docs(mkdocs): review readme and mkdocs flux schema

Author: Athroniaeth

README.md

@@ -164,7 +164,105 @@ If they match, the key is valid.
 
 Here is a diagram showing what happens after you initialize your API key service with a global prefix and delimiter when you provide an API key to the `.verify_key()` method.
 
-<img src="./docs/schema.svg">
+```mermaid
+---
+title: "keyshield — verify_key() Flow"
+---
+flowchart LR
+    %% ── Styles ──────────────────────────────────────────────
+    classDef startNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef processNode fill:#FFF9C4,stroke:#F9A825,color:#000
+    classDef rejectNode fill:#EF9A9A,stroke:#C62828,color:#000
+    classDef acceptNode fill:#A5D6A7,stroke:#2E7D32,color:#000
+    classDef cacheNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef noteStyle fill:#FFFDE7,stroke:#FBC02D,color:#555,font-size:11px
+
+    %% ── Entry ───────────────────────────────────────────────
+    INPUT(["`**Api Key**
+    _ak-7a74…10d-mAfP…bzw_`"]):::startNode
+
+    %% ── Main flow ───────────────────────────────────────────
+    CACHED{"`**Is cached key?**
+    _(hash api key to SHA-256
+    to avoid Argon slow hashing)_`"}:::processNode
+
+    NULL_CHECK{"`**Is null or empty
+    string value?**`"}:::processNode
+
+    SPLIT["`**Split string**
+    _(by global_prefix)_`"]:::processNode
+
+    THREE_PARTS{"`**Has strictly
+    3 parts?**`"}:::processNode
+
+    PREFIX_CHECK{"`**First part equals
+    to global prefix?**`"}:::processNode
+
+    QUERY_DB["`**Query API Key
+    by key_id**`"]:::processNode
+
+    COMPARE{"`**Compare db api key hash
+    to received api key hash**`"}:::processNode
+
+    %% ── Outcomes ────────────────────────────────────────────
+    REJECT(["`🔴 **Reject API Key**`"]):::rejectNode
+    ACCEPT(["`🟢 **Accept API Key**`"]):::acceptNode
+    CACHE_STORE(["`🔵 **Cache API Key**`"]):::cacheNode
+
+    %% ── Happy path (left → right) ──────────────────────────
+    INPUT --> CACHED
+    CACHED -- "no" --> NULL_CHECK
+    NULL_CHECK -- "no" --> SPLIT
+    SPLIT -- "exec" --> THREE_PARTS
+    THREE_PARTS -- "yes" --> PREFIX_CHECK
+    PREFIX_CHECK -- "yes" --> QUERY_DB
+    QUERY_DB -- "found" --> COMPARE
+
+    %% ── Accept path ─────────────────────────────────────────
+    CACHED -- "yes" --> ACCEPT
+    COMPARE -- "equals" --> ACCEPT
+    ACCEPT -- "`**APIKey.touch()**
+    _(update last_used_at)_`" --> CACHE_STORE
+
+    %% ── Reject paths ────────────────────────────────────────
+    NULL_CHECK -- "yes" --> REJECT
+    SPLIT -- "Exception" --> REJECT
+    THREE_PARTS -- "no" --> REJECT
+    PREFIX_CHECK -- "no" --> REJECT
+    QUERY_DB -- "not found" --> REJECT
+    COMPARE -- "not equals" --> REJECT
+
+    %% ── Notes (annotations) ─────────────────────────────────
+    NOTE_FORMAT["`**Format API Key**
+    {global_prefix}: str
+    {separator}: str
+    {key_prefix}: UUID
+    {separator}: str
+    {key_secret}: UUID
+
+    _global_prefix = 'ak'_
+    _separator = '-'_`"]:::noteStyle
+
+    NOTE_CACHE["`**Cache rules**
+    InMemory / Redis
+    • invalid if api key updated or deleted
+    • invalid after 3600s`"]:::noteStyle
+
+    NOTE_ARGON["`**ArgonApiKeyHasher**
+    • line salt apikey
+    • global pepper api key`"]:::noteStyle
+
+    NOTE_SLEEP["`**sleep random (0.1s – 0.5s)**
+    makes brute force less effective;
+    randomization helps prevent
+    timing attacks`"]:::noteStyle
+
+    NOTE_FORMAT ~~~ INPUT
+    NOTE_CACHE ~~~ CACHE_STORE
+    NOTE_ARGON ~~~ COMPARE
+    NOTE_SLEEP ~~~ REJECT
+
+```
 
 ### Mount the FastAPI router
 

docs/index.md

@@ -63,7 +63,105 @@ If they match, the key is valid.
 
 Here is a diagram showing what happens after you initialize your API key service with a global prefix and delimiter when you provide an API key to the `.verify_key()` method.
 
-<img src="./schema.svg">
+```mermaid
+---
+title: "keyshield — verify_key() Flow"
+---
+flowchart LR
+    %% ── Styles ──────────────────────────────────────────────
+    classDef startNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef processNode fill:#FFF9C4,stroke:#F9A825,color:#000
+    classDef rejectNode fill:#EF9A9A,stroke:#C62828,color:#000
+    classDef acceptNode fill:#A5D6A7,stroke:#2E7D32,color:#000
+    classDef cacheNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef noteStyle fill:#FFFDE7,stroke:#FBC02D,color:#555,font-size:11px
+
+    %% ── Entry ───────────────────────────────────────────────
+    INPUT(["`**Api Key**
+    _ak-7a74…10d-mAfP…bzw_`"]):::startNode
+
+    %% ── Main flow ───────────────────────────────────────────
+    CACHED{"`**Is cached key?**
+    _(hash api key to SHA-256
+    to avoid Argon slow hashing)_`"}:::processNode
+
+    NULL_CHECK{"`**Is null or empty
+    string value?**`"}:::processNode
+
+    SPLIT["`**Split string**
+    _(by global_prefix)_`"]:::processNode
+
+    THREE_PARTS{"`**Has strictly
+    3 parts?**`"}:::processNode
+
+    PREFIX_CHECK{"`**First part equals
+    to global prefix?**`"}:::processNode
+
+    QUERY_DB["`**Query API Key
+    by key_id**`"]:::processNode
+
+    COMPARE{"`**Compare db api key hash
+    to received api key hash**`"}:::processNode
+
+    %% ── Outcomes ────────────────────────────────────────────
+    REJECT(["`🔴 **Reject API Key**`"]):::rejectNode
+    ACCEPT(["`🟢 **Accept API Key**`"]):::acceptNode
+    CACHE_STORE(["`🔵 **Cache API Key**`"]):::cacheNode
+
+    %% ── Happy path (left → right) ──────────────────────────
+    INPUT --> CACHED
+    CACHED -- "no" --> NULL_CHECK
+    NULL_CHECK -- "no" --> SPLIT
+    SPLIT -- "exec" --> THREE_PARTS
+    THREE_PARTS -- "yes" --> PREFIX_CHECK
+    PREFIX_CHECK -- "yes" --> QUERY_DB
+    QUERY_DB -- "found" --> COMPARE
+
+    %% ── Accept path ─────────────────────────────────────────
+    CACHED -- "yes" --> ACCEPT
+    COMPARE -- "equals" --> ACCEPT
+    ACCEPT -- "`**APIKey.touch()**
+    _(update last_used_at)_`" --> CACHE_STORE
+
+    %% ── Reject paths ────────────────────────────────────────
+    NULL_CHECK -- "yes" --> REJECT
+    SPLIT -- "Exception" --> REJECT
+    THREE_PARTS -- "no" --> REJECT
+    PREFIX_CHECK -- "no" --> REJECT
+    QUERY_DB -- "not found" --> REJECT
+    COMPARE -- "not equals" --> REJECT
+
+    %% ── Notes (annotations) ─────────────────────────────────
+    NOTE_FORMAT["`**Format API Key**
+    {global_prefix}: str
+    {separator}: str
+    {key_prefix}: UUID
+    {separator}: str
+    {key_secret}: UUID
+
+    _global_prefix = 'ak'_
+    _separator = '-'_`"]:::noteStyle
+
+    NOTE_CACHE["`**Cache rules**
+    InMemory / Redis
+    • invalid if api key updated or deleted
+    • invalid after 3600s`"]:::noteStyle
+
+    NOTE_ARGON["`**ArgonApiKeyHasher**
+    • line salt apikey
+    • global pepper api key`"]:::noteStyle
+
+    NOTE_SLEEP["`**sleep random (0.1s – 0.5s)**
+    makes brute force less effective;
+    randomization helps prevent
+    timing attacks`"]:::noteStyle
+
+    NOTE_FORMAT ~~~ INPUT
+    NOTE_CACHE ~~~ CACHE_STORE
+    NOTE_ARGON ~~~ COMPARE
+    NOTE_SLEEP ~~~ REJECT
+
+```
 
 ## Additional notes
 

docs/schema.mermaid

@@ -0,0 +1,96 @@
+---
+title: "keyshield — verify_key() Flow"
+---
+flowchart LR
+    %% ── Styles ──────────────────────────────────────────────
+    classDef startNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef processNode fill:#FFF9C4,stroke:#F9A825,color:#000
+    classDef rejectNode fill:#EF9A9A,stroke:#C62828,color:#000
+    classDef acceptNode fill:#A5D6A7,stroke:#2E7D32,color:#000
+    classDef cacheNode fill:#90CAF9,stroke:#1565C0,color:#000
+    classDef noteStyle fill:#FFFDE7,stroke:#FBC02D,color:#555,font-size:11px
+
+    %% ── Entry ───────────────────────────────────────────────
+    INPUT(["`**Api Key**
+    _ak-7a74…10d-mAfP…bzw_`"]):::startNode
+
+    %% ── Main flow ───────────────────────────────────────────
+    CACHED{"`**Is cached key?**
+    _(hash api key to SHA-256
+    to avoid Argon slow hashing)_`"}:::processNode
+
+    NULL_CHECK{"`**Is null or empty
+    string value?**`"}:::processNode
+
+    SPLIT["`**Split string**
+    _(by global_prefix)_`"]:::processNode
+
+    THREE_PARTS{"`**Has strictly
+    3 parts?**`"}:::processNode
+
+    PREFIX_CHECK{"`**First part equals
+    to global prefix?**`"}:::processNode
+
+    QUERY_DB["`**Query API Key
+    by key_id**`"]:::processNode
+
+    COMPARE{"`**Compare db api key hash
+    to received api key hash**`"}:::processNode
+
+    %% ── Outcomes ────────────────────────────────────────────
+    REJECT(["`🔴 **Reject API Key**`"]):::rejectNode
+    ACCEPT(["`🟢 **Accept API Key**`"]):::acceptNode
+    CACHE_STORE(["`🔵 **Cache API Key**`"]):::cacheNode
+
+    %% ── Happy path (left → right) ──────────────────────────
+    INPUT --> CACHED
+    CACHED -- "no" --> NULL_CHECK
+    NULL_CHECK -- "no" --> SPLIT
+    SPLIT -- "exec" --> THREE_PARTS
+    THREE_PARTS -- "yes" --> PREFIX_CHECK
+    PREFIX_CHECK -- "yes" --> QUERY_DB
+    QUERY_DB -- "found" --> COMPARE
+
+    %% ── Accept path ─────────────────────────────────────────
+    CACHED -- "yes" --> ACCEPT
+    COMPARE -- "equals" --> ACCEPT
+    ACCEPT -- "`**APIKey.touch()**
+    _(update last_used_at)_`" --> CACHE_STORE
+
+    %% ── Reject paths ────────────────────────────────────────
+    NULL_CHECK -- "yes" --> REJECT
+    SPLIT -- "Exception" --> REJECT
+    THREE_PARTS -- "no" --> REJECT
+    PREFIX_CHECK -- "no" --> REJECT
+    QUERY_DB -- "not found" --> REJECT
+    COMPARE -- "not equals" --> REJECT
+
+    %% ── Notes (annotations) ─────────────────────────────────
+    NOTE_FORMAT["`**Format API Key**
+    {global_prefix}: str
+    {separator}: str
+    {key_prefix}: UUID
+    {separator}: str
+    {key_secret}: UUID
+
+    _global_prefix = 'ak'_
+    _separator = '-'_`"]:::noteStyle
+
+    NOTE_CACHE["`**Cache rules**
+    InMemory / Redis
+    • invalid if api key updated or deleted
+    • invalid after 3600s`"]:::noteStyle
+
+    NOTE_ARGON["`**ArgonApiKeyHasher**
+    • line salt apikey
+    • global pepper api key`"]:::noteStyle
+
+    NOTE_SLEEP["`**sleep random (0.1s – 0.5s)**
+    makes brute force less effective;
+    randomization helps prevent
+    timing attacks`"]:::noteStyle
+
+    NOTE_FORMAT ~~~ INPUT
+    NOTE_CACHE ~~~ CACHE_STORE
+    NOTE_ARGON ~~~ COMPARE
+    NOTE_SLEEP ~~~ REJECT

mkdocs.yml

@@ -40,6 +40,12 @@ theme:
         icon: material/weather-sunny
         name: Switch to light mode
 markdown_extensions:
+
+  - pymdownx.superfences:
+      custom_fences:
+        - name: mermaid
+          class: mermaid
+          format: !!python/name:pymdownx.superfences.fence_code_format
   - admonition
   - def_list
   - footnotes

src/keyshield/api.py

@@ -8,8 +8,7 @@
     import sqlalchemy  # noqa: F401
 except ModuleNotFoundError as e:  # pragma: no cover
     raise ImportError(
-        "FastAPI and SQLAlchemy backend requires 'fastapi' and 'sqlalchemy'. "
-        "Install it with: uv add keyshield[fastapi]"
+        "FastAPI and SQLAlchemy backend requires 'fastapi' and 'sqlalchemy'. Install it with: uv add keyshield[fastapi]"
     ) from e
 
 from typing import Annotated, Awaitable, Callable, List, Optional, Union

src/keyshield/litestar_api.py

@@ -27,9 +27,7 @@ async def provide_svc() -> ApiKeyService:
 try:
     import litestar  # noqa: F401
 except ModuleNotFoundError as e:  # pragma: no cover
-    raise ImportError(
-        "Litestar integration requires 'litestar'. Install it with: uv add keyshield[litestar]"
-    ) from e
+    raise ImportError("Litestar integration requires 'litestar'. Install it with: uv add keyshield[litestar]") from e
 
 from typing import Awaitable, Callable, List, Optional
 

src/keyshield/repositories/sql.py

@@ -4,9 +4,7 @@
 try:
     import sqlalchemy  # noqa: F401
 except ModuleNotFoundError as e:
-    raise ImportError(
-        "SQLAlchemy backend requires 'sqlalchemy'. Install it with: uv add keyshield[sqlalchemy]"
-    ) from e
+    raise ImportError("SQLAlchemy backend requires 'sqlalchemy'. Install it with: uv add keyshield[sqlalchemy]") from e
 
 
 from datetime import datetime

src/keyshield/services/cached.py

@@ -1,9 +1,7 @@
 try:
     import aiocache  # noqa: F401
 except ModuleNotFoundError as e:
-    raise ImportError(
-        "CachedApiKeyService requires 'aiocache'. Install it with: uv add keyshield[aiocache]"
-    ) from e
+    raise ImportError("CachedApiKeyService requires 'aiocache'. Install it with: uv add keyshield[aiocache]") from e
 
 import hashlib
 from typing import List, Optional