Huey Bookbot chatflow runtime: option matching, direct service calls, CSRF fix #579

Merged: hardbyte merged 7 commits into main from feat/huey-bookbot-chatflow on Feb 7, 2026
@hardbyte (Owner) commented Feb 7, 2026

Summary

Extends the chat runtime to fully support the Huey Bookbot reading-preference flow end-to-end, including CMS-sourced questions with dynamic options, hue-based book recommendations, and cross-origin CSRF validation for production deployments.

Chat runtime (chat_runtime.py)

  • Full option object matching: Store resolved options in system._current_options so process_response() can return the complete option (with fields like age_number, hue_map) instead of just the label text
  • Choice routing: Option-index routing (OPTION_0/OPTION_1) before falling back to condition-based or DEFAULT connections
  • CMS random-source questions: Call process_node() to fetch content and resolve options for CMS-sourced questions encountered during node chaining
  • Variable substitution in question text: Resolve {{context.school_name}} etc. in question prompts
  • Book list message rendering: Handle book_list message type by resolving source variable to book data

Action processor (action_processor.py)

  • Direct internal service calls: For known internal endpoints (e.g. /v1/recommend), bypass HTTP and call the service layer directly — avoids auth requirements for anonymous chatbot sessions and eliminates HTTP overhead
  • Type-preserving variable resolution: Use substitute_object instead of substitute_variables in set_variable actions to preserve ints, dicts, lists
  • Deep merge for state updates: Preserve existing nested scope keys across action nodes
  • Nested response mapping: Use _set_nested_value for response_mapping paths like temp.book_count

New: Internal API handler registry (internal_api_handlers.py)

  • Decorator-based registry pattern for internal endpoint handlers
  • /v1/recommend handler calling get_recommendations_with_fallback directly

CEL evaluator

  • top_keys(dict, n) function for ranking hue profile keys by weight

Variable resolver

  • substitute_object now preserves typed values (int, dict, list) when the entire string is a single {{var}} reference

CSRF cross-origin fix (csrf.py, chat.py)

  • Accept header-only X-CSRF-Token when cookie is absent due to SameSite restrictions in cross-origin deployments
  • Set SameSite=none (with Secure) for production cookies
  • Fixes: 403 - CSRF token missing in cookie on production chatflow pages

Other

  • Server-side school name resolution in chat.py: Look up school name from school_wriveted_id in initial state
  • CMS repository: Fix ::jsonb cast syntax for SQLAlchemy parameter parsing
  • API client: Use structlog; null-safe WRIVETED_INTERNAL_API
  • Seed script: Hardened re-seeding with SET CONSTRAINTS ALL DEFERRED for booklist items; extended fixtures with CMS content and flow JSON loading
  • README: Rewritten with quick start, chatflow runtime docs, and restored operational references

Test plan

  • All 298 unit tests pass (poetry run pytest app/tests/unit/ -x)
  • New top_keys CEL function tests
  • Updated variable resolver tests for type preservation
  • Updated CSRF test for cross-origin header-only validation
  • Booklist reorder API tested manually (move-up + move-down)
  • Full E2E flow test with seeded data (python scripts/test_huey_flow_e2e.py)
  • Integration tests (bash scripts/integration-tests.sh)
  • Production CSRF validation on hueybooks.com
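
The header-only fallback described under "CSRF cross-origin fix", sketched as an added example (not code from this PR or repository). The cookie name `csrf_token`, the lowercase header dict and the Origin allowlist on the header-only path are assumptions; the PR text only states that the header is accepted when the cookie is absent and that production cookies use SameSite=none with Secure.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed allowlist (assumption): mirrors the deployment's CORS origin list.
ALLOWED_ORIGINS = {"https://app.example.test"}


def validate_csrf(headers, cookies, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason) for a state-changing request.

    headers: dict with lowercase keys; cookies: dict of cookie name -> value.
    """
    header_token = headers.get("x-csrf-token", "")
    cookie_token = cookies.get("csrf_token")  # hypothetical cookie name
    if not header_token:
        return False, "CSRF token missing in header"
    if cookie_token is not None:
        # Double-submit path: both copies must match, compared in constant time.
        if hmac.compare_digest(header_token.encode(), cookie_token.encode()):
            return True, "double-submit match"
        return False, "CSRF token mismatch"
    # Header-only path: the browser withheld the cookie (SameSite) on a
    # cross-origin request. Nothing binds the token to a cookie here, so this
    # sketch also requires an allowlisted Origin (assumption, not from the PR).
    if headers.get("origin") in allowed_origins:
        return True, "header-only, allowlisted origin"
    return False, "header-only token from unlisted origin"


def csrf_cookie_header(token, production):
    """Build the Set-Cookie value; SameSite=None is only valid with Secure."""
    cookie = SimpleCookie()
    cookie["csrf_token"] = token
    morsel = cookie["csrf_token"]
    morsel["path"] = "/"
    if production:
        morsel["samesite"] = "None"
        morsel["secure"] = True
    else:
        morsel["samesite"] = "Lax"
    return morsel.OutputString()
```
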

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f21106fb6b


- Store inline question options in _current_options (not just CMS-sourced),
  fixing cascading failures where age/reading answers stored as raw strings
  instead of full option dicts with typed fields like age_number
- Add internal API handler registry for direct service-layer calls, bypassing
  HTTP auth for anonymous chatbot sessions (e.g. /v1/recommend)
- Fix broken import in _find_matching_connection (app.crud.chat → chat_repo)
- Resolve school name server-side from school_wriveted_id during session start
- Add CEL functions for hue profile aggregation (merge, top_keys)
- Expand seed fixtures with book catalog, themes, and flow_file loading
- Safely parse and clamp limit param in recommend handler (1-50)
- Point api service WRIVETED_INTERNAL_API at internal:8888, not itself
- Always write _current_options (even empty) to clear stale options
  from previous questions, preventing incorrect option reuse

CSRF: Accept header-only X-CSRF-Token when cookie is absent due to
SameSite restrictions in cross-origin deployments. CORS prevents
unauthorized origins from obtaining the token. Set SameSite=none
(with Secure) for production cookies to enable cross-origin sending.

Seed script: Use SET CONSTRAINTS ALL DEFERRED when reconciling
booklist items to avoid IntegrityError on the unique order_id
constraint after drag-and-drop reordering.

Add back containers diagram, scrubbed dataset link, API consumer list,
joined-table inheritance docs link, ACL code example, Firebase console
link, get_auth_token.py reference, and cloudrun role SQL setup.

Eliminate code duplication in chat_runtime.py:
- Replace 9 inline input_request dict constructions with _build_input_request()
- Replace 4 duplicate question-processing blocks with _resolve_question_node()
- Collapse identical random/non-random CMS branches
- Fix MESSAGE→QUESTION path to process question nodes properly
- Fix get_initial_node to handle CMS question nodes correctly

Match the public /v1/recommend endpoint's HueyOutput contract so
response_mapping for "query" works via both HTTP and direct paths.
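
The decorator-based handler registry and the 1-50 limit clamp mentioned in the description and commit messages, as an added example (not the contents of internal_api_handlers.py). The names `internal_handler`, `clamp_limit`, `dispatch`, the default of 5 and the stand-in catalogue are hypothetical.

```python
from typing import Any, Callable, Dict

# Only paths registered here are ever called without going through HTTP auth.
_HANDLERS: Dict[str, Callable[[dict], Any]] = {}


def internal_handler(path: str):
    """Register a function as the direct handler for one internal endpoint."""
    def decorator(fn):
        if path in _HANDLERS:
            raise ValueError(f"duplicate handler for {path}")
        _HANDLERS[path] = fn
        return fn
    return decorator


def clamp_limit(raw, default=5, lo=1, hi=50) -> int:
    """Parse an untrusted limit value and clamp it into lo..hi."""
    try:
        value = int(raw)
    except (TypeError, ValueError, OverflowError):
        return default  # missing or non-numeric input falls back to the default
    return max(lo, min(hi, value))


@internal_handler("/v1/recommend")
def recommend(params: dict) -> dict:
    limit = clamp_limit(params.get("limit"))
    # Stand-in for the service-layer call; constructed catalogue of 100 items.
    books = [f"book-{i}" for i in range(100)][:limit]
    return {"count": len(books), "books": books}


def dispatch(path: str, params: dict):
    """Return (handled, result); unregistered paths are never called directly."""
    handler = _HANDLERS.get(path)
    if handler is None:
        return False, None  # caller falls back to the authenticated HTTP path
    return True, handler(params)
```

Because the direct path skips the HTTP layer's authentication, the registry acts as the allowlist: flow-supplied endpoint strings that are not registered get no direct call, and every handler has to validate its own parameters.
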
@hardbyte force-pushed the feat/huey-bookbot-chatflow branch from 54ccd3a to 623d0ed on February 7, 2026 07:00
@hardbyte merged commit 2316ff8 into main on Feb 7, 2026 (11 checks passed)
@hardbyte deleted the feat/huey-bookbot-chatflow branch on February 7, 2026 07:10