Add save-config webhook + gmail_auth helper

.dockerignore

@@ -0,0 +1,20 @@
+# secrets
+.env
+_local_secrets/
+
+# oauth files (should be provided via env/volume, not baked into images)
+backend/credentials.json
+backend/token.json
+**/credentials.json
+**/token.json
+
+# runtime artifacts
+backend/worker/tmp/
+backend/worker/uploads/
+__pycache__/
+*.pyc
+.DS_Store
+
+# local tooling
+.venv/
+.git/

README.md

@@ -5,3 +5,32 @@ app_port: 7860
 ---
 
 Worker + health API.
+
+## Local run
+
+```sh
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+
+set -a; source .env; set +a
+./start.sh
+```
+
+## Trainer “Save configuration” webhook
+
+The health API exposes a webhook that the Trainer UI can call when a rep clicks **Save configuration**.
+
+- Endpoint: `POST /api/trainer/save-config`
+- Header: `X-Webhook-Secret: $PDF_PIPELINE_WEBHOOK_SECRET`
+- Body JSON:
+  - `pdf_id` (string)
+  - `template_id` (string)
+  - `config` (object)
+  - `notify_to` (string, optional override)
+
+Required env vars for the webhook to send the confirmation email:
+
+- `PDF_PIPELINE_WEBHOOK_SECRET`
+- `PDF_PIPELINE_NOTIFY_FROM` (must be the same Gmail account you authorized)
+- `PDF_PIPELINE_PIPELINE_NOTIFY_TO` (recipient for the confirmation email)

backend/worker/gmail_auth.py

@@ -0,0 +1,98 @@
+from __future__ import annotations
+
+import argparse
+import os
+from pathlib import Path
+
+from dotenv import load_dotenv
+from google_auth_oauthlib.flow import InstalledAppFlow
+
+try:
+    from backend.worker.hf_env_files import resolve_json_or_path
+except ModuleNotFoundError:
+    import sys
+
+    sys.path.insert(0, str(Path(__file__).resolve().parents[2]))
+    from backend.worker.hf_env_files import resolve_json_or_path
+
+
+SCOPES = [
+    "https://www.googleapis.com/auth/gmail.modify",
+    "https://www.googleapis.com/auth/gmail.send",
+]
+
+
+def _repo_root() -> Path:
+    return Path(__file__).resolve().parents[2]
+
+
+def _alias_env(primary: str, fallback: str) -> None:
+    if (os.environ.get(primary) or "").strip():
+        return
+    fb = (os.environ.get(fallback) or "").strip()
+    if fb:
+        os.environ[primary] = fb
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Interactive Gmail OAuth token generator.")
+    parser.add_argument(
+        "--credentials",
+        help="Path to OAuth client credentials JSON (overrides env).",
+        default="",
+    )
+    parser.add_argument(
+        "--token",
+        help="Path to write token JSON (overrides env).",
+        default="",
+    )
+    parser.add_argument(
+        "--console",
+        action="store_true",
+        help="Use console-based auth (no local server).",
+    )
+    args = parser.parse_args()
+
+    repo_root = _repo_root()
+
+    # Load local env files if present (helps local dev; HF will use injected env vars).
+    load_dotenv(repo_root / ".env", override=False)
+    load_dotenv(repo_root / "backend" / ".env", override=False)
+
+    if args.credentials:
+        os.environ["GMAIL_CREDENTIALS_JSON"] = args.credentials
+    if args.token:
+        os.environ["GMAIL_TOKEN_JSON"] = args.token
+
+    # Back-compat with older env var names.
+    _alias_env("GMAIL_CREDENTIALS_JSON", "PDF_PIPELINE_GMAIL_CREDENTIALS_JSON")
+    _alias_env("GMAIL_TOKEN_JSON", "PDF_PIPELINE_GMAIL_TOKEN_JSON")
+
+    backend_dir = repo_root / "backend"
+    default_creds = backend_dir / "credentials.json"
+    default_token = backend_dir / "token.json"
+
+    creds_path = resolve_json_or_path("GMAIL_CREDENTIALS_JSON", default_creds, Path("/tmp/credentials.json"))
+    token_path = resolve_json_or_path("GMAIL_TOKEN_JSON", default_token, Path("/tmp/token.json"))
+
+    if not creds_path.exists() and default_creds.exists():
+        print(f"[gmail_auth] WARN: {creds_path} not found; using {default_creds}")
+        creds_path = default_creds
+
+    if not creds_path.exists():
+        raise FileNotFoundError(f"Missing OAuth client json: {creds_path}")
+
+    flow = InstalledAppFlow.from_client_secrets_file(str(creds_path), SCOPES)
+
+    if args.console:
+        creds = flow.run_console()
+    else:
+        creds = flow.run_local_server(port=0, access_type="offline", prompt="consent")
+
+    token_path.parent.mkdir(parents=True, exist_ok=True)
+    token_path.write_text(creds.to_json(), encoding="utf-8")
+    print(f"[gmail_auth] Wrote token: {token_path}")
+
+
+if __name__ == "__main__":
+    main()

health_api.py

@@ -1,7 +1,211 @@
-from fastapi import FastAPI
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+from typing import Any, Dict, Optional, Union
+from urllib.parse import urlparse
+
+from fastapi import FastAPI, Header, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from pydantic import AliasChoices, BaseModel, Field
+
+from backend.worker.gmail_client import GmailClient
+from backend.worker.hf_env_files import resolve_json_or_path
+from backend.worker.template_store import save_trainer_template
 
 app = FastAPI()
 
+
+def _origin_from_url(url: str) -> Optional[str]:
+    url = (url or "").strip()
+    if not url:
+        return None
+    try:
+        parsed = urlparse(url)
+    except Exception:
+        return None
+    if not parsed.scheme or not parsed.netloc:
+        return None
+    return f"{parsed.scheme}://{parsed.netloc}"
+
+
+_allowed_origins = {
+    "http://localhost:5173",
+    "http://localhost:3000",
+}
+trainer_origin = _origin_from_url(os.environ.get("PDF_TRAINER_BASE_URL", ""))
+if trainer_origin:
+    _allowed_origins.add(trainer_origin)
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=sorted(_allowed_origins) if _allowed_origins else ["*"],
+    allow_credentials=False,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+def _require_webhook_secret(provided: Optional[str]) -> None:
+    expected = (os.environ.get("PDF_PIPELINE_WEBHOOK_SECRET") or "").strip()
+    if not expected:
+        raise HTTPException(
+            status_code=500,
+            detail="Server missing PDF_PIPELINE_WEBHOOK_SECRET env var",
+        )
+    if (provided or "").strip() != expected:
+        raise HTTPException(status_code=401, detail="Invalid webhook secret")
+
+
+def _alias_env(primary: str, fallback: str) -> None:
+    if (os.environ.get(primary) or "").strip():
+        return
+    fb = (os.environ.get(fallback) or "").strip()
+    if fb:
+        os.environ[primary] = fb
+
+
+def _gmail_paths(repo_root: Path) -> tuple[Path, Path]:
+    _alias_env("GMAIL_CREDENTIALS_JSON", "PDF_PIPELINE_GMAIL_CREDENTIALS_JSON")
+    _alias_env("GMAIL_TOKEN_JSON", "PDF_PIPELINE_GMAIL_TOKEN_JSON")
+
+    backend_dir = repo_root / "backend"
+    creds = resolve_json_or_path("GMAIL_CREDENTIALS_JSON", backend_dir / "credentials.json", Path("/tmp/credentials.json"))
+    token = resolve_json_or_path("GMAIL_TOKEN_JSON", backend_dir / "token.json", Path("/tmp/token.json"))
+    return creds, token
+
+
+def _uploads_dir(repo_root: Path) -> Path:
+    return repo_root / "backend" / "worker" / "uploads"
+
+
+class SaveConfigRequest(BaseModel):
+    pdf_id: str = Field(
+        ...,
+        validation_alias=AliasChoices("pdf_id", "pdfId"),
+        description="The pdf_id used by the trainer link (?pdf_id=...).",
+    )
+    template_id: str = Field(
+        ...,
+        validation_alias=AliasChoices("template_id", "templateId"),
+        description="The template_id being saved/updated.",
+    )
+    config: Union[Dict[str, Any], str] = Field(
+        ...,
+        validation_alias=AliasChoices("config", "configuration", "config_json", "configJson"),
+        description="Trainer configuration JSON.",
+    )
+    notify_to: Optional[str] = Field(
+        None,
+        validation_alias=AliasChoices("notify_to", "notifyTo"),
+        description="Override recipient email (optional).",
+    )
+
+
+@app.post("/api/trainer/save-config")
+def save_config(
+    req: SaveConfigRequest,
+    x_webhook_secret: Optional[str] = Header(default=None, alias="X-Webhook-Secret"),
+):
+    """
+    Called by the PDF Trainer UI when "Save configuration" is clicked.
+    Behavior:
+      - persists the config JSON to backend/worker/trainer_templates/<template_id>.json
+      - sends a confirmation email with the config JSON + the original PDF attached
+    """
+    _require_webhook_secret(x_webhook_secret)
+
+    repo_root = Path(__file__).resolve().parent
+
+    notify_from = (os.environ.get("PDF_PIPELINE_NOTIFY_FROM") or "").strip()
+    if not notify_from:
+        raise HTTPException(status_code=500, detail="Missing PDF_PIPELINE_NOTIFY_FROM env var")
+
+    # Where to send the confirmation
+    default_to = (os.environ.get("PDF_PIPELINE_PIPELINE_NOTIFY_TO") or "").strip()
+    to_email = (req.notify_to or default_to).strip()
+    if not to_email:
+        raise HTTPException(
+            status_code=500,
+            detail="Missing PDF_PIPELINE_PIPELINE_NOTIFY_TO env var (or provide notify_to in request)",
+        )
+
+    # Persist config JSON for local tracking/backups
+    cfg_obj: Dict[str, Any]
+    if isinstance(req.config, str):
+        try:
+            parsed = json.loads(req.config)
+        except Exception as e:
+            raise HTTPException(status_code=422, detail=f"config is not valid JSON: {e}")
+        if not isinstance(parsed, dict):
+            raise HTTPException(status_code=422, detail="config JSON must be an object")
+        cfg_obj = parsed
+    else:
+        cfg_obj = req.config
+
+    try:
+        saved_path = save_trainer_template(req.template_id, cfg_obj)
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Failed to save template config: {e}")
+
+    # Load original PDF from uploads/ (best-effort)
+    uploads = _uploads_dir(repo_root)
+    pdf_path = uploads / f"{req.pdf_id}.pdf"
+    name_path = uploads / f"{req.pdf_id}.name.txt"
+    pdf_name = f"{req.pdf_id}.pdf"
+    if name_path.exists():
+        try:
+            pdf_name = (name_path.read_text(encoding="utf-8") or "").strip() or pdf_name
+        except Exception:
+            pass
+
+    pdf_bytes: Optional[bytes] = None
+    if pdf_path.exists():
+        try:
+            pdf_bytes = pdf_path.read_bytes()
+        except Exception:
+            pdf_bytes = None
+
+    cfg_bytes = json.dumps(cfg_obj, indent=2).encode("utf-8")
+    cfg_filename = f"trainer_config_{req.pdf_id}__{req.template_id}.json"
+
+    attachments = [(cfg_filename, cfg_bytes)]
+    body_lines = [
+        "Configuration has been updated.",
+        "",
+        f"template_id: {req.template_id}",
+        f"pdf_id: {req.pdf_id}",
+        f"saved: {saved_path}",
+    ]
+
+    if pdf_bytes and len(pdf_bytes) < 20 * 1024 * 1024:
+        attachments.append((pdf_name, pdf_bytes))
+    elif pdf_bytes:
+        body_lines.append("")
+        body_lines.append("Note: PDF was too large to attach.")
+    else:
+        body_lines.append("")
+        body_lines.append("Note: Original PDF not found on worker; only config JSON is attached.")
+
+    subject = f"PDF Trainer: configuration updated ({req.template_id})"
+    body = "\n".join(body_lines) + "\n"
+
+    creds_path, token_path = _gmail_paths(repo_root)
+    try:
+        gmail = GmailClient(creds_path, token_path)
+        gmail.send_email(
+            to_email=to_email,
+            from_email=notify_from,
+            subject=subject,
+            body_text=body,
+            attachments=attachments,
+        )
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Failed to send confirmation email: {e}")
+
+    return {"ok": True}
+
 @app.get("/")
 def root():
     return {"ok": True}