Merge branch 'main' into codex/remove-disable-web-security-argument-from-playwright

Author: shayancoin

.github/workflows/perf-light.yml

@@ -11,6 +11,111 @@ on:
   pull_request: {}
 
 jobs:
+  playwright-budgets:
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Use Node.js 20
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Install Playwright browsers
+        working-directory: frontend
+        run: npx playwright install --with-deps chromium
+
+      - name: Start stack
+        run: |
+          docker compose --env-file .env.development -f docker-compose.dev.yml up -d --build
+
+      - name: Wait for API
+        run: |
+          for i in {1..60}; do curl -sf http://localhost:8000/healthcheck && break || sleep 2; done
+
+      - name: Wait for Frontend
+        run: |
+          for i in {1..60}; do curl -sf http://localhost:3000/models/manifest.json && break || sleep 2; done
+
+      - name: Seed backend for perf
+        env:
+          BASE_URL: http://localhost:8000
+        run: |
+          python - <<'PY'
+import json
+import os
+import urllib.error
+import urllib.request
+
+BASE_URL = os.environ.get("BASE_URL", "http://localhost:8000")
+
+def post(path: str, payload: dict) -> dict:
+    req = urllib.request.Request(
+        f"{BASE_URL}{path}",
+        data=json.dumps(payload).encode("utf-8"),
+        headers={"Content-Type": "application/json"},
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            return json.loads(resp.read().decode("utf-8"))
+    except urllib.error.HTTPError as exc:
+        detail = exc.read().decode("utf-8", "ignore")
+        raise SystemExit(f"Seed request failed ({exc.code}): {detail}")
+
+material = post(
+    "/api/materials/",
+    {"name": "Walnut", "texture_url": None, "cost_per_sq_ft": 12.5},
+)
+material_id = material.get("id")
+if not material_id:
+    raise SystemExit("Material creation failed; missing id")
+
+post(
+    "/api/modules/",
+    {
+        "name": "Base600",
+        "width": 600.0,
+        "height": 720.0,
+        "depth": 580.0,
+        "base_price": 100.0,
+        "material_id": material_id,
+    },
+)
+PY
+
+      - name: Run Playwright performance budgets
+        env:
+          PERF_RESULTS_DIR: ${{ github.workspace }}/artifacts/perf
+          PERF_BUDGET_CONFIG: ${{ github.workspace }}/perf-budget.yml
+        run: |
+          mkdir -p artifacts/perf
+          cd frontend
+          npm run test:perf -- --output=playwright-report/perf
+
+      - name: Convert Playwright metrics to JUnit
+        run: node tools/perf/metrics-to-junit.mjs artifacts/perf artifacts/perf/perf-metrics.junit.xml
+
+      - name: Upload performance artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: perf-budgets
+          path: |
+            artifacts/perf
+            frontend/playwright-report
+
+      - name: Shutdown stack
+        if: always()
+        run: |
+          docker compose --env-file .env.development -f docker-compose.dev.yml down
+
   k6:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -28,11 +133,33 @@ jobs:
 
       - name: Wait for API
         run: |
-          for i in {1..60}; do curl -sf http://localhost:8000/healthcheck && break || sleep 2; done
+          success=false
+          for i in {1..60}; do
+            if curl -sf http://localhost:8000/healthcheck; then
+              success=true
+              break
+            fi
+            sleep 2
+          done
+          if [ "$success" = false ]; then
+            echo "API did not become healthy in time" >&2
+            exit 1
+          fi
 
       - name: Wait for Frontend
         run: |
-          for i in {1..60}; do curl -sf http://localhost:3000/models/manifest.json && break || sleep 2; done
+          success=false
+          for i in {1..60}; do
+            if curl -sf http://localhost:3000/models/manifest.json; then
+              success=true
+              break
+            fi
+            sleep 2
+          done
+          if [ "$success" = false ]; then
+            echo "Frontend did not become healthy in time" >&2
+            exit 1
+          fi
 
       - name: Seed backend for perf
         env:
@@ -98,3 +225,28 @@ PY
         if: always()
         run: |
           docker compose --env-file .env.development -f docker-compose.dev.yml down
+
+  canary-metrics:
+    runs-on: ubuntu-latest
+    needs:
+      - playwright-budgets
+      - k6
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Compare canary metrics against budgets
+        env:
+          PROMETHEUS_URL: ${{ secrets.PROMETHEUS_URL }}
+          TEMPO_URL: ${{ secrets.TEMPO_URL }}
+          GITHUB_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_SHA: ${{ github.sha }}
+          CANARY_RESULTS_DIR: ${{ github.workspace }}/artifacts/canary
+        run: |
+          python tools/perf/check-canary-metrics.py
+
+      - name: Upload canary metric report
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: canary-metrics
+          path: artifacts/canary

.gitignore

@@ -36,6 +36,7 @@ yarn-error.log*
 .next/
 out/
 .cache/
+artifacts/
 
 # Env files (keep example)
 .env

backend/api/config.py

@@ -16,6 +16,17 @@ class Settings(BaseSettings):
         default=3000,
         description="Port for the frontend service",
     )
+    api_write_token: str | None = Field(
+        default=None,
+        description="Bearer token required for write-protected API routes.",
+        repr=False,
+    )
+
+    # Admin / write access token
+    api_write_token: str = Field(
+        default="",
+        description="Optional bearer token required for write/admin endpoints.",
+    )
 
     # Database and integration settings
     database_url: str = Field(
@@ -34,6 +45,11 @@ class Settings(BaseSettings):
         default="",
         description="Hygraph access token",
     )
+    api_write_token: str = Field(
+        default="",
+        description="Bearer token required for privileged write routes",
+        repr=False,
+    )
     hygraph_webhook_secret: str = Field(
         description=(
             "Shared secret used to verify Hygraph webhook signatures."

backend/api/main.py

@@ -11,7 +11,6 @@
 from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor
 from opentelemetry.trace import Status, StatusCode
 from starlette.middleware.cors import CORSMiddleware
-from starlette.middleware.base import BaseHTTPMiddleware
 
 from api.config import get_settings
 from api.instrumentation_boot import setup_instrumentation
@@ -24,10 +23,17 @@
 from api.routes_sync import router as sync_router
 from api.routes_observability import router as observability_router
 from prometheus_client import CONTENT_TYPE_LATEST, generate_latest
+from prometheus_fastapi_instrumentator import Instrumentator
 from api.metrics import observe_http_request
 
 setup_instrumentation()
 
+if bootstrap_instrumentation is not None:  # pragma: no branch - simple guard
+    try:
+        bootstrap_instrumentation()
+    except Exception:  # pragma: no cover - defensive guard
+        logger.exception("Failed to bootstrap OpenTelemetry instrumentation")
+
 # Initialize settings
 settings = get_settings()
 
@@ -67,37 +73,44 @@ def _resolve_route_label(request: Request) -> str:
     return request.url.path or "unknown"
 
 
-class PrometheusInstrumentationMiddleware(BaseHTTPMiddleware):
-    async def dispatch(self, request: Request, call_next):  # type: ignore[override]
-        if request.url.path == "/metrics":
-            return await call_next(request)
-
-        start = perf_counter()
-        try:
-            response = await call_next(request)
-        except Exception:
-            duration = perf_counter() - start
-            observe_http_request(
-                service="backend",
-                route=_resolve_route_label(request),
-                method=request.method,
-                status="500",
-                duration_seconds=duration,
-            )
-            raise
-
+@app.middleware("http")
+async def prometheus_instrumentation_middleware(request: Request, call_next):
+    if request.url.path == "/metrics":
+        return await call_next(request)
+
+    start = perf_counter()
+    try:
+        response = await call_next(request)
+    except HTTPException as exc:
         duration = perf_counter() - start
         observe_http_request(
             service="backend",
             route=_resolve_route_label(request),
             method=request.method,
-            status=str(response.status_code),
+            status=str(exc.status_code),
             duration_seconds=duration,
         )
-        return response
-
-
-app.add_middleware(PrometheusInstrumentationMiddleware)
+        raise
+    except Exception:
+        duration = perf_counter() - start
+        observe_http_request(
+            service="backend",
+            route=_resolve_route_label(request),
+            method=request.method,
+            status="500",
+            duration_seconds=duration,
+        )
+        raise
+
+    duration = perf_counter() - start
+    observe_http_request(
+        service="backend",
+        route=_resolve_route_label(request),
+        method=request.method,
+        status=str(response.status_code),
+        duration_seconds=duration,
+    )
+    return response
 
 # Include API router
 app.include_router(api_router)
@@ -195,4 +208,4 @@ async def metrics() -> Dict[str, str]:
 
     return {
         "detail": "Metrics are exported via OpenTelemetry OTLP; no local payload is available.",
-    }
+    }

backend/api/metrics.py

@@ -1,6 +1,36 @@
 from __future__ import annotations
+
+from typing import Any
+
 from prometheus_client import Counter, Histogram
 
+_otel_meter: Any | None = None
+_http_request_counter: Any | None = None
+_http_request_duration_histogram: Any | None = None
+_web_vitals_lcp_histogram: Any | None = None
+
+try:  # pragma: no cover - optional dependency guard
+    from opentelemetry import metrics as otel_metrics
+except ImportError:  # pragma: no cover - optional dependency guard
+    otel_metrics = None  # type: ignore[assignment]
+else:
+    _otel_meter = otel_metrics.get_meter(__name__)
+    _http_request_counter = _otel_meter.create_counter(
+        "http.server.request.count",
+        description="HTTP requests processed by the backend",
+        unit="1",
+    )
+    _http_request_duration_histogram = _otel_meter.create_histogram(
+        "http.server.duration",
+        description="Duration of HTTP requests handled by the backend",
+        unit="s",
+    )
+    _web_vitals_lcp_histogram = _otel_meter.create_histogram(
+        "frontend.web_vitals.lcp",
+        description="Largest Contentful Paint reported from the frontend",
+        unit="s",
+    )
+
 REQUEST_LATENCY_BUCKETS = (
     0.005,
     0.01,
@@ -86,21 +116,41 @@ def observe_http_request(
     service: str,
     route: str,
     method: str,
-    status: str,
+    status_code: int | str,
     duration_seconds: float,
 ) -> None:
     """Record a single HTTP request observation."""
 
+    status_label = str(status_code)
     http_requests_total.labels(
-        service=service, route=route, method=method, status=status
+        service=service, route=route, method=method, status=status_label
     ).inc()
     http_request_duration_seconds.labels(
-        service=service, route=route, method=method, status=status
+        service=service, route=route, method=method, status=status_label
     ).observe(duration_seconds)
 
+    if _http_request_counter is not None or _http_request_duration_histogram is not None:
+        attributes: dict[str, str | int] = {
+            "service.name": service,
+            "http.route": route,
+            "http.method": method,
+        }
+        try:
+            attributes["http.status_code"] = int(status_code)
+        except (TypeError, ValueError):
+            # Skip the status code attribute if it cannot be coerced to an int.
+            pass
+
+        if _http_request_counter is not None:
+            _http_request_counter.add(1, attributes)
+        if _http_request_duration_histogram is not None:
+            _http_request_duration_histogram.record(duration_seconds, attributes)
+
 
 def observe_lcp(*, app: str, seconds: float) -> None:
     """Record a Largest Contentful Paint measurement in seconds."""
 
     web_vitals_lcp.labels(app=app).observe(seconds)
+    if _web_vitals_lcp_histogram is not None:
+        _web_vitals_lcp_histogram.record(seconds, {"app": app})