Skip to content

Add durable PostgreSQL authorization rate controls#113

Merged
abiorh-claw merged 18 commits into
mainfrom
codex/ws-auth-001-04b-postgres-rate-controls
Jul 14, 2026
Merged

Add durable PostgreSQL authorization rate controls#113
abiorh-claw merged 18 commits into
mainfrom
codex/ws-auth-001-04b-postgres-rate-controls

Conversation

@Abiorh001

@Abiorh001 Abiorh001 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

PR Trust Bundle: WS-AUTH-001-04B

Chunk

WS-AUTH-001-04B - PostgreSQL Rate Controls

Goal

Provide privacy-keyed, cross-replica PostgreSQL rate controls for future first
access and authority mutations without attaching them to production routes.

Human-Approved Intent

The user explicitly started AUTH-04B after AUTH-04A and its post-merge memory
merged. The approved boundary is a cross-replica PostgreSQL rate-control
foundation only: dependencies remain unattached, product authority remains in
later AUTH chunks, and only the user may approve PR merge.

What Changed

  • Added atomic database-time fixed-window counters with durable denial,
    saturation safety, and bounded lock-safe pruning.
  • Added HMAC-keyed server dependencies for first_access and
    admin_mutation; both remain unattached.
  • Added migration 0017_api_controls with guarded downgrade custody.
  • Added non-retaining secret configuration across constructor, environment,
    layered dotenv, and Pydantic's public model-validation methods.
  • Clarified that artifact production I/O requires central AUTH permissions,
    service principals, and exact resource authorization before adapter work.

Design

Each consume owns a short independent committed session. One PostgreSQL upsert
uses one statement_timestamp() CTE to insert, reset, increment, saturate, and
return authoritative window state. HMAC framing stores only scope and a 32-byte
digest. The server key is private SecretStr state assigned only after
successful Pydantic validation; Pydantic receives no recoverable key object.

Scope Control

The production delta is 480 non-comment lines, below the 500-line hard stop.
No route consumer, actor/grant behavior, product authority, artifact runtime,
AUTH-05 implementation, Redis counter, or in-memory cross-replica state was
added.

Behavior Proof

Tests cover exact limits, repeated denial, expiry, database-clock retry values,
concurrency, cross-session durability, downstream rollback, saturation,
pruning, unavailable database phases, cancellation, privacy-safe persistence,
schema constraints, migration races, and representative artifact preservation.
Secret tests traverse structured error objects and complete exception graphs
and instrument the BaseSettings boundary directly.

Acceptance Criteria Proof

  • PostgreSQL owns one clock-bound atomic upsert, durable denial, saturation,
    and bounded lock-safe pruning.
  • Persistence contains only exact scope and a 32-byte HMAC digest.
  • Constructor, environment, layered dotenv, and all public validation methods
    retain no raw or recoverable secret in structured errors or exception graphs.
  • Migration proof covers populated 0016 preservation, exact schema guards,
    refusal on nonempty downgrade, writer races, empty downgrade, and re-upgrade.
  • Route/dependency inventory proves neither new dependency is attached.
  • Artifact adapter I/O remains inactive behind central AUTH-07/AUTH-09 gates.

Evidence Commands And Results

  • 77 focused isolated PostgreSQL tests passed at 97 percent changed-subsystem
    statement coverage.
  • 59 final configuration/object-graph tests passed.
  • Exact AUTH-04B migration and real API E2E passed.
  • The exact CI failure order now passes 22/22 after the migration test restores
    Alembic head following destructive cleanup.
  • Ruff, docstring threshold, stale scans, links, loop memory, 36 Agent Gates,
    additive test delta, and diff hygiene passed.
  • GitHub Backend must provide the unchanged repository-wide 78 percent floor;
    the interrupted local global run is not evidence.

Reviewer Results

Reviewer Result Blocking findings
Senior engineering / architecture / docs / reuse PASS None
QA / test delta / CI integrity PASS None
Security / privacy / product ops PASS None

Reviewed implementation SHA is 922778b; reviewed production SHA is
67484b5. Later reviewed heads contain only tests, evidence, and lifecycle
memory unless explicitly recorded in the external-review response.

CI And Gate Integrity

  • No workflow, threshold, exclusion, skip, or coverage bypass changed.
  • Changed AUTH-04B subsystem remains above 90 percent coverage.
  • Repository docstring gate passes at 95.8 percent.
  • Internal evidence, loop memory, stale scans, links, and Agent Gates pass.
  • Backend must pass the repaired exact PR head at the 78 percent global floor.
  • Explicit human review and merge approval remain pending.

External Review

Ready PR #113 is open. Agent Gates passed on the prior published head.
CodeRabbit completed its available review with one valid test-deduplication
nit addressed; its later incremental review was rate-limited. The first Backend
run reached 82.12 percent coverage but exposed test-owned schema cleanup. All
final-head external checks and explicit human review remain pending. None
replaces the completed internal review.

Remaining Risks

  • The dependencies are intentionally unattached; later owning chunks must add
    route-specific permissions and consumer tests.
  • Secret rotation resets effective counters and requires the documented
    cross-replica quiescence procedure.
  • The global suite and 78 percent repository floor remain GitHub-owned because
    the local run was interrupted by host shutdown.

Human Review Focus

Inspect transaction custody, HMAC framing/privacy, database-time math, pruning
lock order, migration downgrade refusal, secret object-graph non-retention, and
the fact that no production route consumes either dependency.

Human Merge Ownership

Only the user may approve and merge this PR. Publication is not merge approval,
and AUTH-05 does not start automatically.

Summary by CodeRabbit

  • New Features

    • Added durable PostgreSQL-backed API rate controls with fixed windows, denial handling, retry guidance, concurrency safety, and bounded cleanup.
    • Added privacy-preserving configuration using HMAC-derived keys without retaining raw identity or secret values.
    • Added migration safeguards, operational guidance, and end-to-end contract verification.
  • Documentation

    • Updated authorization and artifact-storage guidance to require centralized authorization before production adapter operations.
    • Documented rate-control configuration, behavior, rotation, and safe database downgrade procedures.
  • Tests

    • Added comprehensive coverage for persistence, migration integrity, privacy, configuration validation, concurrency, failures, and API behavior.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1250ddda-8ad4-4a02-92d1-609f568ea979

📥 Commits

Reviewing files that changed from the base of the PR and between 5a186ad and 94fb2fe.

📒 Files selected for processing (10)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-external-review-response.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-pr-trust-bundle.md
  • backend/tests/test_alembic.py
  • backend/tests/test_api_rate_controls.py
🚧 Files skipped from review as they are similar to previous changes (9)
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-pr-trust-bundle.md
  • .agent-loop/REVIEW_LOG.md
  • backend/tests/test_alembic.py
  • backend/tests/test_api_rate_controls.py

📝 Walkthrough

Walkthrough

Changes

AUTH-04B PostgreSQL rate controls

Layer / File(s) Summary
Contract and authorization boundaries
.agent-loop/..., WS-ART-001-02-flow-node-adapter-reconciliation.md, WS-AUTH-001-04B-postgres-rate-controls.md
Updates workstream state, implementation constraints, artifact authorization boundaries, persistence requirements, privacy rules, and activation status.
Schema and secret configuration
backend/alembic/versions/0017_api_controls.py, backend/app/modules/api_controls/*, backend/app/core/config.py
Adds the counter schema/model and metadata registration, plus validated and redacted rate-limit secret settings.
Counter repository and service
backend/app/modules/api_controls/repository.py, backend/app/modules/api_controls/service.py
Implements atomic fixed-window counters, pruning, HMAC identity digests, transaction handling, saturation, and retry timing.
Dependency enforcement and contract drill
backend/app/api/deps/api_controls.py, backend/scripts/api_contract_e2e.py
Adds unattached FastAPI dependencies with 429/503 mapping and exercises the rate-control contract against PostgreSQL.
Migration, runtime, and configuration validation
backend/tests/test_alembic.py, backend/tests/test_api_rate_controls.py, backend/tests/test_config.py, backend/tests/test_auth.py
Covers schema guards, concurrency, rollback, pruning, error behavior, dependency wiring, route safety, secret non-retention, and configuration bounds.
Review evidence and operational documentation
.agent-loop/initiatives/.../reviews/*, docs/*
Records review outcomes and documents counter semantics, required settings, operational handling, rotation, cleanup, and downgrade constraints.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant RateControlDependency
  participant RateControlService
  participant PostgreSQL
  Caller->>RateControlDependency: Submit authenticated request
  RateControlDependency->>RateControlService: Consume scoped allowance
  RateControlService->>PostgreSQL: Upsert counter and prune expired rows
  PostgreSQL-->>RateControlService: Return count and database timestamps
  RateControlService-->>RateControlDependency: Return allow or deny decision
  RateControlDependency-->>Caller: Continue or return 429/503
Loading

Possibly related PRs

Suggested reviewers: abiorh-claw

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 34.95% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: durable PostgreSQL authorization rate controls.
Description check ✅ Passed The description covers the required trust-bundle sections and contains substantial implementation, evidence, and review detail.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ws-auth-001-04b-postgres-rate-controls

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
backend/tests/test_api_rate_controls.py (1)

270-280: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract a shared helper for the repeated raw-insert boilerplate.

The same insert into api_rate_control_counters (...) values (...) shape is copy-pasted across the concurrency, saturation, and deadlock tests, differing only in scope/digest/offsets/count. A small async helper (e.g. _insert_counter_row(factory, scope, digest, *, started_offset, expires_offset, request_count)) would cut duplication and reduce the chance of the copies silently diverging as more tests are added here.

Also applies to: 310-336, 364-381

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/tests/test_api_rate_controls.py` around lines 270 - 280, The repeated
raw INSERT statements in the concurrency, saturation, and deadlock tests should
be centralized. Add an async helper such as _insert_counter_row accepting the
factory, scope, digest, started/expires offsets, and request_count, then replace
the duplicated insert blocks around the affected tests with calls to that helper
while preserving each test’s values.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@backend/tests/test_api_rate_controls.py`:
- Around line 270-280: The repeated raw INSERT statements in the concurrency,
saturation, and deadlock tests should be centralized. Add an async helper such
as _insert_counter_row accepting the factory, scope, digest, started/expires
offsets, and request_count, then replace the duplicated insert blocks around the
affected tests with calls to that helper while preserving each test’s values.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 744fce6c-2b51-4d6a-b7ef-3acf3d2d2b5e

📥 Commits

Reviewing files that changed from the base of the PR and between 7749f54 and 5a186ad.

📒 Files selected for processing (27)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/PLAN.md
  • .agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-02-flow-node-adapter-reconciliation.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-04B-postgres-rate-controls.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-04B-pr-trust-bundle.md
  • backend/alembic/versions/0017_api_controls.py
  • backend/app/api/deps/api_controls.py
  • backend/app/core/config.py
  • backend/app/db/models.py
  • backend/app/modules/api_controls/__init__.py
  • backend/app/modules/api_controls/models.py
  • backend/app/modules/api_controls/repository.py
  • backend/app/modules/api_controls/service.py
  • backend/scripts/api_contract_e2e.py
  • backend/tests/test_alembic.py
  • backend/tests/test_api_rate_controls.py
  • backend/tests/test_auth.py
  • backend/tests/test_config.py
  • docs/architecture_data_model.md
  • docs/operations_authorization_service.md

@abiorh-claw abiorh-claw self-requested a review July 14, 2026 04:26
@abiorh-claw abiorh-claw merged commit 05a63c8 into main Jul 14, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants