async def _refresh_llm_config(repo: BaseRepository) -> None:
    """Pull operator-tuned LLM config from realism_config into the backend cache.

    Best-effort by design: this runs at worker startup and again on the
    periodic realism-config refresh tick, so neither a failed load nor a
    failed apply may propagate into the worker loop. Both are logged at
    WARNING and the previously cached backend (or the defaults) stays in
    effect until the next tick.

    Args:
        repo: Repository handed to ``load_from_db`` to read the stored config.
    """
    # Imported lazily, matching the original hunk (keeps the LLM stack out of
    # worker import time).
    from decnet.realism.llm.config import apply, load_from_db

    try:
        cfg = await load_from_db(repo)
    except Exception as exc:  # noqa: BLE001
        # A transient repository error must not take the orchestrator down.
        logger.warning("llm config refresh: load failed: %s", exc)
        return

    if cfg is None:
        # Nothing stored yet — keep whatever backend is currently cached.
        return

    try:
        apply(cfg)
    except Exception as exc:  # noqa: BLE001
        logger.warning("llm config refresh: apply failed: %s", exc)
_ACTION_WEIGHTS) target = rng.randint(1, total) diff --git a/decnet/realism/llm/config.py b/decnet/realism/llm/config.py index 8bd4425f..1751164f 100644 --- a/decnet/realism/llm/config.py +++ b/decnet/realism/llm/config.py @@ -83,8 +83,14 @@ def apply(cfg: LLMConfig) -> None: if cfg.provider == "ollama": api_key: Optional[str] = None if cfg.api_key_ciphertext: - from decnet.web.db.secrets import decrypt_secret - api_key = decrypt_secret(cfg.api_key_ciphertext) + try: + from decnet.web.db.secrets import decrypt_secret + api_key = decrypt_secret(cfg.api_key_ciphertext) + except RuntimeError as exc: + log.warning( + "realism.llm.config: DECNET_SECRET_KEY unavailable, " + "api_key will not be passed to backend: %s", exc, + ) from decnet.realism.llm.impl.ollama import OllamaBackend _cached_backend = OllamaBackend( diff --git a/decnet/web/router/__init__.py b/decnet/web/router/__init__.py index f1e3e74a..096d2f84 100644 --- a/decnet/web/router/__init__.py +++ b/decnet/web/router/__init__.py @@ -40,6 +40,7 @@ from .orchestrator.api_list_events import router as orchestrator_list_router from .orchestrator.api_events import router as orchestrator_events_router from .orchestrator.api_event_stats import router as orchestrator_stats_router from .realism.api_config import router as realism_config_router +from .realism.api_llm import router as realism_llm_router from .realism.api_personas import router as realism_personas_router from .realism.api_synthetic_files import router as realism_synthetic_files_router from .transcripts import transcripts_router @@ -145,6 +146,7 @@ api_router.include_router(orchestrator_stats_router) api_router.include_router(realism_personas_router) api_router.include_router(realism_synthetic_files_router) api_router.include_router(realism_config_router) +api_router.include_router(realism_llm_router) # Observability api_router.include_router(stats_router) diff --git a/decnet/web/router/realism/api_llm.py b/decnet/web/router/realism/api_llm.py new file 
mode 100644 index 00000000..1c9bd78d --- /dev/null +++ b/decnet/web/router/realism/api_llm.py @@ -0,0 +1,173 @@ +"""GET/PUT ``/api/v1/realism/llm`` — LLM provider configuration. + +Reads accept viewer; writes are admin (same trust level as the existing +``/realism/config`` surface — LLM provider config controls all AI-generated +honeypot content). + +GET returns the current config **without** the encrypted API key — only +``api_key_set: bool`` is surfaced so the operator can see whether one is +stored without ever exfiltrating it. + +PUT body fields (all optional — unset fields keep their current value): + +* ``provider``: ``"ollama"`` (only supported provider today) +* ``base_url``: Ollama daemon URL, or ``""``/``null`` to clear +* ``model``: Ollama model tag +* ``timeout``: Generation timeout in seconds (float, > 0) +* ``api_key``: Plaintext; ``null`` / absent = leave unchanged, ``""`` = clear +""" +from __future__ import annotations + +import asyncio +import json +from typing import Any + +from fastapi import APIRouter, Depends, HTTPException + +from decnet.logging import get_logger +from decnet.realism.llm import config as llm_config +from decnet.realism.llm.config import LLMConfig, _CONFIG_KEY +from decnet.telemetry import traced as _traced +from decnet.web.dependencies import repo, require_admin, require_viewer + +router = APIRouter() +log = get_logger("api.realism.llm") + +_hydrated = False +_hydrate_lock = asyncio.Lock() + +_SENTINEL = object() + + +def _cfg_to_response(cfg: LLMConfig, api_key_set: bool) -> dict[str, Any]: + return { + "provider": cfg.provider, + "base_url": cfg.base_url, + "model": cfg.model, + "timeout": cfg.timeout, + "api_key_set": api_key_set, + } + + +async def _load_and_apply_from_db() -> LLMConfig: + """Load DB row into process cache; return current effective config.""" + cfg = await llm_config.load_from_db(repo) + if cfg is not None: + try: + llm_config.apply(cfg) + except Exception as exc: # noqa: BLE001 + 
log.warning("api.realism.llm: apply on hydrate failed: %s", exc) + return cfg or LLMConfig() + + +@router.get( + "/realism/llm", + tags=["Realism"], + responses={ + 401: {"description": "Could not validate credentials"}, + 403: {"description": "Insufficient permissions"}, + }, +) +@_traced("api.realism.get_llm") +async def get_llm_config( + user: dict = Depends(require_viewer), +) -> dict[str, Any]: + """Return the live LLM provider config (API key masked as ``api_key_set``).""" + global _hydrated + if not _hydrated: + async with _hydrate_lock: + if not _hydrated: + await _load_and_apply_from_db() + _hydrated = True + + row = await repo.get_realism_config(_CONFIG_KEY) + if row is not None: + try: + stored: dict[str, Any] = json.loads(row.get("value") or "{}") + except json.JSONDecodeError: + stored = {} + else: + stored = {} + + cfg = LLMConfig(**stored) if stored else LLMConfig() + api_key_set = bool(stored.get("api_key_ciphertext")) + return _cfg_to_response(cfg, api_key_set) + + +@router.put( + "/realism/llm", + tags=["Realism"], + responses={ + 400: {"description": "Invalid config payload"}, + 401: {"description": "Could not validate credentials"}, + 403: {"description": "Insufficient permissions"}, + }, +) +@_traced("api.realism.put_llm") +async def put_llm_config( + body: dict[str, Any], + user: dict = Depends(require_admin), +) -> dict[str, Any]: + """Replace LLM provider config. Persists and hot-reloads the backend. + + ``api_key`` handling: + + * absent or not in body → leave existing encrypted key unchanged + * ``null`` or ``""`` → clear the stored key + * non-empty string → encrypt and store + """ + global _hydrated + + if not isinstance(body, dict): + raise HTTPException(status_code=400, detail="body must be an object") + + # Load the current persisted config so we can merge partial updates. 
+ row = await repo.get_realism_config(_CONFIG_KEY) + current: dict[str, Any] = {} + if row is not None: + try: + current = json.loads(row.get("value") or "{}") or {} + except json.JSONDecodeError: + current = {} + + api_key_raw: Any = body.pop("api_key", _SENTINEL) + + # Merge incoming fields over the current persisted state. + merged = {**current, **body} + + # Handle api_key: absent=keep, null/empty=clear, string=encrypt. + if api_key_raw is _SENTINEL: + pass # leave current api_key_ciphertext in merged unchanged + elif not api_key_raw: + merged.pop("api_key_ciphertext", None) + else: + try: + from decnet.web.db.secrets import encrypt_secret + merged["api_key_ciphertext"] = encrypt_secret(str(api_key_raw)) + except RuntimeError as exc: + raise HTTPException( + status_code=500, + detail=f"Secret encryption unavailable: {exc}", + ) from exc + + try: + cfg = LLMConfig(**merged) + except Exception as exc: + raise HTTPException(status_code=400, detail=str(exc)) from exc + + try: + llm_config.apply(cfg) + except Exception as exc: + raise HTTPException( + status_code=400, detail=f"Backend init failed: {exc}" + ) from exc + + await repo.set_realism_config(_CONFIG_KEY, json.dumps(merged)) + _hydrated = True + + log.info( + "api.realism.put_llm user=%s provider=%s model=%s base_url=%s", + user.get("username", user.get("uuid")), + cfg.provider, cfg.model, cfg.base_url, + ) + return _cfg_to_response(cfg, bool(merged.get("api_key_ciphertext"))) diff --git a/tests/web/test_api_llm.py b/tests/web/test_api_llm.py new file mode 100644 index 00000000..340e1e23 --- /dev/null +++ b/tests/web/test_api_llm.py @@ -0,0 +1,263 @@ +"""Tests for GET/PUT /api/v1/realism/llm.""" +from __future__ import annotations + +import json +from unittest.mock import AsyncMock, MagicMock, patch + +import pytest +from cryptography.fernet import Fernet +from fastapi import HTTPException + +import decnet.realism.llm.config as _cfg_mod + + +@pytest.fixture(autouse=True) +def _reset_llm_cache(): + """Each 
test starts with no cached backend.""" + _cfg_mod._cached_backend = None + yield + _cfg_mod._cached_backend = None + + +@pytest.fixture() +def fernet_key(monkeypatch) -> str: + key = Fernet.generate_key().decode() + monkeypatch.setenv("DECNET_SECRET_KEY", key) + return key + + +# ── GET ─────────────────────────────────────────────────────────────────────── + + +class TestGetLLMConfig: + @pytest.mark.asyncio + async def test_returns_defaults_when_no_row(self): + from decnet.web.router.realism.api_llm import get_llm_config, _hydrated + import decnet.web.router.realism.api_llm as _mod + _mod._hydrated = False + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + result = await get_llm_config(user={"uuid": "u1", "role": "viewer"}) + + assert result["provider"] == "ollama" + assert result["model"] == "llama3.1" + assert result["api_key_set"] is False + + @pytest.mark.asyncio + async def test_returns_stored_config(self): + from decnet.web.router.realism.api_llm import get_llm_config + import decnet.web.router.realism.api_llm as _mod + _mod._hydrated = False + + row_value = json.dumps({ + "provider": "ollama", + "base_url": "http://10.0.0.1:11434", + "model": "phi3", + "timeout": 30.0, + }) + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock( + return_value={"value": row_value} + ) + result = await get_llm_config(user={"uuid": "u1", "role": "viewer"}) + + assert result["provider"] == "ollama" + assert result["base_url"] == "http://10.0.0.1:11434" + assert result["model"] == "phi3" + assert result["api_key_set"] is False + + @pytest.mark.asyncio + async def test_api_key_set_true_when_ciphertext_present(self): + from decnet.web.router.realism.api_llm import get_llm_config + import decnet.web.router.realism.api_llm as _mod + _mod._hydrated = False + + row_value = json.dumps({ + "provider": "ollama", + "model": "llama3.1", + 
"api_key_ciphertext": "gAAAAABxxx", + }) + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock( + return_value={"value": row_value} + ) + result = await get_llm_config(user={"uuid": "u1", "role": "viewer"}) + + assert result["api_key_set"] is True + assert "api_key_ciphertext" not in result + assert "api_key" not in result + + +# ── PUT ─────────────────────────────────────────────────────────────────────── + + +class TestPutLLMConfig: + @pytest.mark.asyncio + async def test_saves_and_applies_config(self): + from decnet.web.router.realism.api_llm import put_llm_config + from decnet.realism.llm.impl.ollama import OllamaBackend + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + mock_repo.set_realism_config = AsyncMock() + + result = await put_llm_config( + body={"provider": "ollama", "model": "phi3", "timeout": 45.0}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert result["provider"] == "ollama" + assert result["model"] == "phi3" + assert result["timeout"] == 45.0 + mock_repo.set_realism_config.assert_called_once() + assert isinstance(_cfg_mod.get_cached_backend(), OllamaBackend) + + @pytest.mark.asyncio + async def test_merges_partial_update(self): + from decnet.web.router.realism.api_llm import put_llm_config + + existing = json.dumps({ + "provider": "ollama", "model": "llama3.1", + "base_url": "http://10.0.0.1:11434", + }) + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock( + return_value={"value": existing} + ) + mock_repo.set_realism_config = AsyncMock() + + result = await put_llm_config( + body={"model": "qwen2:7b"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert result["model"] == "qwen2:7b" + assert result["base_url"] == "http://10.0.0.1:11434" + + @pytest.mark.asyncio + async def test_api_key_encrypted_and_not_returned(self, 
fernet_key): + from decnet.web.router.realism.api_llm import put_llm_config + from decnet.web.db.secrets import decrypt_secret + + captured: dict = {} + + async def _capture_set(key, value): + captured["value"] = value + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + mock_repo.set_realism_config = AsyncMock(side_effect=_capture_set) + + result = await put_llm_config( + body={"provider": "ollama", "api_key": "sk-secret-key"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert result["api_key_set"] is True + assert "api_key" not in result + stored = json.loads(captured["value"]) + assert stored["api_key_ciphertext"] != "sk-secret-key" + assert decrypt_secret(stored["api_key_ciphertext"]) == "sk-secret-key" + + @pytest.mark.asyncio + async def test_empty_api_key_clears_ciphertext(self): + from decnet.web.router.realism.api_llm import put_llm_config + + existing = json.dumps({ + "provider": "ollama", "model": "llama3.1", + "api_key_ciphertext": "gAAAAABxxx", + }) + captured: dict = {} + + async def _cap(key, value): + captured["value"] = value + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock( + return_value={"value": existing} + ) + mock_repo.set_realism_config = AsyncMock(side_effect=_cap) + + result = await put_llm_config( + body={"api_key": ""}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert result["api_key_set"] is False + stored = json.loads(captured["value"]) + assert "api_key_ciphertext" not in stored + + @pytest.mark.asyncio + async def test_absent_api_key_leaves_existing_ciphertext(self): + from decnet.web.router.realism.api_llm import put_llm_config + + existing = json.dumps({ + "provider": "ollama", "model": "llama3.1", + "api_key_ciphertext": "gAAAAABxxx", + }) + captured: dict = {} + + async def _cap(key, value): + captured["value"] = value + + with 
patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock( + return_value={"value": existing} + ) + mock_repo.set_realism_config = AsyncMock(side_effect=_cap) + + result = await put_llm_config( + body={"model": "phi3"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert result["api_key_set"] is True + stored = json.loads(captured["value"]) + assert stored["api_key_ciphertext"] == "gAAAAABxxx" + + @pytest.mark.asyncio + async def test_invalid_provider_returns_400(self): + from decnet.web.router.realism.api_llm import put_llm_config + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + + with pytest.raises(HTTPException) as exc_info: + await put_llm_config( + body={"provider": "vllm-someday"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert exc_info.value.status_code == 400 + + @pytest.mark.asyncio + async def test_invalid_base_url_returns_400(self): + from decnet.web.router.realism.api_llm import put_llm_config + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + + with pytest.raises(HTTPException) as exc_info: + await put_llm_config( + body={"base_url": "ollama://host"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert exc_info.value.status_code == 400 + + @pytest.mark.asyncio + async def test_missing_secret_key_returns_500(self, monkeypatch): + from decnet.web.router.realism.api_llm import put_llm_config + monkeypatch.delenv("DECNET_SECRET_KEY", raising=False) + + with patch("decnet.web.router.realism.api_llm.repo") as mock_repo: + mock_repo.get_realism_config = AsyncMock(return_value=None) + + with pytest.raises(HTTPException) as exc_info: + await put_llm_config( + body={"api_key": "sk-whatever"}, + user={"uuid": "admin-1", "role": "admin"}, + ) + + assert exc_info.value.status_code == 500