create_all
picks up the new column automatically
Middleware
----------
- auth_middleware.py: after cookie check, call get_optional_user_from_
request to load the real User, stamp it into request.state.user AND
the contextvar via set_current_user, reset in a try/finally. Public
paths and unauthenticated requests continue without contextvar, and
@require_auth handles the strict 401 path
Test infrastructure
-------------------
- tests/conftest.py: @pytest.fixture(autouse=True) _auto_user_context
sets a default SimpleNamespace(id="test-user-autouse") on every test
unless marked @pytest.mark.no_auto_user. Keeps existing 20+
persistence tests passing without modification
- pyproject.toml [tool.pytest.ini_options]: register no_auto_user
marker so pytest does not emit warnings for opt-out tests
- tests/test_user_context.py: 6 tests covering three-state semantics,
Protocol duck typing, and require/optional APIs
- tests/test_thread_meta_repo.py: one test updated to pass owner_id=
None explicitly where it was previously relying on the old default
Test results
------------
- test_user_context.py: 6 passed
- test_auth*.py + test_langgraph_auth.py + test_ensure_admin.py: 127
- test_run_event_store / test_run_repository / test_thread_meta_repo
/ test_feedback: 92 passed
- Full backend suite: 1905 passed, 2 failed (both @requires_llm flaky
integration tests unrelated to auth), 1 skipped
262 lines
12 KiB
Python
262 lines
12 KiB
Python
"""SQLAlchemy-backed RunEventStore implementation.
|
|
|
|
Persists events to the ``run_events`` table. Trace content is truncated
|
|
at ``max_trace_content`` bytes to avoid bloating the database.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
import logging
|
|
from datetime import UTC, datetime
|
|
|
|
from sqlalchemy import delete, func, select
|
|
from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker
|
|
|
|
from deerflow.persistence.models.run_event import RunEventRow
|
|
from deerflow.runtime.events.store.base import RunEventStore
|
|
from deerflow.runtime.user_context import AUTO, _AutoSentinel, get_current_user, resolve_owner_id
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class DbRunEventStore(RunEventStore):
|
|
def __init__(self, session_factory: async_sessionmaker[AsyncSession], *, max_trace_content: int = 10240):
|
|
self._sf = session_factory
|
|
self._max_trace_content = max_trace_content
|
|
|
|
@staticmethod
|
|
def _row_to_dict(row: RunEventRow) -> dict:
|
|
d = row.to_dict()
|
|
d["metadata"] = d.pop("event_metadata", {})
|
|
val = d.get("created_at")
|
|
if isinstance(val, datetime):
|
|
d["created_at"] = val.isoformat()
|
|
d.pop("id", None)
|
|
# Restore dict content that was JSON-serialized on write
|
|
raw = d.get("content", "")
|
|
if isinstance(raw, str) and d.get("metadata", {}).get("content_is_dict"):
|
|
try:
|
|
d["content"] = json.loads(raw)
|
|
except (json.JSONDecodeError, ValueError):
|
|
# Content looked like JSON (content_is_dict flag) but failed to parse;
|
|
# keep the raw string as-is.
|
|
logger.debug("Failed to deserialize content as JSON for event seq=%s", d.get("seq"))
|
|
return d
|
|
|
|
def _truncate_trace(self, category: str, content: str | dict, metadata: dict | None) -> tuple[str | dict, dict]:
|
|
if category == "trace":
|
|
text = json.dumps(content, default=str, ensure_ascii=False) if isinstance(content, dict) else content
|
|
encoded = text.encode("utf-8")
|
|
if len(encoded) > self._max_trace_content:
|
|
# Truncate by bytes, then decode back (may cut a multi-byte char, so use errors="ignore")
|
|
content = encoded[: self._max_trace_content].decode("utf-8", errors="ignore")
|
|
metadata = {**(metadata or {}), "content_truncated": True, "original_byte_length": len(encoded)}
|
|
return content, metadata or {}
|
|
|
|
@staticmethod
|
|
def _owner_from_context() -> str | None:
|
|
"""Soft read of owner_id from contextvar for write paths.
|
|
|
|
Returns ``None`` (no filter / no stamp) if contextvar is unset,
|
|
which is the expected case for background worker writes. HTTP
|
|
request writes will have the contextvar set by auth middleware
|
|
and get their user_id stamped automatically.
|
|
"""
|
|
user = get_current_user()
|
|
return user.id if user is not None else None
|
|
|
|
async def put(self, *, thread_id, run_id, event_type, category, content="", metadata=None, created_at=None): # noqa: D401
|
|
"""Write a single event — low-frequency path only.
|
|
|
|
This opens a dedicated transaction with a FOR UPDATE lock to
|
|
assign a monotonic *seq*. For high-throughput writes use
|
|
:meth:`put_batch`, which acquires the lock once for the whole
|
|
batch. Currently the only caller is ``worker.run_agent`` for
|
|
the initial ``human_message`` event (once per run).
|
|
"""
|
|
content, metadata = self._truncate_trace(category, content, metadata)
|
|
if isinstance(content, dict):
|
|
db_content = json.dumps(content, default=str, ensure_ascii=False)
|
|
metadata = {**(metadata or {}), "content_is_dict": True}
|
|
else:
|
|
db_content = content
|
|
owner_id = self._owner_from_context()
|
|
async with self._sf() as session:
|
|
async with session.begin():
|
|
# Use FOR UPDATE to serialize seq assignment within a thread.
|
|
# NOTE: with_for_update() on aggregates is a no-op on SQLite;
|
|
# the UNIQUE(thread_id, seq) constraint catches races there.
|
|
max_seq = await session.scalar(select(func.max(RunEventRow.seq)).where(RunEventRow.thread_id == thread_id).with_for_update())
|
|
seq = (max_seq or 0) + 1
|
|
row = RunEventRow(
|
|
thread_id=thread_id,
|
|
run_id=run_id,
|
|
owner_id=owner_id,
|
|
event_type=event_type,
|
|
category=category,
|
|
content=db_content,
|
|
event_metadata=metadata,
|
|
seq=seq,
|
|
created_at=datetime.fromisoformat(created_at) if created_at else datetime.now(UTC),
|
|
)
|
|
session.add(row)
|
|
return self._row_to_dict(row)
|
|
|
|
async def put_batch(self, events):
|
|
if not events:
|
|
return []
|
|
owner_id = self._owner_from_context()
|
|
async with self._sf() as session:
|
|
async with session.begin():
|
|
# Get max seq for the thread (assume all events in batch belong to same thread).
|
|
# NOTE: with_for_update() on aggregates is a no-op on SQLite;
|
|
# the UNIQUE(thread_id, seq) constraint catches races there.
|
|
thread_id = events[0]["thread_id"]
|
|
max_seq = await session.scalar(select(func.max(RunEventRow.seq)).where(RunEventRow.thread_id == thread_id).with_for_update())
|
|
seq = max_seq or 0
|
|
rows = []
|
|
for e in events:
|
|
seq += 1
|
|
content = e.get("content", "")
|
|
category = e.get("category", "trace")
|
|
metadata = e.get("metadata")
|
|
content, metadata = self._truncate_trace(category, content, metadata)
|
|
if isinstance(content, dict):
|
|
db_content = json.dumps(content, default=str, ensure_ascii=False)
|
|
metadata = {**(metadata or {}), "content_is_dict": True}
|
|
else:
|
|
db_content = content
|
|
row = RunEventRow(
|
|
thread_id=e["thread_id"],
|
|
run_id=e["run_id"],
|
|
owner_id=e.get("owner_id", owner_id),
|
|
event_type=e["event_type"],
|
|
category=category,
|
|
content=db_content,
|
|
event_metadata=metadata,
|
|
seq=seq,
|
|
created_at=datetime.fromisoformat(e["created_at"]) if e.get("created_at") else datetime.now(UTC),
|
|
)
|
|
session.add(row)
|
|
rows.append(row)
|
|
return [self._row_to_dict(r) for r in rows]
|
|
|
|
async def list_messages(
|
|
self,
|
|
thread_id,
|
|
*,
|
|
limit=50,
|
|
before_seq=None,
|
|
after_seq=None,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.list_messages")
|
|
stmt = select(RunEventRow).where(RunEventRow.thread_id == thread_id, RunEventRow.category == "message")
|
|
if resolved_owner_id is not None:
|
|
stmt = stmt.where(RunEventRow.owner_id == resolved_owner_id)
|
|
if before_seq is not None:
|
|
stmt = stmt.where(RunEventRow.seq < before_seq)
|
|
if after_seq is not None:
|
|
stmt = stmt.where(RunEventRow.seq > after_seq)
|
|
|
|
if after_seq is not None:
|
|
# Forward pagination: first `limit` records after cursor
|
|
stmt = stmt.order_by(RunEventRow.seq.asc()).limit(limit)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
return [self._row_to_dict(r) for r in result.scalars()]
|
|
else:
|
|
# before_seq or default (latest): take last `limit` records, return ascending
|
|
stmt = stmt.order_by(RunEventRow.seq.desc()).limit(limit)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
rows = list(result.scalars())
|
|
return [self._row_to_dict(r) for r in reversed(rows)]
|
|
|
|
async def list_events(
|
|
self,
|
|
thread_id,
|
|
run_id,
|
|
*,
|
|
event_types=None,
|
|
limit=500,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.list_events")
|
|
stmt = select(RunEventRow).where(RunEventRow.thread_id == thread_id, RunEventRow.run_id == run_id)
|
|
if resolved_owner_id is not None:
|
|
stmt = stmt.where(RunEventRow.owner_id == resolved_owner_id)
|
|
if event_types:
|
|
stmt = stmt.where(RunEventRow.event_type.in_(event_types))
|
|
stmt = stmt.order_by(RunEventRow.seq.asc()).limit(limit)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
return [self._row_to_dict(r) for r in result.scalars()]
|
|
|
|
async def list_messages_by_run(
|
|
self,
|
|
thread_id,
|
|
run_id,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.list_messages_by_run")
|
|
stmt = select(RunEventRow).where(RunEventRow.thread_id == thread_id, RunEventRow.run_id == run_id, RunEventRow.category == "message")
|
|
if resolved_owner_id is not None:
|
|
stmt = stmt.where(RunEventRow.owner_id == resolved_owner_id)
|
|
stmt = stmt.order_by(RunEventRow.seq.asc())
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
return [self._row_to_dict(r) for r in result.scalars()]
|
|
|
|
async def count_messages(
|
|
self,
|
|
thread_id,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.count_messages")
|
|
stmt = select(func.count()).select_from(RunEventRow).where(RunEventRow.thread_id == thread_id, RunEventRow.category == "message")
|
|
if resolved_owner_id is not None:
|
|
stmt = stmt.where(RunEventRow.owner_id == resolved_owner_id)
|
|
async with self._sf() as session:
|
|
return await session.scalar(stmt) or 0
|
|
|
|
async def delete_by_thread(
|
|
self,
|
|
thread_id,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.delete_by_thread")
|
|
async with self._sf() as session:
|
|
count_conditions = [RunEventRow.thread_id == thread_id]
|
|
if resolved_owner_id is not None:
|
|
count_conditions.append(RunEventRow.owner_id == resolved_owner_id)
|
|
count_stmt = select(func.count()).select_from(RunEventRow).where(*count_conditions)
|
|
count = await session.scalar(count_stmt) or 0
|
|
if count > 0:
|
|
await session.execute(delete(RunEventRow).where(*count_conditions))
|
|
await session.commit()
|
|
return count
|
|
|
|
async def delete_by_run(
|
|
self,
|
|
thread_id,
|
|
run_id,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
):
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="DbRunEventStore.delete_by_run")
|
|
async with self._sf() as session:
|
|
count_conditions = [RunEventRow.thread_id == thread_id, RunEventRow.run_id == run_id]
|
|
if resolved_owner_id is not None:
|
|
count_conditions.append(RunEventRow.owner_id == resolved_owner_id)
|
|
count_stmt = select(func.count()).select_from(RunEventRow).where(*count_conditions)
|
|
count = await session.scalar(count_stmt) or 0
|
|
if count > 0:
|
|
await session.execute(delete(RunEventRow).where(*count_conditions))
|
|
await session.commit()
|
|
return count
|