^i%UdZddlmZddlZddlZddlmZddlmZejdZ e hdZ de d <dd Zdd Z dd lmZdd lmZddlmZGddeZdZddZddZy#e$rdZdZYwxYw)aRLM Neo-Cortex -- Tenant ID Extraction Middleware. Every incoming request to the RLM API must carry a tenant identity so the gateway can enforce per-tenant isolation, quota, and entitlements. Two extraction strategies are supported (tried in order): 1. **JWT Bearer token** (``Authorization: Bearer ``) The JWT payload must include a ``tenant_id`` or ``sub`` claim that is a valid UUID v4. The token is verified with HS256 against ``JWT_SECRET``. 2. **API key header** (default: ``X-Api-Key: ``) The header name is configurable via the ``API_KEY_HEADER`` env var. The key is looked up in Redis/PostgreSQL via the EntitlementLedger. The first 8 characters are used as a fast-path Redis key prefix. If neither strategy produces a valid tenant UUID the middleware returns HTTP 401 with a JSON ``{"error": "missing_tenant_identity"}`` body. The extracted tenant UUID is attached to ``request.state.tenant_id`` so downstream route handlers can access it without re-parsing headers. Story: integration-layer-middleware ) annotationsN)Optional)UUIDzcore.rlm.middleware>/docs/redoc/health /openapi.json/zfrozenset[str] _EXEMPT_PATHSc ddl}|j|||g}|jdxs|jd}|rtt |S y#t $r }t jd|Yd}~yd}~wwxYw)aDecode a JWT and extract the tenant UUID from payload. Returns None if the token is invalid, expired, or does not contain a recognised UUID claim. Args: token: Raw JWT string (without 'Bearer ' prefix). secret: HS256 signing secret. algorithm: JWT algorithm (usually 'HS256'). Returns: UUID extracted from 'tenant_id' or 'sub' claim, or None. rN) algorithms tenant_idsubzJWT decode failed: %s)jwtdecodegetrstr Exceptionloggerdebug)tokensecret algorithmpyjwtpayloadraw_idexcs ,/mnt/e/genesis-system/core/rlm/middleware.py _decode_jwtr0s3,,uf),E[)?W[[-? F $ $   3 ,c22 3sAA B A;;BcKtjjdd}tjjdd}t|dk\r|ddn|}|r] ddlm}|j |dd }|jd |d{}|jd{|r t|S |r ddl }|j|d d{} | jd|d{} | jd{| rxtt!| d} |r] ddlm}|j |dd }|j#d |t!| dd{|jd{| S| S yy77#t$r }tjd |Yd}~d}~wwxYw7777Y7C#t$rY| SwxYw#t$r }tjd|Yd}~yd}~wwxYww)u{Resolve an API key to a tenant UUID via Redis fast-path, then PostgreSQL. Redis key format: ``rlm:apikey:`` → ```` If not in Redis, falls back to querying the ``rlm_tenant_api_keys`` table. Args: api_key: The raw API key string from the request header. Returns: UUID if the API key is recognised, else None. REDIS_URL DATABASE_URLNrT)decode_responsessocket_timeoutz rlm:apikey:zRedis API-key lookup failed: %s)timeoutzNSELECT tenant_id FROM rlm_tenant_api_keys WHERE api_key = $1 AND active = TRUEri,)exz$PostgreSQL API-key lookup failed: %s)osenvironrlen redis.asyncioasynciofrom_urlacloserrrrasyncpgconnectfetchrowcloserset) api_key redis_urlpg_dsnprefix8aioredisrcachedrr2connrowtids r_lookup_api_keyrAMs {B/I ~r2F \Q.gbqkGG A ,!!)dST!UA55;wi!899F((*  F|#  F  ;;D `C**,  3s;/018$--i$_`-aeek'$;SX#eNNNhhj(( s  A:  A LL:C @ @ A< O($  F LL? E E  FsAG>1F F F $F %F 5G>:GF8G.F:/GF<G'=G$F>%G<G=GGG>GG>G>F F F5F0+G>0F55G>8G:G<G>GG G G G>GG G;G61G>6G;;G>)BaseHTTPMiddleware)Request) JSONResponseceZdZdZddZy)TenantMiddlewareu]Extract tenant UUID from JWT or API key and attach to request state. Attach to a FastAPI app:: from core.rlm.middleware import TenantMiddleware app.add_middleware(TenantMiddleware) After this middleware runs, downstream handlers can access:: tenant_id: UUID = request.state.tenant_id # may be None for exempt paths Configuration (from os.environ, no hardcoded values): JWT_SECRET — HS256 signing secret JWT_ALGORITHM — default HS256 API_KEY_HEADER — header name, default X-Api-Key cKd|j_|jjtvr||d{St |d{}|Et jd|j|jjtddddS||j_t jd||j|jj||d{S777w)Nz"Tenant extraction failed for %s %simissing_tenant_identityz_Provide a valid JWT Bearer token (with tenant_id claim) or an API key in the configured header.)errordetail) status_codecontentz!Tenant %s authenticated for %s %s) staterurlpathr _extract_tenantrwarningmethodrDr)selfrequest call_nextrs rdispatchzTenantMiddleware.dispatchs&*GMM #{{=0&w///-g66I 8NNGKK$4$4$ #!:F  '0GMM # LL37>>7;;+;+; #7++ +306.,s49C7C1C7C3BC7,C5-C73C75C7N)rTrC)__name__ __module__ __qualname____doc__rVrrFrFs  " ,r\rFTFcKtjjdd}tjjdd}tjjdd}|jjdd}|j dr!|r|t dd }t |||}|r|S|jj|d}|rt|d {}|r|Sy 7 w) zTry JWT, then API key; return UUID or None. Separated from the middleware class so it can be unit-tested independently and reused by the MCP bridge. JWT_SECRETr" JWT_ALGORITHMHS256API_KEY_HEADER X-Api-Key AuthorizationBearer N)r+r,rheaders startswithr-rrA)rT jwt_secret jwt_algorithmapi_key_header auth_headerrr@r7s rrPrPs JJNN<4JJJNN?G>/2 .D y!jS^_%%]; Jnn^R0G$W--- <.sBDDA)DD D)rrrrrrreturnOptional[UUID])r7rrtru)rTz 'Request'rtru)redictrtru)rZ __future__rloggingr+typingruuidr getLoggerr frozensetr __annotations__rrAstarlette.middleware.baserBstarlette.requestsrCstarlette.responsesrDrF_MIDDLEWARE_AVAILABLE ImportErrorrPrsr[r\rrs0#    0 1!*+! ~:6z;<*00,-0,d!@S!sA00 A<;A<