api import fixes and dockerfile syntax issues

Nathan Parker · Nathan Parker · commit 6e45dfdb52a8 · 2025-12-03T18:15:35.000-08:00
diff --git a/Dockerfile b/Dockerfile
@@ -78,8 +78,9 @@ USER ome
 EXPOSE 8001
 
 # Health check
+# Use shell form to allow variable expansion for PORT
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:${PORT:-8001}/health || exit 1
+    CMD sh -c 'curl -f http://localhost:${PORT:-8001}/health || exit 1'
 
 # Set entrypoint
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
diff --git a/README_TESTING.md b/README_TESTING.md
@@ -0,0 +1,82 @@
+# Direct Cloud Run Testing
+
+This directory contains scripts for testing the Cloud Run service directly, bypassing the CI/CD pipeline.
+
+## Scripts
+
+### `test_cloud_run_direct.py`
+Direct testing script that sends requests to the deployed Cloud Run service and helps debug 500 errors.
+
+**Usage:**
+```bash
+# Set the service URL (defaults to the production URL)
+export SERVICE_URL="https://supply-graph-ai-1085931013579.us-west1.run.app"
+export USE_AUTH=true
+
+# Run the tests
+python test_cloud_run_direct.py
+```
+
+**What it tests:**
+- List OKH manifests (to check storage service)
+- Create OKH manifest
+- Create OKW facility
+- Match OKH to OKW (if OKH creation succeeds)
+
+### `check_cloud_logs.sh`
+Helper script to check Cloud Run logs for errors.
+
+**Usage:**
+```bash
+# Set project and service name (optional, has defaults)
+export PROJECT_ID="nathan-playground-368310"
+export SERVICE_NAME="supply-graph-ai"
+
+# Run the script
+./check_cloud_logs.sh
+```
+
+**What it shows:**
+- Recent ERROR level logs
+- Logs with "Error" or "Exception" in text
+- Recent 500 errors
+- Full tracebacks for recent errors
+
+## Workflow
+
+1. **Run the test script:**
+   ```bash
+   python test_cloud_run_direct.py
+   ```
+
+2. **If you see 500 errors, check the logs:**
+   ```bash
+   ./check_cloud_logs.sh
+   ```
+
+3. **Or check logs manually:**
+   ```bash
+   # View recent errors
+   gcloud logging read \
+     'resource.type=cloud_run_revision AND resource.labels.service_name=supply-graph-ai AND severity>=ERROR' \
+     --limit 50 --format json \
+     --project=nathan-playground-368310
+   ```
+
+4. **Fix the issues found in the logs**
+
+5. **Re-run the test script to verify fixes**
+
+## Authentication
+
+The scripts use GCP identity tokens for authentication. Make sure you're authenticated:
+
+```bash
+gcloud auth login
+gcloud auth application-default login
+```
+
+Or set an explicit token:
+```bash
+export IDENTITY_TOKEN=$(gcloud auth print-identity-token)
+```
diff --git a/check_cloud_logs.sh b/check_cloud_logs.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Helper script to check Cloud Run logs for errors
+
+SERVICE_NAME="${SERVICE_NAME:-supply-graph-ai}"
+PROJECT_ID="${PROJECT_ID:-nathan-playground-368310}"
+
+echo "=========================================="
+echo "Cloud Run Logs - Recent Errors"
+echo "=========================================="
+echo ""
+
+echo "1. Recent ERROR level logs:"
+gcloud logging read \
+  "resource.type=cloud_run_revision AND resource.labels.service_name=${SERVICE_NAME} AND severity>=ERROR" \
+  --limit 20 \
+  --format json \
+  --project="${PROJECT_ID}" | jq -r '.[] | "\(.timestamp) [\(.severity)] \(.textPayload // .jsonPayload.message // "No message")"'
+
+echo ""
+echo "=========================================="
+echo "2. Recent logs with 'Error' or 'Exception' in text:"
+gcloud logging read \
+  "resource.type=cloud_run_revision AND resource.labels.service_name=${SERVICE_NAME} AND (textPayload=~\"Error\" OR textPayload=~\"Exception\" OR jsonPayload.message=~\"Error\" OR jsonPayload.message=~\"Exception\")" \
+  --limit 20 \
+  --format json \
+  --project="${PROJECT_ID}" | jq -r '.[] | "\(.timestamp) [\(.severity)] \(.textPayload // .jsonPayload.message // .jsonPayload.error // "No message")"'
+
+echo ""
+echo "=========================================="
+echo "3. Recent 500 errors:"
+gcloud logging read \
+  "resource.type=cloud_run_revision AND resource.labels.service_name=${SERVICE_NAME} AND jsonPayload.status_code=500" \
+  --limit 20 \
+  --format json \
+  --project="${PROJECT_ID}" | jq -r '.[] | "\(.timestamp) \(.jsonPayload.message // .textPayload // "No message")"'
+
+echo ""
+echo "=========================================="
+echo "4. Full traceback for recent errors:"
+gcloud logging read \
+  "resource.type=cloud_run_revision AND resource.labels.service_name=${SERVICE_NAME} AND severity>=ERROR" \
+  --limit 5 \
+  --format json \
+  --project="${PROJECT_ID}" | jq -r '.[] | select(.textPayload != null) | "\(.timestamp)\n\(.textPayload)\n---"'
+
diff --git a/get_cloud_run_token.sh b/get_cloud_run_token.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Helper script to get a valid identity token for Cloud Run
+
+SERVICE_URL="${1:-https://supply-graph-ai-1085931013579.us-west1.run.app}"
+
+echo "Getting identity token for Cloud Run service..."
+echo "Service URL: $SERVICE_URL"
+echo ""
+
+# Try with audience first (for service accounts)
+echo "Attempting to get token with audience..."
+if gcloud auth print-identity-token --audiences="$SERVICE_URL" 2>/dev/null; then
+    echo ""
+    echo "✓ Success! Token generated with correct audience."
+    exit 0
+fi
+
+# Try without audience (for user accounts - may not work)
+echo "Attempting to get token without audience..."
+if TOKEN=$(gcloud auth print-identity-token 2>/dev/null); then
+    echo "$TOKEN"
+    echo ""
+    echo "⚠ Token generated but may not work for Cloud Run."
+    echo "If you get 401 errors, you may need to:"
+    echo "  1. Grant yourself the invoker role:"
+    echo "     gcloud run services add-iam-policy-binding supply-graph-ai \\"
+    echo "       --member='user:$(gcloud config get-value account)' \\"
+    echo "       --role='roles/run.invoker' \\"
+    echo "       --region=us-west1"
+    echo ""
+    echo "  2. Or use a service account:"
+    echo "     gcloud auth activate-service-account SERVICE_ACCOUNT_EMAIL --key-file=KEY_FILE"
+    exit 0
+fi
+
+echo "❌ Failed to get identity token"
+echo ""
+echo "Make sure you're authenticated:"
+echo "  gcloud auth login"
+echo "  gcloud auth application-default login"
+exit 1
diff --git a/get_token_user_account.sh b/get_token_user_account.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Get identity token for user account to access Cloud Run
+
+SERVICE_URL="${1:-https://supply-graph-ai-1085931013579.us-west1.run.app}"
+SERVICE_ACCOUNT="${2:-supply-graph-ai@nathan-playground-368310.iam.gserviceaccount.com}"
+
+echo "Getting identity token for Cloud Run service..."
+echo "Service URL: $SERVICE_URL"
+echo "Service Account: $SERVICE_ACCOUNT"
+echo ""
+
+# Method 1: Try impersonating the service account (if you have permission)
+echo "Method 1: Impersonating service account..."
+if TOKEN=$(gcloud auth print-identity-token --impersonate-service-account="$SERVICE_ACCOUNT" --audiences="$SERVICE_URL" 2>/dev/null); then
+    echo "$TOKEN"
+    echo ""
+    echo "✓ Success! Token generated using service account impersonation."
+    exit 0
+fi
+
+# Method 2: Try without impersonation (user account token)
+echo "Method 2: Using user account token (may not work)..."
+if TOKEN=$(gcloud auth print-identity-token 2>/dev/null); then
+    echo "$TOKEN"
+    echo ""
+    echo "⚠ Token generated but may not work for Cloud Run."
+    echo ""
+    echo "If you get 401 errors, try:"
+    echo "  1. Grant yourself permission to impersonate the service account:"
+    echo "     gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT \\"
+    echo "       --member='user:$(gcloud config get-value account)' \\"
+    echo "       --role='roles/iam.serviceAccountTokenCreator'"
+    echo ""
+    echo "  2. Then use service account impersonation:"
+    echo "     gcloud auth print-identity-token --impersonate-service-account=$SERVICE_ACCOUNT --audiences=$SERVICE_URL"
+    exit 0
+fi
+
+echo "❌ Failed to get identity token"
+exit 1
diff --git a/src/core/api/routes/okh.py b/src/core/api/routes/okh.py
@@ -147,7 +147,7 @@ async def create_okh(
         processing_time = (datetime.now() - start_time).total_seconds()
 
         # Create enhanced response using the proper OKHResponse structure
-        from ...models.base import APIStatus
+        # APIStatus is already imported at the top of the file
 
         result_dict = result.to_dict() if hasattr(result, "to_dict") else result
         response_data = {
diff --git a/src/core/api/routes/okw.py b/src/core/api/routes/okw.py
@@ -200,7 +200,7 @@ async def create_okw(
         processing_time = (datetime.now() - start_time).total_seconds()
 
         # Create enhanced response matching OKWResponse structure
-        from ...models.base import APIStatus
+        # APIStatus is already imported at the top of the file
 
         response_data = {
             **facility_dict,  # Include all facility fields directly
diff --git a/test_cloud_run_direct.py b/test_cloud_run_direct.py
diff --git a/test_with_curl.sh b/test_with_curl.sh
