Feature/python sdk enhancements

[ciresnave]

Updated Python SDK and some of the core Rust code that supplies its functionality. Since I haven't been using the Python SDK, I didn't keep it updated as much as I should. This should get it closer to parity with the Rust interface.

Summary by Sourcery

Enhance the Python SDK to achieve parity with the Rust interface by adding health and token services, new models, admin rate-limiting support, framework integrations, expanded tests, documentation, and minor server route fixes.

New Features:

• Add HealthService with basic, detailed, metrics, readiness, and liveness endpoints and corresponding Pydantic models
• Introduce TokenService with validate, refresh, create, and revoke operations and related token models
• Expose rate limiting endpoints in AdminService along with new rate limit configuration and statistics models
• Add FastAPI and Flask integration modules providing decorators for authentication, role, and permission enforcement

Enhancements:

• Extend BaseClient with _make_text_request and _attempt_text_request to support raw text endpoints
• Initialize client.health and client.tokens services in AuthFrameworkClient
• Fix Rust API route parameter syntax for consistent path definitions

Build:

• Update pyproject.toml dependencies, bump typing-extensions, define dev dependency groups, and add a flexible test runner script

Documentation:

• Add comprehensive guides for custom Rust storage backends and third-party storage usage
• Include examples for FastAPI and Flask integrations and an enhanced SDK usage demo

Tests:

• Expand Python SDK test suite with real-server integration tests, server lifecycle fixtures, and a run_tests.py test runner script

[sourcery-ai]

Reviewer's Guide

This PR enhances the Python SDK by bringing it closer to parity with the Rust API: new Pydantic models for health, metrics, tokens, rate limits, and admin entities; BaseClient extensions to support raw text endpoints; registration and implementation of HealthService and TokenService; expanded AdminService with rate-limiting methods; refined error handling; dependency and packaging updates; alignment of Rust server routing syntax; addition of FastAPI/Flask integration modules and demos; and a comprehensive integration test suite with a test runner.

Sequence diagram for FastAPI authentication integration

sequenceDiagram
    participant actor User
    participant FastAPI
    participant AuthFrameworkFastAPI
    participant TokenService
    participant AuthUser
    User->>FastAPI: Request /protected with Authorization header
    FastAPI->>AuthFrameworkFastAPI: require_auth() dependency
    AuthFrameworkFastAPI->>TokenService: validate(token)
    TokenService-->>AuthFrameworkFastAPI: validation_result
    AuthFrameworkFastAPI->>AuthUser: create AuthUser from validation_result
    AuthFrameworkFastAPI-->>FastAPI: AuthUser
    FastAPI-->>User: Protected endpoint response

Loading

Class diagram for new and updated Python SDK models

classDiagram
    class HealthMetrics {
        uptime_seconds: int
        memory_usage_bytes: int
        cpu_usage_percent: float
        active_connections: int
        request_count: int
        error_count: int
        timestamp: datetime
    }
    class ReadinessCheck {
        ready: bool
        dependencies: dict[str, bool]
        timestamp: datetime
    }
    class LivenessCheck {
        alive: bool
        timestamp: datetime
    }
    class TokenValidationResponse {
        valid: bool
        expired: bool
        token_type: str | None
        expires_at: datetime | None
        user_id: str | None
        scopes: list[str] | None
    }
    class CreateTokenRequest {
        user_id: str
        scopes: list[str] | None
        expires_in: int | None
        token_type: str | None
    }
    class CreateTokenResponse {
        token: str
        token_type: str
        expires_in: int
        expires_at: datetime
    }
    class TokenInfo {
        id: str
        user_id: str
        token_type: str
        scopes: list[str]
        expires_at: datetime
        created_at: datetime
        last_used: datetime | None
    }
    class RateLimitConfig {
        enabled: bool
        requests_per_minute: int
        requests_per_hour: int
        burst_size: int
        whitelist: list[str] | None
        blacklist: list[str] | None
    }
    class RateLimitStats {
        total_requests: int
        blocked_requests: int
        current_minute_requests: int
        current_hour_requests: int
        top_ips: list[dict[str, Any]]
        timestamp: datetime
    }
    class Permission {
        id: str
        name: str
        description: str | None
        resource: str
        action: str
        created_at: datetime
    }
    class Role {
        id: str
        name: str
        description: str | None
        permissions: list[Permission]
        created_at: datetime
        updated_at: datetime
    }
    class CreatePermissionRequest {
        name: str
        description: str | None
        resource: str
        action: str
    }
    class CreateRoleRequest {
        name: str
        description: str | None
        permission_ids: list[str] | None
    }
    Role "1" -- "*" Permission: contains

Loading

Class diagram for new Python SDK services and integration classes

classDiagram
    class HealthService {
        +check()
        +detailed_check()
        +get_metrics()
        +readiness_check()
        +liveness_check()
    }
    class TokenService {
        +validate(token)
        +refresh(refresh_token)
        +create(user_id, permissions, expires_in, ...)
        +revoke(token)
        +list_user_tokens(user_id)
    }
    class AuthFrameworkFastAPI {
        +require_auth()
        +require_role(required_role)
        +require_any_role(required_roles)
        +require_permission(resource, action)
        +get_current_user()
    }
    class AuthUser {
        user_info: UserInfo
        token: str
        id: str
        username: str
        email: str
        roles: list[str]
        mfa_enabled: bool
        +has_role(role)
        +has_any_role(roles)
    }
    class AuthFrameworkFlask {
        +_get_token_from_request()
        +_validate_token(token)
        +_handle_auth_error(message, status_code)
    }
    class FlaskAuthUser {
        user_info: UserInfo
        token: str
        id: str
        username: str
        email: str
        roles: list[str]
        mfa_enabled: bool
        +has_role(role)
        +has_any_role(roles)
    }
    AuthFrameworkFastAPI "1" -- "1" AuthUser: returns
    AuthFrameworkFlask "1" -- "1" FlaskAuthUser: returns

Loading

File-Level Changes

Change	Details	Files
Add new Pydantic models for health, tokens, rate limiting, and admin extensions	Defined HealthMetrics, ReadinessCheck, LivenessCheck models Created TokenValidationResponse, CreateTokenRequest/Response, TokenInfo Added RateLimitConfig and RateLimitStats models Introduced Permission, Role, CreatePermissionRequest/CreateRoleRequest classes	sdks/python/src/authframework/models.py sdks/python/src/authframework/__init__.py
Extend BaseClient to handle text-based endpoints	Adjusted async context manager return type to BaseClient Implemented _make_text_request for raw text responses Added _attempt_text_request with retry/backoff logic	sdks/python/src/authframework/_base.py
Register and implement HealthService and TokenService	Registered client.health = HealthService, client.tokens = TokenService Created src/authframework/_health.py with check, detailed, metrics, readiness, liveness Created src/authframework/_tokens.py with validate, refresh, create, revoke methods	sdks/python/src/authframework/client.py sdks/python/src/authframework/_health.py sdks/python/src/authframework/_tokens.py
Extend AdminService for rate-limiting management	Added get_rate_limits to fetch current rate-limit config Added configure_rate_limits to update settings Added get_rate_limit_stats to retrieve usage statistics	sdks/python/src/authframework/_admin.py
Refine error handling for rate limits	Extract retry_after from error response Pass retry_after into RateLimitError constructor	sdks/python/src/authframework/exceptions.py
Update packaging and dependencies	Bumped typing-extensions to >=4.5.0 Added fastapi and flask optional dependencies Introduced respx dev dependency and dependency-groups	sdks/python/pyproject.toml
Align Rust API server routing syntax	Replaced colon style (/:param) with curly braces ({param}) Updated multiple user, session, client, and admin routes	src/api/server.rs
Add FastAPI and Flask integration modules and demos	Created fastapi integration with AuthFrameworkFastAPI, dependencies Implemented FlaskAuth user decorators in flask integration Provided example demos under examples/ for both frameworks	sdks/python/src/authframework/integrations/fastapi.py sdks/python/src/authframework/integrations/flask.py sdks/python/examples/fastapi_integration_demo.py
Build out integration test suite and runner	Added pytest fixtures and conftest for real-server tests Wrote integration tests for health, auth, token, admin services Introduced run_tests.py to orchestrate unit/integration modes	sdks/python/tests/integration/ sdks/python/run_tests.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider consolidating the duplicate retry/backoff logic in _make_text_request and _make_request into a shared helper to reduce code duplication and simplify maintenance.
• In HealthService.get_metrics, switch to using the new _make_text_request directly instead of make_request so raw text metrics aren’t implicitly JSON-parsed and remain consistent with other text-based endpoints.
• The Flask and FastAPI permission decorators currently stub permission checks by requiring an ‘admin’ role; add a clear TODO or mark these as experimental until the server exposes a real permissions endpoint to avoid confusion.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider consolidating the duplicate retry/backoff logic in `_make_text_request` and `_make_request` into a shared helper to reduce code duplication and simplify maintenance.
- In `HealthService.get_metrics`, switch to using the new `_make_text_request` directly instead of `make_request` so raw text metrics aren’t implicitly JSON-parsed and remain consistent with other text-based endpoints.
- The Flask and FastAPI permission decorators currently stub permission checks by requiring an ‘admin’ role; add a clear TODO or mark these as experimental until the server exposes a real permissions endpoint to avoid confusion.

## Individual Comments

### Comment 1
<location> `sdks/python/src/authframework/_tokens.py:25-34` </location>
<code_context>
+        """
+        self._client = client
+
+    async def validate(self, token: str | None = None) -> dict[str, Any]:
+        """Validate a token.
+
+        Args:
+            token: Token to validate. If None, uses the stored access token.
+
+        Returns:
+            Token validation result with user information.
+
+        """
+        config = RequestConfig()
+        
+        # If a specific token is provided, we need to temporarily set it
+        original_token = None
+        if token is not None:
+            original_token = self._client.get_access_token()
+            self._client.set_access_token(token)
+        
+        try:
+            return await self._client.make_request("GET", "/auth/validate", config=config)
+        finally:
+            # Restore original token if we temporarily changed it
+            if token is not None and original_token is not None:
+                self._client.set_access_token(original_token)
+            elif token is not None:
</code_context>

<issue_to_address>
**issue (bug_risk):** Temporarily setting the access token on the client may cause race conditions in concurrent usage.

To prevent race conditions, refactor to avoid mutating shared client state. Instead, pass the token directly in request headers during validation.
</issue_to_address>

### Comment 2
<location> `sdks/python/src/authframework/integrations/fastapi.py:123-136` </location>
<code_context>
+            return user
+        return _require_any_role
+
+    def require_permission(self, resource: str, action: str) -> Callable:
+        """Require a specific permission decorator/dependency."""
+        async def _require_permission(
+            user: AuthUser = Depends(self.get_current_user())
+        ) -> AuthUser:
+            # Note: This would need to be implemented in the Rust API
+            # For now, we'll check if the user has an 'admin' role as a placeholder
+            if not user.has_role("admin"):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=f"Permission '{action}' on '{resource}' required"
+                )
+            return user
+        return _require_permission
+
+
</code_context>

<issue_to_address>
**suggestion:** Permission check is currently hardcoded to 'admin' role.

Since this is a placeholder, consider raising a NotImplementedError or warning to clearly indicate that granular permission checks are not yet supported.

```suggestion
    def require_permission(self, resource: str, action: str) -> Callable:
        """Require a specific permission decorator/dependency."""
        async def _require_permission(
            user: AuthUser = Depends(self.get_current_user())
        ) -> AuthUser:
            # Placeholder: granular permission checks are not yet supported
            raise NotImplementedError(
                f"Permission checks for '{action}' on '{resource}' are not yet implemented."
            )
        return _require_permission
```
</issue_to_address>

### Comment 3
<location> `sdks/python/src/authframework/models.py:304` </location>
<code_context>
     role: str | None = None
+
+
+# Health and Metrics Models
+class HealthMetrics(BaseModel):
+    """Health metrics model."""
</code_context>

<issue_to_address>
**issue (complexity):** Consider splitting the new models into separate files by domain and re-exporting them to keep each file small and maintain a clear public API.

Split out the new models into focused files so each domain stays small and easy to scan. You can keep one public API by re-exporting them in `models/__init__.py`.

Example structure:

```bash
app/
└── models/
    ├── __init__.py
    ├── health_models.py
    ├── token_models.py
    ├── rate_limit_models.py
    └── admin_models.py
```

health_models.py
```python
from pydantic import BaseModel
from datetime import datetime

class HealthMetrics(BaseModel):
    uptime_seconds: int
    memory_usage_bytes: int
    cpu_usage_percent: float
    active_connections: int
    request_count: int
    error_count: int
    timestamp: datetime

class ReadinessCheck(BaseModel):
    ready: bool
    dependencies: dict[str, bool]
    timestamp: datetime

class LivenessCheck(BaseModel):
    alive: bool
    timestamp: datetime
```

token_models.py
```python
from pydantic import BaseModel
from datetime import datetime

class CreateTokenRequest(BaseModel):
    user_id: str
    scopes: list[str] | None = None
    expires_in: int | None = None
    token_type: str | None = "access"

# ...and so on for CreateTokenResponse, TokenInfo, TokenValidationResponse
```

rate_limit_models.py
```python
from pydantic import BaseModel
from datetime import datetime
from typing import Any

class RateLimitConfig(BaseModel):
    enabled: bool
    requests_per_minute: int
    requests_per_hour: int
    burst_size: int
    whitelist: list[str] | None = None
    blacklist: list[str] | None = None

class RateLimitStats(BaseModel):
    total_requests: int
    blocked_requests: int
    current_minute_requests: int
    current_hour_requests: int
    top_ips: list[dict[str, Any]]
    timestamp: datetime
```

admin_models.py
```python
from pydantic import BaseModel
from datetime import datetime

class Permission(BaseModel):
    id: str
    name: str
    description: str | None = None
    resource: str
    action: str
    created_at: datetime

class Role(BaseModel):
    id: str
    name: str
    description: str | None = None
    permissions: list[Permission]
    created_at: datetime
    updated_at: datetime

# CreatePermissionRequest, CreateRoleRequest...
```

Then re-export in `models/__init__.py`:
```python
from .health_models   import HealthMetrics, ReadinessCheck, LivenessCheck
from .token_models    import CreateTokenRequest, CreateTokenResponse, TokenInfo, TokenValidationResponse
from .rate_limit_models import RateLimitConfig, RateLimitStats
from .admin_models    import Permission, Role, CreatePermissionRequest, CreateRoleRequest
```

This keeps each file under ~100 LOC, groups related models, and preserves your public API exactly as before.
</issue_to_address>

### Comment 4
<location> `sdks/python/src/authframework/_base.py:169` </location>
<code_context>
         retries_msg = "Max retries exceeded"
         raise AuthFrameworkError(retries_msg)

+    async def _make_text_request(
+        self,
+        method: str,
</code_context>

<issue_to_address>
**issue (complexity):** Consider refactoring the request logic to use a generic method with a parser function for both JSON and text responses.

Here’s one way to collapse the two “text” methods and the existing JSON methods into a single generic flow:

1. Extract a generic `_attempt_request_generic` that takes a `parser` function.  
2. Extract a generic `_make_request` that handles URL-building, retries/backoff, and calls the generic attempt.  
3. Implement your old JSON and new text methods in terms of those two.

```python
from typing import Callable, Any

# 1) Generic attempt + parser
async def _attempt_request_generic(
    self,
    method: str,
    url: str,
    headers: dict[str, str],
    config: RequestConfig,
    timeout: float,
    parser: Callable[[httpx.Response], Any],
) -> Any | None:
    try:
        response = await self._execute_request(
            method, url, headers, config, timeout
        )
        if response.status_code < HTTP_SUCCESS_THRESHOLD:
            return parser(response)

        error_info = self._parse_error_response(response)
        self._raise_api_error(response.status_code, error_info)

    except httpx.TimeoutException as e:
        raise AuthTimeoutError("Request timeout") from e
    except httpx.NetworkError as e:
        raise NetworkError("Network error") from e
    except AuthFrameworkError:
        raise
    except Exception as e:
        if not is_retryable_error(e):
            raise AuthFrameworkError("Request failed") from e
        return None

    return None
```

```python
# 2) Generic make + retries/backoff
async def _make_request(
    self,
    method: str,
    endpoint: str,
    parser: Callable[[httpx.Response], Any],
    *,
    config: RequestConfig | None = None,
) -> Any:
    config = config or RequestConfig()
    url = urljoin(self.base_url, endpoint.lstrip("/"))
    timeout = config.timeout or self.timeout
    retries = config.retries if config.retries is not None else self.retries

    headers: dict[str, str] = {}
    if self._access_token:
        headers["Authorization"] = f"Bearer {self._access_token}"

    for attempt in range(retries + 1):
        result = await self._attempt_request_generic(
            method, url, headers, config, timeout, parser
        )
        if result is not None:
            return result

        if attempt < retries:
            await asyncio.sleep(min(2 ** attempt, 10))

    raise AuthFrameworkError("Max retries exceeded")
```

```python
# 3) JSON and TEXT entry-points
async def make_request(
    self,
    method: str,
    endpoint: str,
    *,
    config: RequestConfig | None = None,
) -> dict[str, Any]:
    return await self._make_request(
        method, endpoint, parser=lambda r: r.json(), config=config
    )

async def make_text_request(
    self,
    method: str,
    endpoint: str,
    *,
    config: RequestConfig | None = None,
) -> str:
    return await self._make_request(
        method, endpoint, parser=lambda r: r.text, config=config
    )
```

This preserves retries, backoff, error-handling, and keeps JSON vs. text parsing as a single‐line switch.
</issue_to_address>

### Comment 5
<location> `sdks/python/src/authframework/integrations/flask.py:97` </location>
<code_context>
+    return getattr(g, 'current_user', None)
+
+
+def auth_required(auth_framework: AuthFrameworkFlask):
+    """Decorator to require authentication."""
+    def decorator(f: Callable) -> Callable:
</code_context>

<issue_to_address>
**issue (complexity):** Consider refactoring the decorators to use a single shared factory function for authentication and authorization checks.

```python
# Add a single decorator‐factory to capture all common logic:
def _make_auth_decorator(
    auth_framework: AuthFrameworkFlask,
    *,
    post_check: Callable[[FlaskAuthUser], bool] | None = None,
    error_builder: Callable[[FlaskAuthUser | None], str] | None = None,
    error_status: int = 403
) -> Callable[[Callable], Callable]:

    def decorator(f: Callable) -> Callable:
        @functools.wraps(f)
        async def wrapper(*args: Any, **kwargs: Any) -> Any:
            token = auth_framework._get_token_from_request()
            if not token:
                return auth_framework._handle_auth_error("Authorization header missing")

            try:
                user = await auth_framework._validate_token(token)
                g.current_user = user
            except AuthFrameworkError as e:
                return auth_framework._handle_auth_error(f"Authentication failed: {e}")

            if post_check and not post_check(user):
                msg = error_builder(user) if error_builder else "Forbidden"
                return auth_framework._handle_auth_error(msg, error_status)

            return await f(*args, **kwargs)
        return wrapper
    return decorator


# Then simplify your four public decorators:

def auth_required(af: AuthFrameworkFlask):
    return _make_auth_decorator(af)


def role_required(af: AuthFrameworkFlask, role: str):
    return _make_auth_decorator(
        af,
        post_check=lambda u: u.has_role(role),
        error_builder=lambda u: f"Role '{role}' required",
    )


def any_role_required(af: AuthFrameworkFlask, roles: list[str]):
    return _make_auth_decorator(
        af,
        post_check=lambda u: u.has_any_role(roles),
        error_builder=lambda u: "One of the following roles required: " + ", ".join(f"'{r}'" for r in roles),
    )


def permission_required(af: AuthFrameworkFlask, resource: str, action: str):
    return _make_auth_decorator(
        af,
        post_check=lambda u: u.has_role("admin"),  # replace with real permission check later
        error_builder=lambda u: f"Permission '{action}' on '{resource}' required",
    )
```

This removes the nested decorators and duplicated token‐validation logic while preserving all existing behavior.
</issue_to_address>

### Comment 6
<location> `sdks/python/examples/fastapi_integration_demo.py:106-107` </location>
<code_context>
@app.get("/health")
async def health_check():
    """Health check endpoint using AuthFramework's health service."""
    try:
        health_status = await client.health.check()
        return health_status
    except Exception as e:
        return JSONResponse(
            status_code=503,
            content={"status": "unhealthy", "error": str(e)}
        )

</code_context>

<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Default-Rules/refactorings/inline-immediately-returned-variable/))

```suggestion
        return await client.health.check()
```
</issue_to_address>

### Comment 7
<location> `sdks/python/examples/fastapi_integration_demo.py:119-120` </location>
<code_context>
@app.get("/health/detailed")
async def detailed_health_check():
    """Detailed health check endpoint."""
    try:
        detailed_health = await client.health.detailed_check()
        return detailed_health
    except Exception as e:
        return JSONResponse(
            status_code=503,
            content={"status": "unhealthy", "error": str(e)}
        )

</code_context>

<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Default-Rules/refactorings/inline-immediately-returned-variable/))

```suggestion
        return await client.health.detailed_check()
```
</issue_to_address>

### Comment 8
<location> `sdks/python/src/authframework/_tokens.py:47-50` </location>
<code_context>
    async def validate(self, token: str | None = None) -> dict[str, Any]:
        """Validate a token.

        Args:
            token: Token to validate. If None, uses the stored access token.

        Returns:
            Token validation result with user information.

        """
        config = RequestConfig()

        # If a specific token is provided, we need to temporarily set it
        original_token = None
        if token is not None:
            original_token = self._client.get_access_token()
            self._client.set_access_token(token)

        try:
            return await self._client.make_request("GET", "/auth/validate", config=config)
        finally:
            # Restore original token if we temporarily changed it
            if token is not None and original_token is not None:
                self._client.set_access_token(original_token)
            elif token is not None:
                self._client.clear_access_token()

</code_context>

<issue_to_address>
**issue (code-quality):** Lift repeated conditional into its own if statement ([`lift-duplicated-conditional`](https://docs.sourcery.ai/Reference/Default-Rules/refactorings/lift-duplicated-conditional/))
</issue_to_address>

### Comment 9
<location> `sdks/python/src/authframework/integrations/fastapi.py:46` </location>
<code_context>
    async def _validate_token(self, credentials: HTTPAuthorizationCredentials) -> AuthUser:
        """Validate token and return user information."""
        try:
            # Validate token using the tokens service
            validation_result = await self.client.tokens.validate(credentials.credentials)

            if not validation_result.get("valid", False):
                raise HTTPException(
                    status_code=status.HTTP_401_UNAUTHORIZED,
                    detail="Invalid or expired token"
                )

            # Get user information
            user_id = validation_result.get("user_id")
            if not user_id:
                raise HTTPException(
                    status_code=status.HTTP_401_UNAUTHORIZED,
                    detail="Token does not contain user information"
                )

            # This would typically come from the validation response
            # For now, we'll create a basic user info object
            user_info = UserInfo(
                id=user_id,
                username=validation_result.get("username", ""),
                email=validation_result.get("email", ""),
                roles=validation_result.get("scopes", []),
                mfa_enabled=validation_result.get("mfa_enabled", False),
                created_at=validation_result.get("created_at"),
                last_login=validation_result.get("last_login")
            )

            return AuthUser(user_info, credentials.credentials)

        except AuthFrameworkError as e:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=f"Authentication failed: {e}"
            )

</code_context>

<issue_to_address>
**issue (code-quality):** Explicitly raise from a previous error ([`raise-from-previous-error`](https://docs.sourcery.ai/Reference/Default-Rules/suggestions/raise-from-previous-error/))
</issue_to_address>

### Comment 10
<location> `sdks/python/tests/integration_conftest.py:47-55` </location>
<code_context>
    async def start(self) -> None:
        """Start the AuthFramework server."""
        print(f"🚀 Starting AuthFramework server on port {self.port}...")

        # Build the server first
        build_result = subprocess.run(
            ["cargo", "build", "--bin", "auth-framework", "--features", "admin-binary"],
            cwd=self.project_root,
            capture_output=True,
            text=True
        )

        if build_result.returncode != 0:
            raise RuntimeError(f"Failed to build AuthFramework server: {build_result.stderr}")

        # Start the server
        env = os.environ.copy()
        env.update({
            "AUTH_FRAMEWORK_HOST": "127.0.0.1",
            "AUTH_FRAMEWORK_PORT": str(self.port),
            "AUTH_FRAMEWORK_DATABASE_URL": "sqlite::memory:",
            "AUTH_FRAMEWORK_JWT_SECRET": "test-secret-for-integration-tests-only-not-secure",
            "AUTH_FRAMEWORK_LOG_LEVEL": "info",
            "RUST_LOG": "auth_framework=debug",
        })

        self.process = subprocess.Popen(
            [self.project_root / "target" / "debug" / "auth-framework"],
            cwd=self.project_root,
            env=env,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True
        )

        # Wait for server to be ready
        await self._wait_for_server_ready()
        print(f"✅ AuthFramework server ready at {self.base_url}")

</code_context>

<issue_to_address>
**issue (code-quality):** Merge dictionary updates via the union operator [×2] ([`dict-assign-update-to-union`](https://docs.sourcery.ai/Reference/Default-Rules/suggestions/dict-assign-update-to-union/))
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[chatgpt-codex-connector]

[P0] Path placeholders no longer match Axum syntax

The router now declares parameterised routes using "/users/{user_id}/profile" and similar. Axum’s router still expects placeholders in the /:param form (e.g. "/users/:user_id/profile"). Because matchit treats braces as literal characters, every endpoint that relies on a path parameter (client info, session revocation, user profile, admin user operations, etc.) will stop matching and return 404s even though the handlers are registered. The URLs must use the colon syntax unless the framework version is also updated to one that supports braces.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

[P1] FastAPI integration misreads token validation response

The FastAPI dependency expects tokens.validate() to return top-level fields like valid, user_id, username, etc., and builds a UserInfo directly from those keys. The actual /auth/validate handler returns an ApiResponse with {"success": true, "data": {...}}, so validation_result.get("valid", False) will always be False and the call raises 401 even for valid tokens. Additionally, UserInfo requires non‑optional email and created_at, so the current code will raise a ValidationError if those keys are missing. As written, the dependency rejects all tokens and can crash; the code should read from validation_result["data"] and handle missing fields.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

[P1] Flask integration always treats tokens as invalid

The Flask decorators repeat the same assumptions as the FastAPI helper by checking validation_result.get("valid", False) and pulling user attributes directly from the top-level response. Because /auth/validate returns {"success": true, "data": {...}}, every call reports the token as invalid and UserInfo construction can fail when required fields like email or created_at are absent. The decorators therefore return authentication errors for valid tokens and may raise exceptions. The implementation should read validation_result["data"] (and supply defaults for required fields) instead of the current structure.

Useful? React with 👍 / 👎.

[ciresnave]

@sourcery-ai review

[sourcery-ai]

Sorry @ciresnave, your pull request is larger than the review limit of 150000 diff characters

[ciresnave]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[chatgpt-codex-connector]

[P1] Parse token validation response before enforcing authentication

The FastAPI dependency treats the result of tokens.validate() as a flat dict with valid and user_id keys, but /auth/validate returns an ApiResponse ({"success": true, "data": {...}}) without those fields at the top level (see src/api/auth.rs). Because validation_result.get("valid", False) is always false and user_id stays None, every request is rejected with 401 even for valid tokens. The handler needs to check validation_result["success"] and read the user data from validation_result["data"] before building UserInfo.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

[P1] Token validation parsing is incompatible with API response shape

The Flask integration expects tokens.validate() to return keys like valid and user_id, yet the server wraps validation in an ApiResponse with the payload under data and no valid boolean. Consequently validation_result.get("valid", False) evaluates to false and user_id is missing, causing the decorator to raise AuthFrameworkError for every request even when the token is valid. The code should unwrap the data field and rely on the success flag returned by /auth/validate.

Useful? React with 👍 / 👎.

[Copilot]

Pull Request Overview

This PR enhances the AuthFramework Python SDK to achieve near parity with the Rust interface, along with fixing minor routing issues in the Rust server. The update significantly expands SDK capabilities from ~60-70% to ~90% functionality coverage.

Key Changes:

• Adds comprehensive Health and Token management services
• Introduces framework integrations for FastAPI and Flask with authentication decorators
• Establishes robust integration testing framework with server lifecycle management

Reviewed Changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/api/server.rs	Updates route path parameters from :param to {param} syntax for consistency
sdks/python/src/authframework/	Adds HealthService and TokenService with comprehensive API coverage
sdks/python/src/authframework/integrations/	New FastAPI and Flask integration modules with auth decorators
sdks/python/tests/integration/	Complete integration test framework with real server testing capabilities
sdks/python/src/authframework/models/	Domain-specific model files for health, tokens, rate limits, and admin operations
sdks/python/examples/	Enhanced demo applications showing new SDK features and framework integrations

[Copilot]

Route path parameter syntax has been updated from :client_id to {client_id}, which is consistent with Axum's modern routing conventions. Ensure all handler functions are updated to use the new parameter extraction syntax if they haven't been already.

[Copilot]

[nitpick] These imports are placed inside the method rather than at the module level. For better maintainability and performance, consider moving these imports to the top of the file with appropriate error handling for optional dependencies.

[Copilot]

The UserInfo model expects created_at to be a datetime object, but validation_result.get('created_at') might return None or a string. This could cause validation errors. Consider adding proper datetime parsing or default values.

[ciresnave]

This PR was largely invalidated when I split the SDKs out of the main repository. All of the code modifications will be integrated into the codebase in other ways.