Files
FusionAGI/fusionagi/api/secret_rotation.py

103 lines
3.3 KiB
Python
Raw Normal View History

Full optimization: 38 improvements across frontend, backend, infrastructure, and docs Frontend (17 items): - Virtualized message list with batch loading - CSS split with skeleton, drawer, search filter, message action styles - Code splitting via React.lazy + Suspense for Admin/Ethics/Settings pages - Skeleton loading components (Skeleton, SkeletonCard, SkeletonGrid) - Debounced search/filter component (SearchFilter) - Error boundary with fallback UI - Keyboard shortcuts (Ctrl+K search, Ctrl+Enter send, Escape dismiss) - Page transition animations (fade-in) - PWA support (manifest.json + service worker) - WebSocket auto-reconnect with exponential backoff (10 retries) - Chat history persistence to localStorage (500 msg limit) - Message edit/delete on hover - Copy-to-clipboard on code blocks - Mobile drawer (bottom-sheet for consensus panel) - File upload support - User preferences sync to backend Testing (8 items): - Component tests: Toast, Markdown, ChatMessage, Avatar, ErrorBoundary, Skeleton - Hook tests: useChatHistory - E2E smoke tests (5 tests) - Accessibility audit utility Backend (12 items): - Vector memory with cosine similarity search - TTS/STT adapter factory wiring - Geometry kernel with orphan detection - Tenant registry with CRUD operations - Response cache with TTL - Connection pool (async) - Background task queue - Health check endpoints (/health, /ready) - Request tracing middleware (X-Request-ID) - API key rotation mechanism - Environment-based config (settings.py) - API route documentation improvements Infrastructure (4 items): - Grafana dashboard template - Database migration system - Storybook configuration Documentation (3 items): - ADR-001: Advisory Governance Model - ADR-002: Twelve-Head Architecture - ADR-003: Consequence Engine 552 Python tests + 45 frontend tests passing, 0 ruff errors. Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
2026-05-02 03:08:08 +00:00
"""API key rotation mechanism for FusionAGI."""
from __future__ import annotations
import hashlib
import secrets
import time
from typing import Any
from pydantic import BaseModel, Field
class APIKeyRecord(BaseModel):
"""Record for a rotatable API key."""
key_hash: str
created_at: float = Field(default_factory=time.time)
expires_at: float | None = None
label: str = "default"
active: bool = True
class SecretRotator:
"""Manages API key lifecycle: generation, rotation, and expiry.
Keys are stored as SHA-256 hashes for security.
Supports multiple active keys for zero-downtime rotation.
"""
def __init__(self, max_active_keys: int = 3) -> None:
self._keys: list[APIKeyRecord] = []
self._max_active = max_active_keys
@staticmethod
def _hash_key(key: str) -> str:
"""Hash a key using SHA-256."""
return hashlib.sha256(key.encode()).hexdigest()
def generate_key(self, label: str = "default", ttl_seconds: float | None = None) -> str:
"""Generate a new API key and register it. Returns the plaintext key."""
key = secrets.token_urlsafe(32)
record = APIKeyRecord(
key_hash=self._hash_key(key),
label=label,
expires_at=time.time() + ttl_seconds if ttl_seconds else None,
)
self._keys.append(record)
self._enforce_max_active()
return key
def validate_key(self, key: str) -> bool:
"""Check if a key is valid (active and not expired)."""
key_hash = self._hash_key(key)
now = time.time()
for record in self._keys:
if record.key_hash == key_hash and record.active:
if record.expires_at and now > record.expires_at:
record.active = False
return False
return True
return False
def rotate(self, label: str = "default", ttl_seconds: float | None = None) -> str:
"""Rotate keys: generate new, keep previous active for overlap period."""
return self.generate_key(label=label, ttl_seconds=ttl_seconds)
def revoke(self, key: str) -> bool:
"""Revoke a specific key."""
key_hash = self._hash_key(key)
for record in self._keys:
if record.key_hash == key_hash:
record.active = False
return True
return False
def revoke_expired(self) -> int:
"""Deactivate all expired keys."""
now = time.time()
count = 0
for record in self._keys:
if record.active and record.expires_at and now > record.expires_at:
record.active = False
count += 1
return count
def _enforce_max_active(self) -> None:
"""Ensure we don't exceed max active keys."""
active = [k for k in self._keys if k.active]
while len(active) > self._max_active:
active[0].active = False
active = active[1:]
def list_keys(self) -> list[dict[str, Any]]:
"""List all keys (without hashes)."""
return [
{
"label": k.label,
"active": k.active,
"created_at": k.created_at,
"expires_at": k.expires_at,
}
for k in self._keys
]