Spaces:
Running
Running
File size: 13,198 Bytes
4b445f6 b9da50c 4b445f6 b9da50c 4b445f6 b9da50c 4b445f6 b9da50c 4b445f6 7c7cae5 4b445f6 b9da50c 4b445f6 b9da50c 4b445f6 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 | """
Ninja Code Guard β FastAPI Application Entry Point
=============================================
This is the main entry point for the Ninja Code Guard backend. It sets up:
1. The FastAPI application with CORS middleware
2. The /health endpoint (used by Render health checks and the pre-warm cron)
3. The /webhook/github endpoint (receives PR events from GitHub)
Request lifecycle for a PR review:
GitHub webhook β HMAC validation β Redis cache check β fetch PR data
β (Week 3+: run agents) β post review comments β cache result
The webhook handler uses FastAPI's "Background Tasks" feature to process
the review asynchronously. This means we return 200 to GitHub immediately
(within their 10-second timeout) and do the heavy lifting in the background.
Without this, GitHub would retry the webhook if we took too long.
"""
import asyncio
import json
import traceback
import structlog
from fastapi import (
BackgroundTasks,
Depends,
FastAPI,
Header,
HTTPException,
Request,
Response,
Security,
)
from fastapi.middleware.cors import CORSMiddleware
from fastapi.security import APIKeyHeader
from app.agents.performance_agent import PerformanceAgent
from app.agents.security_agent import SecurityAgent
from app.agents.style_agent import StyleAgent
from app.agents.synthesizer import synthesize
from app.config import settings
from app.context.indexer import index_repo_files
from app.context.retriever import retrieve_context
from app.db.postgres import save_review
from app.db.redis_cache import is_already_reviewed, mark_as_reviewed
from app.github.client import GitHubClient
from app.github.comment_formatter import (
findings_to_review_comments,
format_summary_comment,
)
from app.github.webhook import validate_webhook_signature
# ββ API Key auth for dashboard endpoints ββββββββββββββββββββββββββββββββββ
_api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
async def verify_api_key(api_key: str = Security(_api_key_header)):
"""Reject dashboard API requests that don't carry a valid API key."""
if not settings.dashboard_api_key:
return
if api_key != settings.dashboard_api_key:
raise HTTPException(status_code=403, detail="Invalid or missing API key")
_verify_api_key = Depends(verify_api_key)
logger = structlog.get_logger()
_is_production = settings.environment == "production"
app = FastAPI(
title="Ninja Code Guard",
description="Multi-agent PR review system",
version="0.1.0",
# Disable auto-generated docs in production (exposes API schema)
docs_url=None if _is_production else "/docs",
redoc_url=None if _is_production else "/redoc",
openapi_url=None if _is_production else "/openapi.json",
)
# CORS middleware allows the Next.js dashboard (on Vercel) to call our API.
# In production, restrict origins to your actual Vercel domain.
_allowed_origins = (
[o.strip() for o in settings.cors_allowed_origins.split(",") if o.strip()]
if settings.cors_allowed_origins
else ["http://localhost:3000"]
)
app.add_middleware(
CORSMiddleware,
allow_origins=_allowed_origins,
allow_credentials=True,
allow_methods=["GET", "POST"],
allow_headers=["Content-Type", "X-API-Key", "X-GitHub-Event", "X-Hub-Signature-256"],
)
@app.get("/")
async def root():
"""Root endpoint β confirms the service is running."""
return {"status": "ok", "service": "Ninja Code Guard", "docs": "/health"}
@app.get("/health")
async def health_check():
"""
Health check endpoint.
Used by:
- Render.com to verify the service is running (healthCheckPath in render.yaml)
- The GitHub Actions pre-warm cron to keep the service from going cold
- Our Next.js dashboard to show service status
"""
return {"status": "ok", "service": "Ninja Code Guard"}
# --- Dashboard API Endpoints ---
@app.get("/api/repos/{owner}/{repo}/reviews")
async def get_reviews(owner: str, repo: str, _=_verify_api_key):
"""Get recent PR reviews for a repo (used by dashboard)."""
from app.db.postgres import get_repo_reviews
repo_full_name = f"{owner}/{repo}"
reviews = await get_repo_reviews(repo_full_name)
return {"repo": repo_full_name, "reviews": reviews}
@app.get("/api/repos/{owner}/{repo}/stats")
async def get_stats(owner: str, repo: str, _=_verify_api_key):
"""Get aggregate stats for a repo (used by dashboard)."""
from app.db.postgres import get_repo_reviews
repo_full_name = f"{owner}/{repo}"
reviews = await get_repo_reviews(repo_full_name, limit=50)
if not reviews:
return {"repo": repo_full_name, "total_reviews": 0, "avg_health_score": 0}
avg_score = sum(r.get("health_score", 0) for r in reviews) / len(reviews)
return {
"repo": repo_full_name,
"total_reviews": len(reviews),
"avg_health_score": round(avg_score),
"reviews": reviews[:10],
}
# --- Webhook Actions (what to do for each event type) ---
# We only process these PR actions. Others (labeled, assigned, etc.) are irrelevant.
RELEVANT_PR_ACTIONS = {"opened", "synchronize", "reopened", "ready_for_review"}
async def _process_pr_review(
repo_full_name: str,
pr_number: int,
commit_sha: str,
installation_id: int,
) -> None:
"""
Background task: fetch PR data and post a review.
Pipeline:
1. Fetch PR diff and file contents from GitHub
2. Index files into ChromaDB for RAG context
3. Run 3 domain agents IN PARALLEL (asyncio.gather)
4. Merge all findings and compute health score
5. Post review to GitHub
6. Cache result in Redis
"""
try:
logger.info(
"Starting PR review",
repo=repo_full_name,
pr=pr_number,
sha=commit_sha[:8],
)
# Step 1: Fetch PR data
client = GitHubClient(installation_id)
pr_data = await client.fetch_pr_data(repo_full_name, pr_number)
# Step 2: Index files for RAG context
# This embeds the file contents into ChromaDB so agents can
# semantically search for related code across the repo
rag_context = ""
try:
collection_name = await index_repo_files(
repo_full_name, pr_data.file_contents
)
rag_context = await retrieve_context(
collection_name, pr_data.diff[:5000]
)
except Exception as rag_err:
logger.warning("RAG context unavailable", error=str(rag_err))
# Step 3: Run all 3 domain agents IN PARALLEL
# asyncio.gather() runs all three concurrently β total latency is
# max(agent_latencies) instead of sum(agent_latencies).
# With Groq at 500+ tokens/sec, each agent takes 2-5 seconds.
# Parallel: ~5 seconds total. Sequential: ~15 seconds.
security_agent = SecurityAgent()
performance_agent = PerformanceAgent()
style_agent = StyleAgent()
security_findings, performance_findings, style_findings = await asyncio.gather(
security_agent.review(pr_data, rag_context),
performance_agent.review(pr_data, rag_context),
style_agent.review(pr_data, rag_context),
)
logger.info(
"All agents completed",
security=len(security_findings),
performance=len(performance_findings),
style=len(style_findings),
total=len(security_findings) + len(performance_findings) + len(style_findings),
repo=repo_full_name,
pr=pr_number,
)
# Step 4: Synthesize β deduplicate, rank, score, summarize
review = synthesize(security_findings, performance_findings, style_findings)
# Post the review to GitHub
if review.findings:
# Post inline comments anchored to specific lines
review_comments = findings_to_review_comments(review.findings)
try:
await client.post_review(
repo_full_name,
pr_number,
commit_sha,
body=format_summary_comment(review),
comments=review_comments,
)
except Exception as review_err:
# If inline comments fail (e.g., line not in diff), fall back to summary only
logger.warning(
"Inline review failed, posting summary comment instead",
error=str(review_err),
)
await client.post_comment(
repo_full_name, pr_number, format_summary_comment(review)
)
else:
# No findings β post a clean bill of health
await client.post_comment(
repo_full_name,
pr_number,
format_summary_comment(review),
)
# Save to Neon Postgres (for dashboard)
await save_review(repo_full_name, pr_number, commit_sha, review)
# Mark this commit as reviewed in Redis cache
await mark_as_reviewed(commit_sha)
logger.info(
"PR review completed",
repo=repo_full_name,
pr=pr_number,
sha=commit_sha[:8],
)
except Exception as e:
# Log the full traceback so we can debug failures
logger.error(
"PR review failed",
repo=repo_full_name,
pr=pr_number,
error=str(e),
traceback=traceback.format_exc(),
)
@app.post("/webhook/github")
async def webhook_github(
request: Request,
background_tasks: BackgroundTasks,
x_github_event: str = Header(..., alias="X-GitHub-Event"),
body: bytes = Depends(validate_webhook_signature),
):
"""
Receive and process GitHub webhook events.
This endpoint is called by GitHub whenever a PR event occurs on repos
where Ninja Code Guard is installed.
How the flow works:
1. FastAPI calls validate_webhook_signature() BEFORE this function runs
(it's a Depends() dependency). If HMAC validation fails, we never get here.
2. We parse the validated payload and check if it's a relevant event.
3. If it's a PR event we care about, we check Redis cache.
4. If not cached, we enqueue the review as a background task.
5. We return 200 immediately β GitHub expects a response within 10 seconds.
Why background tasks?
- GitHub has a 10-second webhook timeout. If we don't respond in time,
GitHub marks the delivery as failed and may retry (causing duplicates).
- Our actual review takes 15-20 seconds (agent calls + synthesis).
- So we acknowledge receipt immediately and process in the background.
Args:
request: The FastAPI request object
background_tasks: FastAPI's background task queue
x_github_event: The event type header (e.g., "pull_request")
body: The validated request body (returned by validate_webhook_signature)
"""
# Parse the validated JSON payload
payload = json.loads(body)
# We only handle pull_request events for now
if x_github_event != "pull_request":
logger.debug("Ignoring non-PR event", github_event=x_github_event)
return {"status": "ignored", "reason": f"event type: {x_github_event}"}
action = payload.get("action", "")
if action not in RELEVANT_PR_ACTIONS:
logger.debug("Ignoring irrelevant PR action", action=action)
return {"status": "ignored", "reason": f"action: {action}"}
# Extract key data from the webhook payload
pr = payload["pull_request"]
repo_full_name = payload["repository"]["full_name"]
pr_number = payload["number"]
commit_sha = pr["head"]["sha"]
# Skip draft PRs β they're not ready for review
if pr.get("draft", False):
logger.info("Skipping draft PR", repo=repo_full_name, pr=pr_number)
return {"status": "ignored", "reason": "draft PR"}
# Check Redis cache β have we already reviewed this exact commit?
if await is_already_reviewed(commit_sha):
return {"status": "skipped", "reason": "already reviewed", "sha": commit_sha[:8]}
# Get the installation ID (needed for GitHub App authentication)
installation_id = payload.get("installation", {}).get("id")
if not installation_id:
logger.error("No installation ID in webhook payload")
return Response(status_code=400, content="Missing installation ID")
# Enqueue the review as a background task
# This returns 200 to GitHub immediately while processing continues
background_tasks.add_task(
_process_pr_review,
repo_full_name=repo_full_name,
pr_number=pr_number,
commit_sha=commit_sha,
installation_id=installation_id,
)
logger.info(
"Webhook received β review enqueued",
repo=repo_full_name,
pr=pr_number,
sha=commit_sha[:8],
action=action,
)
return {
"status": "accepted",
"pr": pr_number,
"sha": commit_sha[:8],
}
|