Merge pull request #222 from Two-Weeks-Team/feat/vertex-routing-by-role

feat: Vertex AI routing by user role

Author: ComBba

.env.example

@@ -1,48 +1,13 @@
-# Somm.dev Environment Variables
-# Copy this file to .env and fill in your values
+# Somm.dev Frontend Environment Variables (Next.js / Vercel)
+# Copy this file to .env.local and fill in your values
+#
+# Backend environment variables → see backend/.env.example
 
 # ==========================================
-# Server Configuration
-# ==========================================
-ENVIRONMENT=development
-DEBUG=false
-PORT=8000
-
-# URLs
-FRONTEND_URL=http://localhost:3000
-BACKEND_URL=http://localhost:8000
-
-# ==========================================
-# Database
-# ==========================================
-MONGO_DB=somm_db
-MONGODB_URI=mongodb://localhost:27017/somm_db
-
-# ==========================================
-# Authentication
-# ==========================================
-# JWT Secret (generate with: python -c "import secrets; print(secrets.token_urlsafe(32))")
-JWT_SECRET_KEY=generate-a-secure-random-key
-
-# GitHub OAuth (create at: https://github.com/settings/developers)
-GITHUB_CLIENT_ID=your-github-client-id
-GITHUB_CLIENT_SECRET=your-github-client-secret
-
-# ==========================================
-# LLM API Keys
-# ==========================================
-GEMINI_API_KEY=
-OPENAI_API_KEY=
-ANTHROPIC_API_KEY=
-
-# ==========================================
-# Optional
-# ==========================================
-GITHUB_TOKEN=
-SENTRY_DSN=
-RATE_LIMIT_PER_MINUTE=60
-
-# ==========================================
-# Frontend (for Next.js)
+# Frontend (Next.js)
 # ==========================================
+# Development:
 NEXT_PUBLIC_API_URL=http://localhost:8000
+
+# Production (deployed backend):
+# NEXT_PUBLIC_API_URL=https://api.somm.dev

.gitignore

@@ -105,5 +105,8 @@ backend/ENV/
 
 backend/.env.production
 
+# Backup files
+*.backup.*
+
 # Local demo assets (not for deployment)
 _local/

backend/.env.example

@@ -18,13 +18,16 @@ MONGODB_URI=mongodb://localhost:27017/somm_db
 # Get Gemini API key from: https://makersuite.google.com/app/apikey
 GEMINI_API_KEY=your_gemini_api_key_here
 
-# Optional: OpenAI as fallback
-# Get OpenAI API key from: https://platform.openai.com/api-keys
-OPENAI_API_KEY=your_openai_api_key_here
+# Vertex AI Express (API key auth for premium/admin routing)
+VERTEX_API_KEY=your_vertex_express_api_key_here
+GOOGLE_CLOUD_PROJECT=your_gcp_project_id
+GOOGLE_CLOUD_LOCATION=asia-northeast3
 
-# Optional: Anthropic as fallback
-# Get Anthropic API key from: https://console.anthropic.com/
-ANTHROPIC_API_KEY=your_anthropic_api_key_here
+# Vertex AI role-based routing allowlists (comma-separated)
+# VERTEX_PREMIUM_USER_IDS=user_id_1,user_id_2
+# VERTEX_ADMIN_USER_IDS=admin_id_1,admin_id_2
+# VERTEX_PREMIUM_EMAILS=premium@example.com
+# VERTEX_ADMIN_EMAILS=admin@example.com
 
 # GitHub Personal Access Token
 # Required permissions: repo (read access)
@@ -44,6 +47,4 @@ LANGSMITH_ENDPOINT=https://api.smith.langchain.com
 LANGSMITH_TRACING=true
 LANGCHAIN_PROJECT=somm-dev-local
 
-# RAG Enrichment - Synthetic API (free tier for embeddings)
-# Get API key from: https://synthetic.new/
-SYNTHETIC_API_KEY=your_synthetic_api_key_here
+

backend/app/api/routes/admin.py

@@ -0,0 +1,126 @@
+"""Admin API routes for user role/plan management.
+
+Only accessible by users with role='admin' or listed in VERTEX_ADMIN_USER_IDS/EMAILS.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+from bson import ObjectId
+from bson.errors import InvalidId
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel, Field
+
+from app.api.deps import User, get_current_user
+from app.database.repositories.user import UserRepository
+from app.services.provider_routing import _is_admin
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/admin", tags=["admin"])
+
+VALID_ROLES = {"user", "admin"}
+VALID_PLANS = {"free", "premium", "pro", "enterprise"}
+
+
+async def require_admin(user: User = Depends(get_current_user)) -> User:
+    """Dependency that requires the current user to be an admin."""
+    user_repo = UserRepository()
+    user_doc = await user_repo.get_by_id(user.id)
+    if not _is_admin(user_doc):
+        raise HTTPException(status_code=403, detail="Admin access required")
+    return user
+
+
+class UserRoleUpdate(BaseModel):
+    role: str | None = Field(None, description="User role (user, admin)")
+    plan: str | None = Field(
+        None, description="User plan (free, premium, pro, enterprise)"
+    )
+
+
+class AdminUserResponse(BaseModel):
+    id: str
+    username: str
+    email: str | None = None
+    github_id: str | None = None
+    avatar_url: str | None = None
+    role: str = "user"
+    plan: str = "free"
+    created_at: str | None = None
+
+
+def _to_admin_response(u: dict) -> AdminUserResponse:
+    return AdminUserResponse(
+        id=str(u["_id"]),
+        username=u.get("username", ""),
+        email=u.get("email"),
+        github_id=str(u.get("github_id", "")),
+        avatar_url=u.get("avatar_url"),
+        role=u.get("role", "user"),
+        plan=u.get("plan", "free"),
+        created_at=str(u.get("created_at", "")),
+    )
+
+
+@router.get("/users", response_model=list[AdminUserResponse])
+async def list_users(
+    _admin: User = Depends(require_admin),
+) -> list[AdminUserResponse]:
+    """List all users with their roles and plans."""
+    user_repo = UserRepository()
+    users = await user_repo.list(limit=500)
+    return [_to_admin_response(u) for u in users]
+
+
+@router.patch("/users/{user_id}", response_model=AdminUserResponse)
+async def update_user_role(
+    user_id: str,
+    update: UserRoleUpdate,
+    _admin: User = Depends(require_admin),
+) -> AdminUserResponse:
+    """Update a user's role and/or plan."""
+    try:
+        ObjectId(user_id)
+    except (InvalidId, Exception):
+        raise HTTPException(status_code=400, detail="Invalid user ID format")
+
+    update_data: dict[str, Any] = {}
+
+    if update.role is not None:
+        if update.role not in VALID_ROLES:
+            raise HTTPException(
+                status_code=400,
+                detail=f"Invalid role: {update.role}. Must be one of {VALID_ROLES}",
+            )
+        if update.role != "admin" and user_id == _admin.id:
+            raise HTTPException(
+                status_code=400,
+                detail="Cannot demote yourself. Ask another admin.",
+            )
+        update_data["role"] = update.role
+
+    if update.plan is not None:
+        if update.plan not in VALID_PLANS:
+            raise HTTPException(
+                status_code=400,
+                detail=f"Invalid plan: {update.plan}. Must be one of {VALID_PLANS}",
+            )
+        update_data["plan"] = update.plan
+
+    if not update_data:
+        raise HTTPException(status_code=400, detail="No fields to update")
+
+    user_repo = UserRepository()
+    updated = await user_repo.update_user(user_id, update_data)
+
+    if not updated:
+        raise HTTPException(status_code=404, detail="User not found")
+
+    logger.info(
+        "[Admin] User %s updated: %s by admin %s", user_id, update_data, _admin.id
+    )
+
+    return _to_admin_response(updated)

backend/app/api/routes/evaluate.py

@@ -63,7 +63,7 @@ class EvaluateRequest(BaseModel):
     )
     provider: str | None = Field(
         default=None,
-        description="LLM provider (gemini, openai, anthropic)",
+        description="LLM provider (gemini, vertex)",
     )
     model: str | None = Field(
         default=None,
@@ -296,12 +296,17 @@ async def get_result(
     """
     # Check if this is a public demo evaluation
     is_public_demo = evaluation_id in PUBLIC_DEMO_EVALUATIONS
-    
+
     # Require auth for non-public evaluations
     if not is_public_demo and user is None:
         raise CorkedError("Authentication required to view this evaluation")
-    
+
     try:
+        if not is_public_demo:
+            progress = await get_evaluation_progress(evaluation_id)
+            if progress.get("user_id") != user.id:
+                raise CorkedError("Access denied: evaluation belongs to another user")
+
         result = await get_evaluation_result(evaluation_id)
     except EmptyCellarError:
         raise EmptyCellarError(f"Evaluation not found: {evaluation_id}") from None

backend/app/core/config.py

@@ -38,8 +38,15 @@ class Settings(BaseSettings):
 
     # LLM APIs
     GEMINI_API_KEY: str = ""
-    OPENAI_API_KEY: str = ""
-    ANTHROPIC_API_KEY: str = ""
+
+    # Vertex AI Express (API key auth)
+    VERTEX_API_KEY: str = ""
+    GOOGLE_CLOUD_PROJECT: str = ""
+    GOOGLE_CLOUD_LOCATION: str = "asia-northeast3"
+    VERTEX_PREMIUM_USER_IDS: str = ""
+    VERTEX_ADMIN_USER_IDS: str = ""
+    VERTEX_PREMIUM_EMAILS: str = ""
+    VERTEX_ADMIN_EMAILS: str = ""
 
     # LangSmith Tracing (optional - enables LangGraph monitoring)
     LANGSMITH_API_KEY: str = ""
@@ -56,14 +63,10 @@ class Settings(BaseSettings):
     # Optional: Rate Limiting
     RATE_LIMIT_PER_MINUTE: int = 60
 
-    # RAG Enrichment (adds context retrieval before evaluation)
+    # RAG Enrichment (Gemini embeddings + Google Search grounding)
     RAG_ENABLED: bool = True
     RAG_TOP_K: int = 4
-    RAG_EMBEDDING_MODEL: str = "hf:nomic-ai/nomic-embed-text-v1.5"
-
-    # Synthetic API (for embeddings - free tier)
-    SYNTHETIC_API_KEY: str = ""
-    SYNTHETIC_BASE_URL: str = "https://api.synthetic.new/openai/v1"
+    RAG_EMBEDDING_MODEL: str = "gemini-embedding-001"
 
     # Server settings
     PORT: int = 8000

backend/app/graph/grand_tasting_graph.py

@@ -30,6 +30,8 @@
     CellarNotesNode,
 )
 from app.graph.nodes.rag_enrich import rag_enrich
+from app.graph.nodes.web_search_enrich import web_search_enrich
+from app.graph.nodes.code_analysis_enrich import code_analysis_enrich
 
 
 def create_grand_tasting_graph():
@@ -54,8 +56,17 @@ def create_grand_tasting_graph():
         "terroir",
     ]
 
+    enrichment_nodes = []
+
     if settings.RAG_ENABLED:
         builder.add_node("rag_enrich", rag_enrich)
+        enrichment_nodes.append("rag_enrich")
+
+    builder.add_node("web_search_enrich", web_search_enrich)
+    enrichment_nodes.append("web_search_enrich")
+
+    builder.add_node("code_analysis_enrich", code_analysis_enrich)
+    enrichment_nodes.append("code_analysis_enrich")
 
     builder.add_node("aroma", aroma.evaluate)
     builder.add_node("palate", palate.evaluate)
@@ -66,13 +77,10 @@ def create_grand_tasting_graph():
     builder.add_node("terroir", terroir.evaluate)
     builder.add_node("cellar", cellar.evaluate)
 
-    if settings.RAG_ENABLED:
-        builder.add_edge("__start__", "rag_enrich")
-        for node in parallel_nodes:
-            builder.add_edge("rag_enrich", node)
-    else:
+    for enrich_node in enrichment_nodes:
+        builder.add_edge("__start__", enrich_node)
         for node in parallel_nodes:
-            builder.add_edge("__start__", node)
+            builder.add_edge(enrich_node, node)
 
     for node in parallel_nodes:
         builder.add_edge(node, "cellar")

backend/app/graph/graph.py

@@ -15,16 +15,17 @@
 from app.graph.nodes.laurent import LaurentNode
 from app.graph.nodes.jeanpierre import JeanPierreNode
 from app.graph.nodes.rag_enrich import rag_enrich
+from app.graph.nodes.web_search_enrich import web_search_enrich
+from app.graph.nodes.code_analysis_enrich import code_analysis_enrich
 
 
 def create_evaluation_graph():
     """Create and configure the evaluation graph.
 
     The graph follows a fan-out/fan-in pattern:
-    - Optional: RAG enrichment node runs first (if RAG_ENABLED)
-    - Fan-out: 5 sommelier nodes run in parallel
-    - Fan-in: All must complete before Jean-Pierre synthesis
-    - End: Jean-Pierre connects to END after synthesis
+    - Stage 1: RAG enrichment + Web Search run in parallel
+    - Stage 2: 5 sommelier nodes run in parallel (after both enrichments complete)
+    - Stage 3: Jean-Pierre synthesis (after all sommeliers complete)
 
     Returns:
         Compiled LangGraph with MongoDB checkpointer for state persistence.
@@ -39,9 +40,17 @@ def create_evaluation_graph():
     builder = StateGraph(EvaluationState)
 
     sommelier_nodes = ["marcel", "isabella", "heinrich", "sofia", "laurent"]
+    enrichment_nodes = []
 
     if settings.RAG_ENABLED:
         builder.add_node("rag_enrich", rag_enrich)
+        enrichment_nodes.append("rag_enrich")
+
+    builder.add_node("web_search_enrich", web_search_enrich)
+    enrichment_nodes.append("web_search_enrich")
+
+    builder.add_node("code_analysis_enrich", code_analysis_enrich)
+    enrichment_nodes.append("code_analysis_enrich")
 
     builder.add_node("marcel", marcel.evaluate)
     builder.add_node("isabella", isabella.evaluate)
@@ -50,13 +59,10 @@ def create_evaluation_graph():
     builder.add_node("laurent", laurent.evaluate)
     builder.add_node("jeanpierre", jeanpierre.evaluate)
 
-    if settings.RAG_ENABLED:
-        builder.add_edge("__start__", "rag_enrich")
-        for node in sommelier_nodes:
-            builder.add_edge("rag_enrich", node)
-    else:
-        for node in sommelier_nodes:
-            builder.add_edge("__start__", node)
+    for enrich_node in enrichment_nodes:
+        builder.add_edge("__start__", enrich_node)
+        for sommelier in sommelier_nodes:
+            builder.add_edge(enrich_node, sommelier)
 
     for node in sommelier_nodes:
         builder.add_edge(node, "jeanpierre")