Skip to content

Commit 2d6922c

Browse files
clean up comments and remove unused import
1 parent 85a3711 commit 2d6922c

6 files changed

Lines changed: 47 additions & 50 deletions

File tree

src/mlpa/core/auth/authorize.py

Lines changed: 8 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -154,15 +154,14 @@ async def authorize_chat_request(
154154
use_play_integrity=use_play_integrity,
155155
)
156156
except HTTPException as exc:
157-
# Record only the terminal auth dispositions the dependency intentionally
158-
# emits. 401 is an expected or normalized auth rejection. 400 is a
159-
# client-error request to the auth layer (invalid purpose, or malformed App
160-
# Attest base64 decoded in app_attest_auth). Any other status, including App
161-
# Attest's explicit 500, is re-raised unrecorded; auth-system-failure capture
162-
# is left to a follow-on auth backend change. Non-HTTPException errors are not
163-
# caught here and propagate unrecorded. Purpose is unresolved at these
164-
# dispositions, so a stable "" placeholder is used, never the unvalidated
165-
# header value.
157+
# Only record terminal HTTP failures from the shared auth call:
158+
# - 401: expected or normalized auth rejection (bad creds, expired token, etc.)
159+
# - 400: client error to the auth layer (invalid purpose, or malformed App
160+
# Attest base64 decoded in app_attest_auth before its try block)
161+
# - anything else (e.g. App Attest's explicit 500): re-raised unrecorded;
162+
# auth-system-failure capture is left to a follow-on auth backend change
163+
# Non-HTTPException errors are not caught here and propagate unrecorded.
164+
# Purpose is unknown at this point, so "" is always used as a placeholder.
166165
if exc.status_code == 401:
167166
reason = AvailabilityReason.AUTH_REJECTED
168167
elif exc.status_code == 400:

src/mlpa/core/completions.py

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -54,9 +54,12 @@ def _build_litellm_body(req: AuthorizedChatRequest, *, stream: bool) -> dict:
5454
async def get_or_create_user_for_completion(
5555
user_id: str, req: AuthorizedChatRequest | AuthorizedSearchRequest
5656
):
57-
"""Wraps get_or_create_user, recording the signup-cap rejection metric and the
58-
pre-completion availability disposition (signup cap, or a 5xx provisioning
59-
failure) for chat requests."""
57+
"""
58+
Wraps get_or_create_user and records availability for chat requests:
59+
- signup cap (403 + MAX_USERS_REACHED): excluded, alongside the existing rejection metric
60+
- user-resolution failure (status >= 500): failure
61+
- search requests and non-signup-cap, non-5xx failures: not recorded
62+
"""
6063
try:
6164
return await get_or_create_user(user_id)
6265
except HTTPException as exc:
@@ -72,10 +75,9 @@ async def get_or_create_user_for_completion(
7275
)
7376
record_chat_availability(req, AvailabilityReason.SIGNUP_CAP_EXCEEDED)
7477
elif exc.status_code >= 500:
75-
# User-resolution / provisioning system failure for an eligible
76-
# request. Non-signup-cap, non-5xx dispositions are left unrecorded;
77-
# a future client-side 4xx should get its own classification rather
78-
# than counting as an availability failure.
78+
# User-resolution system failure. Non-signup-cap 4xx errors are
79+
# not recorded; a client-side 4xx should get its own classification
80+
# rather than counting as an availability failure.
7981
record_chat_availability(req, AvailabilityReason.PROVISIONING_FAILURE)
8082
raise
8183

src/mlpa/core/errors.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,8 +37,8 @@ class RejectionMatch:
3737
log_message: str = ""
3838

3939
def availability_reason(self) -> AvailabilityReason:
40-
# classify_upstream_error only ever produces these completion-stage
41-
# rejection reasons; SIGNUP_CAP_EXCEEDED is recorded pre-completion.
40+
# SIGNUP_CAP_EXCEEDED is recorded pre-completion, not via classify_upstream_error,
41+
# so it is not in the mapping below.
4242
if self.reason == PrometheusRejectionReason.RATE_LIMITED:
4343
if self.error_code == ERROR_CODE_UPSTREAM_RATE_LIMIT_EXCEEDED:
4444
return AvailabilityReason.RATE_LIMITED_UPSTREAM

src/mlpa/core/prometheus_metrics.py

Lines changed: 27 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -27,36 +27,33 @@ class AvailabilityOutcome(StrEnum):
2727

2828

2929
class AvailabilityReason(StrEnum):
30-
# Values overlapping PrometheusRejectionReason are kept identical so the
31-
# availability counter and the rejection counter reconcile on shared strings.
32-
# Keep them in sync if a rejection reason is added.
33-
# success
34-
CLEAN_COMPLETION = "clean_completion"
35-
# failure
36-
UPSTREAM_ERROR = "upstream_error"
37-
EMPTY_RESPONSE = "empty_response"
38-
# excluded (policy rejections)
39-
BUDGET_EXCEEDED = "budget_exceeded"
40-
RATE_LIMITED_OWN = "rate_limited_own"
41-
RATE_LIMITED_UPSTREAM = "rate_limited_upstream"
42-
PAYLOAD_TOO_LARGE = "payload_too_large"
43-
INVALID_MODEL_NAME = "invalid_model_name"
44-
INVALID_REQUEST = "invalid_request"
45-
# abort
46-
CLIENT_DISCONNECT = "client_disconnect"
47-
# pre-completion (auth dependency and route body, before the completion path)
48-
# excluded
49-
AUTH_REJECTED = "auth_rejected"
50-
INVALID_AUTH_REQUEST = "invalid_auth_request"
51-
INVALID_SERVICE_TYPE_FOR_MODEL = "invalid_service_type_for_model"
52-
SIGNUP_CAP_EXCEEDED = "signup_cap_exceeded"
53-
BLOCKED = "blocked"
54-
# failure
55-
PROVISIONING_FAILURE = "provisioning_failure"
56-
# Defined but not emitted yet: auth backends normalize system failures to 401
57-
# (indistinguishable from expected rejections), so capturing this is left to a
58-
# follow-on auth backend change that surfaces a real disposition.
59-
AUTH_SYSTEM_FAILURE = "auth_system_failure"
30+
# Strings shared with PrometheusRejectionReason are kept identical so the
31+
# two counters reconcile. Keep them in sync when a rejection reason is added.
32+
33+
# --- completion-stage reasons (recorded inside stream_completion / get_completion) ---
34+
CLEAN_COMPLETION = "clean_completion" # success
35+
UPSTREAM_ERROR = "upstream_error" # failure
36+
EMPTY_RESPONSE = "empty_response" # failure
37+
BUDGET_EXCEEDED = "budget_exceeded" # excluded
38+
RATE_LIMITED_OWN = "rate_limited_own" # excluded
39+
RATE_LIMITED_UPSTREAM = "rate_limited_upstream" # excluded
40+
PAYLOAD_TOO_LARGE = "payload_too_large" # excluded
41+
INVALID_MODEL_NAME = "invalid_model_name" # excluded
42+
INVALID_REQUEST = "invalid_request" # excluded
43+
CLIENT_DISCONNECT = "client_disconnect" # abort
44+
45+
# --- pre-completion reasons (recorded in the auth dependency and route body) ---
46+
AUTH_REJECTED = "auth_rejected" # excluded
47+
INVALID_AUTH_REQUEST = "invalid_auth_request" # excluded
48+
INVALID_SERVICE_TYPE_FOR_MODEL = "invalid_service_type_for_model" # excluded
49+
SIGNUP_CAP_EXCEEDED = "signup_cap_exceeded" # excluded
50+
BLOCKED = "blocked" # excluded
51+
PROVISIONING_FAILURE = "provisioning_failure" # failure
52+
53+
# Defined but not yet emitted: auth backends normalize system failures to 401,
54+
# making them indistinguishable from expected rejections. Capturing this
55+
# properly requires a follow-on change to the auth backends themselves.
56+
AUTH_SYSTEM_FAILURE = "auth_system_failure" # failure
6057

6158

6259
_AVAILABILITY_OUTCOME_BY_REASON: dict[AvailabilityReason, AvailabilityOutcome] = {

src/tests/unit/test_precompletion_availability.py

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,6 @@
2222
from mlpa.core.prometheus_metrics import (
2323
AvailabilityOutcome,
2424
AvailabilityReason,
25-
PrometheusRejectionReason,
2625
)
2726
from tests.consts import SAMPLE_REQUEST
2827

uv.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)