refactor: FastAPI migration — unify MCP + A2A + Admin into single process#1066
Merged
refactor: FastAPI migration — unify MCP + A2A + Admin into single process#1066
Conversation
Schema alignment tests were silently skipping in CI because the schemas/ directory is gitignored. Replace file-path-based schema loading with on-demand HTTP download from adcontextprotocol.org with local caching. Also remove stale --ignore flags in CI workflow and test runner that pointed to files already moved to tests/integration_v2/. Surfaced pre-existing spec drift (tracked separately): - GetSignalsRequest missing signal_ids and pagination fields - GetProductsRequest missing brand, catalog, buyer_campaign_ref fields
…sRequest GetProductsRequest: add brand, catalog, buyer_campaign_ref (spec fields not yet in adcp library v3.2.0). Prevents extra_forbidden rejections for spec-compliant requests. GetSignalsRequest: add signal_ids and pagination (same pattern). Update test_adcp_contract.py drift assertions with explicit allowlists for locally-extended spec fields. All 2003 unit tests pass, 25/25 schema alignment tests pass.
Some e2e tests read os.environ directly for port lookup (e.g., test_a2a_endpoints_working.py, test_landing_pages.py). Previously these vars were only set in the subprocess env dict, not in the test process itself.
Replace gutted test_adcp_full_lifecycle.py with a real 4-phase lifecycle test (get_products -> create_media_buy -> sync_creatives -> delivery). Delete 4 dead files: placeholder tests and obsolete strategy simulation.
Add three new unit test suites for migration safety net: - test_auth_consistency: verifies auth middleware behavior across all MCP tools (missing token, invalid token, anonymous discovery access) - test_error_format_consistency: verifies error shapes across MCP and A2A transports, including cross-transport consistency - test_response_shapes: verifies serialized response structure for all major AdCP operations via model_dump(mode="json") Also applies ruff formatting fixes to touched files.
…t_creatives Complete the coverage matrix for the two core tools that were missing shape and error path tests: - UpdateMediaBuySuccess: field types, affected_packages nesting, internal field exclusion - ListCreativesResponse: creative fields, query_summary, pagination, format_id structure - Error paths: missing context/auth for both MCP and A2A transports
6-atom workflow per UC: read-scenarios (trace contextgit) → cross-reference (classify coverage) → review → triage → implement → commit. Each atom runs in fresh context to prevent drift across 130+ scenarios. Formula cooked into 55 atoms under epic salesagent-72th.
…req scenarios Maps BDD scenarios from adcp-req (BR-UC-001 through BR-UC-009) into behavioral snapshot tests that lock current salesagent behavior before FastAPI migration. Each test file covers one use case: - UC-001: get_products (32 tests) - ranking, access control, pricing - UC-002: create_media_buy (18 tests) - validation, creative pipeline - UC-003: update_media_buy (13 tests) - flight dates, budget, packages - UC-004: delivery (21 tests) - orchestration, circuit breaker, filters - UC-005: creative_formats (17 tests) - sort order, filters, boundaries - UC-006: sync_creatives (16 tests) - status transitions, Slack guards - UC-007: authorized_properties (31 tests) - policy assembly, context echo - UC-009: performance_index (9 tests) - mapping, batch, A2A validation UC-008 (signals) excluded - dead code path.
…iveStatus enum Two changes: 1. Add ruff TID251 banned-api rule for inspect.getsource() — structural tests that grep source code provide zero regression protection. 6 existing violations flagged (to be replaced with behavioral tests). 2. Fix build_creative default status from 'active' (invalid) to 'processing' (valid CreativeStatus enum value). This broke test_four_phase_lifecycle e2e test.
Replaced all tautological structural tests (grep-as-test anti-pattern) with real behavioral tests that exercise actual code paths: - test_create_media_buy_behavioral: 2 tests now call _create_media_buy_impl to verify CREATIVE_UPLOAD_FAILED and CREATIVES_NOT_FOUND error codes - test_dry_run_no_persistence: removed redundant structural test (covered by existing test_dry_run_returns_simulated_response) - test_gam_placement_targeting: 2 tests call _update_media_buy_impl to verify invalid_placement_ids and placement_targeting_not_supported errors - test_incremental_sync_stale_marking: 2 tests call _run_sync_thread to verify incremental sync skips stale marking while full sync calls it - test_inventory_adapter_restrictions: test calls MockAdServer directly to verify no-targeting requests are accepted without validation errors inspect.getsource() is now banned via ruff TID251 (previous commit).
…a2a tests
3 unit tests were silently skipping due to importing core_get_signals_tool
which was removed (signals is dead code). The overly broad except clause
`if "a2a" in str(e)` matched the module path in the error message,
producing a misleading "a2a library not available" skip.
Changes:
- Remove all core_get_signals_tool references from test imports/assertions
- Fix test_async_functions: list_creatives and sync_creatives are sync, not
async — this was a hidden bug masked by the bogus skip
- Tighten ImportError handling in 8 test files (3 unit + 5 e2e): use
`e.name.startswith("a2a")` to only catch actual a2a-sdk library absence,
not any ImportError from modules whose path contains "a2a"
Result: 3 previously-skipped tests now pass (10/10 in file, 0 skipped)
…e tests Signals is dead code (UC-008) — removed from both MCP and A2A transports. But 4 test files still referenced GetSignalsRequest/get_signals in their test matrices, producing 2 misleading skips and stale test coverage. Changes: - test_pydantic_schema_alignment.py: remove GetSignalsRequest from SCHEMA_TO_MODEL_MAP (eliminates 2 skipped tests) - test_mcp_tool_type_alignment.py: remove get_signals from tool-schema pair list - a2a_response_validator.py: remove get_signals from expected skill fields and handler methods Result: 2244 passed, 0 skipped (was 2243 passed, 5 skipped)
…rsions Replace all hardcoded GAM API version strings (v202411, v202505) with the GAM_API_VERSION constant from constants.py. The v202411 version has been deprecated and disabled by Google, causing API calls to fail with ApiVersionError.UPDATE_TO_NEWER_VERSION.
- Add 11 GAM e2e tests verifying real API connectivity: connection, inventory discovery, advertiser listing, adapter init, health checks - Fix GAMHealthChecker to support service_account_json (was key_file only) - Fix GAMHealthChecker to pass network_code from client manager - Fix SOAP object attribute access in health checker (use [] not .get()) - Add GAM fixtures to e2e conftest with credential auto-discovery - Gate tests behind @pytest.mark.requires_gam marker Test network: 23341594478 (salesagent-e2e service account)
Only use environment variables (GAM_SERVICE_ACCOUNT_JSON, GAM_SERVICE_ACCOUNT_KEY_FILE) for GAM test credentials.
Converts the manual GAM automation test script into proper pytest e2e tests that create real GAM orders via the adapter, verify line item types, and test archive lifecycle operations. 5 tests covering: non-guaranteed CPM orders (PRICE_PRIORITY), guaranteed CPM orders (STANDARD), advertiser verification, order archival, and guaranteed activation workflow.
Expand test coverage to include order lifecycle management: - test_pause_media_buy: pause via adapter's update_media_buy - test_pause_then_archive_order: create → pause → archive flow (mirrors manual script's test_lifecycle_archive_order) - Add Principal seed data for MediaBuy FK constraint - Add _persist_media_buy helper for lifecycle tests that need DB records (update_media_buy requires MediaBuy/MediaPackage) All 6 tests verified against real GAM API.
GAM SDK returns zeep CompoundValue objects, not Python dicts.
These support obj["key"] and "key" in obj, but NOT obj.get().
Fixed in orders.py:
- get_order_status: result.get("results") → "results" in result
- archive_order: result.get("numChanges", 0) → bracket access
- get_order_line_items: removed isinstance(result, dict) guard
- check_order_has_guaranteed_items: same pattern
- update_line_item_budget: same pattern
- _update_line_item_status: same pattern
- approve_order: getattr → bracket access for consistency
Fixed in creatives.py:
- line_item.get("creativeRotationType") → bracket access
Closes salesagent-mzpq
… vulnerable deps - Add buying_mode field to GetProductsRequest (new required field in AdCP spec) - Move pagination out of internal-only section (it's in the spec) - Update contract test allowlist for buying_mode - Update Flask 3.1.2→3.1.3 (GHSA-68rp-wp8r-4726) - Update Werkzeug 3.1.5→3.1.6 (GHSA-29vq-49wr-vm6x) - Fix pre-existing formatting in tests/e2e/conftest.py
- Update schema validation test: buying_mode is now required per AdCP spec - Relax delivery assertion in lifecycle test: mock adapter may return empty deliveries for freshly created media buys (matches reference test behavior)
- Bump fastmcp>=3.0.2 for combine_lifespans and better FastAPI integration - Create src/app.py as central FastAPI application with MCP mounted at /mcp - Update scripts/run_server.py to use uvicorn instead of mcp.run() subprocess - Fix tests for FastMCP v3 API changes (_tool_manager removed, use get_tool())
- Add A2A routes directly to FastAPI app via add_routes_to_app() - Move auth and messageId compatibility middleware to src/app.py - Add dynamic agent card endpoints with tenant-specific URLs - Remove main() and standalone execution from adcp_a2a_server.py (~300 lines) - Remove A2A subprocess from run_all_services.py
…anagement tools - Mount Flask admin via WSGIMiddleware at /admin, /static, /auth, /api, etc. - Add landing page routes (/, /landing) as FastAPI endpoints - Extract list_tasks, get_task, complete_task into src/core/tools/task_management.py - Remove unified_mode block from main.py (~350 lines) - Register task management tools unconditionally (13 MCP tools total) - Update test patches to target new module path
…outer - Create src/routes/health.py with APIRouter for all 8 endpoints - Remove all @mcp.custom_route decorators from main.py - Include health router in src/app.py via app.include_router() - Update test patches to target canonical import locations - Endpoints unchanged: /health, /health/config, /admin/reset-db-pool, /debug/db-state, /debug/tenant, /debug/root, /debug/landing, /debug/root-logic
- Update all nginx configs to route to single upstream (localhost:8080) - Remove admin-ui service from docker-compose.yml and docker-compose.e2e.yml - Remove run_admin_ui() and run_a2a_server() from run_all_services.py - Set A2A_PORT = MCP_PORT in e2e test infrastructure (same process) - Simplify health checks to single server check - Update run_all_tests.sh port allocation (2 ports instead of 4) Before: 3 processes (MCP:8080, A2A:8091, Admin:8001) behind nginx After: 1 FastAPI process (8080) behind nginx
Replace asyncio.new_event_loop() + run_until_complete() calls with run_async_in_sync_context() from validation_helpers, which correctly handles both sync and async caller contexts via a thread pool. This eliminates the deadlock risk when get_format() or list_available_formats() are called from an async context (e.g., FastMCP tools). Also applies the same fix to list_available_formats(), removing its hand-rolled dual-path asyncio detection logic in favor of the shared helper.
All /debug/* route handlers are now grouped under a dedicated sub-router with a FastAPI dependency that returns 404 when ADCP_TESTING is not set, preventing internal state exposure in production.
…nd dicts) - Remove ApproveAdaptationRequest and ApproveAdaptationResponse placeholder classes (no external references found in src/ or tests/) - Remove load_media_buys_from_db() no-op function - Remove load_tasks_from_db() deprecated no-op function - Remove in-memory media_buys dict (written but never read) - Remove corresponding write to media_buys in media_buy_create.py - Remove pydantic BaseModel import that was only used by removed classes - Remove stale patches of src.core.main.media_buys in unit tests
…eption handling - Remove sys.path manipulation (no longer needed in unified FastAPI app) - Remove logging.basicConfig() that overrode app-level logging config - Change bare except: to except Exception: to avoid swallowing SystemExit/KeyboardInterrupt
- Make ASGI receive callable async (Starlette requires await receive()) - Fix CORS: use ALLOWED_ORIGINS env var instead of wildcard with credentials - Validate Apx-Incoming-Host header against hostname regex before use - Remove duplicate /agent.json route registration - Move reset-db-pool endpoint to /_internal/ to avoid WSGI mount shadowing - Document middleware execution order (CORS outermost, then messageId, then auth) - Add warning log when _replace_routes() finds no matching SDK route paths - Wrap sync DB calls in asyncio.to_thread() to avoid blocking the event loop Co-Authored-By: Konst <noreply@anthropic.com>
Remove _auth_context_var ContextVar that was only consumed by A2A handler as a fallback when ServerCallContext was not provided. In production this fallback was unreachable since AdCPCallContextBuilder always populates context.state["auth_context"]. Changes: - Add tests/a2a_helpers.py with make_a2a_context() test helper - Migrate 33 test callsites from _auth_context_var.set() to passing explicit ServerCallContext via make_a2a_context() - Remove ContextVar fallback from _get_auth_token() and _resolve_a2a_identity() in A2A handler - Remove ContextVar write from UnifiedAuthMiddleware (scope["state"] only) - Remove _auth_context_var and get_current_auth_context() from auth_context.py - Remove 3 ContextVar tests from test_unified_auth_middleware.py - Add 7 behavioral regression tests in test_no_contextvar_in_a2a.py
…leware UnifiedAuthMiddleware now checks x-adcp-auth before Authorization: Bearer (matching resolved_identity._extract_auth_token priority) and uses case-insensitive Bearer prefix matching per RFC 7235 Section 2.1. Previously, Authorization took priority and only capital-B "Bearer" matched, which disagreed with the resolve_identity fallback path used by MCP.
…ions - Export GetAuthContext, ResolveAuth, RequireAuth as Annotated type aliases (FastAPI 0.95+ pattern) alongside backward-compatible Depends instances - Type context_builder.build(request) as Request instead of object - Fix _log_a2a_operation params: dict[str, Any] | None, str | None
- Replace sequential task_id (len(self.tasks)+1) with uuid4 hex to prevent
collisions under concurrent access
- Remove logger.info("[DEBUG]...") lines that leaked debug instrumentation
into production INFO logs
- Change 3 unimplemented skill stubs from returning {"success": False} dicts
to raising ServerError(UnsupportedOperationError) per A2A SDK protocol
- Add regression tests for all 3 fixes
- Remove ContextVar references from app.py comments (uses scope["state"] now) - Update architecture.md diagram to show unified FastAPI app with nginx proxy - Fix security.md code sample to use SQLAlchemy 2.0 select() pattern - Remove SQLite references from config_loader.py and validation_helpers.py - Add guard tests to prevent stale content from reappearing
…onstant, portable paths
- Wrap AuthContext.headers in MappingProxyType via __post_init__ to prevent
mutation of frozen dataclass internals
- Extract AUTH_CONTEXT_STATE_KEY constant and use it in middleware,
context_builder, handler, and test helpers (replaces 5+ string literals)
- Convert all test open("src/...") calls to pathlib relative to __file__
for CWD-independent execution
- Add regression tests for all 3 hardening items
…ty internals Move set_current_tenant() calls out of resolver internals (_detect_tenant, get_principal_from_token, resolve_identity) and into transport boundaries (REST auth deps, A2A handler, MCP wrapper). get_principal_from_token() now returns (principal_id, tenant_dict) tuple instead of mutating global state. Also fixes pre-existing mypy errors in auth_context.py (MappingProxyType vs dict type mismatch).
…actored auth - xfail schema alignment tests that validate against /schemas/latest/ (a moving target ahead of the adcp library we depend on — no versioned URLs exist) - Replace hardcoded 2026-03-01 dates with relative future dates to prevent "start time in the past" validation failures - Update tenant isolation test to match post-4csg architecture where get_principal_from_context returns tenant context instead of setting ContextVar
Collaborator
Author
|
Fixed the time-based test (1st of March is in the past now), updated the test for authenticated context as it works differently now. |
KonstantinMirin
added a commit
to KonstantinMirin/prebid-salesagent
that referenced
this pull request
Mar 1, 2026
Merges KonstantinMirin/refactor-fastapi-migration into adcp-v3.6-upgrade. Key changes from PR prebid#1066: - UnifiedAuthMiddleware replaces 3 separate auth middlewares (ASGI) - MCPAuthMiddleware pre-resolves identity via ctx.get_state() - REST auth via FastAPI Depends (Annotated types) - A2A CallContextBuilder threads SDK context to handlers - ContextVar dual-write eliminated from A2A and tenant paths - Shared http_utils.get_header_case_insensitive() Conflict resolutions (13 files): - auth_utils.py: removed dead config_loader import (PR1066 correct) - schemas.py: kept v3.6 min/max constraints, removed v3.2 field overrides now in library (brand, catalog, pagination, buyer_campaign_ref); kept account as local extension (different from library account_id) - media_buy_create.py: adopted MCPAuthMiddleware state pattern - media_buy_list.py: kept v3.6 UoW/repository pattern + AdCPAuthenticationError, adopted MCPAuthMiddleware identity resolution - adcp_a2a_server.py: kept brand_manifest backward compat normalization, used v3.6 field names (brand not brand_manifest), removed obsolete auth resolution (identity now passed as parameter) - Tests: v3.6 field names (brand) + PR1066 auth patterns (identity=) - Guard updates: allowlisted 4 model_dump violations from PR1066 in media_buy_create.py, corrected stale line numbers All quality gates pass: 3211 unit tests (140 new from PR1066).
7 tasks
KonstantinMirin
added a commit
to KonstantinMirin/prebid-salesagent
that referenced
this pull request
Mar 1, 2026
- Update integration_v2 A2A tests to use _resolve_a2a_identity mock instead of removed get_principal_from_token (PR prebid#1066 refactor) - Add SyncCreativesRequest to schema-library mismatch allowlist (account, idempotency_key added to online spec) - Convert 10 pytest.mark.skip to xfail(run=False) in test_media_buy.py to satisfy no-skip-decorator smoke test
ChrisHuie
reviewed
Mar 1, 2026
| else: | ||
| host = _get_header_case_insensitive(request.headers, "Host") or "" | ||
| sales_domain = get_sales_agent_domain() | ||
| if host and host != sales_domain: |
Contributor
There was a problem hiding this comment.
would add the _is_valid_hostname(host) similar to above with apx_incoming_host
ChrisHuie
reviewed
Mar 1, 2026
src/core/tools/media_buy_create.py
Outdated
| @@ -2249,7 +2261,7 @@ def unwrap_po(po: Any) -> Any: | |||
| # Lazy import to avoid circular dependency with main.py | |||
| from src.core.main import get_product_catalog | |||
Contributor
There was a problem hiding this comment.
this imports the old get_product_catalog before your changes. Should be => from src.core.tools.products import get_product_catalog
ChrisHuie
reviewed
Mar 1, 2026
src/core/auth_utils.py
Outdated
| # Check if it's the admin token for this specific tenant | ||
| tenant_stmt = select(Tenant).filter_by(tenant_id=tenant_id, is_active=True) | ||
| tenant_obj = session.scalars(tenant_stmt).first() | ||
| if tenant_obj and tenant_obj.admin_token == token: |
Contributor
There was a problem hiding this comment.
webhook_verification and webhook_authenticator both use hmac for constant-time comparison over ==
would think about going something like this instead maybe...
import hmac
if tenant_obj and tenant_obj.admin_token and hmac.compare_digest(tenant_obj.admin_token, token):
Contributor
|
Got this from claude but not sure if it 100% true. Would ask your agent to maybe investigate further to see if it is an issue? TENANT-1 — TenantContext vs dict Type Mismatch (Medium) The chain of events: Step 1 — resolve_identity() wraps tenant dicts in TenantContext (src/core/resolved_identity.py:184-192): Step 2 — Transport boundaries pass it to set_current_tenant() without conversion: src/core/auth_context.py:91-94 (REST): src/a2a_server/adcp_a2a_server.py:207-210 (A2A): Step 3 — But set_current_tenant is typed for dict (src/core/config_loader.py:184): Step 4 — Downstream code checks isinstance(tenant, dict) and gets False: src/core/helpers/context_helpers.py:79 (ensure_tenant_context): Falls through to Step 4: redundant DB lookup by tenant_idWhy it doesn't crash: TenantContext implements getitem, get(), contains, keys() (lines 64-82 of tenant_context.py), so tenant["tenant_id"] works. Most code paths survive via fallbacks. But Fix: Either update isinstance checks to isinstance(tenant, (dict, TenantContext)), or convert to dict before calling set_current_tenant(): |
ChrisHuie
reviewed
Mar 1, 2026
src/a2a_server/adcp_a2a_server.py
Outdated
| include_snapshot=parameters.get("include_snapshot", False), | ||
| account_id=parameters.get("account_id"), | ||
| context=parameters.get("context"), | ||
| ctx=tool_context, |
Contributor
There was a problem hiding this comment.
why not identity=identity ?
Collaborator
Author
There was a problem hiding this comment.
Good catch — fixed in ed27fc9. Now passes identity=identity directly (matching update_media_buy at line 1825) and removes the unnecessary tool_context construction.
…ly in A2A handler
resolve_identity() wraps tenant dicts in TenantContext (Pydantic model), but downstream isinstance(tenant, dict) checks failed silently for TenantContext, causing redundant DB queries on every request. Fix: set_current_tenant() now normalizes TenantContext and LazyTenantContext to plain dict before storing in the ContextVar. This is the single conversion point - callers pass whatever they have and the ContextVar always holds dict[str, Any]. Also removes isinstance(identity.tenant, dict) guards in context_helpers.py that are no longer needed since the normalization happens at the storage boundary.
…n product loader The conversion layer rejected auction CPC with a stale restriction from adcp 2.5.0 (commit d8c9019). The adcp library (now 3.2.0) explicitly supports auction CPC via CpcPricingOption with floor_price/price_guidance fields. Removes try/except ValueError/continue in both product loaders (products.py and main.py) that silently dropped unconvertible products — violating the "No Quiet Failures" principle.
8 tasks
Collaborator
Author
|
@ChrisHuie than you for catching a few important issues. I went on looking for similar and found some. Filed a ticket for everything not addressed yet here #1078 I would like to get to it after merging this and outstanding 3.6 migration work. Reason being simple - fixing now would force merges/reviews in all the derived PRs. Even though it is a good thing to do, it doesn't really matter if we address this now or then. That said, if the decision is to address it now, I'll get to it. |
KonstantinMirin
added a commit
to KonstantinMirin/prebid-salesagent
that referenced
this pull request
Mar 2, 2026
ChrisHuie
reviewed
Mar 2, 2026
src/core/tools/media_buy_list.py
Outdated
| from src.core.helpers.context_helpers import ensure_tenant_context | ||
|
|
||
| if identity is None: | ||
| raise ToolError("Identity is required") |
Contributor
There was a problem hiding this comment.
do we want these to raise ToolError or AdCPError
Collaborator
Author
There was a problem hiding this comment.
Sharp catch — you're exactly right. ToolError is an MCP transport concern (fastmcp.exceptions) and should never appear in shared _impl() functions that are called by MCP, A2A, and REST transports.
Fixed in 48d5bf3:
- Replaced
raise ToolError("Identity is required")→raise AdCPAuthenticationError(...) - Replaced
raise ToolError("account_id filtering is not yet supported")→raise AdCPValidationError(...) - Added regression tests that guard against MCP types leaking back into
_implcode - Also cleaned up stale ToolError references in docstrings/comments across
products.py,creative_helpers.py, andmedia_buy_create.py(code already used domain exceptions, comments were just outdated)
The MCP wrapper at line 242 still raises ToolError correctly — that IS the transport boundary where with_error_logging translates domain exceptions → ToolError for the MCP wire format.
_get_media_buys_impl raised ToolError (MCP transport type) instead of domain exceptions. Since _impl functions are shared across MCP, A2A, and REST transports, they must use AdCPError hierarchy exclusively. - Replace ToolError raises with AdCPAuthenticationError/AdCPValidationError - Update stale ToolError references in docstrings and comments - Add regression tests guarding against MCP type leakage into _impl code - Remove unused AdCPAdapterError import from integration test
ChrisHuie
approved these changes
Mar 2, 2026
KonstantinMirin
added a commit
to KonstantinMirin/prebid-salesagent
that referenced
this pull request
Mar 2, 2026
PR prebid#1066 was merged to main as a squash commit (7d2b1d9). This branch already contained prebid#1066 via a full merge (4899ab5). All 37 conflicts resolved by keeping ours — our branch has the combined prebid#1066 + prebid#1071 changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1050
Summary
Unify the three separate processes (MCP, A2A, Flask Admin) into a single FastAPI process with clean separation of concerns — and fix the test suite from 138 warnings / flaky failures to 3,490 passing tests, 0 warnings, 51% line coverage.
The core problem
Every transport (MCP, A2A, Admin) reimplemented auth extraction, tenant resolution, error formatting, and serialization. Every
_impl()function reached into framework concerns — reading tenant from ContextVars, callingset_current_tenant(), catching transport-specificToolError. This made it impossible to add a transport without duplicating all of that, and impossible to change any of it without touching every transport.What changed: data flow unification
The key idea is that each concern is handled exactly once, in one place.
Before: every layer does everything
Each handler and
_impl()function mixes auth, tenant resolution, error handling, serialization, and version compat. Adding a new tool means copying all of it.flowchart TD subgraph MCP["MCP Handler"] M1[Extract auth token] M2[Call _impl] M3[set_current_tenant] M4[get_current_tenant from ContextVar] M5[get_adapter via ContextVar] M6[Catch ToolError] M7[response.model_dump] M8[add_v2_compat] M1 --> M2 --> M3 --> M4 --> M5 --> M6 --> M7 --> M8 end subgraph A2A["A2A Handler"] A1[Extract auth token] A2[Validate parameters manually] A3[Call _impl] A4[set_current_tenant] A5[get_current_tenant from ContextVar] A6[get_adapter via ContextVar] A7[Return error dict] A8[Serialize for A2A] A1 --> A2 --> A3 --> A4 --> A5 --> A6 --> A7 --> A8 end style M1 fill:#f9c74f style A1 fill:#f9c74f style M3 fill:#f4845f style M4 fill:#f4845f style A4 fill:#f4845f style A5 fill:#f4845f style M6 fill:#c1121f style A7 fill:#c1121f style M7 fill:#90be6d style M8 fill:#90be6d style A8 fill:#90be6d style A2 fill:#577590🟡 Auth 🔴 Tenant ContextVar 🔵 Validation 🟢 Serialization — all duplicated across transports and mixed into
_impl()After: each concern lives in one layer
flowchart TD subgraph boundary["Transport Boundary (MCP / A2A / REST)"] direction TB B1["Auth extraction → principal_id"] B2["Tenant resolution → LazyTenantContext"] B3["Build ResolvedIdentity"] B1 --> B2 --> B3 end subgraph impl["Business Logic (_impl)"] direction TB I1["Receive (request, identity)"] I2["identity.tenant_id — no DB query"] I3["identity.tenant.ad_server — lazy DB load"] I4["get_adapter(tenant=tenant) — explicit"] I5["Raise AdCPError — transport-agnostic"] I6["Return typed response model"] I1 --> I2 --> I3 --> I4 --> I5 --> I6 end subgraph translate["Error Boundary"] direction TB E1["AdCPError → ToolError (MCP)"] E2["AdCPError → ServerError (A2A)"] E3["AdCPError → JSON 4xx (REST)"] end subgraph serial["Response"] direction TB S1["Framework serializes model"] S2["Version compat transform"] end boundary --> impl --> translate --> serial style B1 fill:#f9c74f style B2 fill:#f9c74f style B3 fill:#f9c74f style I1 fill:#4895ef style I2 fill:#4895ef style I3 fill:#4895ef style I4 fill:#4895ef style I5 fill:#4895ef style I6 fill:#4895ef style E1 fill:#c1121f,color:#fff style E2 fill:#c1121f,color:#fff style E3 fill:#c1121f,color:#fff style S1 fill:#90be6d style S2 fill:#90be6d🟡 Auth + tenant — resolved once at boundary 🔵 Business logic — pure functions, no global state 🔴 Errors — translated at the edge 🟢 Serialization — framework handles it
Data flow through the layers
sequenceDiagram participant T as Transport<br/>(MCP / A2A / REST) participant B as Boundary<br/>(resolve_identity) participant I as _impl()<br/>(business logic) participant L as LazyTenantContext participant DB as Database T->>B: incoming request + auth token B->>B: extract principal_id from token B->>B: resolve tenant_id from header/subdomain B->>B: create LazyTenantContext(tenant_id) Note over B: No DB query yet B->>I: _impl(request, ResolvedIdentity) I->>L: identity.tenant.tenant_id L-->>I: "test_tenant" (immediate, no DB) I->>L: identity.tenant.ad_server L->>DB: get_tenant_by_id("test_tenant") DB-->>L: {tenant_id, name, ad_server, ...} Note over L: Cached — subsequent<br/>accesses don't hit DB L-->>I: "gam" I->>I: get_adapter(tenant=tenant) I->>I: business logic... I-->>T: GetProductsResponse (typed model) alt Success T->>T: framework serializes response else AdCPError raised T->>T: translate to transport-specific error endLazy tenant loading detail
~85% of call paths only need
tenant_id, which is available without a DB query. Full tenant data loads transparently on first access to any other field.stateDiagram-v2 [*] --> Unloaded: LazyTenantContext(tenant_id) state Unloaded { [*] --> Available Available: tenant_id ✅ (immediate) Available: __contains__ ✅ (no DB) Available: __bool__ ✅ (always True) } Unloaded --> Loaded: Access .name, .ad_server,<br/>.approval_mode, etc. state Loaded { [*] --> Resolved Resolved: All 22 fields available Resolved: Backed by TenantContext model Resolved: set_current_tenant() called once Resolved: Cached — no repeat queries } note right of Unloaded: ~85% of _impl calls<br/>stay here note right of Loaded: Only when _impl needs<br/>full tenant configConcrete changes
1. Unified process — Single FastAPI app replaces 3 subprocesses
/mcpviahttp_app()A2AFastAPIApplication.add_routes_to_app()WSGIMiddleware2. Identity resolution — Auth + tenant resolved once at boundary
ResolvedIdentity— frozen Pydantic model carrying resolved auth + tenant contextTenantContext/LazyTenantContext— typed model replacing raw dicts, defers DB load until needed (~85% of calls never hit DB)get_adapter()takes explicittenantparameter (no ContextVar reads)_implmodules useidentity.tenantexclusivelyUnifiedAuthMiddlewarereplaces 3 separate auth middlewaresresolve_identity()via its own mechanism: FastMCP Middleware (MCP),_resolve_a2a_identity(A2A), FastAPIDepends(REST)3. Error boundary — Transport-agnostic errors in business logic
AdCPErrorhierarchy (Validation,Authentication,Authorization,Adapter) replacesToolErrorin 42+ sites across_implfunctions_implnever seesToolError,ServerError, or HTTP status codes4. Structural enforcement — 77 tests verify architecture invariants
_implfunctions never touch ContextVarsresolve_identity()internals are pure (noset_current_tenant()side effects)5. REST API — Full feature parity, for free
Because all business logic lives in shared
_implfunctions, adding a REST transport was a single 183-line file (src/routes/api_v1.py) with zero changes to business logic. It has complete feature parity with MCP and A2A — same 10 tools, same auth, same validation, same errors — just JSON-RPC over HTTP instead of MCP/A2A protocols. Swagger UI auto-generated at/docs, OpenAPI spec at/openapi.json. This layer is effectively maintenance-free: when an_implchanges, all three transports pick it up automatically.Benefits
ADCP_TESTINGTest suite health
The test suite was in rough shape — 138 warnings, flaky failures from resource leaks, unawaited coroutines, stale mocks, and tests that didn't actually test what they claimed. This PR fixes all of that:
What was fixed
update_performance_indexandget_adcp_capabilities, 8 new e2e tests for discovery endpoints and multi-tenant isolationlist_authorized_propertiesMCP wrapper silently dropped thecontextparametertime.sleepin retry/backoff tests replaced with mocks (54s → 17s)Test infrastructure
./run_all_tests.sh— one command: starts Docker, runstox -p(5 suites in parallel), combines coverage, tears down Dockermake test-stack-up/make test-stack-down— Docker lifecycle separated for fast iterationhtmlcov/index.html(HTML) +coverage.json(machine-readable), per-env isolation prevents SQLite race conditionstest-results/keeps only last 10 runstest-results/<timestamp>/Test plan
make qualitypasses (ruff format + lint + mypy + unit tests)tox -e unitverified independently./run_all_tests.shrun verified end-to-enddocker compose up— unified stack serves all routes/admin//docslists all 10 REST endpointsNginx configuration simplification
Since all three services (MCP, A2A, Admin) now run in a single FastAPI process, the nginx configs were simplified from ~40 location blocks to catch-all patterns. Each config now uses a single
location /with WebSocket-safe headers (viamap $http_upgrade $connection_upgrade) instead of repeating identical proxy blocks per path. Total reduction: 957 → 472 lines (50%) across the three configs (development, single-tenant, multi-tenant).Post-review hardening (29 commits)
The initial review surfaced gaps between the claimed architecture and the actual implementation — auth was described as "resolved once at the boundary" but each transport still had its own extraction logic, resolver internals still mutated ContextVars, and A2A had duplicated tenant detection with the wrong strategy order. 29 follow-up commits close these gaps.
Auth unification completed
UnifiedAuthMiddlewareresolve_identity()resolve_identity()DependswithAnnotatedtypesContextVar side effects eliminated from resolver internals
_detect_tenant()made pure — 6set_current_tenant()calls removedget_principal_from_token()returns(principal_id, tenant_dict)tuple instead of mutating ContextVarresolve_identity()no longer falls back toget_current_tenant()set_current_tenant()now called only at transport boundaries, never inside the resolverA2A handler correctness
CallContextBuilderwired to thread SDKServerCallContextto handler helpersServerErrorInfrastructure hardening
AuthContext.headerswrapped inMappingProxyType(immutable after creation)AUTH_CONTEXT_STATE_KEYshared constant replaces string literal duplicationresolve_identity()pathlibfor cross-platform portability🤖 Generated with Claude Code